Release Notes for Cisco IOS Release 12.2SX

These sections list restrictions for Cisco IOS for the Catalyst 6500 series switches:

Restrictions Removed by the PFC3

The PFC3 removes these restrictions that were present with other policy feature cards:

  • You can configure features to use up to 3 different flow masks.
  • You can configure more than 1 Gateway Load Balancing Protocol (GLBP) group.
  • You can configure up to 255 unique HSRP group numbers.
  • You can configure a separate MAC address on each interface.
  • You can configure Unicast RPF check without reducing the number of available CEF entries.
  • You can configure VLAN-based QoS with DFC3s installed.
  • You can configure port-based and VLAN-based QoS on a per-port basis on the WS-X6548-RJ-45 and WS-X6548-RJ-21 switching modules.
  • You can configure QoS policy maps attached to an EtherChannel formed from interfaces on different DFC-equipped switching modules.

General Limitations and Restrictions

This section describes general limitations and restrictions:




Request for Global command to enable Syslog


HSRP/VRRP/GLBP switchover delays with switchports on DFC3A


VPN-SM-C2:Ingress traffic on Intf vlan cannot be spanned


traceback message when boot up from sup720


SNMP topology discovery caused Cat6000 high CPU utilization


Service policy marking inbound not working on SUP720


Need to port the fix of CSCsb58066 to cat6000/c7600 platform codes


L3 packet duplication with vacl capture enabled and WS-X6708 present


Multicast with L2 broadcast address is routed w/o rewriting the mac.


PBR forwards local destined packets which match ACL criteria


Some commands are not getting converted when converting vs to standalone


%ISSU_PROCESS-SP-3-SYSTEM: Not enough space in NVRAM;Fail to set bootvar


C2W2: CFM Draft1 does not support in Whitney2.0.


Traceback@ip_adm_ha_cf_get_msg_buf during reauthentication with webauth


Support for patching modular IOS images deferred


IPv6 raguad fail to drop RA pkt with hop-by-hob and auth ext hdr


CFM:W2.C-->SXI1 with cfm configs, 2MR LCs are powered down


Authentication doesnt start with traffic on link up.(Multi-auth)


MPLS ENF-ISSU : Internal VLAN not removed on downgrade


CSM not loadbalancing when a real is removed/added dynamically


W2.Clix:Multicast Service Reflect: Translation Entries missing in DFCs


W2.Clix: service reflection with short masks requires rate-limit tweak


W.Clix: missing OIF in rmcast Serv Refl with BIDIR in priv network


W2.Clix: after switchover, some groups miss ServRefl. vlans in OIF-list


W2.Clix: shutdown of VSL link causes 80 seconds mcast disruption


c2w2c: fast redirect broken on secondary portchannel id's (still)


10G SFP+: Some fields in the o/p of 'sh idprom interface' shows unspecif


Vacl capture stops on reloading legacy card.


"%FABRIC-SP-6-TIMEOUT_ERR" upon ISSU SXI4-->SXI2a, powering up the LCs


Standby Sup crashes due to bulk sync failure, Issue same as CSCsx46323


rcv queue bandwidth does not programmed in sh qm port for R2D2 rev2


standby reboots twice and comes up in rpr due to config sync fail


Module 1. LCC Client UNSOLICITED SCP failed


Tracebacks at pm_port_want_to_bundle on shut/noshut on range of mlacp po


multicast traffic drop and duplicate - DR reload


C2WA1:Ports succesfully budled in sec agg flap on modifying Po VLAN mask


Marking does not work with CoPP policy


ES40 QoS : No more than 7 classes accepted on a policy-map (Flat/HQoS)


c2wa1:Periodic High CPU due to SNMP ENGINE process with NAM in VSS setup


SGT is not assigned to webauth client even after receiving from ACS


block qos config on portchannel with same asic as vsl on load/issu


Fail to achieve more then 5gig through put on 2VTI Tunnel in VSS


ES40 QoS : cos2exp service-policy command missing in run-confg on reload


NAM3: hw-module shutdown cmd power down NAM3


c2wa1b: ERSPAN monitoring fails when routed src port is on CFC on VSS


ES40 Interface not coming UP on reload of VSS


c2wa1b:RG doesn't re-calc sys-id on changing mlacp sys-prio on a PoA


NAM3:dataport 2 not rcv traffic if same span destined to both dataports


c2wa1c: memory leak when bennu and nam are reset together.


L3 Multicast stream over VPLS affected by Link down


c2wa1c: Bennu states toggles due to autostate down on VSS


VPLS_TE_FRR_Multicast traffic is affected


SXJ2:standby reloads twice @%SATVS_IBC-SW1_SP-5-VSL_DOWN_SCP_DROP


LTL index missing post sso+rcfg (no functionality or traffic impact)


Enhanced FlexWAN (WS-X6582-2PA) silently reload during BERT w/o crashinf


EoMPLS:CWPA: per-vlan shaping does not work when egress is FlexWan


hubble: SNMP traps delayed 3-10 minutes


const2: C2MSFC3: PBR continues to fwd traffic when RPF check fails


eigrp dflt-network stays prg in h/w when route is removed


Const2:egress qos policy applied to ingressing rpf failure pkts


Berytos perf drop if sw reboot after NVRAM is cleared


MPLS: Egress ACL applied on tagged traffic


Sporadic packet drops on 6704 linecard under IPv6 Unicast Bidir flows


MVPN: multicast entries in globle table leak into VRF table


Disable egress span of vacl redirected packets


MMLS: rpdf-cache not updated when using BSR. Bidir flows SW switched


eibgp load balancing interwork with tag to ip recirculation cause loop



W2C: polling flashMIB shows wrong info with snmp mib flash cache enabled



NAT source address translation not done for PIM register packets



Able to disable IPv6 with HSRPv6 configured and the state is active



c2wa1:ISSU from SXI4a/SXI4 to later image fails due to RF progression



@SyncMutexLock_r - Blocked remote registry call from blob to ION pro



TE/FRR:FRR broken when LDP NOT enabled



ip multicast rate-limit command inadvertently removed from config



microflow policing not working with same flow on multiple input port



sh runn VRF does not show EIGRP vrf config



IPv6 stalled interface is sending HSRP-Hellos



c2wa1: crash in pdb_flushcache during unconfig



Flexwan OIR causes WS-6516-GBIC (no DFC) to reload

  • When a redundant supervisor engine is in standby mode, the Ethernet ports on the redundant supervisor engine are always active.
  • All Ethernet LAN ports on all modules, including those on a redundant supervisor engine, support EtherChannel (maximum of eight interfaces) with no requirement that the ports be contiguous.
  • All Ethernet ports on all modules support 802.1Q VLAN trunking.
  • When you add a member port that does not support ISL trunking to an EtherChannel, Cisco IOS software automatically adds a switchport trunk encapsulation dot1q command to the port-channel interface to prevent configuration of the EtherChannel as an ISL trunk. The switchport trunk encapsulation dot1q command is inactive when the EtherChannel is not a trunk.
  • A distributed EtherChannel (DEC) is an EtherChannel with ports on more than one DFC-equipped module or, on a DFC-equipped dual-fabric connection module, with ports that use different fabric connections. (Search for “Dual switch-fabric connections” in this document.)
  • To reduce CPU utilization during ACL configuration changes, use named ACLs instead of numbered ACLs whenever possible, because the ACL merge algorithm runs each time you change an ACE in a numbered ACL. With named ACLs, the ACL merge algorithm runs only when you exit the named ACL configuration mode.
  • In releases where caveat CSCef78235 is resolved, with any Supervisor Engine 720 hardware revision, local SPAN and RSPAN source ports do not copy VACL-redirected traffic.

In releases where caveat CSCef78235 is not resolved:

      • With WS-SUP720, hardware revision 3.2 or higher, local SPAN source ports do not copy VACL-redirected traffic.
      • With WS-SUP720 hardware revisions lower than 3.2, local SPAN source ports copy VACL-redirected traffic.
      • With any Supervisor Engine 720 hardware revision, RSPAN source ports copy VACL-redirected traffic.

Enter the show module version | include WS-SUP720-BASE command to display the hardware revision. For example:

Router# show module version | include WS-SUP720-BASE
7 2 WS-SUP720-BASE SAD075301SZ Hw :3.2

  • IPsec in software on the MSFC is supported only for administrative connections to Catalyst 6500 series switches and Cisco 7600 series routers.
  • PFC QoS does not rewrite the payload ToS byte in tunnel traffic.
  • PFC QoS does not rewrite the ToS byte in bridged multicast traffic.
  • The PFC3 does not apply egress policing to traffic that is being bridged to the MSFC3.
  • The PFC3 does not apply egress policing or egress DSCP mutation to multicast traffic from the MSFC3.
  • The MSFC3 supports tunnels configured with egress features on the tunnel interface. Examples of egress features are output Cisco IOS ACLs, NAT (for inside to outside translation), TCP intercept, context-based access control (CBAC), and encryption.
  • The PFC3A does not support any PFC QoS features on tunnel interfaces.
  • The PFC3BXL does not provide hardware switching for ICMP traffic if you configure NAT.
  • The PFC3A does not provide hardware switching for ICMP traffic if you configure NAT or Cisco IOS reflexive ACLs.
  • If you have a network device in your network with MAC address reduction enabled, you should also enable MAC address reduction on all other Layer-2 connected network devices to avoid undesirable root bridge election and spanning tree topology issues.

When MAC address reduction is enabled, the root bridge priority becomes a multiple of 4096 plus the VLAN ID. With MAC address reduction enabled, a switch bridge ID (used by the spanning-tree algorithm to determine the identity of the root bridge, the lowest being preferred) can only be specified as a multiple of 4096. Only the following values are possible: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.

If another bridge in the same spanning-tree domain does not run the MAC address reduction feature, it could win root bridge ownership because of the finer granularity in the selection of its bridge ID.
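The root election described above, modeled as an added example (not Cisco code): `Bridge`, `elect_root`, and the MAC addresses and priorities are constructed for illustration. It shows a bridge without MAC address reduction winning the VLAN 100 root election, and the result once every bridge has the feature enabled.

```python
from dataclasses import dataclass, replace

PRIORITY_STEP = 4096  # with MAC address reduction, priorities are multiples of 4096


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str             # dotted hex, constructed sample value
    priority: int        # configured bridge priority
    mac_reduction: bool  # True if MAC address reduction is enabled

    def bridge_id(self, vlan):
        """Return (priority field, MAC) as spanning tree compares it; lowest wins."""
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID out of range")
        if self.mac_reduction:
            if self.priority % PRIORITY_STEP or not 0 <= self.priority <= 61440:
                raise ValueError("priority must be a multiple of 4096 (0-61440)")
            field = self.priority + vlan  # multiple of 4096 plus the VLAN ID
        else:
            if not 0 <= self.priority <= 65535:
                raise ValueError("priority out of range")
            field = self.priority         # any value: finer granularity
        return field, int(self.mac.replace(".", ""), 16)


def elect_root(bridges, vlan):
    """Name of the bridge with the lowest bridge ID for this VLAN."""
    return min(bridges, key=lambda b: b.bridge_id(vlan)).name


# Constructed topology: the intended root has the lower MAC address.
CORE = Bridge("core", "0000.0c00.0001", 32768, mac_reduction=True)
LEGACY = Bridge("legacy", "00ff.ffff.ffff", 32768, mac_reduction=False)

# Same configured priority, but core advertises 32768 + 100 on VLAN 100.
MIXED_ROOT = elect_root([CORE, LEGACY], vlan=100)

# Feature enabled on every bridge: priority fields tie, lower MAC decides.
UNIFORM_ROOT = elect_root([CORE, replace(LEGACY, mac_reduction=True)], vlan=100)
```

`MIXED_ROOT` is the legacy bridge even though its MAC address is higher; `UNIFORM_ROOT` is the intended core switch.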

  • Cisco IOS software Release 12.2SX does not support:
      • Integrated routing and bridging (IRB)
      • Concurrent routing and bridging (CRB)
      • Remote source-route bridging (RSRB)

  • Use bridge groups on VLAN interfaces, sometimes called fall-back bridging, to bridge nonrouted protocols. Bridge groups on VLAN interfaces are supported in software on the MSFC.
  • Cisco IOS software Release 12.2SX does not support the IEEE bridging protocol for bridge groups. Configure bridge groups to use the VLAN-bridge or the DEC spanning-tree protocol.
  • FlexWAN module interfaces support dNBAR. Do not configure NBAR or dNBAR on other interfaces.
  • Ingress IP packets with TTL=1 that are not addressed to the MSFC and that match QoS filtering parameters might cause overpolicing of other ingress traffic on the same ingress interface.
  • When the outgoing interface list for group G traffic transitions to null on a last-hop multicast router, the router sends a (*,G) prune message to the PIM neighbor toward the rendezvous point (RP) to stop the flow of group G traffic (if any) down the shared tree, but does not send an (S,G) prune message to stop the flow of traffic down the shortest path tree (SPT). The transition of the outgoing interface list to null does not trigger an (S,G) prune message. (S,G) prune messages are triggered by the arrival of (S,G) traffic.

If the last-hop multicast router is a Catalyst 6500 series switch, traffic is forwarded in hardware. In most cases, RPF-MFD is installed for the (S,G) entries. The MSFC does not see the multicast traffic flowing down the SPT and does not send any traffic-triggered (S,G) prunes to stop the flow of traffic down the SPT. This situation does not have any adverse effect on the MSFC because the PFC processes and drops the unwanted (S,G) traffic.

  • Cisco IOS software Release 12.2SX does not support network booting.
  • The IP HTTP server feature is disabled by default. Enter the ip http server command to use the feature.
  • For LAN switching modules, the Cisco IOS show controllers command generates no output in Cisco IOS software Release 12.2SX. Enter the show module command instead.
  • To avoid the case where all traffic is out of profile, the burst size specified in a QoS policing rule must be at least as large as the maximum packet size permissible in the traffic to which the rule is applied.
  • By default, the MSFC sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group.

With the ip unreachables command enabled (which is the default), the supervisor engine drops most of the denied packets in hardware and sends only a small number of packets (10 packets per second, maximum) to the MSFC to be dropped, which generates ICMP-unreachable messages.

To eliminate the load imposed on the MSFC CPU by the task of dropping denied packets and generating ICMP-unreachable messages, you can enter the no ip unreachables interface configuration command to disable ICMP unreachable messages, which allows all access-group denied packets to be dropped in hardware.
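For the burst-size restriction on QoS policing rules listed above, an added example (not Cisco code) using a generic single-rate token bucket; the model, the function names, and the traffic values are assumptions for illustration, not the PFC's hardware logic. It shows why a burst smaller than the packet size puts every such packet out of profile even when the policed rate is far above the offered load.

```python
def police(packets, rate_bps, burst_bytes):
    """Single-rate token-bucket policer (generic model).

    packets: iterable of (arrival_time_seconds, size_bytes), in arrival order.
    Returns one bool per packet: True = in profile, False = out of profile.
    """
    tokens = float(burst_bytes)      # bucket starts full
    last = 0.0
    verdicts = []
    for arrival, size in packets:
        # Refill at the policed rate, but never beyond the configured burst.
        tokens = min(float(burst_bytes), tokens + (arrival - last) * rate_bps / 8)
        last = arrival
        if size <= tokens:
            tokens -= size
            verdicts.append(True)
        else:
            verdicts.append(False)   # never fits when size > burst_bytes
    return verdicts


def in_profile_by_size(sizes, gap_s, rate_bps, burst_bytes):
    """Count in-profile packets per packet size for evenly spaced arrivals."""
    packets = [(i * gap_s, size) for i, size in enumerate(sizes)]
    counts = {}
    for (_, size), ok in zip(packets, police(packets, rate_bps, burst_bytes)):
        counts[size] = counts.get(size, 0) + int(ok)
    return counts


# Constructed traffic: 50 alternating 64-byte and 1500-byte packets, 10 ms
# apart (about 0.6 Mbps offered), policed at 8 Mbps.
SIZES = [64, 1500] * 25
TOO_SMALL = in_profile_by_size(SIZES, 0.01, 8_000_000, burst_bytes=1000)
LARGE_ENOUGH = in_profile_by_size(SIZES, 0.01, 8_000_000, burst_bytes=1500)
```

With the 1000-byte burst, all 64-byte packets conform and no 1500-byte packet ever does; raising the burst to the maximum packet size brings the whole flow in profile.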

  • MAC address-based Cisco IOS ACLs are not supported for packets that are Layer 3 switched in hardware. MAC address-based Cisco IOS ACLs will be applied on software-switched packets.
  • If you enable multicast routing globally, then you should also enable multicast routing (using the ip pim command) on all Layer 3 interfaces on which you anticipate receiving IP multicast traffic. This command causes the packets to be sent to the process switching level to create the route entry. If you disable multicast routing on the RPF interface, the entry cannot be created and the packet is dropped. If the source traffic rate exceeds what can be handled by the process level, it can have an undesirable impact on the system. For example, routing protocol packets, such as EIGRP hello packets, might get dropped.
  • The in and out ports displayed in Layer 3 table entries are set by the hardware at the time the entry is created. They are not guaranteed to be accurate in case multiple flows use the same entry (for example, if the flow mask is Dest-only and some kind of load sharing is active) or if the source or destination of the Layer 3 entry moves in the Layer 2 topology. The port information is not always available when the Layer 3 entry is established. This is the case if the destination port of the rewritten packet is unknown when the shortcut is created.
  • For EtherChannels, you can configure the QoS trust state and default CoS directly on the EtherChannel interface with the mls qos trust or mls qos cos commands, respectively. These two parameters must be the same for all physical interfaces in the channel. No other QoS queueing configuration commands can be applied to EtherChannel interfaces. Other QoS queueing configuration commands can be applied, however, to individual EtherChannel physical interfaces. After the physical interfaces are bundled into an EtherChannel, QoS classification, marking, and policing by the Policy Feature Card (PFC) for the channel packets are determined by the service policy attached to the EtherChannel interface. The service policies attached to the individual physical interfaces of the EtherChannel do not matter. The same is true for the port-based and VLAN-based QoS state of the EtherChannel interface. You can disable the PFC QoS features using the no mls qos interface configuration command on the EtherChannel interface.
  • The maximum recommended number of Layer 3 multicast entries is 10,000. The maximum recommended number of multicast entries supported in the Layer 2 forwarding table is 12,000.
  • After enabling Protocol Independent Multicast (PIM) on an interface, you need to enter the ip mroute-cache command on the interface to enable multicast fast-switching. If you have “no ip mroute-cache” configured, multicast packets that are not hardware switched go to the process level, which increases the load on the router.
  • FlexWAN ports do not support SPAN or RSPAN.
  • MPLS on the FlexWAN module does not support Virtual Private LAN Service (VPLS).