Guest

Cisco Catalyst 4900 Series Switches

Release Note for Catalyst 4948 Series Switch, Cisco IOS Release 12.2(54)SGx and 12.2(53)SGx

  • Viewing Options

  • PDF (2.9 MB)
  • Feedback

Table Of Contents

Release Notes for the Catalyst 4900 Series Switch, Cisco IOS Release 12.2(54)SGx and 12.2(53)SGx

Contents

Cisco IOS Software Packaging for the
Cisco Catalyst 4900 Series Switch

Catalyst 4900 Series Switch Cisco IOS Release Strategy

Cisco IOS Software Migration

Summary of Migration Plan

Support

System Requirements

Supported Hardware

Supported Features

Unsupported Features

New and Changed Information

New Hardware Features in Release 12.2(54)SG

New Software Features in Release 12.2(54)SG

New Hardware Features in Release 12.2(53)SG3

New Software Features in Release 12.2(53)SG3

New Hardware Features in Release 12.2(53)SG

New Software Features in Release 12.2(53)SG

New Hardware Features in Release 12.2(52)SG

New Software Features in Release 12.2(52)SG

New Hardware Features in Release 12.2(50)SG2

New Software Features in Release 12.2(50)SG2

New Hardware Features in Release 12.2(50)SG1

New Software Features in Release 12.2(50)SG1

New Hardware Features in Release 12.2(50)SG

New Software Features in Release 12.2(50)SG

New Hardware Features in Release 12.2(46)SG

New Software Features in Release 12.2(46)SG

New Hardware Features in Release 12.2(44)SG

New Software Features in Release 12.2(44)SG

New Hardware Features in Release 12.2(40)SG

New Software Features in Release 12.2(40)SG

New Hardware Features in Release 12.2(37)SG

New Software Features in Release 12.2(37)SG

New Hardware Features in Release 12.2(31)SGA

New Software Features in Release 12.2(31)SGA

New Hardware Features in Release 12.2(31)SG

New Software Features in Release 12.2(31)SG

New Hardware Features in Release 12.2(25)SG

New Software Features in Release 12.2(25)SG

New Hardware Features in Release 12.2(25)EWA

New Software Features in Release 12.2(25)EWA

New Hardware Features in Release 12.2(25)EW

New Software Features in Release 12.2(25)EW

New Hardware Features in Release 12.2(20)EWA

New Software Features in Release 12.2(20)EWA

Upgrading the System Software

Upgrading the ROMMON from the Console

Upgrading the ROMMON Remotely Using Telnet

Upgrading the Cisco IOS Software

Limitations and Restrictions

Caveats

Open Caveats in Cisco IOS Release 12.2(54)SG1

Resolved Caveats in Cisco IOS Release 12.2(54)SG1

Open Caveats in Cisco IOS Release 12.2(54)SG

Resolved Caveats in Cisco IOS Release 12.2(54)SG

Open Caveats in Cisco IOS Release 12.2(53)SG10

Resolved Caveats in Cisco IOS Release 12.2(53)SG10

Open Caveats in Cisco IOS Release 12.2(53)SG9

Resolved Caveats in Cisco IOS Release 12.2(53)SG9

Open Caveats in Cisco IOS Release 12.2(53)SG8

Resolved Caveats in Cisco IOS Release 12.2(53)SG8

Open Caveats in Cisco IOS Release 12.2(53)SG7

Resolved Caveats in Cisco IOS Release 12.2(53)SG7

Open Caveats in Cisco IOS Release 12.2(53)SG6

Resolved Caveats in Cisco IOS Release 12.2(53)SG6

Open Caveats in Cisco IOS Release 12.2(53)SG5

Resolved Caveats in Cisco IOS Release 12.2(53)SG5

Open Caveats in Cisco IOS Release 12.2(53)SG4

Resolved Caveats in Cisco IOS Release 12.2(53)SG4

Open Caveats in Cisco IOS Release 12.2(53)SG3

Resolved Caveats in Cisco IOS Release 12.2(53)SG3

Open Caveats in Cisco IOS Release 12.2(53)SG2

Resolved Caveats in Cisco IOS Release 12.2(53)SG2

Open Caveats in Cisco IOS Release 12.2(53)SG1

Resolved Caveats in Cisco IOS Release 12.2(53)SG1

Open Caveats in Cisco IOS Release 12.2(53)SG

Resolved Caveats in Cisco IOS Release 12.2(53)SG

Open Caveats in Cisco IOS Release 12.2(52)SG

Resolved Caveats in Cisco IOS Release 12.2(52)SG

Open Caveats in Cisco IOS Release 12.2(50)SG8

Resolved Caveats in Cisco IOS Release 12.2(50)SG8

Open Caveats in Cisco IOS Release 12.2(50)SG7

Resolved Caveats in Cisco IOS Release 12.2(50)SG7

Open Caveats in Cisco IOS Release 12.2(50)SG6

Resolved Caveats in Cisco IOS Release 12.2(50)SG6

Open Caveats in Cisco IOS Release 12.2(50)SG4

Resolved Caveats in Cisco IOS Release 12.2(50)SG4

Open Caveats in Cisco IOS Release 12.2(50)SG2

Resolved Caveats in Cisco IOS Release 12.2(50)SG2

Open Caveats in Cisco IOS Release 12.2(50)SG1

Resolved Caveats in Cisco IOS Release 12.2(50)SG1

Open Caveats in Cisco IOS Release 12.2(50)SG

Resolved Caveats in Cisco IOS Release 12.2(50)SG

Open Caveats in Cisco IOS Release 12.2(46)SG

Resolved Caveats in Cisco IOS Release 12.2(46)SG

Open Caveats in Cisco IOS Release 12.2(44)SG1

Resolved Caveats in Cisco IOS Release 12.2(44)SG1

Open Caveats in Cisco IOS Release 12.2(44)SG

Resolved Caveats in Cisco IOS Release 12.2(44)SG

Open Caveats in Cisco IOS Release 12.2(40)SG

Resolved Caveats in Cisco IOS Release 12.2(40)SG

Open Caveats in Cisco IOS Release 12.2(37)SG1

Resolved Caveats in Cisco IOS Release 12.2(37)SG1

Open Caveats in Cisco IOS Release 12.2(37)SG

Resolved Caveats in Cisco IOS Release 12.2(37)SG

Open Caveats in Cisco IOS Release 12.2(31)SGA11

Resolved Caveats in Cisco IOS Release 12.2(31)SGA11

Open Caveats in Cisco IOS Release 12.2(31)SGA10

Resolved Caveats in Cisco IOS Release 12.2(31)SGA10

Open Caveats in Cisco IOS Release 12.2(31)SGA9

Resolved Caveats in Cisco IOS Release 12.2(31)SGA9

Open Caveats in Cisco IOS Release 12.2(31)SGA8

Resolved Caveats in Cisco IOS Release 12.2(31)SGA8

Open Caveats in Cisco IOS Release 12.2(31)SGA7

Resolved Caveats in Cisco IOS Release 12.2(31)SGA7

Open Caveats in Cisco IOS Release 12.2(31)SGA6

Resolved Caveats in Cisco IOS Release 12.2(31)SGA6

Open Caveats in Cisco IOS Release 12.2(31)SGA5

Resolved Caveats in Cisco IOS Release 12.2(31)SGA5

Open Caveats in Cisco IOS Release 12.2(31)SGA4

Resolved Caveats in Cisco IOS Release 12.2(31)SGA4

Open Caveats in Cisco IOS Release 12.2(31)SGA3

Resolved Caveats in Cisco IOS Release 12.2(31)SGA3

Open Caveats in Cisco IOS Release 12.2(31)SGA2

Resolved Caveats in Cisco IOS Release 12.2(31)SGA2

Open Caveats in Cisco IOS Release 12.2(31)SGA1

Resolved Caveats in Cisco IOS Release 12.2(31)SGA1

Open Caveats in Cisco IOS Release 12.2(31)SGA

Resolved Caveats in Cisco IOS Release 12.2(31)SGA

Open Caveats in Cisco IOS Release 12.2(31)SG2

Resolved Caveats in Cisco IOS Release 12.2(31)SG3

Open Caveats in Cisco IOS Release 12.2(31)SG2

Resolved Caveats in Cisco IOS Release 12.2(31)SG2

Open Caveats in Cisco IOS Release 12.2(31)SG1

Resolved Caveats in Cisco IOS Release 12.2(31)SG1

Open Caveats in Cisco IOS Release 12.2(31)SG

Resolved Caveats in Cisco IOS Release 12.2(31)SG

Open Caveats in Cisco IOS Release 12.2(25)SG4

Resolved Caveats in Cisco IOS Release 12.2(25)SG4

Open Caveats in Cisco IOS Release 12.2(25)SG3

Resolved Caveats in Cisco IOS Release 12.2(25)SG3

Open Caveats in Cisco IOS Release 12.2(25)SG2

Resolved Caveats in Cisco IOS Release 12.2(25)SG2

Open Caveats in Cisco IOS Release 12.2(25)SG1

Resolved Caveats in Cisco IOS Release 12.2(25)SG1

Open Caveats in Cisco IOS Release 12.2(25)SG

Resolved Caveats in Cisco IOS Release 12.2(25)SG

Open Caveats in Cisco IOS Release 12.2(25)EWA14

Resolved Caveats in Cisco IOS Release 12.2(25)EWA14

Open Caveats in Cisco IOS Release 12.2(25)EWA13

Resolved Caveats in Cisco IOS Release 12.2(25)EWA13

Open Caveats in Cisco IOS Release 12.2(25)EWA12

Resolved Caveats in Cisco IOS Release 12.2(25)EWA12

Open Caveats in Cisco IOS Release 12.2(25)EWA11

Resolved Caveats in Cisco IOS Release 12.2(25)EWA11

Open Caveats in Cisco IOS Release 12.2(25)EWA10

Resolved Caveats in Cisco IOS Release 12.2(25)EWA10

Open Caveats in Cisco IOS Release 12.2(25)EWA9

Resolved Caveats in Cisco IOS Release 12.2(25)EWA9

Open Caveats in Cisco IOS Release 12.2(25)EWA8

Resolved Caveats in Cisco IOS Release 12.2(25)EWA8

Open Caveats in Cisco IOS Release 12.2(25)EWA7

Resolved Caveats in Cisco IOS Release 12.2(25)EWA7

Open Caveats in Cisco IOS Release 12.2(25)EWA6

Resolved Caveats in Cisco IOS Release 12.2(25)EWA6

Open Caveats in Cisco IOS Release 12.2(25)EWA5

Resolved Caveats in Cisco IOS Release 12.2(25)EWA5

Open Caveats in Cisco IOS Release 12.2(25)EWA4

Resolved Caveats in Cisco IOS Release 12.2(25)EWA4

Open Caveats in Cisco IOS Release 12.2(25)EWA3

Resolved Caveats in Cisco IOS Release 12.2(25)EWA3

Open Caveats in Cisco IOS Release 12.2(25)EWA2

Resolved Caveats in Cisco IOS Release 12.2(25)EWA2

Open Caveats in Cisco IOS Release 12.2(25)EWA1

Resolved Caveats in Cisco IOS Release 12.2(25)EWA1

Open Caveats in Cisco IOS Release 12.2(25)EWA

Resolved Caveats in Cisco IOS Release 12.2(25)EWA

Open Caveats in Cisco IOS Release 12.2(25)EW

Resolved Caveats in Cisco IOS Release 12.2(25)EW

Open Caveats in Cisco IOS Release 12.2(20)EWA4

Resolved Caveats in Cisco IOS Release 12.2(20)EWA4

Open Caveats in Cisco IOS Release 12.2(20)EWA3

Resolved Caveats in Cisco IOS Release 12.2(20)EWA3

Open Caveats in Cisco IOS Release 12.2(20)EWA2

Resolved Caveats in Cisco IOS Release 12.2(20)EWA2

Open Caveats in Cisco IOS Release 12.2(20)EWA1

Resolved Caveats in Cisco IOS Release 12.2(20)EWA1

Open Caveats in Cisco IOS Release 12.2(20)EWA

Resolved Caveats in Cisco IOS Release 12.2(20)EWA

Troubleshooting

Netbooting from the ROMMON

Troubleshooting at the System Level

Troubleshooting Modules

Troubleshooting MIBs

Related Documentation

Hardware Documents

Software Documentation

Cisco IOS Documentation

Notices

OpenSSL/Open SSL Project

License Issues

Obtaining Documentation and Submitting a Service Request


Release Notes for the Catalyst 4900 Series Switch, Cisco IOS Release 12.2(54)SGx and 12.2(53)SGx


Current Release
12.2(53)SG10—December 18, 2013

Previous Releases
12.2(54)SG1,12.2(54)SG, 12.2(53)SG9, 12.2(53)SG8, 12.2(53)SG7, 12.2(53)SG6, 12.2(53)SG5, 12.2(54)SG4, 12.2(53)SG3, 12.2(53)SG2, 12.2(53)SG1, 12.2(53)SG, 12.2(52)SG, 12.2(50)SG8, 12.2(50)SG7, 12.2(50)SG6, 12.2(50)SG4, 12.2(50)SG2, 12.1(50)SG1, 12.2(50)SG, 12.2(46)SG, 12.2(44)SG1, 12.2(44)SG, 12.2(37)SG1, 12..2(37)SG, 12.2(31)SGA11, 12.2(31)SGA10, 12.2(31)SGA9, 12.2(31)SGA8, 12.2(31)SGA7, 12.2(31)SGA6, 12.2(31)SGA5, 12.2(31)SGA4, 12.2(31)SGA3, 12.2(31)SGA2, 12.2(31)SGA1, 12.2(31)SGA, 12.2(31)SG3, 12.2(31)SG2, 12.2(31)SG1, 12.2(31)SG, 112.2(25)SG4, 2.2(25)SG3, 12.2(25)SG2, 12.2(25)SG1, 12.2(25)SG, 12.2(25)EWA14, 12.2(25)EWA13, 12.2(25EWA12, 12.2(25)EWA11, 12.2(25)EWA10, 12.2(25)EWA9, 12.2(25)EWA8, 12.2(25)EWA7, 12.2(25)EWA6, 12.2(25)EWA5, 12.2(25)EWA4, 12.2(25)EWA3, 12.2(25)EWA2, 12.2(25)EWA1, 12.2(25)EW, 12.2(20)EWA4, 12.2(20)EWA3, 12.2(20)EWA2, 12.2(20)EWA1, 12.2(20)EWA

These release notes describe the features, modifications, and caveats for the Cisco IOS software on the Catalyst 4900 series switch. The most current software release is Cisco IOS Release 12.2(54)SG.

Support for Cisco IOS Software Release 12.2(54)SG, the default image, follows the standard Cisco Systems® support policy, available at
http://www.cisco.com/en/US/products/products_end-of-life_policy.html


Note Although their Release Notes are unique, the 4 platforms (Catalyst 4500, Catalyst 4900,
Catalyst ME 4900, and Catalyst 4900M/4948E) use the same Software Configuration Guide, Command Reference Guide, and System Message Guide.


For more information on the Catalyst 4500 series switches, visit the following URL:

http://www.cisco.com/go/cat4500/docs

Contents

This publication consists of these sections:

Cisco IOS Software Packaging for the Cisco Catalyst 4900 Series Switch

Catalyst 4900 Series Switch Cisco IOS Release Strategy

System Requirements

New and Changed Information

Upgrading the System Software

Limitations and Restrictions

Caveats

Troubleshooting

Related Documentation

Notices

Obtaining Documentation and Submitting a Service Request

Cisco IOS Software Packaging for the
Cisco Catalyst 4900 Series Switch

A new Cisco IOS Software package for Cisco Catalyst 4900 Series switches was introduced in Cisco IOS Software Release 12.2(25)SG. It is a new foundation for features and functionality and provides consistency across all Cisco Catalyst switches. The new Cisco IOS Software release train is designated as 12.2SG.

Prior Cisco Catalyst 4900 Series Cisco IOS Software images for the Cisco Catalyst 4900 Series Switches, formerly known as Basic Layer 3 and Enhanced Layer 3, now map to IP Base and Enterprise Services, respectively. All currently shipping Cisco Catalyst 4900 software features based on Cisco IOS Software are supported in the IP Base image of Release 12.2(54)SG with a few exceptions.

The IP Base image does not support enhanced routing features such as Nonstop Forwarding/Stateful Switchover (NSF/SSO), BGP, Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS), Internetwork Packet Exchange (IPX), AppleTalk, Virtual Routing Forwarding (VRF-lite), GLBP, and policy-based routing (PBR). The IP Base image supports EIGRP-Stub for limited routing on Cisco Catalyst 4900 Series Switches.

The Enterprise Services image supports all Cisco Catalyst 4900 Series software features based on Cisco IOS Software, including enhanced routing. BGP capability is included in the Enterprises Services package.

Cisco IOS Release 12.2(46)SG1 introduced a LAN Base software image and an IP upgrade image for the fixed configuration switches, WS-X4948 and WS-X4948-10GE. These will complement the existing IP Base and Enterprise Services images. The LAN Base image is primarily focused on customer access and Layer 2 requirements and therefore many of the IP Base features are not required. An IP Upgrade image is available if later you require some of those features.

For more information about the Cisco Catalyst 4900 series switch, visit
http://www.cisco.com/en/US/products/ps6021/index.html

Table 1 contrasts feature support on the LAN Base vs IP Base images.

For information on MiBs support, pls refer to this URL:

http://ftp.cisco.com/pub/mibs/supportlists/cat4000/cat4000-supportlist.html

Table 1 LAN Base/IP Base Image Support

Feature
LAN Base
IP Base
Enterprise Services

10G Uplink Use

12.2(46)SG1

Yes

Yes

802.1p prioritization

12.2(46)SG1

Yes

Yes

802.1p/802.1q

12.2(46)SG1

Yes

Yes

802.1w/802.1s

12.2(46)SG1

Yes

Yes

802.1X (w/ Guest VLAN and VLAN Assignment)

12.2(50)SG

Yes

Yes

802.1X and MAB with ACL assignment

12.2(50)SG

Yes

Yes

802.1X (Auth-Fail VLAN, Critical Auth, Accounting)

12.2(50)SG

Yes

Yes

802.1X Wake on LAN

12.2(50)SG

Yes

Yes

802.1X Web-Auth

12.2(50)SG

Yes

Yes

802.1X with Multiple authenticated, multi-host

12.2(50)SG

Yes

Yes

802.1X w/ MDA

12.2(50)SG

Yes

Yes

802.1X w/ Open Access

12.2(50)SG

Yes

Yes

802.3ad LACP

12.2(46)SG1

Yes

Yes

802.3x - Flow Control

12.2(46)SG1

Yes

Yes

ACL Logging

12.2(46)SG1

Yes

Yes

All Mibs

12.2(52)SG

Yes

Yes

Auto QoS

12.2(53)SG

Yes

Yes

Auto SmartPort

12.2(54)SG

Yes

Yes

Auto-MDIX

12.2(46)SG1

Yes

Yes

Auto-Voice VLAN (part of Auto QoS)

No support

Yes

Yes

BOOTP

12.2(46)SG1

Yes

Yes

Bootup GOLD

No support

Yes

Yes

Broadcast Suppression

12.2(46)SG1

Yes

Yes

CDP/CDPv2

12.2(46)SG1

Yes

Yes

Community PVLAN support

No support

Yes

Yes

Config File

12.2(46)SG1

Yes

Yes

Console Access

12.2(46)SG1

Yes

Yes

Control Plane Policing

12.2(46)SG1

Yes

Yes

Copy Command

12.2(46)SG1

Yes

Yes

CoS to DSCP Map

Yes

Yes

Yes

Debug Commands

12.2(46)SG1

Yes

Yes

Device Management

12.2(46)SG1

Yes

Yes

DHCP Server

12.2(46)SG1

Yes

Yes

DHCP Snooping

12.2(46)SG1

Yes

Yes

Diagnostics Tools

12.2(46)SG1

Yes

Yes

Downloading Software

12.2(46)SG1

Yes

Yes

DSCP to CoS Map

12.2(46)SG1

Yes

Yes

DSCP to egress queue mapping

12.2(46)SG1

Yes

Yes

Dynamic ARP inspection

12.2(46)SG1

Yes

Yes

EEM and EOT integration

No support

Yes

Yes

EIGRP Stub

No support

Yes

Yes

EnergyWise 1.0

12.2(53)SG

Yes

Yes

EPoE

12.2(53)SG

Yes

Yes

Event Log

12.2(46)SG1

Yes

Yes

Factory Default Settings

12.2(46)SG1

Yes

Yes

File Management

12.2(46)SG1

Yes

Yes

Flex Link

12.2(53)SG

Yes

Yes

GLBP

No support

Yes

Yes

HSRP/VRRP

No support

Yes

Yes

HSRP v2 IPV41

No support

Yes

Yes

HSRP v2 IPV62

No support

No

Yes

ID 4.0 Voice Vlan assignment

12.2(46)SG1

Yes

Yes

ID4.1 Filter ID and per use ACL

12.2(46)SG1

Yes

Yes

IGMP

12.2(46)SG1

Yes

Yes

IGMP Snooping

12.2(46)SG1

Yes

Yes

Ingress Policing

12.2(46)SG1

Yes

Yes

Interface Access (Telnet, Console/Serial, Web)

12.2(46)SG1

Yes

Yes

IP Source Guard

12.2(46)SG1

Yes

Yes

IP Multicast

No support

Yes

Yes

IPv6 HSRP

No support

No

Yes

IPV6 MLD snooping V1 and V2

Future

Yes

Yes

IPV6 Reformation

NA

Yes

Yes

IPV6 Router Advertisement (RA) Guard

12.2(54)SG

Yes

Yes

ISL Trunk

12.2(46)SG1

Yes

Yes

Jumbo Frames

12.2(46)SG1

Yes

Yes

Layer 2 Debug

12.2(46)SG1

Yes

Yes

Layer 2 PT and QinQ

No support

Yes

Yes

Layer 2 Traceroute

12.2(46)SG1

Yes

Yes

Link State Tracking

12.2(54)SG

Yes

Yes

LLDP/LLDP-MED

12.2(52)SG

Yes

Yes

LLDP enhancements (PoE+Layer 2 COS)

12.2(54)SG

No

Yes

Local Web Auth

12.2(52)SG

Yes

Yes

MAB (MAC Authentication Bypass)

12.2(50)SG

Yes

Yes

MAC Address Filtering

12.2(50)SG

Yes

Yes

MAC Based Access List

12.2(50)SG

Yes

Yes

Management IPV6 port

12.2(52)SG

Yes

Yes

MLD Snooping

12.2(53)SG

Yes

Yes

Multicast Filtering

12.2(46)SG1

Yes

Yes

Multihop SXP (CTS)

No support

12.2(52SG

Yes

Network Edge Access Topology (NEAT)

No support

Yes

Yes

No. of QoS Filters

No. of Security ACE

Yes (4K entries)

Yes

Yes

No. of VLAN Support

2048

4096

Yes

PAgP

12.2(46)SG1

Yes

Yes

Passwords
Password clear protection

12.2(46)SG1

Yes

Yes

PIM SM/DM

No support

Yes

Yes

PoE (up to 15.4W only)

12.2(46)SG1

Yes

Yes

PoE+ Ready

Yes

Yes

Yes

Port Monitoring (interface Stats)

12.2(46)SG1

Yes

Yes

Port Security

12.2(46)SG1

Yes; only 1024 MACs

Yes

Post Status

12.2(46)SG1

Yes

Yes

PVST+

12.2(53)SG

Yes

Yes

Q-in-Q

No support

Yes

Yes

RACL (DSCP based)

12.2(46)SG1

Yes

Yes

RADIUS/TACACS+ (AAA)

12.2(46)SG1

Yes

Yes

RMON

12.2(46)SG1

Yes

Yes

Routing - RIP, Static

12.2(46)SG1

Yes

Yes

RPR

12.2(46)SG1

Yes

Yes

RPVST+

12.2(53)SG

Yes

Yes

RSPAN

12.2(46)SG1

Yes

Yes

Service Advertisement Framework (SAF)

12.2(54)SG

Yes

Yes

Smart Call Home

No support

Yes

Yes

Smartports (Role based MACRO)

12/2(53)SG

Yes

Yes

SNMP (including SNMv3)

12.2(46)SG1

Yes

Yes

Source port Filtering (Private VLAN)

12.2(46)SG1

Yes

Yes

SPAN (# of sessions) - Port Mirroring

12.2(46)SG1 (2 sessions)

Yes (8 bidirectional sessions)

Yes

SSHv2/Secure Copy, FTP, SSL, Syslog, Sys Information

12.2(46)SG1

Yes

Yes

Storm Control

12.2(46)SG1

Yes

Yes

TDR

No support

Yes

Yes

Time Protocols (SNTP, TimeP)

12.2(46)SG1

Yes

Yes

Time-based ACL

12.2(46)SG1

Yes

Yes

Traffic Mirroring (SPAN)

12.2(46)SG1

Yes

Yes

Trusted Boundary (LLDP & CDP Based)

12.2(46)SG1

Yes

Yes

UDLD

12.2(46)SG1

Yes

Yes

VACL and PACL

12.2(46)SG1

Yes

Yes

Voice VLAN

12.2(46)SG1

Yes

Yes

VRRP

No support

Yes

Yes

VTP

12.2(46)SG1

Yes

Yes

WCCP

No support

Yes

Yes

XML-PI

12.2(54)SG

Yes

Yes

1 Supported on all supervisor engines.

2 Supported only for Catalyst 4900M and Supervisor Engines 6-E/6L-E.



Note With the LAN Base image, 10GbE uplinks are supported on the Catalyst 4948-10GE switch but not the Catalyst 4948 switch.


Orderable Product Numbers:

S49LB-12254SG(=)—Cisco IOS Software for Cisco Catalyst 4900 Series Switch (LAN Base image)

S49LBK9-12254SG(=)—Cisco IOS Software for Cisco Catalyst 4900 Series Switch (LAN Base image with Triple Data Encryption)

S49IPB-12254SG(=)—Cisco IOS Software for Cisco Catalyst 4900 Series Switch (IP Base image)

S49IPBK9-12254SG(=)—Cisco IOS Software for Cisco Catalyst 4900 Series Switch (IP Base image with Triple Data Encryption)

S49ES-12254SG(=)— Cisco IOS Software for Cisco Catalyst 4900 Series Switch (Enterprise Services image with BGP support)

S49ESK9-12254SG(=)—Cisco IOS Software for Cisco Catalyst 4900 Series Switch (Enterprise Services image with 3DES and BGP support)

S49ES-12253SG - Cisco IOS Software for Cisco Catalyst 4900 Series Switches (Enterprise Services image with BGP support)

S49ESK9-12253SG - Cisco IOS Software for Cisco Catalyst 4900 Series Switches (Enterprise Services image with 3DES and BGP support)

S49IPB-12253SG - Cisco IOS Software for Cisco Catalyst 4900 Series Switches (IP Base image)

S49IPBK9-12253SG - Cisco IOS Software for Cisco Catalyst 4900 Series Switches (IP Base image with 3DES)

S49LB-12253SG - Cisco IOS Software for Cisco Catalyst 4900 Series Switches (LAN Base image)

S49LBK9-12253SG - Cisco IOS Software for Cisco Catalyst 4900 Series Switches (LAN Base image with 3DES)

WS-C4900-SW-LIC - Catalyst 4948 IP Base Upgrade License for LAN Base IOS

S49ES-12252SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with BGP support) (cat4500-entservices-mz)

S49ESK9-12252SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES and BGP) (cat4500-entservicesk9-mz)

S49IPB-12252SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

S49IPBK9-12252SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

S49IPB-12250SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

S49IPBK9-12250SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

S49ES-12250SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with BGP support) (cat4500-entservices-mz)

S49ESK9-12250SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES and BGP) (cat4500-entservicesk9-mz)

S49IPB-12246SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

S49IPBK9-12246SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

S49ES-12246SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with BGP support) (cat4500-entservices-mz)

S49ESK9-12246SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES and BGP) (cat4500-entservicesk9-mz)

S49IPB-12244SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

S49IPBK9-12244SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

S49ES-12244SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with BGP support) (cat4500-entservices-mz)

S49ESK9-12244SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES and BGP) (cat4500-entservicesk9-mz)

S49IPB-12240SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

S49IPBK9-12240SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

S49ES-12240SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with BGP support) (cat4500-entservices-mz)

S49ESK9-12240SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES and BGP) (cat4500-entservicesk9-mz)

S49IPB-12237SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

S49IPBK9-12237SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

S49ES-12237SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image) (cat4500-entservices-mz)

S49ESK9-12237SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES) (cat4500-entservicesk9-mz)

S49IPB-12231SGA—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

S49IPBK9-12231SGA—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

S49ES-12231SGA—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image) (cat4500-entservices-mz)

S49ESK9-12231SGA—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES) (cat4500-entservicesk9-mz)


Note We recommend that you load 12.2(31)SGA8.


S49IPB-12231SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

S49IPBK9-12231SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

S49ES-12231SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image) (cat4500-entservices-mz)

S49ESK9-12231SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES) (cat4500-entservicesk9-mz)

S49IPB-12225SG—Cisco IOS software for the Catalyst 4900 Series Switch (IP Base image) (cat4500-ipbase-mz)

S49IPBK9-12225SG—Cisco IOS software for the Catalyst 4900 Series Switch (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

S49ES-12225SG—Cisco IOS software for the Catalyst 4900 Series Switch (Enterprise Services image with BGP support) (cat4500-entservices-mz)

S49ESK9-12225SG—Cisco IOS software for the Catalyst 4900 Series Switch (Enterprise Services image with 3DES and BGP support) (cat4500-entservicesk9-mz)

S4KL3-12225EWA—Cisco IOS software for the Catalyst 4900 series switch, basic Layer 3 and voice software image (RIPv1, RIPv2, Static Routes, AppleTalk, and IPX Software Routing, Release 12.2(25)EWA (cat4000-i9s-mz.122-25.EWA)

S4KL3E-12225EWA—Cisco IOS software for the Catalyst 4900 series switch, enhanced Layer 3 and voice software image including OSPF, IS-IS, and EIGRP, Release 12.2(25)EWA (cat4000-i5s-mz.122-25.EWA)

S4KL3K9-12225EWA—Cisco IOS software for the Catalyst 4900 series switch, with 3DES strong encryption, basic Layer 3 and voice software image (SSHv1, SSHv2, RIPv1, RIPv2, static routes, AppleTalk, and IPX), Release 12.2(25)EWA (cat4000-i9k9s-mz.122-25.EWA)

S4KL3EK9-12225EWA—Cisco IOS software for the Catalyst 4900 series switch, with 3DES strong encryption, enhanced Layer 3 and voice software image including (OSPF, IS-IS, IGRP, and EIGRP), Release 12.2(25)EWA (cat4000-i5k9s-mz.122-25.EWA)

S4KL3-12220EWA—Cisco IOS software for the Catalyst 4900 series switch, basic Layer 3 and voice software image (RIPv1, RIPv2, Static Routes, AppleTalk, and IPX Software Routing, Release 12.2(20)EWA (cat4000-i9s-mz.122-20.EWA)

S4KL3E-12220EWA—Cisco IOS software for the Catalyst 4900 series switch, enhanced Layer 3 and voice software image including OSPF, IS-IS, and EIGRP, Release 12.2(20)EWA (cat4000-i5s-mz.122-20.EWA)

S4KL3K9-12220EWA—Cisco IOS software for the Catalyst 4900 series switch, with 3DES strong encryption, basic Layer 3 and voice software image (SSHv1, SSHv2, RIPv1, RIPv2, static routes, AppleTalk, and IPX), Release 12.2(20)EWA (cat4000-i9k9s-mz.122-20.EWA)

S4KL3EK9-12220EWA—Cisco IOS software for the Catalyst 4900 series switch, with 3DES strong encryption, enhanced Layer 3 and voice software image including (OSPF, IS-IS, IGRP, and EIGRP), Release 12.2(20)EWA (cat4000-i5k9s-mz.122-20.EWA)

S4KL3-12220EW—Cisco IOS software for the Catalyst 4900 series switch, basic Layer 3 and voice software image (RIPv1, RIPv2, Static Routes, AppleTalk, and IPX), Release Software Routing, Release 12.2(20)EW (cat4000-i9s-mz.122-20.EW)

S4KL3E-12220EW—Cisco IOS software for the Catalyst 4900 series switch, enhanced Layer 3 and voice software image including OSPF, IS-IS, and EIGRP, Release 12.2(20)EW (cat4000-i5s-mz.122-20.EW)

S4KL3K91-12220EW—Cisco IOS software for the Catalyst 4900 series switch, with 3DES strong encryption, basic Layer 3 and voice software image (SSHv1, SSHv2, RIPv1, RIPv2, static routes, AppleTalk, and IPX), Release 12.2(20)EW (cat4000-i9k91s-mz.122-20.EW)

S4KL3EK91-12220EW—Cisco IOS software for the Catalyst 4900 series switch, with 3DES strong encryption, enhanced Layer 3 and voice software image including (OSPF, IS-IS, and EIGRP), Release 12.2(20)EW (cat4000-i5k91s-mz.122-20.EW)

Catalyst 4900 Series Switch Cisco IOS Release Strategy

Customers with Catalyst 4900 series switches who need the latest hardware support and software features should migrate to Cisco IOS Release 12.2(54)SG.

Catalyst 4900 Series has three maintenance trains. The Cisco IOS Release 12.2(31)SGA train is the longest living train. Currently, the Cisco IOS Release 12.2(31)SGA10 is the recommended release for customers who require a release with a maintenance train. The Cisco IOS Release 12.2(53)SG is the latest maintenance train.

Cisco IOS Software Migration

Figure 1 displays the two active, 12.2(31)SGA and 12.2(50)SG, and newly introduced 12.2(53)SG extended maintenance trains.

Figure 1 Software Release Strategy for the Catalyst 4900 Series Switch

Summary of Migration Plan

Customers requiring the latest Cisco Catalyst 4900 Series hardware and software features should migrate to Cisco IOS Software Release 12.2(54)SG.

Cisco IOS Software Release 12.2(31)SGA and 12.2(50)SG will continue offering maintenance releases. The latest release from the 12.2(31)SGA maintenance train is 12.2(31)SGA10. The latest release from the 12.2(50)SG maintenance train is 12.2(50)SG3.

Support

Support for Cisco IOS Software Release 12.2(54)SG follows the standard Cisco Systems® support policy, available at
http://www.cisco.com/en/US/products/products_end-of-life_policy.html

System Requirements

This section describes the system requirements:

Supported Hardware

Supported Features

Unsupported Features

Supported Hardware

This section describes the hardware supported on the Catalyst 4900 series switch.

For Catalyst 4900 series switch transciever module compatibility information, see the url:

http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html

Table 2 briefly describes the Catalyst 4900 series switch product set.

Table 2 WS-4948 and WS-4948-10GE

Product Number (append with "=" for spares)
Product Description
Software Release
 
Minimum

WS-X4948

48-port 10/100/1000 Catalyst 4948 switch, optional software image, optional power supplies, fan tray

12.2(20)EWA

WS-X4948-S

48-port 10/100/1000 Catalyst 4948 switch, SMI, one AC power supply, fan tray

12.2(20)EWA

WS-X4948-E

48-port 10/100/1000 Catalyst 4948 switch, EMI, one AC power supply, fan tray

12.2(20)EWA

WS-X4948-10GE

48-port 10/100/1000 2-10GE Catalyst 4948 switch, optional software image, optional power supplies, fan tray

12.2(25)EWA

WS-X4948-10GE-S

48-port 10/100/1000 2-10GE Catalyst 4948 switch, SMI, one AC power supply, fan tray

12.2(25)EWA

WS-X4948-10GE-E

48-port 10/100/1000 2-10GE Catalyst 4948 switch, EMI, one AC power supply, fan tray

12.2(25)EWA

WS-C4928-10GE

24 Gigabit Ethernet Small Form-Factor Pluggable (SFP) downlinks, 4 Gigabit Ethernet SFP uplinks, two 10 Gigabit Ethernet X2 uplinks, redundant field-replaceable AC and DC power supplies, fan tray with redundant fans, 1 rack unit (RU) form factor

12.2(46)SG


Supported Features

Table 3 lists the Cisco IOS software features for the Catalyst 4900 series switch.

Table 3 Cisco IOS Software Feature Set for the Catalyst 4900 Series Switch 

Layer 2 Switching Features

Storm control

Multicast storm control

IP Source Guard

IP Source Guard for Static Hosts

PVRST+

Layer 2 protocol tunneling

Layer 2 transparent bridging1

Layer 2 MAC2 learning, aging, and switching by software

Unicast MAC address filtering

VMPS3 Client

Layer 2 hardware forwarding up to 102 Mpps

Layer 2 switch ports and VLAN trunks

Spanning-Tree Protocol (IEEE 802.1D) per VLAN

802.1s and 802.1w

Layer 2 traceroute

Unidirectional Ethernet port

Per-VLAN spanning tree (PVST) and PVST+

Spanning-tree root guard

Spanning-tree Loop guard and PortFast BPDU Filtering

Support for 9216 byte frames

Port security on PVLANs

Private VLANs

Private VLAN DHCP snooping

Community PVLANs

Private VLAN Promiscuous Trunk

ISL

IEEE 802.1Q-based VLAN encapsulation

Multiple VLAN access port

VLAN Trunking Protocol (VTP) and VTP domains

VTP v3

No. of VLAN support per switch: 2048 (for LAN Base), 4096 (for IP Base)

Unidirectional link detection (UDLD) and aggressive UDLD

Sub-second UDLD (Fast UDLD)

Resilient Ethernet Protocol

Ethernet CFM

Ethernet OAM Protocol

Layer 3 Routing, Switching, and Forwarding

802.1Q Tunneling (Q in Q)

QinQ and Protocol Tunneling

Pragmatic General Multicast

ANCP Client

Auto RP Listener

IP and IP multicast routing and switching between Ethernet ports

IP Multicast Load Splitting (Equal Cost Multipath (ECMP) using S, G and Next-hop)

Static IP routing

Classless routing4

PBR5

Dynamic Buffer Limiting

Selective Dynamic Buffer Limiting

QoS-based forwarding based on IP precedence

Trusted boundary

Auto QoS

Match CoS for non-IPV4 traffic

CoS Mutation

CEF6 load balancing

Hardware-based IP CEF routing at 102 Mpps

Up to 32,000 IP routes

Up to 32,000 IP host entries (Layer 3 adjacencies)

Up to 16,000 IP multicast route entries

Up to 55,000 unicast entries

Multicast flooding suppression for STP changes

Software routing of IPX, AppleTalk, and IPv6

IGMPv1, IGMPv2, and IGMPv3 (Full Support)

IGMP Querier

VRF-lite

VRF-aware IP services

VRF-aware TACACS+

Route Leaking7

IP Unnumbered

SVI Autostate Exclude

Supported Protocols

IS-IS8

DTP9

RIP10 and RIP II

EIGRP11

EIGRP stub

OSPF12

BGP413

BGP route-map Continue

BGP Neighbor Policy

MBGP14

MSDP15

ICMP16 Router Discovery Protocol

PIM17 —sparse and dense mode

Static routes

Classless interdomain routing (CIDR)

DVMRP18

SSM

NTP19

NTP master

WCCPv2 Layer 2 Redirection

VRRP20

SCP21

GLBP22

EtherChannel Features

Cisco EtherChannel technology - 10/100/1000 Mbps, 10 Gbps

Load balancing for routed traffic, based on source and destination IP addresses

Load sharing for bridged traffic based on MAC addresses

ISL on all EtherChannels

IEEE 802.1Q on all EtherChannels

Bundling of up to eight Ethernet ports

Up to 50 active Ethernet port channels

Trunk Port Security over EtherChannel

Link State Tracking

Additional Protocols and Features

SPAN CPU port mirroring

SPAN packet-type filtering

SPAN destination in-packets option

SPAN ACL filtering

RSPAN23

Enhanced VLAN statistics

Secondary addressing

Bootstrap protocol (BOOTP)

Authentication, authorization, and accounting using TACACS+ and RADIUS protocol

Cisco Discovery Protocol (CDP)

CDP 2nd Port Status TLV

MAC Address-Table Move Update

Flex Link Bi-directional Fast Convergence

Flex Link VLAN Load-Balancing

Flex Links

Flex Links Interface Preemption

Network Mobility Services Protocol

Link Layer Discovery Protocol (LLDP)

LLDP Media Discovery (LLDP-MED)

PoEP via LLDP

DSCP/CoS via LLDP

Sticky port security

Trunk port security

Voice VLAN Sticky Port Security

Cisco Group Management Protocol (CGMP) server support

HSRP24 over Ethernet, EtherChannels - 10/100/1000Mbps, 10 Gbps

IGMP25 snooping version1, version 2, and version 3 (Full Support)

IGMP filtering

Port Aggregation Protocol (PagP)

802.3ad LACP

SSH version 1 and version 226

show interface capabilities command

IfIndex persistence

UDLR27

Enhanced SNMP MIB support

SNMP28 version 1, version 2, and version 3

SNMP version 3 (with encryption)

DHCP server and relay-agent

DHCP snooping

DHCP client autoconfiguration

DHCP Option 82 Pass Through

802.1X port-based authentication

802.1X with port security

802.1X accounting

802.1X with voice VLAN ID29

802.1X private VLAN assignment

802.1X private guest VLAN

802.1X RADIUS-supplied session timeout

802.1X authentication failure VLAN

802.1X MAC Authentication Bypass

802.1X Inaccessible Authentication Bypass

802.1X Unidirectional Controlled Port

802.1X with User Distribution

Cisco TrustSec SGT Exchange Protocol (SXP) IPv4

RADIUS-Provided Session Timeouts

MAC Move and Replace

Flexible Authentication Sequencing

Multi-Authentication

Open Authentication

Web Authentication

Local Web Authentication (EPM syslog and Common session ID)

PPPoE Intermediate Agent

Control Plane Policing

Port flood blocking

Router standard and extended ACLs 30 on all ports with no performance penalty

Identity ACL Policy Enforcement31

Identity 4.1 Network Edge Access Topology

Extended IPX ACL

VLAN ACL

PACL32

Downloadable ACLs

Local Proxy ARP

Dynamic ARP Inspection on PVLANs

Dynamic ARP Inspection

Per-port QoS33 rate-limiting and shaping

Per-port Per-VLAN QoS

Energy Wise

Power redundancy

Non-stop Forwarding Awareness

Non-stop Forwarding Awareness for EIGRP-stub in IP base for all supervisor engines

WCCP34 v2 Layer 2 Redirection

MAC Address Notification

SmartPort macros

Auto SmartPort macros

802.1s standards compliance

IS-IS MIB

OSPF and EIGRP Fast Convergence

OSPF Fast Convergence

Time Domain Reflectometry

CNA35

EEM36

VSS client with PagP+

Ethernet Management Port

IP SLA37

X2 Link Debounce Timer

Enhanced Object Tracking subfeatures:

HSRP with EOT

VRRP with EOT

GLBP with EOT

IP SLA with EOT

Reliable Backup Static Routing with EOT

Inactivity Timer

boot config command

Crashdump enhancement

Unicast MAC filtering

Smart Call Home

DHCPv6 Ethernet Remote ID option

DHCPv6 Relay - Persistent Interface ID option DHCPv6 Relay Agent notification for Prefix Delegation

PIM SSM Mapping

VRF lite NSF support with routing protocols OSPF/EIGRP/BG

Online Diagnostics

PIM Accept Register - Rogue Multicast Server Protection38

Configuration Rollback

Archiving crashfile information

Per-VLAN Learning

XML Programmatic Interface

IPSG for Static Hosts

Layer Control Packet

1 Hardware-based transparent bridging within a VLAN

2 MAC = Media Access Control

3 VMPS = VLAN Management Policy Server

4 The ip classless command is not supported as classless routing is enabled by default.

5 PBR = policy-based routing

6 CEF = Cisco Express Forwarding

7 Route Leaking from a global routing table into a VRF and Route Leaking from a VRF into a global routing table

8 IS-IS = Intermediate System to Intermediate System

9 DTP = Dynamic Trunking Protocol

10 RIP = Routing Information Protocol

11 EIGRP = Enhanced Interior Gateway Routing Protocol

12 OSPF = Open Shortest Path First

13 BGP4 = Border Gateway Protocol 4

14 MBGP = Multicast Border Gateway Protocol

15 MSDP = Multicast Source Discovery Protocol

16 ICMP = Internet Control Message Protocol

17 PIM = Protocol Independent Multicast

18 DVMRP = Distance Vector Multicast Routing Protocol

19 NTP = Network Time Protocol

20 VRRP = Virtual Router Redundancy Protocol

21 SCP = Secure Copy Protocol

22 GLBP = Gateway Load Balancing Protocol

23 RSPAN = Remote SPAN

24 HSRP = Hot Standby Router Protocol

25 IGMP = Internet Group Management Protocol

26 SSH = Secure Shell Protocol

27 UDLR = Unidirectional Link Routing

28 SNMP = Simple Network Management Protocol

29 PoE is not supported on the Catalyst 4900 series switch.

30 ACLs = Access Control Lists

31 filter-ID and per-user ACL

32 PACL = Port Access Control List

33 QoS = Quality of Service

34 WCCP = Web Content Communication Protocol

35 CNA = Cisco Network Assistant; Minimum CNA release that supports Releases 12.2(25)EW is 1.0(2). Minimum CNA release that supports Release 12.2(20)EWA is 1.0(1).

36 EEM = Embedded Event anager

37 Includes HTTPS-HTTP with SSL 3.0, CEF-MIB, Embedded Syslog Manage, ...

38 The route-map keyword is not supported.


Unsupported Features

These features are not supported in Cisco IOS Release 12.2(54)SG for the 4900 series switches:

The following ACL types:

Standard Xerox Network System (XNS) access list

Extended XNS access list

DECnet access list

Protocol type-code access list

CEF Accounting

Cisco IOS software IPX ACLs:

<1200-1299> IPX summary address access list

ADSL and Dial access for IPv6

AppleTalk EIGRP (use native AppleTalk routing instead)

Bridge groups

Cisco IOS software-based transparent bridging (also called "fallback bridging")

Connectionless (CLNS) routing; including IS-IS routing for CLNS. IS-IS is supported for IP routing only.

DLSw (data-link switching)

IGRP (use EIGRP instead)

isis network point-to-point command

Kerberos support for access control

Lock and key

NAT-PT for IPv6

NetFlow

PBR with Multiple Tracking Options

QoS for IPv6 (QoS for IPv6 traffic)

Reflexive ACLs

Routing IPv6 over an MPLS network

Two-way community VLANs in private VLANs

CFM CoS

PBR with EOT

Unicast RPF

New and Changed Information

These sections describe the new and changed information for the Catalyst 4900 series switch running Cisco IOS software:

New Hardware Features in Release 12.2(54)SG

New Software Features in Release 12.2(54)SG

New Hardware Features in Release 12.2(53)SG3

New Software Features in Release 12.2(53)SG3

New Hardware Features in Release 12.2(53)SG

New Software Features in Release 12.2(53)SG

New Hardware Features in Release 12.2(52)SG

New Software Features in Release 12.2(52)SG

New Hardware Features in Release 12.2(50)SG2

New Software Features in Release 12.2(50)SG2

New Hardware Features in Release 12.2(50)SG1

New Software Features in Release 12.2(50)SG1

New Hardware Features in Release 12.2(50)SG

New Software Features in Release 12.2(50)SG

New Hardware Features in Release 12.2(46)SG

New Software Features in Release 12.2(46)SG

New Hardware Features in Release 12.2(44)SG

New Software Features in Release 12.2(44)SG

New Hardware Features in Release 12.2(40)SG

New Software Features in Release 12.2(40)SG

New Hardware Features in Release 12.2(37)SG

New Software Features in Release 12.2(37)SG

New Hardware Features in Release 12.2(31)SGA

New Software Features in Release 12.2(31)SGA

New Hardware Features in Release 12.2(31)SG

New Software Features in Release 12.2(31)SG

New Hardware Features in Release 12.2(25)SG

New Software Features in Release 12.2(25)SG

New Hardware Features in Release 12.2(25)EWA

New Software Features in Release 12.2(25)EWA

New Hardware Features in Release 12.2(25)EW

New Software Features in Release 12.2(25)EW

New Hardware Features in Release 12.2(20)EWA

New Software Features in Release 12.2(20)EWA

New Hardware Features in Release 12.2(54)SG

Release 12.2(54)SG provides the following new hardware on the Catalyst 4900 series switch:

SFP-10G-SR

SFP-10G-LR

SFP-10G-LRM

SFP-H10GB-CU1M

SFP-H10GB-CU3M

SFP-H10GB-CU5M

CVR-X2-SFP10G Converter on Supervisor Engine V-10G, Supervisor Engine II+10G (SFP-10G-SR only), WS-C4948-10GE, and WS-C4928-10GE

New Software Features in Release 12.2(54)SG

Release 12.2(54)SG provides the following new software features on the Catalyst 4900 series switch:

802.1X with User Distribution ("Configuring 802.1X Port-Based Authentication" chapter)

Auto SmartPort ("Configuring Auto SmartPort Macros" chapter)

DSCP/CoS via LLDP ("Configuring LLDP, LLDP-MED, and Location Service" chapter

EEM: Embedded Event Manager 3.2

For details, refer to the URL:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_3.2.html

EIGRP Service Advertisement Framework

For details refer to the URL:

http://www.cisco.com/en/US/docs/ios/saf/configuration/guide/saf_cg.html

EnergyWise 2.0

For details refer to the URL:

http://www.cisco.com/en/US/docs/switches/lan/energywise/phase2/ios/configuration/guide/ew_v2.html

Identity 4.1 ACL Policy Enhancements ("Configuring Network Security with ACLs" chapter)

Identity 4.1 Network Edge Access Topology ("Configuring 802.1X Port-Based Authentication" chapter)

IPSG for Static Hosts (Refer to the Cisco IOS library)

Layer Control Packet (extended to Supervisor 6)

Link State Tracking ("Configuring EtherChannel and Link State Tracking" chapter)

MAC move and replace ("Administering the Switch" chapter)

Per-VLAN Learning ("Administering the Switch" chapter)

PoEP via LLDP ("Configuring LLDP, LLDP-MED, and Location Service" chapter)

RADIUS CoA ("Configuring 802.1X Port-Based Authentication" chapter)

Sub-second UDLD (Configuring UDLD" chapter)

VRF-aware TACACS+ ("Configuring VRF-lite" chapter)

XML Programmatic Interface (Refer to the Cisco IOS library)

For details refer to the URL:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_xmlpi_v1.html

New Hardware Features in Release 12.2(53)SG3

Release 12.2(53)SG3 provides the following new hardware on the Catalyst 4500 series switch:


Note This set of optics is not supported on Cisco IOS Release 12.2(54)SG and Cisco IOS XE Release 3.1.0 SG.


DWDM-SFP-6141

DWDM-SFP-5736

DWDM-SFP-5332

DWDM-SFP-4931

DWDM-SFP-4532

DWDM-SFP-4134

DWDM-SFP-3739

DWDM-SFP-3346

New Software Features in Release 12.2(53)SG3

Release 12.2(53)SG3 provides no new features for the Catalyst 4500 series switch.

New Hardware Features in Release 12.2(53)SG

Release 12.2(53)SG provides the following new hardware for the Catalyst 4900 series switch:

None

New Software Features in Release 12.2(53)SG

Release 12.2(53)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:

IP Multicast Load Splitting (Equal Cost Multipath (ECMP) using S, G and Next-hop)

New Hardware Features in Release 12.2(52)SG

Release 12.2(52)SG provides no new hardware for the Catalyst 4900 series switch.

New Software Features in Release 12.2(52)SG

Release 12.2(52)SG provides the following new Cisco IOS software features for the Catalyst 4900 series switch:

Catalyst 4948 IP Base Upgrade License for LAN Base IOS (WS-C4900-SW-LIC)

All LAN Base customers looking to upgrade from LAN Base to IP Base or Enterprise services are required to order "The Catalyst 4948 IP Base upgrade license WS-C4900-SW-LIC." This license is not required for customers currently running IP base or enterprise services.


Note LAN base is only supported on Catalyst 4948 and Catalyst 4948-10GE. It is not supported on Catalyst 4900M or Catalyst 4928-10GE (ME 4900).


DHCPv6 Enhancements

DHCPv6 Ethernet Remote ID option

DHCPv6 Relay - Persistent Interface ID option DHCPv6 Relay Agent notification for Prefix Delegation

EnergyWise

Identity ACL Policy Enforcement Enhancement

Filter-ID

Per-user ACL

Local WebAuth Enhancement

Network Mobility Services Protocol

Online Diagnostics

PIM Accept Register - Rogue Multicast Server Protection (route-map option is not supported)

QinQ Tunneling and Layer 2 Protocol Tunneling ("Configuring 802.1Q and Layer 2 Protocol Tunneling" chapter)


Note Support has now been extended to Catalyst 4900M series switch and Supervisor Engine 6L-E.


Smart Call Home

SSM Mapping

Supported MIBs

Cisco Enhanced Image MIB

Cisco HSRP extension MIB

CISCO-CALLHOME-MIB.my

EnergyWise MIB

POE MIB

POE ext MIB

Entity-Diag-MIB

Bridge MIB

NTP master command

New Hardware Features in Release 12.2(50)SG2

Release 12.2(50)SG2 provides the following new hardware for the Catalyst 4900 series switch:

None

New Software Features in Release 12.2(50)SG2

Release 12.2(50)SG2 provides the following new Cisco IOS software features for the Catalyst 4900 series switch:

None

New Hardware Features in Release 12.2(50)SG1

Release 12.2(50)SG1 provides the following new hardware for the Catalyst 4900 series switch:

None

New Software Features in Release 12.2(50)SG1

Release 12.2(50)SG1 provides the following new Cisco IOS software features for the Catalyst 4900 series switch:

EEM version 2

New Hardware Features in Release 12.2(50)SG

Release 12.2(50)SG provides the following new hardware for the Catalyst 4900 series switch:

SFP+ using X2 hole adaptor

X2-10GB-ZR optical module

X2-10GB-DWDM optical module

New Software Features in Release 12.2(50)SG

Release 12.2(50)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:


Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.


IGMP Querier ("Configuring IGMP Snooping" chapter)

OSPF and EIGRP fast convergence and protection (Refer to the Cisco IOS Release 12.4 documentation)

CDP 2nd Port Status TLV (no configuration required on the switch)

Flexible Authentication Sequencing ("Configuring 802.1X" chapter)

Multi-Authentication ("Configuring 802.1X" chapter)

Open Authentication ("Configuring 802.1X" chapter)

Web Authentication ("Configuring Web Authentication" chapter)

Inactivity Timer ("Configuring 802.1X" chapter)

Downloadable ACLs ("Configuring Network Security with ACLs" chapter)

ANCP Client (not supported on E-Series Supervisor Engine 6-E; "Configuring ANCP Client" chapter)

PPPoE Intermediate Agent (not supported on E-Series Supervisor Engine 6-E; "PPPoE Circuit-Id Tag Processing" chapter)

VTP version 3 ("Configuring VLANs, VTP, and VMPS" chapter)

VRF-aware IP services ("Configuring VRF-Lite" chapter)

ANCP Client (not supported on E-Series Supervisor Engine 6-E; "Configuring ANCP Client" chapter)

PPPoE Intermediate Agent (not supported on E-Series Supervisor Engine 6-E; "PPPoE Circuit-Id Tag Processing" chapter)

VTP version 3 ("Configuring VLANs, VTP, and VMPS" chapter)

VRF-aware IP services ("Configuring VRF-Lite" chapter)

boot config command (Refer to the Cisco IOS Release 12.2 documentation)

Archiving Crashinfo Files ("Configuring Command-Line Interfaces" chapter)

Unicast MAC filtering ("Configuring Network Security with ACLs" chapter)

Configuration Rollback

Cisco TrustSec SGT Exchange Protocol (SXP) IPv4

For more information, refer to the following URLs:

http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

and

http://www.cisco.com/en/US/docs/switches/lan/trustsec/release/notes/rn_cts_xplat.html

New Hardware Features in Release 12.2(46)SG

Release 12.2(46)SG provides the following new hardware for the Catalyst 4900 series switch:

None

New Software Features in Release 12.2(46)SG

Release 12.2(46)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:


Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.


FlexLink and FlexLink+ with MAC Address-Table Move Update (Refer to the "Configuring FlexLink" chapter)

LLDP-MED: location TLV and MIB (Refer to the "Configuring LLDP and LLDP-MED" chapter)

Enhanced Object Tracking (EOT) ((Refer to the Cisco IOS Release 12.2 documentation)

HSRP with EOT

VRRP with EOT

GLBP with EOT

IP SLA with EOT

Reliable Backup Static Routing with EOT

CFM 802.1ag (Refer to the "Configuring Ethernet CFM and OAM" chapter)

E-OAM 802.3ah (Refer to the "Configuring Ethernet CFM and OAM" chapter)

Ethernet Management Port (Refer to the "Configuring Interfaces" chapter)

New Hardware Features in Release 12.2(44)SG

Release 12.2(44)SG provides the following new hardware for the Catalyst 4900 series switch:

None

New Software Features in Release 12.2(44)SG

Release 12.2(44)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:


Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.


REP (Refer to the "Configuring REP" chapter)

VSS client with PagP+

After configuring VSS dual-active on a Catalyst 6500 switches, the Catalyst 4500 series switch can detect VSS dual-active with PagP+ support.

IP SLA (Refer to the Cisco IOS Release 12.2 documentation)

802.1ab LLDP and LLDP-MED (Refer to the "Configuring LLDP and LLDP-MED" chapter)

X2 Link Debounce Timer (Refer to the "Configuring Interfaces" chapter)

ESM

For details, refer to the ESM Home Page:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_esm.html

New Hardware Features in Release 12.2(40)SG

Release 12.2(40)SG provides the following new hardware for the Catalyst 4900 series switch:

None

New Software Features in Release 12.2(40)SG

Release 12.2(40)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:


Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.


Embedded Event Manager (Refer to the Cisco IOS Release 12.4 documentation)

Gateway Load Balancing Protocol (Refer to the Cisco IOS Release 12.4 documentation)

New Hardware Features in Release 12.2(37)SG

Release 12.2(37)SG provides the following new hardware for the Catalyst 4900 series switch:

None

New Software Features in Release 12.2(37)SG

Release 12.2(37)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:


Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.


Selective Dynamic Buffer Limiting ("Configuring QoS" chapter)

SVI Autostate Exclude ("Configuring Layer 3 Interface" chapter)

IP Source Guard for Static Hosts ("Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts" chapter)

BGP route-map Continue Support for Outbound Policy

For details, locate the feature entry in the Feature Information Table located toward the end of the "Connecting to a Service Provider Using External BGP" module

Auto RP Listerner (Refer to the Cisco IOS Release 12.4 documentation)

New Hardware Features in Release 12.2(31)SGA

Cisco IOS Release 12.2(31)SGA is the first IOS release supporting the Cisco ME 4900 Series Ethernet Switch.

Following hardware was supported:

X2-10GB-LRM

New Software Features in Release 12.2(31)SGA

Release 12.2(31)SGA provides the following Cisco IOS software features for the Catalyst 4900 series switch:


Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.


Trunk Port Security over EtherChannel ("Configuring Port Security and Configuring EtherChannel" chapters)

Match CoS for Non-IPv4 Traffic ("Configuring QoS" chapter)

CoS Mutation ("Configuring QoS" chapter)

QinQ Tunneling and Layer 2 Protocol Tunneling ("Configuring 802.1Q and Layer 2 Protocol Tunneling" chapter)


Note This support applies to WS-X4948 only.


IP Unnumbered ("Configuring IP Unnunmbered Support" chapter)

New Hardware Features in Release 12.2(31)SG

There are no new hardware features in Cisco IOS Release 12.2(31)SG.

New Software Features in Release 12.2(31)SG

Release 12.2(31)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:


Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.


Control Plane Policing ("Configuring Control Plane Policing" chapter)

WCCPv2 Layer 2 Redirection ("Configuring WCCPv2 Services" chapter)

MAC Authentication Bypass ("Configuring 802.1X Port-Based Authentication" chapter)

802.1X Inaccessible Authentication Bypass ("Configuring 802.1X Port-Based Authentication" chapter)

802.1X Unidirectional Controlled Port ("Configuring 802.1X Port-Based Authentication" chapter)

Private VLAN Promiscuous Trunk ("Configuring Private VLANs" chapter)

MAC Address Notification ("Administering the Switch" chapter)

Voice VLAN Sticky Port Security ("Configuring Port Security" chapter)

Virtual Router Redundancy Protocol (VRRP) (Refer to the Cisco IOS Release 12.3 documentation)

Secure Copy Protocol (SCP) (Refer to the Cisco IOS Release 12.3 documentation)

New Hardware Features in Release 12.2(25)SG

There are no new hardware features in Cisco IOS Release 12.2(25)SG.

New Software Features in Release 12.2(25)SG

Release 12.2(25)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:


Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.


IEEE 802.1S Standards Compliance (Refer to the Cisco IOS Release 12.3 documentation)


Note In Cisco IOS Release 12.2(25)SG for the Catalyst 4500 and 4900 series switches, the implementation for multiple spanning tree (MST) changed from the previous release. Multiple STP (MSTP) complies with IEEE 802.1s standard. Previous MSTP implementations were based on a draft of the IEEE 802.1s standard.


802.1X Authentication Failure VLAN ("Understanding and Configuring 802.1X Port-Based Authentication" chapter)

HTTPS (Refer to the Cisco IOS Release 12.3 documentation)

IS-IS MIB (Refer to the Cisco IOS Release 12.3 documentation

OSPF Fast Convergence (Refer to the Cisco IOS Release 12.3 documentation)

Time Domain Reflectometry ("Checking Port Status and Connectivity" chapter)

IEEE 802.1S Standards Compliance (Refer to the Cisco IOS Release 12.3 documentation)

SNMP V3 support for Bridge-MIB with VLAN indexing

Interface Link and Trunk Status Logging Event Enhancement ("Configuring Interfaces" chapter)

New Hardware Features in Release 12.2(25)EWA

Release 12.2(25)EWA provides the following new hardware for the Catalyst 4900 series switch:

WS-X4948-10GE—Catalyst 4948 48-Port 10/100/1000 + 2 10GE in a 1 RU with dual, redundant AC/DC power


Caution If you plan to insert X2 transceivers in the Cisco Catalyst 4948-10GE, you should ensure that the Catalyst 4900 series switch and the X2 back interfaces are properly oriented during the OIR (Online insertion and removal) of the transceivers. The top transceiver (port tengig1/49) should be inserted with heatsink facing up. The bottom transceiver (port tengig1/50) should be plugged in with heatsink facing down, CLEI (Common Language Equipment Identifiers) label facing up. When inserted correctly, the TX/RX of the bottom transceiver would look reversed. For more details refer to the
Catalyst 4948-10GE Switch Installation Guide.

New Software Features in Release 12.2(25)EWA

Release 12.2(25)EWA provides the following Cisco IOS software features for the Catalyst 4900 series switch:


Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.


Per-Port Per-VLAN QoS ("Configuring QoS and Per-Port Per-VLAN QoS" chapter)

Trunk-Port Security ("Configuring Port Security and Trunk Port Security" chapter)

802.1X Private VLAN Assignment ("Understanding and Configuring 802.1X Port-Based Authentication" chapter)

802.1X Private Guest VLAN ("Understanding and Configuring 802.1X Port-Based Authentication" chapter)

802.1X Radius-Supplied Session Timeout ("Understanding and Configuring 802.1X Port-Based Authentication" chapter)

DHCP Option 82 Pass Through ("Configuring DHCP Snooping and IP Source Guard" chapter)

New Hardware Features in Release 12.2(25)EW

There are no new hardware features in Release 12.2(25)EW.

New Software Features in Release 12.2(25)EW

There are no new software features in Cisco IOS Release 12.2(25)EW

New Hardware Features in Release 12.2(20)EWA

There are no new hardware features in Cisco IOS Release 12.2(20)EWA.

New Software Features in Release 12.2(20)EWA

Release 12.2(20)EWA provides the following Cisco IOS software features for the Catalyst 4900 series switch:


Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.


802.1X with Voice VLAN ID ("Understanding and Configuring 802.1X Port-Based Authentication" chapter)

Forced 10/100 Auto Negotiation ("Configuring Interfaces" chapter)

Upgrading the System Software

In most cases, upgrading the switch to a newer release of Cisco IOS software does not require a ROMMON upgrade. However, if you are running an early release of Cisco IOS software and plan to upgrade, the following tables list the recommended ROMMON release.


Caution Most supervisor engines have the required ROMMON release. However, due to caveat CSCed25996, we recommend that you upgrade your ROMMON to the recommended release.

Table 4 Catalyst 4900 Series Switches, Recommended ROMMON Release, and Promupgrade Programs

Switching Module
Minimum ROMMON Release
Promupgrade Program

WS-X4948

12.2(20r)EW

cat4500-ios-promupgrade-122_31r_SGA1

WS-X4948-10GE

12.2(25r)EWA

cat4500-ios-promupgrade-122_31r_SGA1

WS-C4928-10GE

12.2(31r)SGA2

cat4500-ios-promupgrade-122_31r_SGA2


The following sections describe how to upgrade your switch software:

Upgrading the ROMMON from the Console

Upgrading the ROMMON Remotely Using Telnet

Upgrading the Cisco IOS Software

Upgrading the ROMMON from the Console


Caution To avoid actions that might make your system unable to boot, read this entire section before starting the upgrade.


Note The examples in this section use the programmable read-only memory (PROM) upgrade version 12.2(25r)EWA and Cisco IOS Release 12.2(25)EWA. For other releases, replace the ROMMON release and Cisco IOS software release with the appropriate releases and filenames.


Follow this procedure to upgrade your supervisor engine ROMMON:


Step 1 Directly connect a serial cable to the console port.


Note This section assumes that the console baud rate is set to 9600 (default). If you want to use a different baud rate, change the configuration register value for your switch.


Step 2 Download the cat4000-ios-promupgrade-122_25r_EWA program from Cisco.com, and place it on a TFTP server in a directory that is accessible from the switch that will be upgraded.

The cat4000-ios-promupgrade-122_25r_EWA programs are available on Cisco.com at the same location from which you download Catalyst 4000 system images.

Step 3 Use the dir bootflash: command to ensure that there is sufficient space in Flash memory to store the PROM upgrade image. If there is insufficient space, delete one or more images, and then issue the
squeeze bootflash: command to reclaim the space.

Step 4 Download the cat4000-ios-promupgrade-122_25r_EWA program into Flash memory using the copy tftp command.

The following example shows how to download the PROM upgrade image cat4000-ios-promupgrade-122_25r_EWA from the remote host 172.20.58.78 to bootflash:

Switch# copy tftp: bootflash: 
Address or name of remote host [172.20.58.78]?  
Source filename [cat4000-ios-promupgrade-122_25r_EWA]?  
Destination filename [cat4000-ios-promupgrade-122_25r_EWA]?  
Accessing tftp://172.20.58.78/cat4000-ios-promupgrade-122_25r_EWA... 
Loading cat4000-ios-promupgrade-122_25r_EWA from 172.20.58.78 (via
FastEthernet2/1):!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!
[OK - 455620 bytes] 

455620 bytes copied in 2.644 secs (172322 bytes/sec) 
Switch#

Step 5 Enter the reload command to reset the switch, press Ctrl-C to stop the boot process, and re-enter ROMMON.

The following example shows the output after a reset into ROMMON:

Switch# reload
Proceed with reload? [confirm]
 
 
2d11h: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command
.
**********************************************************
 *                                                        *
 * Welcome to Rom Monitor for WS-C4948-10GE System.       *
 * Copyright (c) 1999-2005 by Cisco Systems, Inc.         *
 * All rights reserved.                                   *
 *                                                        *
 **********************************************************
 
 
 Rom Monitor Program Version 12.2(25r)EWA
 Supervisor: WS-C4948-10GE  Chassis: WS-C4948
 Hardware Revisions - Board: 8.3 CPLD Gill: 17
 
 
 MAC Address  : 00-0b-fc-ff-3b-ff
 IP Address   : 10.5.43.225
 Netmask      : 255.255.255.0
 Gateway      : 10.5.43.1
 TftpServer   : 10.5.5.5
 
 
 ***** The system will autoboot in 5 seconds *****
 
 
 Type control-C to prevent autobooting.
 . .
 Autoboot cancelled......... please wait!!!
 
 
 Autoboot cancelled......... please wait!!!
rommon 1 > [interrupt]
 
 

Step 6 Run the PROM upgrade program by entering this command:
boot bootflash:cat4000-ios-promupgrade-122_25r_EWA


Caution No intervention is necessary to complete the upgrade. To ensure a successful upgrade, do not interrupt the upgrade process. Do not perform a reset, power cycle, or OIR of the supervisor engine until the upgrade is complete.

The following example shows the output from a successful upgrade, followed by a system reset:

rommon 2 > boot bootflash:cat4000-ios-promupgrade-122_25r_EWA
 
 
 
 ********************************************************** 
 *                                                        * 
 * Rom Monitor Upgrade Utility For WS-C4948-10GE System   * 
 * This upgrades flash Rom Monitor image to the latest    * 
 *                                                        * 
 * Copyright (c) 1997-2005 by Cisco Systems, Inc.         * 
 * All rights reserved.                                   * 
 *                                                        * 
 **********************************************************
 
 
 Image size = 1024.0 KBytes 
 
 
 Maximum allowed size = 1048576 KBytes 
 
 
 
 
 Upgrading your PROM... DO NOT RESET the system
 unless instructed or upgrade of PROM will fail !!!
 
 
 Beginning erase of 0x100000 bytes at offset 0x3e00000...  Done!
 
 
 Beginning write of prom  (0x100000 bytes at offset 0x3e00000)...
 
 
 This could take as little as 30 seconds or up to 2 minutes.
 Please DO NOT RESET!
 
 
 Verifying...
 
 
 Success! The prom has been upgraded successfully.
 System will reset itself and reboot within few seconds....
 
 

Step 7 Boot the Cisco IOS software image, and enter the show version command to verify that ROMMON has been upgraded to 12.2(25r)EWA.

Step 8 Use the delete command to delete the PROM upgrade program from bootflash and the squeeze command to reclaim unused space.

The following example shows how to delete the cat4000-ios-promupgrade-122_25r_EWA image from bootflash and reclaim unused space:

Switch# delete bootflash:cat4000-ios-promupgrade-122_25r_EWA
Switch# squeeze bootflash:
 
 
All deleted files will be removed, proceed (y/n) [n]? y
 
 
Squeeze operation may take some time, proceed (y/n) [n]? y
Switch#
 
 

Step 9 Use the show version command to verify that the ROMMON has been upgraded

Switch# show version
Cisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version 
12.2(25)EWA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 17-Aug-05 17:09 by alnguyen
Image text-base: 0x10000000, data-base: 0x11269914
 
 
ROM: 12.2(25r)EWA
Pod Revision 0, Force Revision 31, Tie Revision 17
 
 
Switch uptime is 1 minute
System returned to ROM by reload
System image file is "bootflash:cat4500-ipbase-mz.122-25.EWA"
 
 
cisco WS-C4948-10GE (MPC8540) processor (revision 3) with 262144K bytes of memory.
Processor board ID 0
MPC8540 CPU at 667Mhz, Fixed Module
Last reset from Reload
1 Virtual Ethernet interface
48 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
          
Configuration register is 0x2
 
 
Switch#

The ROMMON has now been upgraded.

See the "Upgrading the Cisco IOS Software" section for instructions on how to upgrade the Cisco IOS software on your switch.

Upgrading the ROMMON Remotely Using Telnet


Caution To avoid actions that might make your system unable to boot, read this entire section before starting the upgrade.

Follow this procedure to upgrade your supervisor engine ROMMON to Release 12.2(25r)EWA. This procedure can be used when console access is not available and when the ROMMON upgrade must be performed remotely.


Note In the following section, use the PROM upgrade version cat4000-ios-promupgrade-122_25r_EWA.



Step 1 Establish a Telnet session to the supervisor engine.


Note In the following discussion, we assume that at least one IP address has been assigned to either an SVI or a routed port.


Step 2 Download the cat4000-ios-promupgrade-122_25r_EWA program from Cisco.com, and place it on a TFTP server in a directory that is accessible from the switch to be upgraded.

The cat4000-ios-promupgrade-122_25r_EWA programs are available on Cisco.com at the same location from which you download Catalyst 4000 system images.

Step 3 Use the dir bootflash: command to ensure that there is sufficient space in Flash memory to store the PROM upgrade image. If there is insufficient space, delete one or more images, and then issue the
squeeze bootflash: command to reclaim the space.

Step 4 Download the cat4000-ios-promupgrade-122_25r_EWA program into Flash memory using the
copy tftp command.

The following example shows how to download the PROM upgrade image cat4000-ios-promupgrade-122_25r_EWA from the remote host 10.5.5.5 to bootflash:

Switch# copy tftp: bootflash: 
Address or name of remote host [10.5.5.5]?
Source filename [cat4000-ios-promupgrade-122_25r_EWA]? 
/tftpboot/pjose/cat4000-ios-promupgrade-122_25r_EWA
Destination filename [cat4000-ios-promupgrade-122_25r_EWA]?
Accessing tftp://10.5.5.5//tftpboot/pjose/cat4000-ios-promupgrade-122_25r_EWA...
Loading /tftpboot/pjose/cat4000-ios-promupgrade-122_25r_EWA from 10.5.5.5 (via G
igabitEthernet1/1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 1244496 bytes]
 
 
1244496 bytes copied in 9.484 secs (131221 bytes/sec)
Switch#

Step 5 Use the no boot system flash bootflash:file_name command to clear all BOOT variable commands in the configuration file. In this example, the BOOT variable was set to boot the image cat4000-ios-promupgrade-122_25r_EWA from bootflash:

Switch# configure terminal
Switch(config)# no boot system flash bootflash:cat4000-ios-promupgrade-122_25r_EWA
Switch(config)# exit
Switch# write
Building configuration...
Compressed configuration from 3641 to 1244 bytes [OK]
Switch# 
 
 
Use the boot system flash bootflash:file_name command to set the BOOT variable. You will 
use two BOOT commands: one to upgrade the ROMMON and a second to load the Cisco IOS 
software image after the ROMMON upgrade is complete. Notice the order of the BOOT 
variables in the example below. At bootup the first BOOT variable command upgrades the 
ROMMON. When the upgrade is complete the supervisor engine will autoboot, and the second 
BOOT variable command will load the Cisco IOS software image specified by the second BOOT 
command. 

Note The config-register must be set to autoboot.


In this example, we assume that the console port baud rate is set to 9600 bps and that the 
config-register is set to 0x0102.
 
 
Use the config-register command to autoboot using image(s) specified by the BOOT variable. 
Configure the BOOT variable to upgrade the ROMMON and then autoboot the IOS image after 
the ROMMON upgrade is complete. In this example, we are upgrading the ROMMON to version 
12.2(25r)EWA. After the ROMMON upgrade is complete, the supervisor engine will boot Cisco 
IOS software Release 12.2(25)EWA.
 
 
config-register to 0x0102.
 
 
Switch# configure terminal
Switch(config)# boot system flash bootflash:cat4000-ios-promupgrade-122_25r_EWA
Switch(config)# boot system flash bootflash:cat4500-ipbase-mz.122-25.EWA
Switch(config)# config-register 0x0102
Switch(config)# exit
Switch# write
Building configuration...
Compressed configuration from 3641 to 1244 bytes [OK]
Switch# 
 
 

Step 6 Use the show bootvar command to verify the boot string. The BOOT variable in this example will first run the PROM upgrade to upgrade ROMMON. Then, the upgrade software will reload and the supervisor engine will load the Cisco IOS software image.

Switch#sh bootvar
BOOT variable = 
bootflash:cat4000-ios-promupgrade-122_25r_EWA,1;bootflash:cat4500-ipbase-mz.122-25.EWA
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0x2102
 
 

Step 7 Run the PROM upgrade program by issuing the reload command. Issuing this command will terminate your Telnet session.


Caution Verify the boot string in step 6. No intervention is necessary to complete the upgrade. To ensure a successful upgrade, do not interrupt the upgrade process. Do not perform a reset, power cycle, or OIR of the supervisor engine until the upgrade is complete.

The following example shows the console port output from a successful ROMMON upgrade followed by a system reset. Your Telnet session will be disconnected during the ROMMON upgrade, so you will not see this output. This step could take 2-3 minutes to complete. You will need to reconnect your Telnet session after 2-3 minutes when the Cisco IOS software image and the interfaces are loaded.

Switch# reload
Proceed with reload? [confirm]
 
 
00:00:36: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
 
 
  
 ********************************************************** 
 *                                                        * 
 * Welcome to Rom Monitor for WS-C4948-10GE System.       * 
 * Copyright (c) 1999-2005 by Cisco Systems, Inc.         * 
 * All rights reserved.                                   * 
 *                                                        * 
 **********************************************************
 
 Rom Monitor Program Version 12.2(25r)EWA
 Supervisor: WS-C4948-10GE  Chassis: WS-C4948 
 Hardware Revisions - Board: 8.0 CPLD : 17 FPGA : 0 
 
 MAC Address  : 00-0b-fc-ff-3b-ff 
 IP Address   : 10.5.43.225 
 Netmask      : 255.255.255.0 
 Gateway      : 10.5.43.1 
 TftpServer   : 10.5.5.5 
 
 
 ***** The system will autoboot in 5 seconds *****
 
 
 Type control-C to prevent autobooting.
 . . . . .
 ******** The system will autoboot now ********
 
 
 config-register = 0x102 
 Autobooting using BOOT variable specified file.....
 Current BOOT file is --- bootflash:cat4000-ios-promupgrade-122_25r_EWA 
 
 
 
 
 
 
 ********************************************************** 
 *                                                        * 
 * Rom Monitor Upgrade Utility For WS-C4948-10GE System   * 
 * This upgrades flash Rom Monitor image to the latest    * 
 *                                                        * 
 * Copyright (c) 1997-2005 by Cisco Systems, Inc.         * 
 * All rights reserved.                                   * 
 *                                                        * 
 **********************************************************
 Image size = 1024.0 KBytes 
 Maximum allowed size = 1048576 KBytes 
 
 
 Upgrading your PROM... DO NOT RESET the system
 unless instructed or upgrade of PROM will fail !!!
 Beginning erase of 0x100000 bytes at offset 0x3e00000...  Done!
 Beginning write of prom  (0x100000 bytes at offset 0x3e00000)...
 This could take as little as 30 seconds or up to 2 minutes.
 Please DO NOT RESET!
 Verifying...
 Success! The prom has been upgraded successfully.
 System will reset itself and reboot within few seconds....
 
****
 (output truncated)
 . . . . .
 ******** The system will autoboot now ********
 
 
 config-register = 0x102 
 Autobooting using BOOT variable specified file.....
 Current BOOT file is --- bootflash:cat4500-ipbase-mz.122-25.EWA
Rommon reg: 0x00004180
###########
(output truncated)
Exiting to ios...
Rommon reg: 0x00000180
###############################
              Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706
 
Cisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version 
12.2(25)EWA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 17-Aug-05 17:09 by alnguyen
Image text-base: 0x10000000, data-base: 0x11269914
 
 
 
 
cisco WS-C4948-10GE (MPC8540) processor (revision 3) with 262144K bytes of memory.
Processor board ID 0
MPC8540 CPU at 667Mhz, Fixed Module
Last reset from Reload
1 Virtual Ethernet interface
48 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
Uncompressed configuration from 1171 bytes to 2726 bytes
 
 
Press RETURN to get started!
 
 
Switch>en
Switch#
 
 

Step 8 Use the no boot system flash bootflash:file_name command to clear the BOOT command used to upgrade the ROMMON.

Switch# configure terminal
Switch(config)# no boot system flash bootflash:cat4000-ios-promupgrade-122_25r_EWA
Switch(config)# exit
Switch# write
Building configuration...
Compressed configuration from 3641 to 1244 bytes [OK]
Switch#

Step 9 Use the show version command to verify that the ROMMON has been upgraded.

Switch# show version
Cisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version 
12.2(25)EWA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 17-Aug-05 17:09 by alnguyen
Image text-base: 0x10000000, data-base: 0x11269914
 
 
ROM: 12.2(25r)EWA
Pod Revision 0, Force Revision 31, Tie Revision 17
 
 
Switch uptime is 0 minutes
System returned to ROM by reload
System image file is "bootflash:cat4500-ipbase-mz.122-25.EWA"
 
 
cisco WS-C4948-10GE (MPC8540) processor (revision 3) with 262144K bytes of memory.
Processor board ID 0
MPC8540 CPU at 667Mhz, Fixed Module
Last reset from Reload
1 Virtual Ethernet interface
48 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
 
 
Configuration register is 0x102
 
 
Switch#
 
 

Step 10 Use the delete command to delete the PROM upgrade program from bootflash and the squeeze command to reclaim unused space.

The following example shows how to delete the cat4000-ios-promupgrade-122_25r_EWA image from bootflash and reclaim unused space:

Switch# delete bootflash:cat4000-ios-promupgrade-122_25r_EWA
Switch# squeeze bootflash:
 
 
All deleted files will be removed, proceed (y/n) [n]? y
 
 
Squeeze operation may take some time, proceed (y/n) [n]? y
Switch#
 
 

Step 11 Use the show bootvar command to verify that the ROMMON upgrade program has been removed from the BOOT variable.

Switch# show bootvar
BOOT variable = bootflash:cat4500-ipbase-mz.122-25.EWA,12;
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0x2102
Switch#

The ROMMON has now been upgraded.

See the "Upgrading the Cisco IOS Software" section for instructions on how to upgrade the Cisco IOS software on your switch.

Upgrading the Cisco IOS Software


Caution To avoid actions that might make your system unable to boot, please read this entire section before starting the upgrade.

Before you proceed, observe the following rules for hostname:

Do not expect case to be preserved

Uppercase and lowercase characters look the same to many internet software applications. It may seem appropriate to capitalize a name the same way you might do in English, but conventions dictate that computer names appear all lowercase. For more information, refer to RFC 1178, Choosing a Name for Your Computer.

Must start with a letter and end with a letter or digit.

Interior characters can only be letters, digits, and hyphens; periods and underscores not allowed.

Names must be 63 characters or fewer; hostname of fewer than 10 characters is recommended.

On most systems, a field of 30 characters is used for the host name and the prompt in the CLI. Longer configuration mode prompts may be truncated.

To upgrade the Cisco IOS software on your Catalyst 4900 series switch, use this procedure:


Step 1 Download Cisco IOS Release 12.2(25)EWA from Cisco.com, and place the image on a TFTP server in a directory that is accessible from the supervisor engine that will be upgraded.

Step 2 Use the dir bootflash: command to ensure that there is sufficient space in Flash memory to store the promupgrade image. If there is insufficient space, delete one or more images, and then enter the squeeze bootflash: command to reclaim the space.

Step 3 Download the software image into Flash memory using the copy tftp command.

The following example shows how to download the Cisco IOS software image cat4500-ipbase-mz.122-25.EWA from the remote host 172.20.58.78 to bootflash:

Switch# copy tftp: bootflash:
Address or name of remote host [172.20.58.78]? 
Source filename [cat4500-ipbase-mz.122_25.EWA]?
Destination filename [cat4500-ipbase-mz.122-25.EWA]? 
Accessing tftp://172.20.58.78/cat4500-ipbase-mz.122-25.EWA...
Loading cat4500-ipbase-mz.122-25.EWA from 172.20.58.78 (via
FastEthernet2/1):!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 6923388/13846528 bytes]
 
 
6923388 bytes copied in 72.200 secs (96158 bytes/sec)
Switch#
 
 

Step 4 Use the no boot system flash bootflash:file_name command to clear the cat4500-ipbase-mz.122-25.EWA file and to save the BOOT variable.

The following example shows how to clear the BOOT variable:

Switch# configure terminal
Switch(config)# no boot system flash bootflash:cat4500-ipbase-mz.122_25.EWA
Switch(config)# exit
Switch# write
Building configuration...
Compressed configuration from 3641 to 1244 bytes [OK]
Switch# 
 
 

Step 5 Use the boot system flash command to add the Cisco IOS software image to the BOOT variable.

The following example shows how to add the cat4500-ipbase-mz.122-25.EWA image to the BOOT variable:

Switch# configure terminal
Switch(config)# boot system flash bootflash:cat4500-ipbase-mz.122_25.EWA
Switch(config)# exit
Switch# write
Building configuration...
Compressed configuration from 3641 to 1244 bytes [OK]
Switch# 
 
 

Step 6 Use the config-register command to set the configuration register to 0x2102.

The following example show how to set the second least significant bit in the configuration register:

Switch# configure terminal
Switch(config)# config-register 0x2102
Switch(config)# exit
Switch# write
Building configuration...
Compressed configuration from 3723 to 1312 bytes [OK]
Switch#
 
 

Step 7 Enter the reload command to reset the switch and load the software.


Caution No intervention is necessary to complete the upgrade. To ensure a successful upgrade, do not interrupt the upgrade process by performing a reset, power cycle, or OIR of the supervisor, for at least five minutes.

The following example shows the output from a successful upgrade followed by a system reset:

Switch# reload
 
 
System configuration has been modified. Save? [yes/no]: yes
Building configuration...
Compressed configuration from 2668 bytes to 1127 bytes[OK]
Proceed with reload? [confirm]
 
 
00:02:11: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Comm
and.
 
 
 **********************************************************
 *                                                        *
 * Welcome to Rom Monitor for WS-C4948-10GE System.       *
 * Copyright (c) 1999-2005 by Cisco Systems, Inc.         *
 * All rights reserved.                                   *
 *                                                        *
 **********************************************************
 
 
 Rom Monitor Program Version 12.2(25r)EWA
 Supervisor: WS-C4948-10GE  Chassis: WS-C4948
 Hardware Revisions - Board: 8.3 CPLD Gill: 17
 
 
 
 
 MAC Address  : 00-0b-fc-ff-3b-ff
 IP Address   : 10.5.43.225
 Netmask      : 255.255.255.0
 Gateway      : 10.5.43.1
 TftpServer   : 10.5.5.5
 
 
 
 
 ***** The system will autoboot in 5 seconds *****
 
 
 
 
 Type control-C to prevent autobooting.
 . . . . .
 
 
 ******** The system will autoboot now ********
 
 
 
 
 config-register = 0x2102
 Autobooting using BOOT variable specified file.....
 
 
 Current BOOT file is --- bootflash:cat4500-ipbase-mz.122-25.EWA
 
 
Rommon reg: 0x00004180
###########
k2diags version 5.0.1_e
 
 
prod: WS-C4948-10GE  part: 0  serial: 0
 
 
 
 
Power-on-self-test for Module 1:  WS-C4948-10GE
 Port/Test Status: (. = Pass, F = Fail, U = Untested)
 
 
Cpu Subsystem Tests ...
seeprom: . temperature_sensor: .
 
 
Port Traffic: L2 Serdes Loopback ...
 0: .  1: .  2: .  3: .  4: .  5: .  6: .  7: .  8: .  9: . 10: . 11: .
12: . 13: . 14: . 15: . 16: . 17: . 18: . 19: . 20: . 21: . 22: . 23: .
24: . 25: . 26: . 27: . 28: . 29: . 30: . 31: . 32: . 33: . 34: . 35: .
36: . 37: . 38: . 39: . 40: . 41: . 42: . 43: . 44: . 45: . 46: . 47: .
62: . 63: .
 
 
 
 
Port Traffic: L2 Asic Loopback ...
 0: .  1: .  2: .  3: .  4: .  5: .  6: .  7: .  8: .  9: . 10: . 11: .
12: . 13: . 14: . 15: . 16: . 17: . 18: . 19: . 20: . 21: . 22: . 23: .
24: . 25: . 26: . 27: . 28: . 29: . 30: . 31: . 32: . 33: . 34: . 35: .
36: . 37: . 38: . 39: . 40: . 41: . 42: . 43: . 44: . 45: . 46: . 47: .
62: . 63: .
 
 
 
 
Port Traffic: L3 Asic Loopback ...
 0: .  1: .  2: .  3: .  4: .  5: .  6: .  7: .  8: .  9: . 10: . 11: .
12: . 13: . 14: . 15: . 16: . 17: . 18: . 19: . 20: . 21: . 22: . 23: .
24: . 25: . 26: . 27: . 28: . 29: . 30: . 31: . 32: . 33: . 34: . 35: .
36: . 37: . 38: . 39: . 40: . 41: . 42: . 43: . 44: . 45: . 46: . 47: .
62: . 63: .
 
 
 
 
Switch Subsystem Memory ...
 1: .  2: .  3: .  4: .  5: .  6: .  7: .  8: .  9: . 10: . 11: . 12: .
13: . 14: . 15: . 16: . 17: . 18: . 19: . 20: . 21: . 22: . 23: . 24: .
25: . 26: . 27: . 28: . 29: . 30: . 31: . 32: . 33: . 34: . 35: . 36: .
37: . 38: . 39: . 40: . 41: . 42: . 43: . 44: . 45: . 46: . 47: . 48: .
49: . 50: . 51: .
 
 
 
 
Front Panel Ports ...
 1: .  2: .  3: .  4: .  5: .  6: .  7: .  8: .  9: . 10: . 11: . 12: .
13: . 14: . 15: . 16: . 17: . 18: . 19: . 20: . 21: . 22: . 23: . 24: .
25: . 26: . 27: . 28: . 29: . 30: . 31: . 32: . 33: . 34: . 35: . 36: .
37: . 38: . 39: . 40: . 41: . 42: . 43: . 44: . 45: . 46: . 47: . 48: .
 
 
 
 
Module 1 Passed
 
 
 
 
Exiting to ios...
 
 
Rommon reg: 0x00000180
###############################
              Restricted Rights Legend
 
 
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
 
 
           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706
 
 
 
 
 
Cisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version
 12.2(25)EWA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 17-Aug-05 17:09 by alnguyen
Image text-base: 0x10000000, data-base: 0x11269914
 
 
 
 
#    #    ##    #####   #    #    #    #    #   ####
#    #   #  #   #    #  ##   #    #    ##   #  #    #
#    #  #    #  #    #  # #  #    #    # #  #  #
# ## #  ######  #####   #  # #    #    #  # #  #  ###
##  ##  #    #  #   #   #   ##    #    #   ##  #    #
#    #  #    #  #    #  #    #    #    #    #   ####
 
 
The following environment variable(s) are set.  Setting these
environment variables may cause the system to behave unpredictably.
        "DontShipAllowChassisSimulation"
        "gdbEnable"
Use 'clear platform environment variable unsupported' to clear these variables.
 
 
cisco WS-C4948-10GE (MPC8540) processor (revision 3) with 262144K bytes of memor
y.
Processor board ID 0
MPC8540 CPU at 667Mhz, Fixed Module
Last reset from Reload
1 Virtual Ethernet interface
48 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
 
 
Uncompressed configuration from 1127 bytes to 2668 bytes
 
 
Press RETURN to get started!
 
 
00:00:06: %C4K_IOSMODPORTMAN-4-POWERSUPPLYBAD: Power supply 2 has failed or been
 turned off
00:00:06: %C4K_IOSMODPORTMAN-4-POWERSUPPLYFANBAD: Fan of power supply 2 has fail
ed
00:00:15: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:15: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 1 (WS-C4948-10GE S/N: 0 Hw:
0.3) is online
00:00:16: %SYS-5-CONFIG_I: Configured from memory by console
00:00:16: %SYS-5-RESTART: System restarted --
Cisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version
 12.2(25)EWA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 17-Aug-05 17:09 by alnguyen
Switch>
Switch#
 
 

Step 8 Use the show version command to verify that the new Cisco IOS release is operating on the switch.


Limitations and Restrictions

These sections list the limitations and restrictions for the current release of Cisco IOS software on the Catalyst 4900 series switch.

For IP Unnumbered, the following are not supported:

Dynamic routing protocols

HSRP/VRRP

Static arp

Unnumbered interface and Numbered interface in different VRFs

For WCCP version 2, the following are not supported:

GRE encapsulation forwarding method

Hash bucket based assignment method

Redirection on an egress interface (redirection out)

Redirect-list ACL

For IPX software routing, the following are not supported:

NHRP (Next Hop Resolution Protocol)

NLSP

Jumbo Frames

For AppleTalk software routing, the following are not supported:

AURP

AppleTalk Control Protocol for PPP

Jumbo Frames

EIGRP

For PBR, the following are not supported:

Matching cannot be performed on packet lengths

IP precedence, TOS, and QoS group are fixed

ACL or route-map statistics cannot be updated

IGRP not supported (use EIGRP, instead).

IP classful routing is not supported; do not use the no ip classless command; it will have no effect, as only classless routing is supported. The command ip classless is not supported as classless routing is enabled by default.

Catalyst 4500 supervisor engines will not be properly initialized if the VLAN configuration in the startup file does not match the information stored in the VLAN database file. This situation might occur if a backup configuration file was used.

A Layer 2 LACP channel cannot be configured with the spanning tree PortFast feature.

Netbooting using a boot loader image is not supported. See the "Troubleshooting" section for details on alternatives.

An unsupported default CLI for mobile IP is displayed in the HSRP configuration. Although this CLI will not harm your system, you might want to remove it to avoid confusion.

Workaround: Display the configuration with the show standby command, then remove the CLI. Here is sample output of the show standby GigabitEthernet1/1 command:

switch(config)# interface g1/1
switch(config)# no standby 0 name (0 is hsrp group number)
 
 

For HSRP "preempt delay" to function consistently, you must use the standby delay minimum command. Be sure to set the delay to more than 1 hello interval, thereby ensuring that a hello is received before HSRP leaves the initiate state.

Use the standby delay reload option if the router is rebooting after reloading the image.

When you attempt to run OSPF between a Cisco router and a third party router, the two interfaces might get stuck in the Exstart/Exchange state. This problem occurs when the maximum transmission unit (MTU) settings for neighboring router interfaces do not match. If the router with the higher MTU sends a packet larger than the MTU set on the neighboring router, the neighboring router ignores the packet.

Workaround: Since the problem is caused by mismatched MTUs, the solution is to change the MTU on either router to match the neighbor's MTU.

The Ethernet management port on the supervisor module is active in ROMMON mode only.

If an original packet is dropped due to transmit queue shaping and/or sharing configurations, a SPAN packet copy can still be transmitted on the SPAN port.

All software releases support a maximum of 32,768 IGMP snooping group entries.

Use the no ip unreachables command on all interfaces with ACLs configured for performance reasons.

The threshold for the Dynamic Arp Inspection err-disable function is set to 15 ARP packets per second per interface. You should adjust this threshold depending on the network configuration. The CPU should not receive DHCP packets at a sustained rate greater than 1000 pps.

Workaround: Verify whether or not the Neighbor discovery cache has an entry, separate from regular troubleshooting areas of IPv6 address configurations and other configurations.

If you first configure an IP address or IPv6 address on a Layer 3 port, then change the Layer 3 port to a Layer 2 port with the switchport command, and finally change it back to a Layer 3 port, the original IP/IPv6 address will be lost.

By default, IPv6 is not enabled. To route IPv6, you must issue the IPv6 unicast-routing command. If you plan to use IPv6 multicast routing, use the IPv6 multicast-routing command.

By default, CEF is not enabled for IPv6 (once IPv6 unicast routing is enabled). To prevent IPv6 traffic from being process-switched, use the IPv6 cef command.

Multicast sources in community VLANs are not supported.

Two-way community VLANs are not supported.

Voice VLANs are not supported on community VLAN host interfaces.

Private VLAN trunks do not carry community VLANs.

The maximum number of unique private VLAN pairs supported by the
switchport private-vlan mapping trunk command above is 1000. For example, one thousand secondary VLANs could map to one primary VLAN, or one thousand secondary VLANs could map one to one to one thousand primary VLANs.

While configuring PVLAN promiscuous trunk ports, the maximum number of mappings is 500 primary VLANs to 500 secondary VLANs.

802.1X inaccessible authentication bypass feature is not supported with NAC LAN port IP feature.

Changes to the console speed in "line console 0" configuration mode do not impact console speed in ROMMON mode. To apply the same console speed in ROMMON mode, use the "confreg" ROMMON utility and change ROMMON console speed.

If a Catalyst 4900 series switch requests information from the Cisco Secure Access Control Server (ACS) and the message exchange times out because the server does not respond, a message similar to this appears:

00:02:57: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.206:1645,1646 is not 
responding.
 
 

If this message appears, check that there is network connectivity between the switch and the ACS. You should also check that the switch has been properly configured as an AAA client on the ACS.

The bgp shutdown command is not supported in BGP router configuration mode. Executing this command might produce unexpected results.

A spurious error message appears when an SSH connection disconnects after an idle timeout.

Workaround: Disable idle timeouts. (CSCec30214)

IPSG for Static Hosts basically supports the same port mode as IPSG except that it does not support trunk port:

It supports Layer 2 access port and PVLAN host port (isolated or community port).

It does not support trunk port, Layer 3 port or EtherChannel.

IPSG for Static Hosts should not be used on uplink ports.

Selective DBL is only supported for non-tagged or single-tagged IP packets. To achieve Selective DBL-like functionality with a non-IP packet (like Q-in-Q and IPX), apply an input policy map that matches COS values and specifies DBL in the class map.

For Selective DBL, if the topology involves Layer 2 Q in Q tunneling, the match cos policy map will apply to the incoming port.

If a set of DSCP values are already configured (e.g. 0-30, 0-63), specifying a subset of these DSCP values with the qos dbl dscp-based 0-7 command will not remove the unwanted DSCP values of 8 through 63. Rather, you must use the no form of the command to remove the extraneous values. In this case, the no qos dbl dscp-based 8-63 command will leave 0-7 selected.

When using Port Security with Multi Domain Authentication (MDA) on an interface:

You must allow for at least 3 MAC addresses to access the switch: 2 for the phone (the MAC address of a phone gets registered to the Data domain and Voice domain), and one for the PC.

The data and voice VLAN IDs must differ.

For IP Port Security (IPSG) for static hosts, the following apply:

As IPSG learns the static hosts on each interface, the switch CPU may hit 100 per cent if there are a large number of hosts to learn. The CPU usage will drop once the hosts are learned.

IPSG violations for static hosts are printed as they occur. If multiple violations occur simultaneously on different interfaces, the CLI displays the last violation. For example, if IPSG is configured for 10 ports and violations exist on ports 3,6 and 9, the violation messages are printed only for port 9.

Inactive host bindings will appear in the device tracking table when either a VLAN is associated with another port or a port is removed from a VLAN. So, as hosts are moved across subnets, the hosts are displayed in the device tracking table as INACTIVE.

Autostate SVI does not work on EtherChannel.

After the fix for CSCsg08775, a GARP ACL entry is no longer part of the Static CAM area, but there is still a system-defined GARP class in Control Plane Policing (CPP). CPP is a macro with many CLIs and the GARP class creation CLI has been removed.

When ipv6 is enabled on an interface via any CLI, it is possible to see the following message:

% Hardware MTU table exhausted
 
 

In such a scenario, the ipv6 MTU value programmed in hardware will be different from the ipv6 interface MTU value. This will happen if there is no room in the hw MTU table to store additional values.

You must free up some space in the table by unconfiguring some unused MTU values and subsequently disable/re-enable ipv6 on the interface or reapply the MTU configuration.

To stop IPSG with Static Hosts on an interface, use the following commands in interface configuration submode:

Switch(config-if)# no ip verify source
Switch(config-if)# no ip device tracking max"
 
 

To enable IPSG with Static Hosts on a port, issue the following commands:

Switch(config)# ip device tracking ****enable IP device tracking globally
Switch(config)# ip device tracking max <n> ***set an IP device tracking maximum on int
Switch(config-if)# ip verify source tracking [port-security] ****activate IPSG on port

Caution If you only configure the ip verify source tracking [port-security] interface configuration command on a port without enabling IP device tracking globally or setting an IP device tracking maximum on that interface, IPSG with Static Hosts will reject all the IP traffic from that interface.


Note The issue above also applies to IPSG with Static Hosts on a PVLAN Host port.


Management port does not support non-VRF aware features.

When you enter the permit any any ? command you will observe the octal option, which is unsupported in Cisco IOS Release 12.2(52)SG.

CSCsy31324

A Span destination of fa1 is not supported.

The "keepalive" CLI is not supported in interface mode on the switch, although it will appear in the running configuration. This behavious has no impact on functionality.

TDR is only supported on interfaces Gi1/1 through Gi1/48, at 1000BaseT under open or shorted cable conditions. TDR length resolution is +/- 10 m. If the cable is less than 10 m or if the cable is properly terminated, the TDR result displays "0" m. If the interface speed is not 1000BaseT, an "unsupported" result status displays. TDR results will be unreliable for cables extended with the use of jack panels or patch panels.

The following guidelines apply to Fast UDLD:

Fast UDLD is disabled by default.

Configure fast UDLD only on point-to-point links between network devices that support fast UDLD.

You can configure fast UDLD in either normal or aggressive mode.

Do not enter the link debounce command on fast UDLD ports.

Configure fast UDLD on at least two links between each connected network device. This reduces the likelihood of fast UDLD incorrectly error disabling a link due to false positives.

Fast UDLD does not report a unidirectional link if the same error occurs simultaneously on more than one link to the same neighbor device.

A XML-PI specification file entry does not return the desired CLI output.

The outputs of certain commands, such as show ip route and show access-lists, contain non-deterministic text. While the output is easily understood, the output text does not contain strings that are consistently output. A general purpose specification file entry is unable to parse all possible output.

Workaround (1):

While a general purpose specification file entry may not be possible, a specification file entry might be created that returns the desired text by searching for text that is guaranteed to be in the output. If a string is guaranteed to be in the output, it can be used for parsing.

For example, the output of the show ip access-lists SecWiz_Gi3_17_out_ip command is this:

    Extended IP access list SecWiz_Gi3_17_out_ip
        10 deny ip 76.0.0.0 0.255.255.255 host 65.65.66.67
        20 deny ip 76.0.0.0 0.255.255.255 host 44.45.46.47
        30 permit ip 76.0.0.0 0.255.255.255 host 55.56.57.57
 
 

The first line is easily parsed because access list is guaranteed to be in the output:

    <Property name="access list" alias="Name" distance="1.0" length="-1" type="String" 
/>
 
 

The remaining lines all contain the term host. As a result, the specification file may report the desired values by specifying that string. For example, this line

<Property name="host" alias="rule" distance="s.1" length="1" type="String" />
 
 

will produce the following for the first and second rules

    <rule>
        deny
    </rule>
 
 

and the following for the third statement

    <rule>
        permit
    <rule>
 
 

Workaround (2):

Request the output of the show running-config command using NETCONF and parse that output for the desired strings. This is useful when the desired lines contain nothing in common. For example, the rules in this access list do not contain a common string and the order (three permits, then a deny, then another permit), prevent the spec file entry from using permit as a search string, as in the following example:

    Extended MAC access list MACCOY 
        permit 0000.0000.ffef ffff.ffff.0000 0000.00af.bcef ffff.ff00.0000 appletalk
        permit any host 65de.edfe.fefe xns-idp
        permit any any protocol-family rarp-non-ipv4
        deny   host 005e.1e5d.9f7d host 3399.e3e1.ff2c dec-spanning
        permit any any
 
 

The XML output of show running-config command includes the following, which can then be parsed programmatically, as desired:

    
<mac><access-list><extended><ACLName>MACCOY</ACLName></extended></access-list></mac>
    <X-Interface> permit 0000.0000.ffef ffff.ffff.0000 0000.00af.bcef ffff.ff00.0000 
appletalk</X-Interface>
    <X-Interface> permit any host 65de.edfe.fefe xns-idp</X-Interface>
    <X-Interface> permit any any protocol-family rarp-non-ipv4</X-Interface>
    <X-Interface> deny   host 005e.1e5d.9f7d host 3399.e3e1.ff2c 
dec-spanning</X-Interface>
    <X-Interface> permit any any</X-Interface>

Although the Catalyst 4900 series switch still supports legacy 802.1X commands used in Cisco IOS Release 12.2(46)SG and earlier releases (that is, they are accepted on the CLI), they do not display in the CLI help menu.

Current IOS software cannot support filenames exceeding 64 characters.

If you use MDA or multi-auth host mode in conjunction with pre-authentication open access, a switch ignores unicast EAPOL responses.

Workarounds:

Force the supplicant to use multicast EAPOL.

Avoid authentication open mode

CSCtq33048

For any configuration where the source-interface keyword is used, if you provide an SVI that is associated with a secondary private VLAN, configuration involving the secondary VLAN may be lost when the switch is reloaded. In such scenarios, always use the primary private VLAN.

Caveats

Caveats describe unexpected behavior in Cisco IOS releases. Caveats listed as open in a prior release are carried forward to the next release as either open or resolved.


Note For the latest information on PSIRTS, refer to the Security Advisories on CCO at the following URL:

http://tools.cisco.com/security/center/publicationListing


Open Caveats in Cisco IOS Release 12.2(54)SG1

This section lists the open caveats in Cisco IOS Release 12.2(54)SG1:

In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:

Switch# sh policy-map int
  FastEthernet3/2 
 
   Service-policy output: p1
 
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
 
 

Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID
Old QueueName
New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log


Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:

Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
 
 

(CSCsc94802)

To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

Configure the correct default gateway on the host side. (CSCse75660)

When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

After a reload, copy the startup-config to the running-config.

Use a loopback interface as the target of the ip unnumbered command

Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:

%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
 
 

Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:

Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
 
 

Workaround: None. (CSCso68331)

VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

When you remove an SFP+ from a OneX converter in a X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in Duplicate Seeprom error message.

Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:

Enter any commands for that port.

Insert an SFP+ in that port.

Reinsert the removed SFP+ in any other port.

(CSCsv90044)

If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.

Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:

a. Reconfigure the VLAN Load Balancing configuration on the desired REP ports.

b. Shut any one REP port in the segment to cause a failure in that segment.

c. No-shut that port to restore normal REP topology with one ALT port.

d. Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.

(CSCsv69853)

After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:

%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
 
 

This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.

Workaround: None. CSCsy72343

If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the
show policy-map interface command are wrong.

Workaround: None.

The queue transmit counters as well as the policing statistics (if any) are correct. CSCsz20149

On a wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.

This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.

Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored. CSCsz34522

On a Layer 2 port (that is, a switchport) of Supervisor Engine II+ thru V-10GE, the
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.

Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command. CSCta16492

If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines.

Workaround: None.

Despite the different default value, you can configure any value in the time range. CSCte51948

On a peer interface on a Catalyst 4948E Ethernet Switch, if errdisabled mode flap detection is set to a very small number (such as 2 flaps in 10 sec), a 10GE link flap may cause the peer interface to enter the errdisabled state.

Workarounds: The Cisco switch default link-flap detection value is 5 flaps in 10 seconds. Use the default value or larger numbers. CSCtg07677

If you disable and re-enable IGMP Snooping on a VLAN, the output of the show mac address command does not display the [term] Switch against the multicast entry. Multicast traffic is not impacted.

Workaround: Do shut, then no shut on the SVI. CSCtg72559

When you have enabled EPM logging and the client is authenticated via MAB or Webauth, the value of AUTHTYPE is DOT1X in EPM syslog messages irrespective of the authentication method.

Similarly, the show epm sessions command always displays the authentication method as DOT1X.

Workaround: To view the authentication method used for a client, enter the
show authentication sessions command. CSCsx42157

When Fallback WebAuth and Multi-host is configured on a port and no PACL exists, "permit ip any any" is installed in the TCAM and all traffic from the host is allowed to pass.

Workaround: Configure an ACL on the port. CSCte18760

With a NEAT configuration on an ASW (Catalyst 4500 series switch) connected to an SSW (Catalyst 3750 series switch) serving as a root bridge and with redundant links between ASW and SSW, the following occur:

STP does not stabilize.

The SVI (network) is unreachable. If an SVI exists on the ASW, because of the STP flap in the setup as well as the CISP operations, the SVI MAC configuration on the ASW is incorrect.

Workaround: Configure the ASW or any other switch upstream as the root-bridge for all the VLANs. CSCtg71030

If host-mode multi-domain is configured and authorization succeeds, traffic may not pass from an IP phone or a data device.

Workaround: None. CSCtj56811

A switch may crash while loading BGP routes if the ip cef accounting non-recursive command is already configured.

Workaround: Disable the ip cef accounting non-recursive command. CSCtn68186

When a switch is configured for MAC Authentication Bypass (MAB) EAP and the AAA server requests EAP-TLS (as the EAP method) first, MAB fails.

Workarounds:

Configure the switch port for mab rather than mab eap.

Configure the AAA server to propose EAP-MD5 first rather than EAP-TLS for MAB EAP requests. CSCti78674

Resolved Caveats in Cisco IOS Release 12.2(54)SG1

This section lists the resolved caveats in Release 12.2(54)SG1:

Catalyst 4500 series switches may lose the per-vlan maximum mac addresses for port-security when the link goes down. This applies to the following interface configuration :

switchport port-security maximum <number> vlan access
switchport port-security maximum <number> vlan voice
 
 

Workaround: None. CSCti74791..ALL

If no vtp is configured on ports that receive VTP updates, a switch no longer processes Layer 2 control traffic (STP and CDP).

Workaround: Upgrade to 12.2(53)SG3, 12.2(50)SG8, or later. CSCth00398 .....ALL

When the show ip ospf int command is paused while the backup designated router neighbor goes down, a switch may reload when you enter the show ip ospf int command:

c3560sw2# show ip ospf int
 Vlan804 is up, line protocol is up 
   Internet Address 10.0.0.2/24, Area 0 
   Process ID 1, Router ID 10.0.0.2, Network Type BROADCAST, Cost: 1
   Transmit Delay is 1 sec, State DR, Priority 1
   Designated Router (ID) 10.0.0.2, Interface address 10.0.0.2
  --More-- 
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8,
 changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan804, changed
 state to down
%OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on Vlan804 from FULL to DOWN,
 Neighbor Down: Interface down or detached
%LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to down
 
 

The next line in the output of the show ip ospf int command is the following:

Backup Designated router (ID) 10.0.0.1, Interface address 10.0.0.1
 
 

If you now advance the output by pressing either Enter or the space bar, the device reloads and the following error message displays:

Unexpected exception to CPUvector 2000, PC = 261FC60
 
 

Workaround: None. CSCtd73256

The show tacacs+ command does not provide private tacacs+ server statistics.

Workaround: None. CSCta96363

Open Caveats in Cisco IOS Release 12.2(54)SG

This section lists the open caveats in Cisco IOS Release 12.2(54)SG:

In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:

Switch# sh policy-map int
  FastEthernet3/2 
 
   Service-policy output: p1
 
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
 
 

Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID
Old QueueName
New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log


Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:

Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
 
 

(CSCsc94802)

To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

Configure the correct default gateway on the host side. (CSCse75660)

When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

After a reload, copy the startup-config to the running-config.

Use a loopback interface as the target of the ip unnumbered command

Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:

%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
 
 

Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:

Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
 
 

Workaround: None. (CSCso68331)

VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

When you remove an SFP+ from a OneX converter in a X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in Duplicate Seeprom error message.

Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:

Enter any commands for that port.

Insert an SFP+ in that port.

Reinsert the removed SFP+ in any other port.

(CSCsv90044)

If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.

Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:

a. Reconfigure the VLAN Load Balancing configuration on the desired REP ports.

b. Shut any one REP port in the segment to cause a failure in that segment.

c. No-shut that port to restore normal REP topology with one ALT port.

d. Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.

(CSCsv69853)

After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:

%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
 
 

This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.

Workaround: None. CSCsy72343

If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the
show policy-map interface command are wrong.

Workaround: None.

The queue transmit counters as well as the policing statistics (if any) are correct. CSCsz20149

On a wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.

This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.

Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored. CSCsz34522

On a Layer 2 port (that is, a switchport) of Supervisor Engine II+ thru V-10GE, the
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.

Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command. CSCta16492

If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines.

Workaround: None.

Despite the different default value, you can configure any value in the time range. CSCte51948

On a peer interface on a Catalyst 4948E Ethernet Switch, if errdisabled mode flap detection is set to a very small number (such as 2 flaps in 10 sec), a 10GE link flap may cause the peer interface to enter the errdisabled state.

Workarounds: The Cisco switch default link-flap detection value is 5 flaps in 10 seconds. Use the default value or larger numbers. CSCtg07677

If you disable and re-enable IGMP Snooping on a VLAN, the output of the show mac address command does not display the [term] Switch against the multicast entry. Multicast traffic is not impacted.

Workaround: Do shut, then no shut on the SVI. CSCtg72559

When you have enabled EPM logging and the client is authenticated via MAB or Webauth, the value of AUTHTYPE is DOT1X in EPM syslog messages irrespective of the authentication method.

Similarly, the show epm sessions command always displays the authentication method as DOT1X.

Workaround: To view the authentication method used for a client, enter the
show authentication sessions command. CSCsx42157

When Fallback WebAuth and Multi-host is configured on a port and no PACL exists, "permit ip any any" is installed in the TCAM and all traffic from the host is allowed to pass.

Workaround: Configure an ACL on the port. CSCte18760

With a NEAT configuration on an ASW (Catalyst 4500 series switch) connected to an SSW (Catalyst 3750 series switch) serving as a root bridge and with redundant links between ASW and SSW, the following occur:

STP does not stabilize.

The SVI (network) is unreachable. If an SVI exists on the ASW, because of the STP flap in the setup as well as the CISP operations, the SVI MAC configuration on the ASW is incorrect.

Workaround: Configure the ASW or any other switch upstream as the root-bridge for all the VLANs. CSCtg71030

If host-mode multi-domain is configured and authorization succeeds, traffic may not pass from an IP phone or a data device.

Workaround: None. CSCtj56811

A switch may crash while loading BGP routes if the ip cef accounting non-recursive command is already configured.

Workaround: Disable the ip cef accounting non-recursive command. CSCtn68186

When a switch is configured for MAC Authentication Bypass (MAB) EAP and the AAA server requests EAP-TLS (as the EAP method) first, MAB fails.

Workarounds:

Configure the switch port for mab rather than mab eap.

Configure the AAA server to propose EAP-MD5 first rather than EAP-TLS for MAB EAP requests. CSCti78674

Resolved Caveats in Cisco IOS Release 12.2(54)SG

This section lists the resolved caveats in Release 12.2(54)SG:

When you configure switchport block multicast on a switch running
Cisco IOS Release 12.2(53)SG1 or 12.2(50)SG6, Layer 2 multicast is not blocked.

Prior to Cisco IOS Release 12.2(53)SG1, 12.2(50)SG6, the switchport block multicast command would block IP Multicast, Layer 2 multicast, and broadcast traffic .

Workaround: None CSCta61825

When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. CSCsv54529

On a switch running Cisco IOS Release 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface. CSCso50921

IP Router Option may not work with IGMP version 2.

Workaround: None. CSCsv42869

When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a Security violation is wrongly flagged.

Workaround: None. CSCsy38640

When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters are increment correctly but the byte counters remain 0.

Workaround: None. CSCsu35604

When you request an on demand Call Home message send without specifying a profile name & the specified module returns an unknown diagnostic result, the following error message displays:

Switch# call-home send alert-group diagnostic module 2 
Sending diagnostic info call-home message ...
Please wait. This may take some time ...
Switch#
*Jan  3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand 
message failed to send (ERR 18, The alert group is not subscribed)
 
 

Workaround: Specify a profile name when you enter the diagnostic command.

You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.

CSCsz05888

If a host is authenticated in the data VLAN, the STP state of the VLAN is blocked.

Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.

The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.

Workaround: Enter shut, then no shut on the port.

CSCta04665

A switch fails if you configure a PBR policy to match on prefix-list(s) instead of ACL(s).

Workaround: Configure the route map to only match on ACL(s).

CSCtg22126

On a redundant switch running Cisco IOS Release 12.2(52)SG, after a ports is authorized through 802.1X, the show dot1x interface statistics command may display empty values on the standby supervisor engine.

The statistics are displayed properly on the active supervisor.

Workaround: None.

CSCsx64308

After three failed authentication attempts, WinXP stops responding to EAPOL requests from the switch that caused the 802.1X timeout (default or configured). After the timeout, WinXP moves to auth-fail VLAN.

Workaround: Attempt an authorization after a timeout.

CSCte84432

The switch may reload after destroying the expExpressionTable row via SNMP when you enter the debug management expression evaluator command.

Workaround: Disable the debug management expression evaluator command. (CSCsu67323)

When using dynamic policy installation for a client or host that is authenticated on a secure port, the traffic from the client is not permitted even though the permit ip any any command is specified as the dynamic policy for the client.

This occurs only if the following conditions are satisfied:

Multi-host mode configured on the port with the authentication host-mode multi-host command.

Default ACL (the IP access-list) configured on the interface specifies deny ip any any.

Dynamic policy authorization for the client specifies permit ip any any.

Workaround: None. CSCsz63739

When you load an unsupported Catalyst 4500 software version on WS-C4507R+E and WS-C4510R+E, the following log messages are seen and none of the ports come up:

"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type" 
Or
"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type"
 
 
"%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 
14" (where n is a slot number)
 
 

Workaround: Load Cisco IOS Release 12.2(54)SG or 12.2(53)SG4 on WS-C4507R+E and WS-C4510R+E.

Open Caveats in Cisco IOS Release 12.2(53)SG10

This section lists the open caveats in Cisco IOS Release 12.2(53)SG10:

In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:

Switch# sh policy-map int
  FastEthernet3/2 
 
   Service-policy output: p1
 
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
 
 

Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID
Old QueueName
New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log


Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:

Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
 
 

(CSCsc94802)

To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

Configure the correct default gateway on the host side. (CSCse75660)

When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

After a reload, copy the startup-config to the running-config.

Use a loopback interface as the target of the ip unnumbered command

Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:

%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
 
 

Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:

Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
 
 

Workaround: None. (CSCso68331)

When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)

The CTS SXP cts sxp default password mypassword configuration command does not work when you configure type 6 password encryption on the switch.

Workarounds: Use either of the following to set the sxp default password:

Use clear text (non encryption)

Type 7 password encryption

(CSCsv33006)

Duplicate serial number error messages are reported on switching One X Convertor with SFP+, SFP+, X2 to another port, the inserted port enters a faulty status.

This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.

Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)

On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface.

(CSCso50921)

VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

CTS SXP connection with a default password may cause the following message to display on the console because of bad TCP authentication:

*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 
2.2.2.1(64999)
 
 

This issue is seen when the default SXP password is encrypted with type-6 encryption.

Workaround: Do one of the following:

Use type 7 password encryption to encrypt the default SXP password

Don't enable password encryption and allow the default SXP password to set in clear text.

(CSCsv33136)

After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:

%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
 
 

This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.

Workaround: None. CSCsy72343

When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a Security violation is wrongly flagged.

Workaround: None.

CSCsy38640

When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters are increment correctly but the byte counters remain 0.

Workaround: None.

CSCsu35604

When you request an on demand Call Home message send without specifying a profile name & the specified module returns an unknown diagnostic result, the following error message displays:

Switch# call-home send alert-group diagnostic module 2 
Sending diagnostic info call-home message ...
Please wait. This may take some time ...
Switch#
*Jan  3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand 
message failed to send (ERR 18, The alert group is not subscribed)
 
 

Workaround: Specify a profile name when you enter the diagnostic command.

You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.

CSCsz05888

If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the
show policy-map interface command are wrong.

Workaround: None.

The queue transmit counters as well as the policing statistics (if any) are correct.

CSCsz20149

Packets entering a switch as fragments or with a non-zero fragment offset field are not be subjected to PBR.

Workaround: None.

CSCsz06719

When you configure EnergyWise power control on PoE ports with a time-based execution schedule, time entry executes without adjusting for daylight savings time.

Workaround: Manually re-enter all entries with new time settings.

CSCsy27389

On wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.

This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.

Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.

CSCsz34522

If a host is authenticated in the data VLAN, the STP state of the VLAN is blocked.

Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.

The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.

Workaround: Enter shut, then no shut on the port.

CSCta04665

On a Layer 2 port (that is, a switchport) of Supervisor Engine II+ thru V-10GE, the
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.

Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.

CSCta16492

When using dynamic policy installation for a client or host that is authenticated on a secure port, the traffic from the client is not permitted even though the permit ip any any command is specified as the dynamic policy for the client.

This occurs only if the following conditions are satisfied:

Multi-host mode configured on the port with the authentication host-mode multi-host command.

Default ACL (the IP access-list) configured on the interface specifies deny ip any any.

Dynamic policy authorization for the client specifies permit ip any any.

Workaround: None.

CSCsz63739

If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines.

Workaround: None.

Despite the different default value, you can configure any value in the time range.

CSCte51948

If you observe a periodic increase in call or packet drops and a constant decrease in free memory available in your switch, you could use the show memory debug leak command. However, this command is CPU intensive; it might tear down your call or data session if used on live network.

The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete.

Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986

A switch might fail an ftp to a dhcp-snooping file if the file's size is 0 Kb.

Workaround: When creating the file, enter some characters, remove the ftp command, then re-enter it as follows:

Switch(config)# no ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.$
Switch(config)# ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.log
 
 

CSCsk38763

When you load an unsupported Catalyst 4500 software version on WS-C4507R+E and WS-C4510R+E, the following log messages are seen and none of the ports come up:

"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type" 
Or
"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type"
 
 
"%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 
14" (where n is a slot number)
 
 

Workaround: Load Cisco IOS Release 12.2(54)SG or 12.2(53)SG4 on WS-C4507R+E and WS-C4510R+E.

CSCtl70275

When you load software images earlier than Cisco IOS Release 12.2(53)SG4, 12.54(SG) or 15.0(1)SG on a redundant WS-C4510R+E or WS-C4507R+E chassis, the active supervisor engines displays the following log message:

%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type
 
 

The active supervisor engine also displays following log message for each linecard slot in the chassis:

%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 
14
 
 

where n is the slot number

If the standby supervisor engine boots, the active supervisor engine displays the following message and reboots:

%C4K_REDUNDANCY-2-POSTFAIL_RESET: Power-On Self Test (POST) failure on ACTIVE 
supervisor detected. Detected the Standby Supervisor bootupFailed
 
 

While active supervisor engine is up, no traffic can be handled by the switch.

The two supervisor engines might alternately reboot continuously.

Workaround: Use Cisco IOS Release 12.2(53)SG4, 12.2(54)SG, 15.0(1)SG or later images with WS-C4510R+E and WS-C4507R+E chassis.

CSCtl84092

If a port is configured for Private VLAN and is authorized in a guest VLAN, a traceback appears on the console.

Workaround: None.

CSCtq73579

Resolved Caveats in Cisco IOS Release 12.2(53)SG10

This section lists the resolved caveats in Release 12.2(53)SG10:

The following message appears during MAC aging or learning on ports where dot1x or port security is configured:

%C4K_HWL2MAN-4-ADDRESSNOTLOADABLE message appears
 
 

Workaround: None. The message is cosmetic.CSCue77562

After TCAM resources are first exhausted, then freed, CPU remains high.

Workaround: Reconfigure ACLs on all interfaces.CSCuf93866

Open Caveats in Cisco IOS Release 12.2(53)SG9

This section lists the open caveats in Cisco IOS Release 12.2(53)SG9:

In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:

Switch# sh policy-map int
  FastEthernet3/2 
 
   Service-policy output: p1
 
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
 
 

Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID
Old QueueName
New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log


Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:

Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
 
 

(CSCsc94802)

To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

Configure the correct default gateway on the host side. (CSCse75660)

When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

After a reload, copy the startup-config to the running-config.

Use a loopback interface as the target of the ip unnumbered command

Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:

%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
 
 

Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:

Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
 
 

Workaround: None. (CSCso68331)

When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)

The CTS SXP cts sxp default password mypassword configuration command does not work when you configure type 6 password encryption on the switch.

Workarounds: Use either of the following to set the sxp default password:

Use clear text (non encryption)

Type 7 password encryption

(CSCsv33006)

Duplicate serial number error messages are reported on switching One X Convertor with SFP+, SFP+, X2 to another port, the inserted port enters a faulty status.

This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.

Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)

On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface.

(CSCso50921)

VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

CTS SXP connection with a default password may cause the following message to display on the console because of bad TCP authentication:

*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 
2.2.2.1(64999)
 
 

This issue is seen when the default SXP password is encrypted with type-6 encryption.

Workaround: Do one of the following:

Use type 7 password encryption to encrypt the default SXP password

Don't enable password encryption and allow the default SXP password to set in clear text.

(CSCsv33136)

After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:

%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
 
 

This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.

Workaround: None. CSCsy72343

When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a Security violation is wrongly flagged.

Workaround: None.

CSCsy38640

When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters are increment correctly but the byte counters remain 0.

Workaround: None.

CSCsu35604

When you request an on demand Call Home message send without specifying a profile name & the specified module returns an unknown diagnostic result, the following error message displays:

Switch# call-home send alert-group diagnostic module 2 
Sending diagnostic info call-home message ...
Please wait. This may take some time ...
Switch#
*Jan  3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand 
message failed to send (ERR 18, The alert group is not subscribed)
 
 

Workaround: Specify a profile name when you enter the diagnostic command.

You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.

CSCsz05888

If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the
show policy-map interface command are wrong.

Workaround: None.

The queue transmit counters as well as the policing statistics (if any) are correct.

CSCsz20149

Packets entering a switch as fragments or with a non-zero fragment offset field are not be subjected to PBR.

Workaround: None.

CSCsz06719

When you configure EnergyWise power control on PoE ports with a time-based execution schedule, time entry executes without adjusting for daylight savings time.

Workaround: Manually re-enter all entries with new time settings.

CSCsy27389

On wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.

This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.

Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.

CSCsz34522

If a host is authenticated in the data VLAN, the STP state of the VLAN is blocked.

Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.

The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.

Workaround: Enter shut, then no shut on the port.

CSCta04665

On a Layer 2 port (that is, a switchport) of Supervisor Engine II+ thru V-10GE, the
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.

Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.

CSCta16492

When using dynamic policy installation for a client or host that is authenticated on a secure port, the traffic from the client is not permitted even though the permit ip any any command is specified as the dynamic policy for the client.

This occurs only if the following conditions are satisfied:

Multi-host mode configured on the port with the authentication host-mode multi-host command.

Default ACL (the IP access-list) configured on the interface specifies deny ip any any.

Dynamic policy authorization for the client specifies permit ip any any.

Workaround: None.

CSCsz63739

If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines.

Workaround: None.

Despite the different default value, you can configure any value in the time range.

CSCte51948

If you observe a periodic increase in call or packet drops and a constant decrease in free memory available in your switch, you could use the show memory debug leak command. However, this command is CPU intensive; it might tear down your call or data session if used on live network.

The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete.

Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986

A switch might fail an ftp to a dhcp-snooping file if the file's size is 0 Kb.

Workaround: When creating the file, enter some characters, remove the ftp command, then re-enter it as follows:

Switch(config)# no ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.$
Switch(config)# ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.log
 
 

CSCsk38763

When you load an unsupported Catalyst 4500 software version on WS-C4507R+E and WS-C4510R+E, the following log messages are seen and none of the ports come up:

"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type" 
Or
"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type"
 
 
"%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 
14" (where n is a slot number)
 
 

Workaround: Load Cisco IOS Release 12.2(54)SG or 12.2(53)SG4 on WS-C4507R+E and WS-C4510R+E.

CSCtl70275

When you load software images earlier than Cisco IOS Release 12.2(53)SG4, 12.54(SG) or 15.0(1)SG on a redundant WS-C4510R+E or WS-C4507R+E chassis, the active supervisor engines displays the following log message:

%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type
 
 

The active supervisor engine also displays following log message for each linecard slot in the chassis:

%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 
14
 
 

where n is the slot number

If the standby supervisor engine boots, the active supervisor engine displays the following message and reboots:

%C4K_REDUNDANCY-2-POSTFAIL_RESET: Power-On Self Test (POST) failure on ACTIVE 
supervisor detected. Detected the Standby Supervisor bootupFailed
 
 

While active supervisor engine is up, no traffic can be handled by the switch.

The two supervisor engines might alternately reboot continuously.

Workaround: Use Cisco IOS Release 12.2(53)SG4, 12.2(54)SG, 15.0(1)SG or later images with WS-C4510R+E and WS-C4507R+E chassis.

CSCtl84092

If a port is configured for Private VLAN and is authorized in a guest VLAN, a traceback appears on the console.

Workaround: None.

CSCtq73579

The following message appears during MAC aging or learning on ports where dot1x or port security is configured:

%C4K_HWL2MAN-4-ADDRESSNOTLOADABLE message appears
 
 

Workaround: None. The message is cosmetic.CSCue77562

After TCAM resources are first exhausted, then freed, CPU remains high.

Workaround: Reconfigure ACLs on all interfaces.CSCuf93866

Resolved Caveats in Cisco IOS Release 12.2(53)SG9

This section lists the resolved caveats in Release 12.2(53)SG9:

When a trunk port is configured with a native VLAN other than VLAN 1, REP packets are not sent on that VLAN.

Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521

The Cisco IOS Software implementation of the virtual routing and forwarding (VRF) aware network address translation (NAT) feature contains a vulnerability when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-nat

Note: The March 27, 2013, Cisco IOS Software Security Advisory bundled publication includes seven Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2013 bundled publication.

Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar13.html

CSCtg47129

Open Caveats in Cisco IOS Release 12.2(53)SG8

This section lists the open caveats in Cisco IOS Release 12.2(53)SG8:

In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:

Switch# sh policy-map int
  FastEthernet3/2 
 
   Service-policy output: p1
 
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
 
 

Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID
Old QueueName
New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log


Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:

Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
 
 

(CSCsc94802)

To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

Configure the correct default gateway on the host side. (CSCse75660)

When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

After a reload, copy the startup-config to the running-config.

Use a loopback interface as the target of the ip unnumbered command

Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:

%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
 
 

Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:

Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
 
 

Workaround: None. (CSCso68331)

When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)

The CTS SXP cts sxp default password mypassword configuration command does not work when you configure type 6 password encryption on the switch.

Workarounds: Use either of the following to set the sxp default password:

Use clear text (non encryption)

Type 7 password encryption

(CSCsv33006)

Duplicate serial number error messages are reported on switching One X Convertor with SFP+, SFP+, X2 to another port, the inserted port enters a faulty status.

This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.

Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)

On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface.

(CSCso50921)

VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

CTS SXP connection with a default password may cause the following message to display on the console because of bad TCP authentication:

*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 
2.2.2.1(64999)
 
 

This issue is seen when the default SXP password is encrypted with type-6 encryption.

Workaround: Do one of the following:

Use type 7 password encryption to encrypt the default SXP password

Don't enable password encryption and allow the default SXP password to set in clear text.

(CSCsv33136)

After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:

%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
 
 

This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.

Workaround: None. CSCsy72343

When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a Security violation is wrongly flagged.

Workaround: None.

CSCsy38640

When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters are increment correctly but the byte counters remain 0.

Workaround: None.

CSCsu35604

When you request an on demand Call Home message send without specifying a profile name & the specified module returns an unknown diagnostic result, the following error message displays:

Switch# call-home send alert-group diagnostic module 2 
Sending diagnostic info call-home message ...
Please wait. This may take some time ...
Switch#
*Jan  3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand 
message failed to send (ERR 18, The alert group is not subscribed)
 
 

Workaround: Specify a profile name when you enter the diagnostic command.

You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.

CSCsz05888

If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the
show policy-map interface command are wrong.

Workaround: None.

The queue transmit counters as well as the policing statistics (if any) are correct.

CSCsz20149

Packets entering a switch as fragments or with a non-zero fragment offset field are not be subjected to PBR.

Workaround: None.

CSCsz06719

When you configure EnergyWise power control on PoE ports with a time-based execution schedule, time entry executes without adjusting for daylight savings time.

Workaround: Manually re-enter all entries with new time settings.

CSCsy27389

On wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.

This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.

Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.

CSCsz34522

If a host is authenticated in the data VLAN, the STP state of the VLAN is blocked.

Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.

The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.

Workaround: Enter shut, then no shut on the port.

CSCta04665

On a Layer 2 port (that is, a switchport) of Supervisor Engine II+ thru V-10GE, the
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.

Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.

CSCta16492

When using dynamic policy installation for a client or host that is authenticated on a secure port, the traffic from the client is not permitted even though the permit ip any any command is specified as the dynamic policy for the client.

This occurs only if the following conditions are satisfied:

Multi-host mode configured on the port with the authentication host-mode multi-host command.

Default ACL (the IP access-list) configured on the interface specifies deny ip any any.

Dynamic policy authorization for the client specifies permit ip any any.

Workaround: None.

CSCsz63739

If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines.

Workaround: None.

Despite the different default value, you can configure any value in the time range.

CSCte51948

If you observe a periodic increase in call or packet drops and a constant decrease in free memory available in your switch, you could use the show memory debug leak command. However, this command is CPU intensive; it might tear down your call or data session if used on live network.

The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete.

Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986

A switch might fail an ftp to a dhcp-snooping file if the file's size is 0 Kb.

Workaround: When creating the file, enter some characters, remove the ftp command, then re-enter it as follows:

Switch(config)# no ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.$
Switch(config)# ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.log
 
 

CSCsk38763

When you load an unsupported Catalyst 4500 software version on WS-C4507R+E and WS-C4510R+E, the following log messages are seen and none of the ports come up:

"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type" 
Or
"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type"
 
 
"%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 
14" (where n is a slot number)
 
 

Workaround: Load Cisco IOS Release 12.2(54)SG or 12.2(53)SG4 on WS-C4507R+E and WS-C4510R+E.

CSCtl70275

When you load software images earlier than Cisco IOS Release 12.2(53)SG4, 12.54(SG) or 15.0(1)SG on a redundant WS-C4510R+E or WS-C4507R+E chassis, the active supervisor engines displays the following log message:

%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type
 
 

The active supervisor engine also displays following log message for each linecard slot in the chassis:

%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 
14
 
 

where n is the slot number

If the standby supervisor engine boots, the active supervisor engine displays the following message and reboots:

%C4K_REDUNDANCY-2-POSTFAIL_RESET: Power-On Self Test (POST) failure on ACTIVE 
supervisor detected. Detected the Standby Supervisor bootupFailed
 
 

While active supervisor engine is up, no traffic can be handled by the switch.

The two supervisor engines might alternately reboot continuously.

Workaround: Use Cisco IOS Release 12.2(53)SG4, 12.2(54)SG, 15.0(1)SG or later images with WS-C4510R+E and WS-C4507R+E chassis. CSCtl84092

If a port is configured for Private VLAN and is authorized in a guest VLAN, a traceback appears on the console.

Workaround: None. CSCtq73579

When a trunk port is configured with a native VLAN other than VLAN 1, REP packets are not sent on that VLAN.

Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521

After TCAM resources are first exhausted, then freed, CPU remains high.

Workaround: Reconfigure ACLs on all interfaces.CSCuf93866

Resolved Caveats in Cisco IOS Release 12.2(53)SG8

This section lists the resolved caveats in Release 12.2(53)SG8:

While processing a CDP frame, a switch may crash after displaying SYS-2-FREEFREE and SYS-6-MTRACE messages.

Workaround: Enter the no cdp run command to disable CDP. CSCub45763

Open Caveats in Cisco IOS Release 12.2(53)SG7

This section lists the open caveats in Cisco IOS Release 12.2(53)SG7:

In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:

Switch# sh policy-map int
  FastEthernet3/2 
 
   Service-policy output: p1
 
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
 
 

Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID
Old QueueName
New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log


Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:

Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
 
 

(CSCsc94802)

To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

Configure the correct default gateway on the host side. (CSCse75660)

When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

After a reload, copy the startup-config to the running-config.

Use a loopback interface as the target of the ip unnumbered command

Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:

%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
 
 

Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:

Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
 
 

Workaround: None. (CSCso68331)

When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)

The CTS SXP cts sxp default password mypassword configuration command does not work when you configure type 6 password encryption on the switch.

Workarounds: Use either of the following to set the sxp default password:

Use clear text (non encryption)

Type 7 password encryption

(CSCsv33006)

Duplicate serial number error messages are reported on switching One X Convertor with SFP+, SFP+, X2 to another port, the inserted port enters a faulty status.

This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.

Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)

On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface.

(CSCso50921)

VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

CTS SXP connection with a default password may cause the following message to display on the console because of bad TCP authentication:

*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 
2.2.2.1(64999)
 
 

This issue is seen when the default SXP password is encrypted with type-6 encryption.

Workaround: Do one of the following:

Use type 7 password encryption to encrypt the default SXP password

Don't enable password encryption and allow the default SXP password to set in clear text.

(CSCsv33136)

After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:

%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
 
 

This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.

Workaround: None. CSCsy72343

When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a Security violation is wrongly flagged.

Workaround: None.

CSCsy38640

When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters are increment correctly but the byte counters remain 0.

Workaround: None.

CSCsu35604

When you request an on demand Call Home message send without specifying a profile name & the specified module returns an unknown diagnostic result, the following error message displays:

Switch# call-home send alert-group diagnostic module 2 
Sending diagnostic info call-home message ...
Please wait. This may take some time ...
Switch#
*Jan  3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand 
message failed to send (ERR 18, The alert group is not subscribed)
 
 

Workaround: Specify a profile name when you enter the diagnostic command.

You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.

CSCsz05888

If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the
show policy-map interface command are wrong.

Workaround: None.

The queue transmit counters as well as the policing statistics (if any) are correct.

CSCsz20149

Packets entering a switch as fragments or with a non-zero fragment offset field are not be subjected to PBR.

Workaround: None.

CSCsz06719

When you configure EnergyWise power control on PoE ports with a time-based execution schedule, time entry executes without adjusting for daylight savings time.

Workaround: Manually re-enter all entries with new time settings.

CSCsy27389

On wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.

This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.

Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.

CSCsz34522

If a host is authenticated in the data VLAN, the STP state of the VLAN is blocked.

Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.

The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.

Workaround: Enter shut, then no shut on the port.

CSCta04665

On a Layer 2 port (that is, a switchport) of Supervisor Engine II+ thru V-10GE, the
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.

Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.

CSCta16492

When using dynamic policy installation for a client or host that is authenticated on a secure port, the traffic from the client is not permitted even though the permit ip any any command is specified as the dynamic policy for the client.

This occurs only if the following conditions are satisfied:

Multi-host mode configured on the port with the authentication host-mode multi-host command.

Default ACL (the IP access-list) configured on the interface specifies deny ip any any.

Dynamic policy authorization for the client specifies permit ip any any.

Workaround: None.

CSCsz63739

If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines.

Workaround: None.

Despite the different default value, you can configure any value in the time range.

CSCte51948

If you observe a periodic increase in call or packet drops and a constant decrease in free memory available in your switch, you could use the show memory debug leak command. However, this command is CPU intensive; it might tear down your call or data session if used on live network.

The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete.

Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986

A switch might fail an ftp to a dhcp-snooping file if the file's size is 0 Kb.

Workaround: When creating the file, enter some characters, remove the ftp command, then re-enter it as follows:

Switch(config)# no ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.$
Switch(config)# ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.log
 
 

CSCsk38763

When you load an unsupported Catalyst 4500 software version on WS-C4507R+E and WS-C4510R+E, the following log messages are seen and none of the ports come up:

"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type" 
Or
"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type"
 
 
"%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 
14" (where n is a slot number)
 
 

Workaround: Load Cisco IOS Release 12.2(54)SG or 12.2(53)SG4 on WS-C4507R+E and WS-C4510R+E.

CSCtl70275

When you load software images earlier than Cisco IOS Release 12.2(53)SG4, 12.54(SG) or 15.0(1)SG on a redundant WS-C4510R+E or WS-C4507R+E chassis, the active supervisor engines displays the following log message:

%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type
 
 

The active supervisor engine also displays following log message for each linecard slot in the chassis:

%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 
14
 
 

where n is the slot number

If the standby supervisor engine boots, the active supervisor engine displays the following message and reboots:

%C4K_REDUNDANCY-2-POSTFAIL_RESET: Power-On Self Test (POST) failure on ACTIVE 
supervisor detected. Detected the Standby Supervisor bootupFailed
 
 

While active supervisor engine is up, no traffic can be handled by the switch.

The two supervisor engines might alternately reboot continuously.

Workaround: Use Cisco IOS Release 12.2(53)SG4, 12.2(54)SG, 15.0(1)SG or later images with WS-C4510R+E and WS-C4507R+E chassis.

CSCtl84092

If a port is configured for Private VLAN and is authorized in a guest VLAN, a traceback appears on the console.

Workaround: None.

CSCtq73579

While processing a CDP frame, a switch may crash after displaying SYS-2-FREEFREE and SYS-6-MTRACE messages.

Workaround: Enter the no cdp run command to disable CDP. CSCub45763

When a trunk port is configured with a native VLAN other than VLAN 1, REP packets are not sent on that VLAN.

Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521

After TCAM resources are first exhausted, then freed, CPU remains high.

Workaround: Reconfigure ACLs on all interfaces.CSCuf93866

Resolved Caveats in Cisco IOS Release 12.2(53)SG7

This section lists the resolved caveats in Release 12.2(53)SG7:

If you use AAA accounting with the broadcast keyword, a switch may either display unpredictable behavior or crash.

Workaround: Do not use AAA accounting with the broadcast keyword. CSCts56125

A vulnerability exists in the Cisco IOS software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.

Products that are not running Cisco IOS software are not vulnerable.

Cisco has released free software updates that address these vulnerabilities.

The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.

This advisory is available at the following link:


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai

Additional information on Cisco's security vulnerability policy can be found at the URL:


http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

CSCtr91106

A switch operating as a DHCP server where sessions receive DHCP information from a RADIUS server may experience a crash and DHCP related errors.

Workaround: None. CSCtj48387

A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp


Note The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.


Individual publication links are in ''Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication'' at the following link:


http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

CSCtr28857

A switch crashes after displaying the message:

%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown 
MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.
 
 

provided the following conditions apply:

A switchport is configured with the following:

authentication event server dead action authorize...

authenticaton event server alive action reinitalize

The RADIUS server was down previously, and a port without traffic (for example, a hub with no devices attached) was authorized into the inaccessible authentication bypass (IAB) VLAN without an associated MAC address.

The RADIUS server becomes available again, and the IAB-authorized port transitions to another state.

Workaround: None. CSCtx61557

Open Caveats in Cisco IOS Release 12.2(53)SG6

This section lists the open caveats in Cisco IOS Release 12.2(53)SG6:

In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:

Switch# sh policy-map int
  FastEthernet3/2 
 
   Service-policy output: p1
 
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
 
 

Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID
Old QueueName
New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log


Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:

Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
 
 

(CSCsc94802)

To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

Configure the correct default gateway on the host side. (CSCse75660)

When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

After a reload, copy the startup-config to the running-config.

Use a loopback interface as the target of the ip unnumbered command

Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:

%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
 
 

Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:

Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
 
 

Workaround: None. (CSCso68331)

When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)

The CTS SXP cts sxp default password mypassword configuration command does not work when you configure type 6 password encryption on the switch.

Workarounds: Use either of the following to set the sxp default password:

Use clear text (non encryption)

Type 7 password encryption

(CSCsv33006)

Duplicate serial number error messages are reported on switching One X Convertor with SFP+, SFP+, X2 to another port, the inserted port enters a faulty status.

This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.

Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)

On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface.

(CSCso50921)

VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

CTS SXP connection with a default password may cause the following message to display on the console because of bad TCP authentication:

*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 
2.2.2.1(64999)
 
 

This issue is seen when the default SXP password is encrypted with type-6 encryption.

Workaround: Do one of the following:

Use type 7 password encryption to encrypt the default SXP password

Don't enable password encryption and allow the default SXP password to set in clear text.

(CSCsv33136)

After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:

%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
 
 

This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.

Workaround: None. CSCsy72343

When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a Security violation is wrongly flagged.

Workaround: None.

CSCsy38640

When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters are increment correctly but the byte counters remain 0.

Workaround: None.

CSCsu35604

When you request an on demand Call Home message send without specifying a profile name & the specified module returns an unknown diagnostic result, the following error message displays:

Switch# call-home send alert-group diagnostic module 2 
Sending diagnostic info call-home message ...
Please wait. This may take some time ...
Switch#
*Jan  3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand 
message failed to send (ERR 18, The alert group is not subscribed)
 
 

Workaround: Specify a profile name when you enter the diagnostic command.

You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.

CSCsz05888

If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the
show policy-map interface command are wrong.

Workaround: None.

The queue transmit counters as well as the policing statistics (if any) are correct.

CSCsz20149

Packets entering a switch as fragments or with a non-zero fragment offset field are not be subjected to PBR.

Workaround: None.

CSCsz06719

When you configure EnergyWise power control on PoE ports with a time-based execution schedule, time entry executes without adjusting for daylight savings time.

Workaround: Manually re-enter all entries with new time settings.

CSCsy27389

On wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.

This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.

Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.

CSCsz34522

If a host is authenticated in the data VLAN, the STP state of the VLAN is blocked.

Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.

The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.

Workaround: Enter shut, then no shut on the port.

CSCta04665

On a Layer 2 port (that is, a switchport) of Supervisor Engine II+ thru V-10GE, the
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.

Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.

CSCta16492

When using dynamic policy installation for a client or host that is authenticated on a secure port, the traffic from the client is not permitted even though the permit ip any any command is specified as the dynamic policy for the client.

This occurs only if the following conditions are satisfied:

Multi-host mode configured on the port with the authentication host-mode multi-host command.

Default ACL (the IP access-list) configured on the interface specifies deny ip any any.

Dynamic policy authorization for the client specifies permit ip any any.

Workaround: None.

CSCsz63739

If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines.

Workaround: None.

Despite the different default value, you can configure any value in the time range.

CSCte51948

If you observe a periodic increase in call or packet drops and a constant decrease in free memory available in your switch, you could use the show memory debug leak command. However, this command is CPU intensive; it might tear down your call or data session if used on live network.

The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete.

Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986

A switch might fail an ftp to a dhcp-snooping file if the file's size is 0 Kb.

Workaround: When creating the file, enter some characters, remove the ftp command, then re-enter it as follows:

Switch(config)# no ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.$
Switch(config)# ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.log
 
 

CSCsk38763

When you load an unsupported Catalyst 4500 software version on WS-C4507R+E and WS-C4510R+E, the following log messages are seen and none of the ports come up:

"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type" 
Or
"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type"
 
 
"%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 
14" (where n is a slot number)
 
 

Workaround: Load Cisco IOS Release 12.2(54)SG or 12.2(53)SG4 on WS-C4507R+E and WS-C4510R+E.

CSCtl70275

When you load software images earlier than Cisco IOS Release 12.2(53)SG4, 12.54(SG) or 15.0(1)SG on a redundant WS-C4510R+E or WS-C4507R+E chassis, the active supervisor engines displays the following log message:

%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type
 
 

The active supervisor engine also displays following log message for each linecard slot in the chassis:

%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 
14
 
 

where n is the slot number

If the standby supervisor engine boots, the active supervisor engine displays the following message and reboots:

%C4K_REDUNDANCY-2-POSTFAIL_RESET: Power-On Self Test (POST) failure on ACTIVE 
supervisor detected. Detected the Standby Supervisor bootupFailed
 
 

While active supervisor engine is up, no traffic can be handled by the switch.

The two supervisor engines might alternately reboot continuously.

Workaround: Use Cisco IOS Release 12.2(53)SG4, 12.2(54)SG, 15.0(1)SG or later images with WS-C4510R+E and WS-C4507R+E chassis.

CSCtl84092

If a port is configured for Private VLAN and is authorized in a guest VLAN, a traceback appears on the console.

Workaround: None.

CSCtq73579

If you use AAA accounting with the broadcast keyword, a switch may either display unpredictable behavior or crash.

Workaround: Do not use AAA accounting with the broadcast keyword. CSCts56125

A vulnerability exists in the Cisco IOS software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.

Products that are not running Cisco IOS software are not vulnerable.

Cisco has released free software updates that address these vulnerabilities.

The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.

This advisory is available at the following link:


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai

Additional information on Cisco's security vulnerability policy can be found at the URL:


http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

CSCtr91106

A switch operating as a DHCP server where sessions receive DHCP information from a RADIUS server may experience a crash and DHCP related errors.

Workaround: None. CSCtj48387

A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp


Note The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.


Individual publication links are in ''Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication'' at the following link:


http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

CSCtr28857

A switch crashes after displaying the message:

%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown 
MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.
 
 

provided the following conditions apply:

A switchport is configured with the following:

authentication event server dead action authorize...

authenticaton event server alive action reinitalize

The RADIUS server was down previously, and a port without traffic (for example, a hub with no devices attached) was authorized into the inaccessible authentication bypass (IAB) VLAN without an associated MAC address.

The RADIUS server becomes available again, and the IAB-authorized port transitions to another state.

Workaround: None. CSCtx61557

When a trunk port is configured with a native VLAN other than VLAN 1, REP packets are not sent on that VLAN.

Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521

After TCAM resources are first exhausted, then freed, CPU remains high.

Workaround: Reconfigure ACLs on all interfaces.CSCuf93866

Resolved Caveats in Cisco IOS Release 12.2(53)SG6

This section lists the resolved caveats in Release 12.2(53)SG6:

When you enter the rep preempt segment command, the MAC might not flush.

Workaround: Re-enter the rep preempt segment command.

CSCtr89862

A switch crashes following changes to policy-based routing (route-map).

Workaround: Ensure that a policy is configured on an interface prior to changing a default next-hop in route-map. CSCtr31759

The following problems are experienced with IPv6 SNMP, when an IPv4 address is not configured:

Traps are not sent through IPv6.

SNMP GETs sent to a switch IPv6 address trigger a traceback.

Workaround: Perform the following task:

1. Disable the SNMP engine with the no snmp-server command.

2. Configure an IPv4 address and an IPv6 address on loopback interfaces.

3. Enable the SNMP engine.

CSCsw76894

If you enable SNMP before assigning an IPv4 address, SNMP does not listen for requests.

Workaround: Perform the following task:

1. Disable the SNMP engine with the no snmp-server command.

2. Configure an IP address and an IPv6 address on loopback interfaces.

3. Enable the SNMP engine.

CSCsw92921

When flex link load balancing is used, MAC addresses sourced over the backup interface are not programmed into the dynamic MAC address table. Source address learning is triggered for all traffic from these MAC addresses, which may cause high CPU.

Workaround: Configure static MAC addresses for the source addresses on the backup flex link interface. CSCtr40070

On networks with round-trip-time (RTT) delay of 5 milisec and over, IP SLA ethernet jitter probes are stuck in NoConnection/Busy/Timeout state:

uPE1#sh ip sla stat | inc Timeout
Latest RTT: NoConnection/Busy/Timeout
 
 

Issue is likely not to appear in environments with low latency (<5msec).

Workarounds:

None (regarding ethernet jitter probe)

Consider using the IP sla ethernet echo probes to collect RTT statistics. CSCtb96522

A system may crash if it receives more than 10 MA (Management Address) TLVs per LLDP neighbor entry.

Workaround: Disable LLDP MA TLV sending on the peers. CSCtj22354

Querying rttMonHistory objects using an invalid index causes a switch to crash.

Workaround: Use getnext rather than get to list valid indicies for the MIB OID. CSCtr52740

Registering a TCL policy may cause the switch to hang.

Workaround: None. CSCto72927

Flooded multicast traffic is not sent over a port channel interface after a member link or port-channel flaps.

Workarounds:

Delete and add impacted VLAN with no vlan vlan_id and vlan vlan_id commands.

Flap the impacted port channel with the shutdown and no shutdown commands. CSCtr17251

If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.

Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:

a. Reconfigure the VLAN Load Balancing configuration on the desired REP ports.

b. Shut any one REP port in the segment to cause a failure in that segment.

c. No-shut that port to restore normal REP topology with one ALT port.

d. Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.

(CSCsv69853)

If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.

Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:

a. Reconfigure the VLAN Load Balancing configuration on the desired REP ports.

b. Shut any one REP port in the segment to cause a failure in that segment.

c. No-shut that port to restore normal REP topology with one ALT port.

d. Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.

(CSCsv69853)

Open Caveats in Cisco IOS Release 12.2(53)SG5

This section lists the open caveats in Cisco IOS Release 12.2(53)SG5:

In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:

Switch# sh policy-map int
  FastEthernet3/2 
 
   Service-policy output: p1
 
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
 
 

Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID
Old QueueName
New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log


Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:

Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
 
 

(CSCsc94802)

To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

Configure the correct default gateway on the host side. (CSCse75660)

When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

After a reload, copy the startup-config to the running-config.

Use a loopback interface as the target of the ip unnumbered command

Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:

%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
 
 

Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:

Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
 
 

Workaround: None. (CSCso68331)

When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)

The CTS SXP cts sxp default password mypassword configuration command does not work when you configure type 6 password encryption on the switch.

Workarounds: Use either of the following to set the sxp default password:

Use clear text (non encryption)

Type 7 password encryption

(CSCsv33006)

Duplicate serial number error messages are reported on switching One X Convertor with SFP+, SFP+, X2 to another port, the inserted port enters a faulty status.

This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.

Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)

On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface.

(CSCso50921)

VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

CTS SXP connection with a default password may cause the following message to display on the console because of bad TCP authentication:

*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 
2.2.2.1(64999)
 
 

This issue is seen when the default SXP password is encrypted with type-6 encryption.

Workaround: Do one of the following:

Use type 7 password encryption to encrypt the default SXP password

Don't enable password encryption and allow the default SXP password to set in clear text.

(CSCsv33136)

If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.

Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:

a. Reconfigure the VLAN Load Balancing configuration on the desired REP ports.

b. Shut any one REP port in the segment to cause a failure in that segment.

c. No-shut that port to restore normal REP topology with one ALT port.

d. Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.

(CSCsv69853)

After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:

%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
 
 

This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.

Workaround: None. CSCsy72343

When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a Security violation is wrongly flagged.

Workaround: None.

CSCsy38640

When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters are increment correctly but the byte counters remain 0.

Workaround: None.

CSCsu35604

When you request an on demand Call Home message send without specifying a profile name & the specified module returns an unknown diagnostic result, the following error message displays:

Switch# call-home send alert-group diagnostic module 2 
Sending diagnostic info call-home message ...
Please wait. This may take some time ...
Switch#
*Jan  3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand 
message failed to send (ERR 18, The alert group is not subscribed)
 
 

Workaround: Specify a profile name when you enter the diagnostic command.

You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.

CSCsz05888

If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the
show policy-map interface command are wrong.

Workaround: None.

The queue transmit counters as well as the policing statistics (if any) are correct.

CSCsz20149

Packets entering a switch as fragments or with a non-zero fragment offset field are not be subjected to PBR.

Workaround: None.

CSCsz06719

When you configure EnergyWise power control on PoE ports with a time-based execution schedule, time entry executes without adjusting for daylight savings time.

Workaround: Manually re-enter all entries with new time settings.

CSCsy27389

On wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.

This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.

Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.

CSCsz34522

If a host is authenticated in the data VLAN, the STP state of the VLAN is blocked.

Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.

The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.

Workaround: Enter shut, then no shut on the port.

CSCta04665

On a Layer 2 port (that is, a switchport) of Supervisor Engine II+ thru V-10GE, the
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.

Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.

CSCta16492

When using dynamic policy installation for a client or host that is authenticated on a secure port, the traffic from the client is not permitted even though the permit ip any any command is specified as the dynamic policy for the client.

This occurs only if the following conditions are satisfied:

Multi-host mode configured on the port with the authentication host-mode multi-host command.

Default ACL (the IP access-list) configured on the interface specifies deny ip any any.

Dynamic policy authorization for the client specifies permit ip any any.

Workaround: None.

CSCsz63739

If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines.

Workaround: None.

Despite the different default value, you can configure any value in the time range.

CSCte51948

If you observe a periodic increase in call or packet drops and a constant decrease in free memory available in your switch, you could use the show memory debug leak command. However, this command is CPU intensive; it might tear down your call or data session if used on live network.

The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete.

Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986

A switch might fail an ftp to a dhcp-snooping file if the file's size is 0 Kb.

Workaround: When creating the file, enter some characters, remove the ftp command, then re-enter it as follows:

Switch(config)# no ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.$
Switch(config)# ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.log
 
 

CSCsk38763

When you load an unsupported Catalyst 4500 software version on WS-C4507R+E and WS-C4510R+E, the following log messages are seen and none of the ports come up:

"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type" 
Or
"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type"
 
 
"%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 
14" (where n is a slot number)
 
 

Workaround: Load Cisco IOS Release 12.2(54)SG or 12.2(53)SG4 on WS-C4507R+E and WS-C4510R+E.

CSCtl70275

When you load software images earlier than Cisco IOS Release 12.2(53)SG4, 12.54(SG) or 15.0(1)SG on a redundant WS-C4510R+E or WS-C4507R+E chassis, the active supervisor engines displays the following log message:

%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type
 
 

The active supervisor engine also displays following log message for each linecard slot in the chassis:

%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 
14
 
 

where n is the slot number

If the standby supervisor engine boots, the active supervisor engine displays the following message and reboots:

%C4K_REDUNDANCY-2-POSTFAIL_RESET: Power-On Self Test (POST) failure on ACTIVE 
supervisor detected. Detected the Standby Supervisor bootupFailed
 
 

While active supervisor engine is up, no traffic can be handled by the switch.

The two supervisor engines might alternately reboot continuously.

Workaround: Use Cisco IOS Release 12.2(53)SG4, 12.2(54)SG, 15.0(1)SG or later images with WS-C4510R+E and WS-C4507R+E chassis.

CSCtl84092

If a port is configured for Private VLAN and is authorized in a guest VLAN, a traceback appears on the console.

Workaround: None.

CSCtq73579

If you use AAA accounting with the broadcast keyword, a switch may either display unpredictable behavior or crash.

Workaround: Do not use AAA accounting with the broadcast keyword. CSCts56125

A vulnerability exists in the Cisco IOS software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.

Products that are not running Cisco IOS software are not vulnerable.

Cisco has released free software updates that address these vulnerabilities.

The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.

This advisory is available at the following link:


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai

Additional information on Cisco's security vulnerability policy can be found at the URL:


http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

CSCtr91106

A switch operating as a DHCP server where sessions receive DHCP information from a RADIUS server may experience a crash and DHCP related errors.

Workaround: None. CSCtj48387

A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp


Note The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.


Individual publication links are in ''Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication'' at the following link:


http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

CSCtr28857

A switch crashes after displaying the message:

%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown 
MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.
 
 

provided the following conditions apply:

A switchport is configured with the following:

authentication event server dead action authorize...

authenticaton event server alive action reinitalize

The RADIUS server was down previously, and a port without traffic (for example, a hub with no devices attached) was authorized into the inaccessible authentication bypass (IAB) VLAN without an associated MAC address.

The RADIUS server becomes available again, and the IAB-authorized port transitions to another state.

Workaround: None. CSCtx61557

When a trunk port is configured with a native VLAN other than VLAN 1, REP packets are not sent on that VLAN.

Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521

Resolved Caveats in Cisco IOS Release 12.2(53)SG5

This section lists the resolved caveats in Release 12.2(53)SG5:

When you specify a proxy ACL ACE with an extra space, the proxy ACL is not programmed for authenticated and authorized hosts.

Workarounds:

Do not provide an extra space while specifying a proxy ACL ACE.

Use a Downloadable ACL or a Filter-ID ACL rather than a proxy ACL. CSCtk67010

When reconnecting to a switch using IP device tracking, a Windows Vista, Windows 2008, or Windows 2007 device registers a duplicate address message.

Workaround: Disable gratuitous ARP on the Windows device. CSCtn27420

802.1X supplicants connected to ports in a guest VLAN fail the initial authentication.

Workarounds:

Configure the supplicant to retry 802.1X.

Connect or disconnect to the port. CSCtl89361

The switch crashes when AAA accounting packets are generated for web authentications.

Workaround: Disable AAA accounting. CSCtl77241

When IP SLA probes are configured and active for a period of 72 weeks, and you poll the rttmon mib for probe statistics, the router reloads.

The problem is not observed for another 72 weeks.

Workaround: None. CSCsl70722

If a device is connected to multiple ports on the switch and no ip routing is configured, ARP entries display in an incorrect VLAN (pv vlan appears in the entry).

Workaround: Configure ip routing. CSCtj20399

When a switch is using 802.X with web authentication, and you open an http session, you see a login screen using http, rather than https.

This happens only if you use a custom banner configured like the following:

ip auth-proxy auth-proxy-banner http ^C Custom Banner here ^C
 
 

Workaround: Remove the custom banner. CSCtb77378

If you change the authentication method for a client to webauth before removing the fallback configuration, web authentication is triggered.

Workarounds:

Reconfigure 802.1X with the no dot1x pae authenticator/dot1x pae authenticator command.

Reload the switch. CSCtd43793

LLDP packets are sent (.1q) tagged when the native VLAN of the of the dot1q trunk is not the default (VLAN 1).

LLDP IEEE standard requires frames sent untagged. With this issue, some peer devices may reject the tagged LLDP frame.

Workaround: Use the default native VLAN for the trunks. CSCtn29321

When a redundant power supply is turned off, ciscoEnvMonAlarmContacts returns 00 even though the LED on the supervisor engine is orange.

Workaround: If you include snmp-server enable traps envmon in the device configuration, a ciscoEnvMonSuppStatusChangeNotification is generated when the power supply either turns off or fails. CSCtl72109

A switch might crash if ip cef accounting non-recursive is configured and BGP routes are being supplied.

Workaround: Disable IP cef accounting. CSCtn68186

A port channel will not establish correctly if the following conditions apply:

vlan dot1q tag native is configured.

Either the native VLAN is not allowed on the trunk, or the peer does not accept tagged channel protocol packets.

Workaround: None. CSCtj90471

A power supply can be listed as removed, but continues to function normally. This behavior is illustrated by the following system messages:

%C4K_IOSMODPORTMAN-4-POWERSUPPLYREMOVED: Power supply 1 has been removed
%C4K_CHASSIS-3-INSUFFICIENTPOWERSUPPLIESDETECTED: Insufficient power supplies present 
for specified configuration
%C4K_CHASSIS-2-INSUFFICIENTPOWERDETECTED: Insufficient power available for the 
 
 

Workaround: None. CSCtn38000

High CPU results from constant MAC learning when multiple REP rings are used, each with a different VLAN list.

Workaround: Ensure that all trunk ports in the REP ring topology have the same list of VLANs, including ports in other REP rings that export STCNs into the REP ring where the problem is observed. CSCto67625

DHCP clients renewing through a load-balanced DHCP relay on an unnumbered interface may be unable to renew their lease because the renew ACK is lost.

Workaround: Avoid using DHCP load balancing. CSCth00482

If a switch is configured for multiple authentication host-mode, and an interface on that switch is configured for 802.1X, that interface disallows unidirectional port control, breaking the functionality of Wake on LAN.

Workaround: Use a different host-mode. CSCti92970

A memory leak caused by corrupted SSH packets is detected in SSH process during internal testing.

Workaround: Allow SSH connections only from trusted hosts. CSCth87458

If you provide extra space anywhere in between while specifying a proxy ACL ACE, the proxy ACL is not programmed for authenticated and authorized hosts.

Workarounds

Do not provide any extra space while specifying a proxy ACL ACE.

Use DACL or Filter-Id ACL instead of proxy ACLs. CSCtk67010

In multi-auth mode, when you disconnect a PC behind a Cisco IP phone, the data session is not removed.

This behavior is anticipated. In multi-auth mode, the system cannot distinguish between the data client that is attached to the phone and those that are attached to the switch through a hub.

Workaround: None. CSCtd70009

A switch crashes when you use no set extcommunity cost to remove set extcommunity cost in a route-map and you enter show run.

Workaround: Remove the entire route-map and re-create it. CSCsr23563

On a SSH and telnet-configured switch, if you configure a banner, then SSH to the router, the banner shows incorrectly:

pqiu@apt-cse-613% ssh cisco@10.66.79.211
"$(hostname) via line $(line) $(line-desc)"
 
 

Here is how you configured the banner:

banner login ^CC
$(hostname) via line $(line) $(line-desc)
^C
!
 
 

If you telnet to the router, the banner shows correctly as follows:

"SV-9-5 via line 67"
 
 

Workaround: None. CSCei24145

After you boot a reloaded switch in a REP ring topology, the soon-to-be alternate port forwards traffic and causes a loop. This continues until you enter shut and no shut on the alternate port.

Workaround: Enter shut and no shut on the alternate interface. CSCtn03533

If a static route is configured for an RP address that is reachable from a directly connected network, the switch does not send a PIM register toward the RP.

Workaround: Avoid configuring overlapping IP addresses. CSCtj96095

Open Caveats in Cisco IOS Release 12.2(53)SG4

This section lists the open caveats in Cisco IOS Release 12.2(53)SG4:

In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:

Switch# sh policy-map int
  FastEthernet3/2 
 
   Service-policy output: p1
 
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
 
 

Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID
Old QueueName
New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log


Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:

Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
 
 

(CSCsc94802)

To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

Configure the correct default gateway on the host side. (CSCse75660)

When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

After a reload, copy the startup-config to the running-config.

Use a loopback interface as the target of the ip unnumbered command

Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:

%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
 
 

Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:

Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
 
 

Workaround: None. (CSCso68331)

When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)

The CTS SXP cts sxp default password mypassword configuration command does not work when you configure type 6 password encryption on the switch.

Workarounds: Use either of the following to set the sxp default password:

Use clear text (non encryption)

Type 7 password encryption

(CSCsv33006)

Duplicate serial number error messages are reported on switching One X Convertor with SFP+, SFP+, X2 to another port, the inserted port enters a faulty status.

This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.

Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)

On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface.

(CSCso50921)

VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

CTS SXP connection with a default password may cause the following message to display on the console because of bad TCP authentication:

*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 
2.2.2.1(64999)
 
 

This issue is seen when the default SXP password is encrypted with type-6 encryption.

Workaround: Do one of the following:

Use type 7 password encryption to encrypt the default SXP password

Don't enable password encryption and allow the default SXP password to set in clear text.

(CSCsv33136)

If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.

Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:

a. Reconfigure the VLAN Load Balancing configuration on the desired REP ports.

b. Shut any one REP port in the segment to cause a failure in that segment.

c. No-shut that port to restore normal REP topology with one ALT port.

d. Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.

(CSCsv69853)

After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:

%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
 
 

This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.

Workaround: None. CSCsy72343

When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a Security violation is wrongly flagged.

Workaround: None.

CSCsy38640

When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters are increment correctly but the byte counters remain 0.

Workaround: None.

CSCsu35604

When you request an on demand Call Home message send without specifying a profile name & the specified module returns an unknown diagnostic result, the following error message displays:

Switch# call-home send alert-group diagnostic module 2 
Sending diagnostic info call-home message ...
Please wait. This may take some time ...
Switch#
*Jan  3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand 
message failed to send (ERR 18, The alert group is not subscribed)
 
 

Workaround: Specify a profile name when you enter the diagnostic command.

You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.

CSCsz05888

If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the
show policy-map interface command are wrong.

Workaround: None.

The queue transmit counters as well as the policing statistics (if any) are correct.

CSCsz20149

Packets entering a switch as fragments or with a non-zero fragment offset field are not be subjected to PBR.

Workaround: None.

CSCsz06719

When you configure EnergyWise power control on PoE ports with a time-based execution schedule, time entry executes without adjusting for daylight savings time.

Workaround: Manually re-enter all entries with new time settings.

CSCsy27389

On wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.

This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.

Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.

CSCsz34522

If a host is authenticated in the data VLAN, the STP state of the VLAN is blocked.

Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.

The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.

Workaround: Enter shut, then no shut on the port.

CSCta04665

On a Layer 2 port (that is, a switchport) of Supervisor Engine II+ thru V-10GE, the
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.

Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.

CSCta16492

When using dynamic policy installation for a client or host that is authenticated on a secure port, the traffic from the client is not permitted even though the permit ip any any command is specified as the dynamic policy for the client.

This occurs only if the following conditions are satisfied:

Multi-host mode configured on the port with the authentication host-mode multi-host command.

Default ACL (the IP access-list) configured on the interface specifies deny ip any any.

Dynamic policy authorization for the client specifies permit ip any any.

Workaround: None.

CSCsz63739

If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines.

Workaround: None.

Despite the different default value, you can configure any value in the time range.

CSCte51948

If you observe a periodic increase in call or packet drops and a constant decrease in free memory available in your switch, you could use the show memory debug leak command. However, this command is CPU intensive; it might tear down your call or data session if used on live network.

The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete.

Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986

A switch might fail an ftp to a dhcp-snooping file if the file's size is 0 Kb.

Workaround: When creating the file, enter some characters, remove the ftp command, then re-enter it as follows:

Switch(config)# no ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.$
Switch(config)# ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.log
 
 

CSCsk38763

When you load an unsupported Catalyst 4500 software version on WS-C4507R+E and WS-C4510R+E, the following log messages are seen and none of the ports come up:

"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type" 
Or
"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type"
 
 
"%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 
14" (where n is a slot number)
 
 

Workaround: Load Cisco IOS Release 12.2(54)SG or 12.2(53)SG4 on WS-C4507R+E and WS-C4510R+E.

CSCtl70275

A proxy ACL is not programmed for authenticated and authorized hosts, when you specify a proxy ACL ACE with an extra space

Workarounds:

Do not provide an extra space while specifying a proxy ACL ACE.

Use a Downloadable ACL or a Filter-ID ACL instead of a proxy ACL.

CSCtk67010

When you load software images earlier than Cisco IOS Release 12.2(53)SG4, 12.54(SG) or 15.0(1)SG on a redundant WS-C4510R+E or WS-C4507R+E chassis, the active supervisor engines displays the following log message:

%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is 
WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type
 
 

The active supervisor engine also displays following log message for each linecard slot in the chassis:

%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 
14
 
 

where n is the slot number

If the standby supervisor engine boots, the active supervisor engine displays the following message and reboots:

%C4K_REDUNDANCY-2-POSTFAIL_RESET: Power-On Self Test (POST) failure on ACTIVE 
supervisor detected. Detected the Standby Supervisor bootupFailed
 
 

While active supervisor engine is up, no traffic can be handled by the switch.

The two supervisor engines might alternately reboot continuously.

Workaround: Use Cisco IOS Release 12.2(53)SG4, 12.2(54)SG, 15.0(1)SG or later images with WS-C4510R+E and WS-C4507R+E chassis.

CSCtl84092

A switch may crash while loading BGP routes if the ip cef accounting non-recursive command is already configured.

Workaround: Disable the ip cef accounting non-recursive command.

(CSCtn68186)

If you use AAA accounting with the broadcast keyword, a switch may either display unpredictable behavior or crash.

Workaround: Do not use AAA accounting with the broadcast keyword. CSCts56125

A vulnerability exists in the Cisco IOS software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.

Products that are not running Cisco IOS software are not vulnerable.

Cisco has released free software updates that address these vulnerabilities.

The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.

This advisory is available at the following link:


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai

Additional information on Cisco's security vulnerability policy can be found at the URL:


http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

CSCtr91106

A switch operating as a DHCP server where sessions receive DHCP information from a RADIUS server may experience a crash and DHCP related errors.

Workaround: None. CSCtj48387

A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp


Note The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.


Individual publication links are in ''Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication'' at the following link:


http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

CSCtr28857

A switch crashes after displaying the message:

%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown 
MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.
 
 

provided the following conditions apply:

A switchport is configured with the following:

authentication event server dead action authorize...

authenticaton event server alive action reinitalize

The RADIUS server was down previously, and a port without traffic (for example, a hub with no devices attached) was authorized into the inaccessible authentication bypass (IAB) VLAN without an associated MAC address.

The RADIUS server becomes available again, and the IAB-authorized port transitions to another state.

Workaround: None. CSCtx61557

When a trunk port is configured with a native VLAN other than VLAN 1, REP packets are not sent on that VLAN.

Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521

After TCAM resources are first exhausted, then freed, CPU remains high.

Workaround: Reconfigure ACLs on all interfaces.CSCuf93866

Resolved Caveats in Cisco IOS Release 12.2(53)SG4

This section lists the resolved caveats in Release 12.2(53)SG4:

If you are using a large custom Webauth login page on a switch running Cisco IOS Release 12.2(53)SG3 or IOS-XE 3.1.0 SG and multiple user are trying to access custom HTML pages, the switch might reload.

Workaround: Unconfigure the customized HTML page to use default internal Webauth pages and reload the switch after changing the configuration. CSCti81874

When you remove an SFP+ from a OneX converter in a X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in Duplicate Seeprom error message.

Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:

Enter any commands for that port.

Insert an SFP+ in that port.

Reinsert the removed SFP+ in any other port.

(CSCsv90044)

Open Caveats in Cisco IOS Release 12.2(53)SG3

This section lists the open caveats in Cisco IOS Release 12.2(53)SG3:

In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:

Switch# sh policy-map int
  FastEthernet3/2 
 
   Service-policy output: p1
 
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
 
 

Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID
Old QueueName
New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log


Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:

Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
 
 

(CSCsc94802)

To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

Configure the correct default gateway on the host side. (CSCse75660)

When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

After a reload, copy the startup-config to the running-config.

Use a loopback interface as the target of the ip unnumbered command

Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:

%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
 
 

Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:

Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
 
 

Workaround: None. (CSCso68331)

When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)

The CTS SXP cts sxp default password mypassword configuration command does not work when you configure type 6 password encryption on the switch.

Workarounds: Use either of the following to set the sxp default password:

Use clear text (non encryption)

Type 7 password encryption

(CSCsv33006)

Duplicate serial number error messages are reported on switching One X Convertor with SFP+, SFP+, X2 to another port, the inserted port enters a faulty status.

This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.

Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)

On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface.

(CSCso50921)

VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

When you remove an SFP+ from a OneX converter in a X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in Duplicate Seeprom error message.

Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:

Enter any commands for that port.

Insert an SFP+ in that port.

Reinsert the removed SFP+ in any other port.

(CSCsv90044)

CTS SXP connection with a default password may cause the following message to display on the console because of bad TCP authentication:

*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 
2.2.2.1(64999)
 
 

This issue is seen when the default SXP password is encrypted with type-6 encryption.

Workaround: Do one of the following:

Use type 7 password encryption to encrypt the default SXP password

Don't enable password encryption and allow the default SXP password to set in clear text.

(CSCsv33136)

If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.

Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:

a. Reconfigure the VLAN Load Balancing configuration on the desired REP ports.

b. Shut any one REP port in the segment to cause a failure in that segment.

c. No-shut that port to restore normal REP topology with one ALT port.

d. Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.

(CSCsv69853)

After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:

%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
 
 

This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.

Workaround: None. CSCsy72343

When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a Security violation is wrongly flagged.

Workaround: None.

CSCsy38640

When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters are increment correctly but the byte counters remain 0.

Workaround: None.

CSCsu35604

When you request an on demand Call Home message send without specifying a profile name & the specified module returns an unknown diagnostic result, the following error message displays:

Switch# call-home send alert-group diagnostic module 2 
Sending diagnostic info call-home message ...
Please wait. This may take some time ...
Switch#
*Jan  3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand 
message failed to send (ERR 18, The alert group is not subscribed)
 
 

Workaround: Specify a profile name when you enter the diagnostic command.

You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.

CSCsz05888

If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the
show policy-map interface command are wrong.

Workaround: None.

The queue transmit counters as well as the policing statistics (if any) are correct.

CSCsz20149

Packets entering a switch as fragments or with a non-zero fragment offset field are not be subjected to PBR.

Workaround: None.

CSCsz06719

When you configure EnergyWise power control on PoE ports with a time-based execution schedule, time entry executes without adjusting for daylight savings time.

Workaround: Manually re-enter all entries with new time settings.

CSCsy27389

On wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.

This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.

Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.

CSCsz34522

If a host is authenticated in the data VLAN, the STP state of the VLAN is blocked.

Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.

The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.

Workaround: Enter shut, then no shut on the port.

CSCta04665

On a Layer 2 port (that is, a switchport) of Supervisor Engine II+ thru V-10GE, the
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.

Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.

CSCta16492

When using dynamic policy installation for a client or host that is authenticated on a secure port, the traffic from the client is not permitted even though the permit ip any any command is specified as the dynamic policy for the client.

This occurs only if the following conditions are satisfied:

Multi-host mode configured on the port with the authentication host-mode multi-host command.

Default ACL (the IP access-list) configured on the interface specifies deny ip any any.

Dynamic policy authorization for the client specifies permit ip any any.

Workaround: None.

CSCsz63739

If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines.

Workaround: None.

Despite the different default value, you can configure any value in the time range.

CSCte51948

If you observe a periodic increase in call or packet drops and a constant decrease in free memory available in your switch, you could use the show memory debug leak command. However, this command is CPU intensive; it might tear down your call or data session if used on live network.

The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete.

Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986

If you are using a large custom Webauth login page on a switch running Cisco IOS Release 12.2(53)SG3 or IOS-XE 3.1.0 SG and multiple user are trying to access custom HTML pages, the switch might reload.

Workaround: Unconfigure the customized HTML page to use default internal Webauth pages and reload the switch after changing the configuration. CSCti81874

A switch may crash while loading BGP routes if the ip cef accounting non-recursive command is already configured.

Workaround: Disable the ip cef accounting non-recursive command.

(CSCtn68186)

A switch crashes after displaying the message:

%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown 
MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.
 
 

provided the following conditions apply:

A switchport is configured with the following:

authentication event server dead action authorize...

authenticaton event server alive action reinitalize

The RADIUS server was down previously, and a port without traffic (for example, a hub with no devices attached) was authorized into the inaccessible authentication bypass (IAB) VLAN without an associated MAC address.

The RADIUS server becomes available again, and the IAB-authorized port transitions to another state.

Workaround: None. CSCtx61557

When a trunk port is configured with a native VLAN other than VLAN 1, REP packets are not sent on that VLAN.

Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521

After TCAM resources are first exhausted, then freed, CPU remains high.

Workaround: Reconfigure ACLs on all interfaces.CSCuf93866

Resolved Caveats in Cisco IOS Release 12.2(53)SG3

This section lists the resolved caveats in Release 12.2(53)SG3:

IP Router Option may not work with IGMP version 2.

Workaround: None. CSCsv42869

When you configure switchport block multicast on a switch running
Cisco IOS Release 12.2(53)SG1 or 12.2(50)SG6, Layer 2 multicast is not blocked.

Prior to Cisco IOS Release 12.2(53)SG1, 12.2(50)SG6, the switchport block multicast command would block IP Multicast, Layer 2 multicast, and broadcast traffic (CSCta61825).

Workaround: None CSCtb30327

A switch fails if you configure a PBR policy to match on prefix-list(s) instead of ACL(s).

Workaround: Configure the route map to only match on ACL(s). CSCtg22126

Under SSH configuration, when using access-class vty-login in, you cannot telnet on an interfaces in a VRF. SSH is still avail but not enabled. As documented, if the vrf-also keyword is not used in access-class, the SSH to interface in VRF will not work.

After upgrading to Cisco IOS Release 12.2(53)SG3, ensure that the vrf-also keyword follows any access-class under the SSH configuration.

Workaround: None. CSCsv86113

Open Caveats in Cisco IOS Release 12.2(53)SG2

This section lists the open caveats in Cisco IOS Release 12.2(53)SG2:

In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:

Switch# sh policy-map int
  FastEthernet3/2 
 
   Service-policy output: p1
 
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
 
 

Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID
Old QueueName
New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log


Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:

Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
 
 

(CSCsc94802)

To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

Configure the correct default gateway on the host side. (CSCse75660)

When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

After a reload, copy the startup-config to the running-config.

Use a loopback interface as the target of the ip unnumbered command

Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:

%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
 
 

Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:

Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
 
 

Workaround: None. (CSCso68331)

When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)

The CTS SXP cts sxp default password mypassword configuration command does not work when you configure type 6 password encryption on the switch.

Workarounds: Use either of the following to set the sxp default password:

Use clear text (non encryption)

Type 7 password encryption

(CSCsv33006)

Duplicate serial number error messages are reported on switching One X Convertor with SFP+, SFP+, X2 to another port, the inserted port enters a faulty status.

This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.

Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)

On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface.

(CSCso50921)

VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

When you remove an SFP+ from a OneX converter in a X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in Duplicate Seeprom error message.

Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:

Enter any commands for that port.

Insert an SFP+ in that port.

Reinsert the removed SFP+ in any other port.

(CSCsv90044)

CTS SXP connection with a default password may cause the following message to display on the console because of bad TCP authentication:

*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 
2.2.2.1(64999)
 
 

This issue is seen when the default SXP password is encrypted with type-6 encryption.

Workaround: Do one of the following:

Use type 7 password encryption to encrypt the default SXP password

Don't enable password encryption and allow the default SXP password to set in clear text.

(CSCsv33136)

IP Router Option may not work with IGMP version 2.

Workaround: None. (CSCsv42869)

If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.

Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:

a. Reconfigure the VLAN Load Balancing configuration on the desired REP ports.

b. Shut any one REP port in the segment to cause a failure in that segment.

c. No-shut that port to restore normal REP topology with one ALT port.

d. Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.

(CSCsv69853)

After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:

%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
 
 

This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.

Workaround: None. CSCsy72343

When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a Security violation is wrongly flagged.

Workaround: None.

CSCsy38640

When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters are increment correctly but the byte counters remain 0.

Workaround: None.

CSCsu35604

When you request an on demand Call Home message send without specifying a profile name & the specified module returns an unknown diagnostic result, the following error message displays:

Switch# call-home send alert-group diagnostic module 2 
Sending diagnostic info call-home message ...
Please wait. This may take some time ...
Switch#
*Jan  3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand 
message failed to send (ERR 18, The alert group is not subscribed)
 
 

Workaround: Specify a profile name when you enter the diagnostic command.

You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.

CSCsz05888

If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the
show policy-map interface command are wrong.

Workaround: None.

The queue transmit counters as well as the policing statistics (if any) are correct.

CSCsz20149

Packets entering a switch as fragments or with a non-zero fragment offset field are not be subjected to PBR.

Workaround: None.

CSCsz06719

When you configure EnergyWise power control on PoE ports with a time-based execution schedule, time entry executes without adjusting for daylight savings time.

Workaround: Manually re-enter all entries with new time settings.

CSCsy27389

On wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.

This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.

Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.

CSCsz34522

If a host is authenticated in the data VLAN, the STP state of the VLAN is blocked.

Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.

The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.

Workaround: Enter shut, then no shut on the port.

CSCta04665

On a Layer 2 port (that is, a switchport) of Supervisor Engine II+ thru V-10GE, the
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.

Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.

CSCta16492

When you configure switchport block multicast on a switch running
Cisco IOS Release 12.2(53)SG1 or 12.2(50)SG6, Layer 2 multicast is not blocked.

Prior to Cisco IOS Release 12.2(53)SG1, 12.2(50)SG6, the switchport block multicast command would block IP Multicast, Layer 2 multicast, and broadcast traffic (CSCta61825).

Workaround: None

CSCtb30327

When using dynamic policy installation for a client or host that is authenticated on a secure port, the traffic from the client is not permitted even though the permit ip any any command is specified as the dynamic policy for the client.

This occurs only if the following conditions are satisfied:

Multi-host mode configured on the port with the authentication host-mode multi-host command.

Default ACL (the IP access-list) configured on the interface specifies deny ip any any.

Dynamic policy authorization for the client specifies permit ip any any.

Workaround: None.

CSCsz63739

If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines.

Workaround: None.

Despite the different default value, you can configure any value in the time range.

CSCte51948

A switch fails if you configure a PBR policy to match on prefix-list(s) instead of ACL(s).

Workaround: Configure the route map to only match on ACL(s).

CSCtg22126

A switch may crash while loading BGP routes if the ip cef accounting non-recursive command is already configured.

Workaround: Disable the ip cef accounting non-recursive command.

(CSCtn68186)

If you use AAA accounting with the broadcast keyword, a switch may either display unpredictable behavior or crash.

Workaround: Do not use AAA accounting with the broadcast keyword. CSCts56125

A vulnerability exists in the Cisco IOS software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.

Products that are not running Cisco IOS software are not vulnerable.

Cisco has released free software updates that address these vulnerabilities.

The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.

This advisory is available at the following link:


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai

Additional information on Cisco's security vulnerability policy can be found at the URL:


http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

CSCtr91106

A switch operating as a DHCP server where sessions receive DHCP information from a RADIUS server may experience a crash and DHCP related errors.

Workaround: None. CSCtj48387

A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp


Note The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.


Individual publication links are in ''Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication'' at the following link:


http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

CSCtr28857

A switch crashes after displaying the message:

%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown 
MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.
 
 

provided the following conditions apply:

A switchport is configured with the following:

authentication event server dead action authorize...

authenticaton event server alive action reinitalize

The RADIUS server was down previously, and a port without traffic (for example, a hub with no devices attached) was authorized into the inaccessible authentication bypass (IAB) VLAN without an associated MAC address.

The RADIUS server becomes available again, and the IAB-authorized port transitions to another state.

Workaround: None. CSCtx61557

When a trunk port is configured with a native VLAN other than VLAN 1, REP packets are not sent on that VLAN.

Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521

After TCAM resources are first exhausted, then freed, CPU remains high.

Workaround: Reconfigure ACLs on all interfaces.CSCuf93866

Resolved Caveats in Cisco IOS Release 12.2(53)SG2

This section lists the resolved caveats in Release 12.2(53)SG2:

A 802.1X port enabled for multi-authentication might not begin learning the MAC address of a successfully authenticated phone.

Workaround: Configure the port in multi-domain mode (rather than multi-auth mode) with the authentication host-mode multi-domain command

CSCtb28114

A PBR policy is not honored on a Supervisor Engine 6 running Cisco IOS Release 12.2(53)SG or 12.2(52)SG. Packets are forwarded through the normal routing table instead of through policy based routing.

This is a side effect of a heavily shared path.

Workaround: None.

CSCtc90702

Upon upgrading to Cisco IOS Releases 12.2(52)SG, 12.2(52)XO, 12.2(53)SG, or 12.2(53)SG1, if the flash device name differs from the default name flash:, you might observe the following message continuously on your console:

%Error copying flash:/eem_pnt_2 (Invalid path)
 
 

Workaround: Rename the flash device to the default name flash:.

CSCte05909

MAC learning does not work with Guest VLAN, Wake-on-LAN, and port security. When these features are enabled simultaneously in an interface, MAC learning does not work; none of the packets are forwarded.

Workaround: None.

You will need to disableWake-on-LAN on the interface.

CSCtc58982

When you delete and recreate an interface, the tacking process is unable to track its state track.

Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)

When a PVLAN isolated port is connected to a router serving as a multicast source, and you enable igmp snooping, the routers connected to the isolated ports display as PIM neighbors.

Workaround: Do one of the following:

Do not attach routers to PVLAN isolated ports.

Disable igmp snooping (either globally or on the VLAN).

Do not use a router connected to PVLAN isolated port as a multicast source.

(CSCsu39009)

Egress traffic may not be allowed when 802.1X is configured as a Unidirectional Controlled Port.

Workarounds: Do one of the following:

Enter spanning-tree portfast then authentication control-direction in on a 802.1X port.

Enter shut then no shut on a 802.1X port.

(CSCsv05205)

After a .1X port is enabled for Guest VLAN, if you shut down the port connected to the RADIUS server so that the server goes dead and EAPOL packets are sent on that port, it is authorized in the access VLAN although the server is unreachable.

Workaround: Enter shut, then no shut on the port.

CSCsz63355

When a switch enabled for explicit host tracking runs IGMPv3, ports that stopped sending IGMPv3 reports are displayed in the IGMPv3 table until a timeout. This behavior didn't exist in Cisco IOS Release 12.2(50)SG..

Workaround: Disable explicit host tracking in the affected VLANs.

CSCsz28612

On a WS-C4948-10GE, on each reload or power off/on, the system clock may lose (decrease) up to 59 seconds.

All software releases up to and including Cisco IOS Releases 12.2(31)SGA9, 12.2(50)SG6 and 12,2(53)SG1 are affected.

Workaround: After rebooting the switch, adjust the system clock with the clock set command.

CSCtc65375

A switch running Cisco IOS Release 12.2(53)SG displays the message

%C4K_EBM-4-HOSTFLAPPING: happening between master loopback port and the source port during layer3 (IPv4 and IPv6) packets loop using ethernet oam (EOAM)

This message is does not impact performance.

Workaround: None.

CSCtc26043

EnergyWise is enabled and you use the energywise level level recurrence importance importance at minute hour day_of_month month day_of_week interface configuration command to configure a recurring event on a switch. After the time changes from daylight savings time to standard time, the switch might

Restart when it tries to power a PoE device

Power on or off the PoE device at an incorrect time

Fail

This occurs when the time change for the next year occurs after the time change for the current year.

Before the time change occurs, use one of these workarounds:

Remove the recurring events from the EnergyWise configuration, do not use recurring events for a week, and reconfigure them a week after the time change occurs.

Use the energywise level level recurrence importance importance time-range time-range-name interface configuration command to reschedule the events.

Use the power inline auto interface configuration command to power on the PoE port.

CSCtc91312

On a 10GE Catalyst 4948 switch, the X2-10GB-LRM link is down on boot up.

This problem is observed on images later than Cisco IOS Release 12.2(46)SG.

CSCtf26763

Open Caveats in Cisco IOS Release 12.2(53)SG1

This section lists the open caveats in Cisco IOS Release 12.2(53)SG1:

In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:

Switch# sh policy-map int
  FastEthernet3/2 
 
   Service-policy output: p1
 
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
 
 

Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID
Old QueueName
New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log


Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:

Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
 
 

(CSCsc94802)

To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

Configure the correct default gateway on the host side. (CSCse75660)

When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

After a reload, copy the startup-config to the running-config.

Use a loopback interface as the target of the ip unnumbered command

Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:

%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
 
 

Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:

Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
 
 

Workaround: None. (CSCso68331)

When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)

The CTS SXP cts sxp default password mypassword configuration command does not work when you configure type 6 password encryption on the switch.

Workarounds: Use either of the following to set the sxp default password:

Use clear text (non encryption)

Type 7 password encryption

(CSCsv33006)

Duplicate serial number error messages are reported on switching One X Convertor with SFP+, SFP+, X2 to another port, the inserted port enters a faulty status.

This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.

Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)

Certain Cisco Trusted Security (CTS) SXP connection configuration may not consistently select the best source IP for each SXP connection.

On a switch with multiple Layer 3 interfaces, if the CTS SXP connection is configured without specifying source IP address and no default SXP source IP address is configured on the box, different SXP connections may pickup different source IP address for each connection.

Workaround: Do one of the following:

Ensure that only one active Layer 3 interface exists on the switch.

Specify source the IP address in each SXP connection configuration so there is no ambiguity

Configure a default SXP source IP address so that the SXP connection without the source IP address will use this source IP address.

(CSCsv28348)

On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface.

(CSCso50921)

VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

Egress traffic may not be allowed when 802.1X is configured as a Unidirectional Controlled Port.

Workarounds: Do one of the following:

Enter spanning-tree portfast then authentication control-direction in on a 802.1X port.

Enter shut then no shut on a 802.1X port.

(CSCsv05205)

When you remove an SFP+ from a OneX converter in a X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in Duplicate Seeprom error message.

Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:

Enter any commands for that port.

Insert an SFP+ in that port.

Reinsert the removed SFP+ in any other port.

(CSCsv90044)

When a PVLAN isolated port is connected to a router serving as a multicast source, and you enable igmp snooping, the routers connected to the isolated ports display as PIM neighbors.

Workaround: Do one of the following:

Do not attach routers to PVLAN isolated ports.

Disable igmp snooping (either globally or on the VLAN).

Do not use a router connected to PVLAN isolated port as a multicast source.

(CSCsu39009)

When you delete and recreate an interface, the tacking process is unable to track its state track.

Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)

CTS SXP connection with a default password may cause the following message to display on the console because of bad TCP authentication:

*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 
2.2.2.1(64999)
 
 

This issue is seen when the default SXP password is encrypted with type-6 encryption.

Workaround: Do one of the following:

Use type 7 password encryption to encrypt the default SXP password

Don't enable password encryption and allow the default SXP password to set in clear text.

(CSCsv33136)

IP Router Option may not work with IGMP version 2.

Workaround: None. (CSCsv42869)

If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.

Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:

a. Reconfigure the VLAN Load Balancing configuration on the desired REP ports.

b. Shut any one REP port in the segment to cause a failure in that segment.

c. No-shut that port to restore normal REP topology with one ALT port.

d. Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.

(CSCsv69853)

After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:

%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
 
 

This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.

Workaround: None. CSCsy72343

When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a Security violation is wrongly flagged.

Workaround: None.

CSCsy38640

When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters are increment correctly but the byte counters remain 0.

Workaround: None.

CSCsu35604

When you request an on demand Call Home message send without specifying a profile name & the specified module returns an unknown diagnostic result, the following error message displays:

Switch# call-home send alert-group diagnostic module 2 
Sending diagnostic info call-home message ...
Please wait. This may take some time ...
Switch#
*Jan  3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand 
message failed to send (ERR 18, The alert group is not subscribed)
 
 

Workaround: Specify a profile name when you enter the diagnostic command.

You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.

CSCsz05888

When an access-list is attached to an interface under extreme hardware resource exhaustion, the ACL may not be automatically loaded into the hardware even if hardware resources later become available.

No TCAM entries are available for the new access-list.

Workaround: Manually remove and reapply the ACL after freeing hardware TCAM resources by removing or shortening other classification policies on the switch.

CSCsy85006

If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the
show policy-map interface command are wrong.

Workaround: None.

The queue transmit counters as well as the policing statistics (if any) are correct.

CSCsz20149

Packets entering a switch as fragments or with a non-zero fragment offset field are not be subjected to PBR.

Workaround: None.

CSCsz06719

After a .1X port is enabled for Guest VLAN, if you shut down the port connected to the RADIUS server so that the server goes dead and EAPOL packets are sent on that port, it is authorized in the access VLAN although the server is unreachable.

Workaround: Enter shut, then no shut on the port.

CSCsz63355

When a switch enabled for explicit host tracking runs IGMPv3, ports that stopped sending IGMPv3 reports are displayed in the IGMPv3 table until a timeout. This behavior didn't exist in Cisco IOS Release 12.2(50)SG..

Workaround: Disable explicit host tracking in the affected VLANs.

CSCsz28612

On wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.

This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.

Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.

CSCsz34522

If a host is authenticated in the data VLAN, the STP state of the VLAN is blocked.

Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.

The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.

Workaround: Enter shut, then no shut on the port.

CSCta04665

On a Layer 2 port (that is, a switchport) of Supervisor Engine II+ thru V-10GE, the
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.

Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.

CSCta16492

A 802.1X port enabled for multi-authentication might not begin learning the MAC address of a successfully authenticated phone.

Workaround: Configure the port in multi-domain mode (rather than multi-auth mode) with the authentication host-mode multi-domain command

CSCtb28114

On a WS-C4948-10GE, on each reload or power off/on, the system clock may lose (decrease) up to 59 seconds.

All software releases up to and including Cisco IOS Releases 12.2(31)SGA9, 12.2(50)SG6 and 12,2(53)SG1 are affected.

Workaround: After rebooting the switch, adjust the system clock with the clock set command.

CSCtc65375

When you configure switchport block multicast on a switch running
Cisco IOS Release 12.2(53)SG1 or 12.2(50)SG6, Layer 2 multicast is not blocked.

Prior to Cisco IOS Release 12.2(53)SG1, 12.2(50)SG6, the switchport block multicast command would block IP Multicast, Layer 2 multicast, and broadcast traffic (CSCta61825).

Workaround: None

CSCtb30327

A switch running Cisco IOS Release 12.2(53)SG displays the message

%C4K_EBM-4-HOSTFLAPPING: happening between master loopback port and the source port during layer3 (IPv4 and IPv6) packets loop using ethernet oam (EOAM)

This message is does not impact performance.

Workaround: None.

CSCtc26043

When using dynamic policy installation for a client or host that is authenticated on a secure port, the traffic from the client is not permitted even though the permit ip any any command is specified as the dynamic policy for the client.

This occurs only if the following conditions are satisfied:

Multi-host mode configured on the port with the authentication host-mode multi-host command.

Default ACL (the IP access-list) configured on the interface specifies deny ip any any.

Dynamic policy authorization for the client specifies permit ip any any.

Workaround: None.

CSCsz63739

EnergyWise is enabled and you use the energywise level level recurrence importance importance at minute hour day_of_month month day_of_week interface configuration command to configure a recurring event on a switch. After the time changes from daylight savings time to standard time, the switch might

Restart when it tries to power a PoE device

Power on or off the PoE device at an incorrect time

Fail

This occurs when the time change for the next year occurs after the time change for the current year.

Before the time change occurs, use one of these workarounds:

Remove the recurring events from the EnergyWise configuration, do not use recurring events for a week, and reconfigure them a week after the time change occurs.

Use the energywise level level recurrence importance importance time-range time-range-name interface configuration command to reschedule the events.

Use the power inline auto interface configuration command to power on the PoE port.

CSCtc91312

Upon upgrading to Cisco IOS Releases 12.2(52)SG, 12.2(52)XO, 12.2(53)SG, or 12.2(53)SG1, if the flash device name differs from the default name flash:, you might observe the following message continuously on your console:

%Error copying flash:/eem_pnt_2 (Invalid path)
 
 

Workaround: Rename the flash device to the default name flash:.

CSCte05909

If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines.

Workaround: None.

Despite the different default value, you can configure any value in the time range.

CSCte51948

A switch may crash while loading BGP routes if the ip cef accounting non-recursive command is already configured.

Workaround: Disable the ip cef accounting non-recursive command.

(CSCtn68186)

If you use AAA accounting with the broadcast keyword, a switch may either display unpredictable behavior or crash.

Workaround: Do not use AAA accounting with the broadcast keyword. CSCts56125

A vulnerability exists in the Cisco IOS software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.

Products that are not running Cisco IOS software are not vulnerable.

Cisco has released free software updates that address these vulnerabilities.

The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.

This advisory is available at the following link:


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai

Additional information on Cisco's security vulnerability policy can be found at the URL:


http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

CSCtr91106

A switch operating as a DHCP server where sessions receive DHCP information from a RADIUS server may experience a crash and DHCP related errors.

Workaround: None. CSCtj48387

A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp


Note The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.


Individual publication links are in ''Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication'' at the following link:


http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

CSCtr28857

A switch crashes after displaying the message:

%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown 
MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.
 
 

provided the following conditions apply:

A switchport is configured with the following:

authentication event server dead action authorize...

authenticaton event server alive action reinitalize

The RADIUS server was down previously, and a port without traffic (for example, a hub with no devices attached) was authorized into the inaccessible authentication bypass (IAB) VLAN without an associated MAC address.

The RADIUS server becomes available again, and the IAB-authorized port transitions to another state.

Workaround: None. CSCtx61557

When a trunk port is configured with a native VLAN other than VLAN 1, REP packets are not sent on that VLAN.

Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521

After TCAM resources are first exhausted, then freed, CPU remains high.

Workaround: Reconfigure ACLs on all interfaces.CSCuf93866

Resolved Caveats in Cisco IOS Release 12.2(53)SG1

This section lists the resolved caveats in Release 12.2(53)SG1:

When a service-policy is attached to a port-channel and that service-policy is configured to match CPU generated packets, the classification statistics do not increment for the CPU generated packets.

Workaround: Configure an access-list to permit the CPU generated packets and apply the ACL to the class-map.

CSCsy43967

When you configure EnergyWise power control on PoE ports with a time-based execution schedule, time entry executes without adjusting for daylight savings time.

Workaround: Manually re-enter all entries with new time settings.

CSCsy27389

If many ARP entries (47k) exist and you clear the ARP table, the system reloads and the switch crashes with the message:

ROM by abort at PC 0x0
 
 

Workaround: None.

Downgrade to Cisco IOS Release 12.2(50)SG3 if needed.

CSCta49512

On a switch running Cisco IOS Release 12.2(50)SG or 12.2(52)SG, when an 802.1X port configured with PVLAN community VLAN receives a new PVLAN assignment from the AAA server, resetting the configuration on this interface may cause the switch to reload.

Workaround: None.

CSCsz38442

When the vlan-port state changes on flexlink ports, the following two messages appear on the console:

A syslog warning message "%SM-4-BADEVENT: Event 'forward' is invalid for the current 
state 'present': pm_vp .."
 
 
A traceback error message
 
 

This issue happens only on flexlink ports under the following two scenarios:

You configure flexlink vlan load balancing before changing the port mode of a backup interface to trunk mode.

Flexlink recovers from per vlan-port error disable states.

Workaround: None

The syslog and Traceback do not impact functionality. Flexlink states end up with correct states and there is no impact on traffic forwarding.

CSCta05317

Per vlan-port error disable features (dhcp-rate-limit and arp-inspection) do not work on flexlink (without VLAN load balancing). When a violation occurs on the Active link, the corresponding vlan-port will not be error disabled.

The existing per-port error disable (that is, when a violation happens, the entire port will be error disabled) still works on flexlink.

Workaround: Use flexlink with VLAN load balancing.

If you do not want to use vlan load balancing, then enter the
switchport backup interface perfer vlan command on the Active interface, where vlan z is set to an unused vlan on the system

CSCta76320

If you enable VTP pruning after a switch is moved to VTP version 3, VLAN pruning does not happen on the trunks.

Workaround: Change the VTP version from 3 to version 2 or 1 and then revert to version 3.

CSCsy66803

If a switch running Cisco IOS Release 12.2(52)SG receives MPLS packets, SA miss and host learning will cause high CPU.

Workarounds:

Enter the mac address-table dynamic group protocols ip other command.

Configure a static MAC address.

CSCta09651

When you configure EnergyWise power control on PoE ports with a time-based execution schedule, time entry executes without adjusting for daylight savings time.

Workaround: Manually re-enter all entries with new time settings.

CSCsy27389

Open Caveats in Cisco IOS Release 12.2(53)SG

This section lists the open caveats in Cisco IOS Release 12.2(53)SG:

In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:

Switch# sh policy-map int
  FastEthernet3/2 
 
   Service-policy output: p1
 
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
 
 

Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID
Old QueueName
New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log


Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:

Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
 
 

(CSCsc94802)

To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

Configure the correct default gateway on the host side. (CSCse75660)

When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

After a reload, copy the startup-config to the running-config.

Use a loopback interface as the target of the ip unnumbered command

Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:

%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
 
 

Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:

Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
 
 

Workaround: None. (CSCso68331)

When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)

The CTS SXP cts sxp default password mypassword configuration command does not work when you configure type 6 password encryption on the switch.

Workarounds: Use either of the following to set the sxp default password:

Use clear text (non encryption)

Type 7 password encryption

(CSCsv33006)

Duplicate serial number error messages are reported on switching One X Convertor with SFP+, SFP+, X2 to another port, the inserted port enters a faulty status.

This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.

Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)

Certain Cisco Trusted Security (CTS) SXP connection configuration may not consistently select the best source IP for each SXP connection.

On a switch with multiple Layer 3 interfaces, if the CTS SXP connection is configured without specifying source IP address and no default SXP source IP address is configured on the box, different SXP connections may pickup different source IP address for each connection.

Workaround: Do one of the following:

Ensure that only one active Layer 3 interface exists on the switch.

Specify source the IP address in each SXP connection configuration so there is no ambiguity

Configure a default SXP source IP address so that the SXP connection without the source IP address will use this source IP address.

(CSCsv28348)

On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface.

(CSCso50921)

VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

Egress traffic may not be allowed when 802.1X is configured as a Unidirectional Controlled Port.

Workarounds: Do one of the following:

Enter spanning-tree portfast then authentication control-direction in on a 802.1X port.

Enter shut then no shut on a 802.1X port.

(CSCsv05205)

When you remove an SFP+ from a OneX converter in a X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in Duplicate Seeprom error message.

Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:

Enter any commands for that port.

Insert an SFP+ in that port.

Reinsert the removed SFP+ in any other port.

(CSCsv90044)

When a PVLAN isolated port is connected to a router serving as a multicast source, and you enable igmp snooping, the routers connected to the isolated ports display as PIM neighbors.

Workaround: Do one of the following:

Do not attach routers to PVLAN isolated ports.

Disable igmp snooping (either globally or on the VLAN).

Do not use a router connected to PVLAN isolated port as a multicast source.

(CSCsu39009)

When you delete and recreate an interface, the tacking process is unable to track its state track.

Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)

CTS SXP connection with a default password may cause the following message to display on the console because of bad TCP authentication:

*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 
2.2.2.1(64999)
 
 

This issue is seen when the default SXP password is encrypted with type-6 encryption.

Workaround: Do one of the following:

Use type 7 password encryption to encrypt the default SXP password

Don't enable password encryption and allow the default SXP password to set in clear text.

(CSCsv33136)

IP Router Option may not work with IGMP version 2.

Workaround: None. (CSCsv42869)

If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.

Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:

a. Reconfigure the VLAN Load Balancing configuration on the desired REP ports.

b. Shut any one REP port in the segment to cause a failure in that segment.

c. No-shut that port to restore normal REP topology with one ALT port.

d. Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.

(CSCsv69853)

After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:

%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
 
 

This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.

Workaround: None. CSCsy72343

When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a Security violation is wrongly flagged.

Workaround: None.

CSCsy38640

When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters are increment correctly but the byte counters remain 0.

Workaround: None.

CSCsu35604

If you enable VTP pruning after a switch is moved to VTP version 3, VLAN pruning does not happen on the trunks.

Workaround: Change the VTP version from 3 to version 2 or 1 and then revert to version 3.

CSCsy66803

When you request an on demand Call Home message send without specifying a profile name & the specified module returns an unknown diagnostic result, the following error message displays:

Switch# call-home send alert-group diagnostic module 2 
Sending diagnostic info call-home message ...
Please wait. This may take some time ...
Switch#
*Jan  3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand 
message failed to send (ERR 18, The alert group is not subscribed)
 
 

Workaround: Specify a profile name when you enter the diagnostic command.

You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.

CSCsz05888

When an access-list is attached to an interface under extreme hardware resource exhaustion, the ACL may not be automatically loaded into the hardware even if hardware resources later become available.

No TCAM entries are available for the new access-list.

Workaround: Manually remove and reapply the ACL after freeing hardware TCAM resources by removing or shortening other classification policies on the switch.

CSCsy85006

If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the
show policy-map interface command are wrong.

Workaround: None.

The queue transmit counters as well as the policing statistics (if any) are correct.

CSCsz20149

On a switch running Cisco IOS Release 12.2(50)SG or 12.2(52)SG, when an 802.1X port configured with PVLAN community VLAN receives a new PVLAN assignment from the AAA server, resetting the configuration on this interface may cause the switch to reload.

Workaround: None.

CSCsz38442

Packets entering a switch as fragments or with a non-zero fragment offset field are not be subjected to PBR.

Workaround: None.

CSCsz06719

After a .1X port is enabled for Guest VLAN, if you shut down the port connected to the RADIUS server so that the server goes dead and EAPOL packets are sent on that port, it is authorized in the access VLAN although the server is unreachable.

Workaround: Enter shut, then no shut on the port.

CSCsz63355

When you configure EnergyWise power control on PoE ports with a time-based execution schedule, time entry executes without adjusting for daylight savings time.

Workaround: Manually re-enter all entries with new time settings.

CSCsy27389

When a switch enabled for explicit host tracking runs IGMPv3, ports that stopped sending IGMPv3 reports are displayed in the IGMPv3 table until a timeout. This behavior didn't exist in Cisco IOS Release 12.2(50)SG..

Workaround: Disable explicit host tracking in the affected VLANs.

CSCsz28612

On wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.

This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.

Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.

CSCsz34522

If a host is authenticated in the data VLAN, the STP state of the VLAN is blocked.

Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.

The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.

Workaround: Enter shut, then no shut on the port.

CSCta04665

On a Layer 2 port (that is, a switchport) of Supervisor Engine II+ thru V-10GE, the
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.

Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.

CSCta16492

When the vlan-port state changes on flexlink ports, the following two messages appear on the console:

A syslog warning message "%SM-4-BADEVENT: Event 'forward' is invalid for the current 
state 'present': pm_vp .."
 
 
A traceback error message
 
 

This issue happens only on flexlink ports under the following two scenarios:

You configure flexlink vlan load balancing before changing the port mode of a backup interface to trunk mode.

Flexlink recovers from per vlan-port error disable states.

Workaround: None

The syslog and Traceback do not impact functionality. Flexlink states end up with correct states and there is no impact on traffic forwarding.

CSCta05317

Per vlan-port error disable features (dhcp-rate-limit and arp-inspection) do not work on flexlink (without VLAN load balancing). When a violation occurs on the Active link, the corresponding vlan-port will not be error disabled.

The existing per-port error disable (that is, when a violation happens, the entire port will be error disabled) still works on flexlink.

Workaround: Use flexlink with VLAN load balancing.

If you do not want to use vlan load balancing, then enter the
switchport backup interface perfer vlan command on the Active interface, where vlan z is set to an unused vlan on the system

CSCta76320

When using dynamic policy installation for a client or host that is authenticated on a secure port, the traffic from the client is not permitted even though the permit ip any any command is specified as the dynamic policy for the client.

This occurs only if the following conditions are satisfied:

Multi-host mode configured on the port with the authentication host-mode multi-host command.

Default ACL (the IP access-list) configured on the interface specifies deny ip any any.

Dynamic policy authorization for the client specifies permit ip any any.

Workaround: None.

CSCsz63739

If a switch running Cisco IOS Release 12.2(52)SG receives MPLS packets, SA miss and host learning will cause high CPU.

Workarounds:

Enter the mac address-table dynamic group protocols ip other command.

Configure a static MAC address.

CSCta09651

EnergyWise is enabled and you use the energywise level level recurrence importance importance at minute hour day_of_month month day_of_week interface configuration command to configure a recurring event on a switch. After the time changes from daylight savings time to standard time, the switch might

Restart when it tries to power a PoE device

Power on or off the PoE device at an incorrect time

Fail

This occurs when the time change for the next year occurs after the time change for the current year.

Before the time change occurs, use one of these workarounds:

Remove the recurring events from the EnergyWise configuration, do not use recurring events for a week, and reconfigure them a week after the time change occurs.

Use the energywise level level recurrence importance importance time-range time-range-name interface configuration command to reschedule the events.

Use the power inline auto interface configuration command to power on the PoE port.

CSCtc91312

Upon upgrading to Cisco IOS Releases 12.2(52)SG, 12.2(52)XO, 12.2(53)SG, or 12.2(53)SG1, if the flash device name differs from the default name flash:, you might observe the following message continuously on your console:

%Error copying flash:/eem_pnt_2 (Invalid path)
 
 

Workaround: Rename the flash device to the default name flash:.

CSCte05909

If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines.

Workaround: None.

Despite the different default value, you can configure any value in the time range.

CSCte51948

A switch may crash while loading BGP routes if the ip cef accounting non-recursive command is already configured.

Workaround: Disable the ip cef accounting non-recursive command.

(CSCtn68186)

If you use AAA accounting with the broadcast keyword, a switch may either display unpredictable behavior or crash.

Workaround: Do not use AAA accounting with the broadcast keyword. CSCts56125

A vulnerability exists in the Cisco IOS software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.

Products that are not running Cisco IOS software are not vulnerable.

Cisco has released free software updates that address these vulnerabilities.

The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.

This advisory is available at the following link:


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai

Additional information on Cisco's security vulnerability policy can be found at the URL:


http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

CSCtr91106

A switch operating as a DHCP server where sessions receive DHCP information from a RADIUS server may experience a crash and DHCP related errors.

Workaround: None. CSCtj48387

A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp