Cisco Catalyst 6500 Series Switches

Release Notes for Cisco IOS Release 12.2ZY on the Supervisor Engine 32 PISA



January 12, 2011


Note This publication applies to the CAT6000-SUP32/PISA platform.


The most current version of this document is available on Cisco.com at this URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/release/notes/ol_13011.html


Caution Cisco IOS running on the supervisor engine and the PISA supports redundant configurations where the supervisor engines and PISAs are identical. If they are not identical, one will boot first and become active and hold the other supervisor engine in a reset condition.

Contents

This publication consists of these sections:

Chronological List of Releases

Release Hierarchy

Supported Hardware

Unsupported Hardware

FPD Image Packages

Feature Sets

New Features in Release 12.2(18)ZYA3c

New Features in Release 12.2(18)ZYA3b

New Features in Release 12.2(18)ZYA3a

New Features in Release 12.2(18)ZYA3

New Features in Release 12.2(18)ZYA2

New Features in Release 12.2(18)ZYA1

New Features in Release 12.2(18)ZYA

New Features in Release 12.2(18)ZY2

New Features in Release 12.2(18)ZY1

Features in Release 12.2(18)ZY

Unsupported Features and Commands

Limitations and Restrictions

Caveats

Troubleshooting

System Software Upgrade Instructions

Related Documentation

Chronological List of Releases


Note See the "Release Hierarchy" section for information about parent releases.


This is a chronological list of the 12.2ZY releases:

12 Jan 2011—Release 12.2(18)ZYA3c

25 Oct 2010—Release 12.2(18)ZYA3b

11 May 2010—Release 12.2(18)ZYA3a

01 Dec 2009—Release 12.2(18)ZYA3

24 Jun 2009—Release 12.2(18)ZYA2

23 Dec 2008—Release 12.2(18)ZYA1

07 Aug 2008—Release 12.2(18)ZYA

30 Nov 2007—Release 12.2(18)ZY2

15 Jun 2007—Release 12.2(18)ZY1

04 May 2007—Release 12.2(18)ZY

Release Hierarchy

These releases support the hardware listed in the "Supported Hardware" section:

Release 12.2(18)ZYA3c:

Date of release: 12 Jan 2011

Based on Release 12.2(18)ZYA3b

Release 12.2(18)ZYA3b:

Date of release: 25 Oct 2010

Based on Release 12.2(18)ZYA3a

Release 12.2(18)ZYA3a:

Date of release: 11 May 2010

Based on Release 12.2(18)ZYA3

Release 12.2(18)ZYA3:

Date of release: 01 Dec 2009

Based on Release 12.2(18)ZYA2 and Release 12.2(18)SXF17

Release 12.2(18)ZYA2:

Date of release: 24 Jun 2009

Based on Release 12.2(18)ZYA1 and Release 12.2(18)SXF16

Release 12.2(18)ZYA1:

Date of release: 23 Dec 2008

Based on Release 12.2(18)ZYA and Release 12.2(18)SXF15

Release 12.2(18)ZYA:

Date of release: 07 Aug 2008

Based on Release 12.2(18)ZY2 and Release 12.2(18)SXF13

Release 12.2(18)ZY2:

Date of release: 30 Nov 2007

Based on Release 12.2(18)ZY1 and Release 12.2(18)SXF10

Release 12.2(18)ZY1:

Date of release: 15 Jun 2007

Based on Release 12.2(18)ZY and Release 12.2(18)SXF8

Release 12.2(18)ZY:

Date of release: 09 May 2007

Parent in Release 12.2S: 12.2(18)S (not all features in Release 12.2(18)S are supported)

Based on Release 12.2(18)SXF7

This publication does not describe features that are available in Release 12.2, Release 12.2 T, Release 12.2 S, or other Release 12.2 early deployment releases.

For a list of the Release 12.2 caveats that apply to Release 12.2ZY, see the "Caveats" section and refer to this publication:

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfmulti.html

For a list of the Release 12.2 S caveats that apply to Release 12.2ZY, see the "Caveats" section and refer to this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/release/notes/122Srn.html

Supported Hardware

These sections describe the hardware supported in Release 12.2ZY:

Supervisor Engine 32 PISA (CAT6000-SUP32/PISA)

Policy Feature Cards

Transceivers

10-Gigabit Ethernet Switching Modules

Gigabit Ethernet Switching Modules

Power over Ethernet Daughtercards

10/100/1000 Ethernet Switching Modules

Fast Ethernet Switching Modules

Ethernet/Fast Ethernet (10/100) Switching Modules

Ethernet Switching Modules

Shared Port Adapter (SPA) Interface Processors (SIPs)

Shared Port Adapters (SPAs)

Services SPA Carrier (SSC)

Services SPAs

Enhanced FlexWAN Module

Enhanced FlexWAN Module Port Adapters

Service Modules

Fan Trays

Power Supplies

Chassis


Note Use the values in the "Power Required" column to determine the exact power requirements for your configuration to ensure that you are within the power budget.

Daughtercard power is shown separately.

Enter the show power command to display current system power usage.


Supervisor Engine 32 PISA (CAT6000-SUP32/PISA)

These sections describe the Supervisor Engine 32 PISA:

Supervisor Engine 32 PISA Restrictions

Supervisor Engine 32 PISA Features

Supervisor Engine 32 PISA Restrictions

Supervisor Engine 32 PISA requires a high-capacity fan tray (see the "Fan Trays" section).

In some chassis, Supervisor Engine 32 PISA requires a high-capacity power supply (see the "Power Supplies" section).

Supervisor Engine 32 PISA Features

| Product ID (append "=" for spares) | Power Required | Product Description | Minimum Software Version |
|---|---|---|---|
| WS-S32-GE-PISA | 2.96 A@42 V | WS-S32-GE-PISA features: Eight Gigabit Ethernet SFP ports; Requires Gigabit Ethernet SFPs | 12.2(18)ZY |
| WS-S32-10GE-PISA | 2.97 A@42 V | WS-S32-10GE-PISA features: Two 10-Gigabit Ethernet ports; Requires XENPAKs | 12.2(18)ZY1 |

Supervisor Engine 32 PISA common features:

One 10/100/1000 Mbps RJ-45 port

QoS port architecture (Rx/Tx): 2q8t/1p3q8t

512-MB DRAM or 1-GB DRAM (cannot be upgraded in the field)

256-MB bootdisk

Policy Feature Card 3B (PFC3B; see the "Policy Feature Cards" section)

Programmable Intelligent Services Accelerator (PISA):

1-GB DRAM

256-MB bootdisk


Policy Feature Cards

Policy Feature Card Guidelines and Restrictions

Policy Feature Card 3B

Policy Feature Card Guidelines and Restrictions

The PFC3B supports a theoretical maximum of 64 K MAC addresses (32 K MAC addresses recommended maximum).

The PFC3B partitions the hardware FIB table to route IPv4 unicast, IPv4 multicast, MPLS, and IPv6 unicast and multicast traffic in hardware. Traffic for routes that do not have entries in the hardware FIB table is routed by the PISA in software.

The defaults are:

IPv4 unicast and MPLS—192,000 routes

IPv4 multicast and IPv6 unicast and multicast—32,000 routes


Note The size of the global internet routing table plus any local routes might exceed the default partition sizes.


These are the theoretical maximum numbers of routes for the supported protocols (the maximums are not supported simultaneously):

IPv4 and MPLS—Up to 239,000 routes

IPv4 multicast and IPv6 unicast and multicast—Up to 119,000 routes

Enter the mls cef maximum-routes command to repartition the hardware FIB table. IPv4 unicast and MPLS require one hardware FIB table entry per route. IPv4 multicast and IPv6 unicast and multicast require two hardware FIB table entries per route. Changing the partition for one protocol makes corresponding changes in the partitions of the other protocols. You must enter the reload command to put configuration changes made with the mls cef maximum-routes command into effect.

Enter the show platform hardware pfc mode command to display the PFC mode.

The Supervisor Engine 32 PISA operates in PFC3B mode.

Policy Feature Card 3B

| Product ID (append "=" for spares) | Power Required | Product Description | Minimum Software Version |
|---|---|---|---|
| WS-F6K-PFC3B | 2.25 A@42 V | Policy Feature Card 3B (PFC3B) | With Supervisor Engine 32 PISA: 12.2(18)ZY |

Note There are no memory upgrade options for WS-F6K-PFC3B.


Transceivers

XENPAKs

Small Form-Factor Pluggable (SFP) Modules

Gigabit Interface Converters (GBICs)

XENPAKs

| Product ID (append "=" for spares) | Product Description | Minimum Software Version |
|---|---|---|
| XENPAK-10GB-LRM | 10GBASE-LRM XENPAK Module for MMF. Note: Not supported by the show idprom command. (CSCsl21260) | 12.2(18)ZY |
| XENPAK-10GB-ZR | 10GBASE for any SMF type | |
| DWDM-XENPAK | 10GBASE dense wavelength-division multiplexing (DWDM) 100-GHz ITU grid | |
| WDM-XENPAK-REC | 10GBASE receive-only wavelength division multiplexing (WDM) | |
| XENPAK-10GB-CX4 | 10GBASE for CX4 (copper) cable | |
| XENPAK-10GB-SR | 10GBASE-SR Serial 850-nm short-reach multimode (MMF) | |
| XENPAK-10GB-LX4 | 10GBASE-LX4 Serial 1310-nm multimode (MMF) | |
| XENPAK-10GB-ER+ | 10GBASE-ER Serial 1550-nm extended-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF) | |
| XENPAK-10GB-LR | 10GBASE-LR Serial 1310-nm long-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF) | |
| XENPAK-10GB-LR+ | 10GBASE-LR Serial 1310-nm long-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF) | |
| XENPAK-10GB-ER | 10GBASE-ER Serial 1550-nm extended-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF). Note: XENPAK-10GB-ER units with Part No. 800-24557-01, as described in this external field notice (CSCee47030), are not supported: http://www.cisco.com/en/US/ts/fn/200/fn29736.html | |
| XENPAK-10GB-LW | 10GBASE-LW XENPAK Module with WAN PHY for SMF. Note: XENPAK-10GB-LW operates at an interface speed compatible with SONET/SDH OC-192/STM-64 and supports transmission at a data rate of 9.6 Gbps. | |


Small Form-Factor Pluggable (SFP) Modules

These sections describe SFPs:

Gigabit Ethernet SFPs

Fast Ethernet SFPs

Gigabit Ethernet SFPs


Note See the "Unsupported Hardware" section for information about unsupported DWDM-SFPs.


| Product ID (append "=" for spares) | Product Description | Minimum Software Version |
|---|---|---|
| DWDM-SFP-6061 | 1000BASE-DWDM 1560.61 nm SFP (100-GHz ITU grid) SFP module | 12.2(18)ZY |
| DWDM-SFP-5979 | 1000BASE-DWDM 1559.79 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-5898 | 1000BASE-DWDM 1558.98 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-5655 | 1000BASE-DWDM 1556.55 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-5575 | 1000BASE-DWDM 1555.75 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-5494 | 1000BASE-DWDM 1554.94 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-5413 | 1000BASE-DWDM 1554.13 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-5092 | 1000BASE-DWDM 1550.92 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-4851 | 1000BASE-DWDM 1548.51 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-4772 | 1000BASE-DWDM 1547.72 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-4612 | 1000BASE-DWDM 1546.12 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-4453 | 1000BASE-DWDM 1544.53 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-4294 | 1000BASE-DWDM 1542.94 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-4056 | 1000BASE-DWDM 1540.56 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-3819 | 1000BASE-DWDM 1538.19 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-3661 | 1000BASE-DWDM 1536.61 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-3425 | 1000BASE-DWDM 1534.25 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-3268 | 1000BASE-DWDM 1532.68 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-3190 | 1000BASE-DWDM 1531.90 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-3112 | 1000BASE-DWDM 1531.12 nm SFP (100-GHz ITU grid) SFP module | |
| DWDM-SFP-3033 | 1000BASE-DWDM 1530.33 nm SFP (100-GHz ITU grid) SFP module | |
| GLC-BX-D | 1000BASE-BX10 SFP module for single-strand SMF, 1490-nm TX/1310-nm RX wavelength | |
| GLC-BX-U | 1000BASE-BX10 SFP module for single-strand SMF, 1310-nm TX/1490-nm RX wavelength | |
| GLC-ZX-SM | 1000BASE-ZX SFP module | |
| CWDM-SFP | 1000BASE coarse wavelength-division multiplexing (CWDM) SFP module | |
| GLC-T | 1000BASE-T SFP module | |
| GLC-LH-SM | 1000BASE-LX/LH SFP | |
| GLC-SX-MM | 1000BASE-SX SFP | |


Fast Ethernet SFPs


Note Only WS-X6148-FE-SFP supports these Fast Ethernet SFPs.


| Product ID (append "=" for spares) | Product Description | Minimum Software Version |
|---|---|---|
| GLC-FE-100BX-U | 100BASE-BX10-U SFP | 12.2(18)ZY |
| GLC-FE-100BX-D | 100BASE-BX10-D SFP | |
| GLC-FE-100EX | 100BASE-EX SFP | |
| GLC-FE-100ZX | 100BASE-ZX SFP | |
| GLC-FE-100FX | 100BASE-FX SFP | |
| GLC-FE-100LX | 100BASE-LX SFP | |


Gigabit Interface Converters (GBICs)


Note The support listed in this section applies to all modules that use GBICs.


| Product ID (append "=" for spares) | Product Description | Minimum Software Version |
|---|---|---|
| WDM-GBIC-REC | Receive-only wavelength division multiplexing (WDM) GBIC | 12.2(18)ZY |
| DWDM-GBIC | Dense wavelength division multiplexing (DWDM) GBIC | |
| CWDM-GBIC | Coarse wave division multiplexing (CWDM) GBIC | |
| WS-G5483 | 1000BASE-T GBIC | |
| WS-G5484 | Short wavelength, 1000BASE-SX | |
| WS-G5486 | Long wavelength/long haul, 1000BASE-LX/LH | |
| WS-G5487 | Extended distance, 1000BASE-ZX | |


10-Gigabit Ethernet Switching Modules

| Product ID (append "=" for spares) | Power Required | Product Description | Minimum Software Version |
|---|---|---|---|
| WS-X6502-10GE | 3.30 A@42 V | 1-port 10-Gigabit Ethernet; QoS port architecture (Rx/Tx): 1p1q8t/1p2q1t; Number of ports: 1; Number of port groups: 1; Port ranges per port group: 1 port in 1 group | With Supervisor Engine 32 PISA: 12.2(18)ZY. Note: WS-X6502-10GE does not support ISL encapsulation. |

Optical Interface Module (OIM) for WS-X6502-10GE

| Product ID (append "=" for spares) | Product Description | Minimum Software Version |
|---|---|---|
| WS-G6488 | 10GBASE-LR serial 1310 nm long-reach OIM | 12.2(18)ZY |
| WS-G6483 | 10GBASE-ER serial 1550 nm extended-reach OIM | |


Gigabit Ethernet Switching Modules

| Product ID (append "=" for spares) | Power Required | Product Description | Minimum Software Version |
|---|---|---|---|
| WS-X6516A-GBIC | 3.62 A@42 V | 16-port Gigabit Ethernet GBIC; CEF256; 1-MB per-port packet buffers; Supports egress multicast replication; QoS port architecture (Rx/Tx): 1p1q4t/1p2q2t; Number of ports: 16; Number of port groups: 2; Port ranges per port group: 1-8, 9-16 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6516-GBIC | 3.40 A@42 V | 16-port Gigabit Ethernet GBIC; CEF256; 512-KB per-port packet buffers; QoS port architecture (Rx/Tx): 1p1q4t/1p2q2t; Number of ports: 16; Number of port groups: 2; Port ranges per port group: 1-8, 9-16 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6416-GBIC | 2.81 A@42 V | 16-port Gigabit Ethernet GBIC; QoS port architecture (Rx/Tx): 1p1q4t/1p2q2t; Number of ports: 16; Number of port groups: 2; Port ranges per port group: 1-8, 9-16 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6416-GE-MT | 2.50 A@42 V | 16-Port Gigabit Ethernet MT-RJ; QoS port architecture (Rx/Tx): 1p1q4t/1p2q2t; Number of ports: 16; Number of port groups: 2; Port ranges per port group: 1-8, 9-16 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6316-GE-TX | 5.15 A@42 V | 16-port Gigabit Ethernet RJ-45; QoS port architecture (Rx/Tx): 1p1q4t/1p2q2t; Number of ports: 16; Number of port groups: 2; Port ranges per port group: 1-8, 9-16 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6408A-GBIC | 2.00 A@42 V | 8-port Gigabit Ethernet GBIC; QoS port architecture (Rx/Tx): 1p1q4t/1p2q2t; Number of ports: 8; Number of port groups: 1; Port ranges per port group: 1-8 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6408-GBIC | 2.00 A@42 V | 8-port Gigabit Ethernet GBIC; QoS port architecture (Rx/Tx): 1q4t/2q2t; Number of ports: 8; Number of port groups: 1; Port ranges per port group: 1-8 | With Supervisor Engine 32 PISA: 12.2(18)ZY |


Power over Ethernet Daughtercards


Note The power over Ethernet (PoE) daughtercard "Power Required" values do not include the power drawn by phones.


| Product ID (append "=" for spares) | Power Required | Product Description | Minimum Software Version |
|---|---|---|---|
| WS-F6K-FE48X2-AF | 0.42 A@42 V | IEEE 802.3af PoE daughtercard for WS-X6148X2-RJ-45 and WS-X6196-RJ-21. | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-F6K-GE48-AF, WS-F6K-48-AF | 0.18 A@42 V | IEEE 802.3af PoE daughtercard for: WS-X6548-GE-TX, WS-X6148-GE-TX, WS-X6148A-GE-TX, WS-X6148A-RJ-45. Note: WS-F6K-GE48-AF and WS-F6K-48-AF are not FRUs for these switching modules: WS-X6148-RJ-45 or WS-X6148-RJ45V (replace with WS-X6148-45AF-UG=); WS-X6148-RJ-21 or WS-X6148-RJ-21V (replace with WS-X6148-21AF-UG=). | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-F6K-VPWR-GE | 0.42 A@42 V | PoE daughtercard for WS-X6548-GE-TX and WS-X6148-GE-TX | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-F6K-VPWR | None | PoE daughtercard for: WS-X6348-RJ-45, WS-X6348-RJ-21V, WS-X6148-RJ-45, WS-X6148-RJ-21 | With Supervisor Engine 32 PISA: 12.2(18)ZY |


10/100/1000 Ethernet Switching Modules

| Product ID (append "=" for spares) | Power Required | Product Description | Minimum Software Version |
|---|---|---|---|
| WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF | WS-X6548-GE-TX: 2.98 A@42 V; WS-X6548V-GE-TX: 3.40 A@42 V; WS-X6548-GE-45AF: 3.16 A@42 V | 48-port 10/100/1000 Mbps; RJ-45; CEF256; WS-X6548-GE-TX supports: WS-F6K-VPWR-GE, WS-F6K-GE48-AF, WS-F6K-48-AF; WS-X6548V-GE-TX has WS-F6K-VPWR-GE; WS-X6548-GE-45AF has WS-F6K-GE48-AF or WS-F6K-48-AF; QoS port architecture (Rx/Tx): 1q2t/1p2q2t; Number of ports: 48; Number of port groups: 2; Port ranges per port group: 1-24, 25-48 | With Supervisor Engine 32 PISA: 12.2(18)ZY. Note: WS-X6548-GE-TX and WS-X6548V-GE-TX do not support these features: ISL trunking; Jumbo frames; 802.1Q tunneling; Traffic storm control |
| WS-X6148A-GE-TX, WS-X6148A-GE-45AF | WS-X6148A-GE-TX: 2.50 A@42 V; WS-X6148A-GE-45AF: 2.68 A@42 V | 48-port 10/100/1000 Mbps; RJ-45; WS-X6148A-GE-TX supports WS-F6K-GE48-AF or WS-F6K-48-AF; WS-X6148A-GE-45AF has WS-F6K-GE48-AF or WS-F6K-48-AF; QoS port architecture (Rx/Tx): 1q2t/1p3q8t; Number of ports: 48; Number of port groups: 6; Port ranges per port group: 1-8, 9-16, 17-24, 25-32, 33-40, 41-48; The aggregate bandwidth of each port group is 1 Gbps. | With Supervisor Engine 32 PISA: 12.2(18)ZY. Note: WS-X6148A-GE-TX and WS-X6148A-GE-45AF do not support traffic storm control. |
| WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6148-GE-45AF | WS-X6148-GE-TX: 2.47 A@42 V; WS-X6148V-GE-TX: 2.89 A@42 V; WS-X6148-GE-45AF: 2.65 A@42 V | 48-port 10/100/1000 Mbps; RJ-45; WS-X6148-GE-TX supports: WS-F6K-VPWR-GE, WS-F6K-GE48-AF, WS-F6K-48-AF; WS-X6148V-GE-TX has WS-F6K-VPWR-GE; WS-X6148-GE-45AF has WS-F6K-GE48-AF or WS-F6K-48-AF; QoS port architecture (Rx/Tx): 1q2t/1p2q2t; Number of ports: 48; Number of port groups: 2; Port ranges per port group: 1-24, 25-48 | With Supervisor Engine 32 PISA: 12.2(18)ZY. Note: WS-X6148-GE-TX, WS-X6148V-GE-TX, and WS-X6148-GE-45AF do not support these features: More than 1 Gbps of traffic per EtherChannel; ISL trunking; Jumbo frames; 802.1Q tunneling; Traffic storm control |
| WS-X6516-GE-TX | 3.45 A@42 V | 16-port 10/100/1000BASE-T; CEF256; QoS port architecture (Rx/Tx): 1p1q4t/1p2q2t; Number of ports: 16; Number of port groups: 2; Port ranges per port group: 1-8, 9-16 | With Supervisor Engine 32 PISA: 12.2(18)ZY |


Fast Ethernet Switching Modules

| Product ID (append "=" for spares) | Power Required | Product Description | Minimum Software Version |
|---|---|---|---|
| WS-X6148-FE-SFP | 2.30 A@42 V | 48-port 100BASE-FX; Requires Fast Ethernet SFPs; QoS port architecture (Rx/Tx): 1p1q4t/1p3q8t; Number of ports: 48; Number of port groups: 3; Port ranges per port group: 1-16, 17-32, and 33-48 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6524-100FX-MM | 1.90 A@42 V | 24-port 100FX Ethernet multimode; CEF256; QoS port architecture (Rx/Tx): 1p1q0t/1p3q1t; Number of ports: 24; Number of port groups: 1; Port ranges per port group: 1-24 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6324-100FX-SM, WS-X6324-100FX-MM | WS-X6324-100FX-SM: 1.52 A@42 V; WS-X6324-100FX-MM: 1.52 A@42 V | 24-port 100FX Ethernet; Single mode and multimode MT-RJ; 128-KB per-port packet buffers; QoS port architecture (Rx/Tx): 1q4t/2q2t; Number of ports: 24; Number of port groups: 2; Port ranges per port group: 1-12, 13-24 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6224-100FX-MT | 1.90 A@42 V | 24-port 100FX Ethernet Multimode MT-RJ; QoS port architecture (Rx/Tx): 1q4t/2q2t; Number of ports: 24; Number of port groups: 2; Port ranges per port group: 1-12, 13-24 | With Supervisor Engine 32 PISA: 12.2(18)ZY |


Ethernet/Fast Ethernet (10/100) Switching Modules

| Product ID (append "=" for spares) | Power Required | Product Description | Minimum Software Version |
|---|---|---|---|
| WS-X6548-RJ-45 | 2.90 A@42 V | 48-port 10/100TX RJ-45; CEF256; QoS port architecture (Rx/Tx): 1p1q0t/1p3q1t; Number of ports: 48; Number of port groups: 1; Port ranges per port group: 1-48 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6548-RJ-21 | 2.90 A@42 V | 48-port 10/100TX RJ-21; CEF256; QoS port architecture (Rx/Tx): 1p1q0t/1p3q1t; Number of ports: 48; Number of port groups: 1; Port ranges per port group: 1-48 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6148X2-RJ-45, WS-X6148X2-45AF | WS-X6148X2-RJ-45: 2.65 A@42 V; WS-X6148X2-45AF: 2.92 A@42 V | 96-port 10/100TX RJ-45; QoS port architecture (Rx/Tx): 1p1q0t/1p3q1t; WS-X6148X2-RJ-45 supports WS-F6K-FE48X2-AF; WS-X6148X2-45AF has WS-F6K-FE48X2-AF | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6196-RJ-21, WS-X6196-21AF | WS-X6196-RJ-21: 2.74 A@42 V; WS-X6196-21AF: 3.16 A@42 V | 96-port 10/100TX RJ-21; QoS port architecture (Rx/Tx): 1p1q0t/1p3q1t; WS-X6196-RJ-21 supports WS-F6K-FE48X2-AF; WS-X6196-21AF has WS-F6K-FE48X2-AF | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6348-RJ-45, WS-X6348-RJ-45V | WS-X6348-RJ-45: 2.39 A@42 V; WS-X6348-RJ-45V: 2.39 A@42 V | 48-port 10/100TX RJ-45; 128-KB per-port packet buffers; QoS port architecture (Rx/Tx): 1q4t/2q2t; WS-X6348-RJ-45 supports WS-F6K-VPWR; WS-X6348-RJ-45V has WS-F6K-VPWR; Number of ports: 48; Number of port groups: 4; Port ranges per port group: 1-12, 13-24, 25-36, 37-48 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6348-RJ-21V | 2.39 A@42 V | 48-port 10/100TX RJ-21; 128-KB per-port packet buffers; QoS port architecture (Rx/Tx): 1q4t/2q2t; Has WS-F6K-VPWR; Number of ports: 48; Number of port groups: 4; Port ranges per port group: 1-12, 13-24, 25-36, 37-48 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6248-RJ-45 | 2.69 A@42 V | 48-port 10/100TX RJ-45; QoS port architecture (Rx/Tx): 1q4t/2q2t; Number of ports: 48; Number of port groups: 4; Port ranges per port group: 1-12, 13-24, 25-36, 37-48 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6248A-TEL | 2.69 A@42 V | 48-port 10/100TX RJ-21; 128-KB per-port packet buffers; QoS port architecture (Rx/Tx): 1q4t/2q2t; Number of ports: 48; Number of port groups: 4; Port ranges per port group: 1-12, 13-24, 25-36, 37-48 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6248-TEL | 2.69 A@42 V | 48-port 10/100TX RJ-21; QoS port architecture (Rx/Tx): 1q4t/2q2t; Number of ports: 48; Number of port groups: 4; Port ranges per port group: 1-12, 13-24, 25-36, 37-48 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6148A-RJ-45, WS-X6148A-45AF | WS-X6148A-RJ-45: 2.39 A@42 V; WS-X6148A-45AF: 2.57 A@42 V | 48-port 10/100TX RJ-45; 5.3-MB per-port packet buffers; QoS port architecture (Rx/Tx): 1p1q4t/1p3q8t; WS-X6148A-RJ-45 supports WS-F6K-GE48-AF or WS-F6K-48-AF; WS-X6148A-45AF has WS-F6K-GE48-AF or WS-F6K-48-AF; Number of ports: 48; Number of port groups: 6; Port ranges per port group: 1-8, 9-16, 17-24, 25-32, 33-40, 41-48 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6148-RJ-45, WS-X6148-RJ45V, WS-X6148-45AF | WS-X6148-RJ-45: 2.39 A@42 V; WS-X6148-RJ45V: 2.39 A@42 V; WS-X6148-45AF: 2.57 A@42 V | 48-port 10/100TX RJ-45; 128-KB per-port packet buffers; QoS port architecture (Rx/Tx): 1q4t/2q2t; WS-X6148-RJ-45 supports WS-F6K-VPWR; WS-X6148-RJ45V has WS-F6K-VPWR; WS-X6148-45AF has WS-F6K-48-AF; Number of ports: 48; Number of port groups: 4; Port ranges per port group: 1-12, 13-24, 25-36, 37-48 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-X6148-RJ-21, WS-X6148-RJ-21V, WS-X6148-21AF | WS-X6148-RJ-21: 2.39 A@42 V; WS-X6148-RJ-21V: 2.39 A@42 V; WS-X6148-21AF: 2.57 A@42 V | 48-port 10/100TX RJ-21; 128-KB per-port packet buffers; QoS port architecture (Rx/Tx): 1q4t/2q2t; WS-X6148-RJ-21 supports WS-F6K-VPWR; WS-X6148-RJ-21V has WS-F6K-VPWR; WS-X6148-21AF has WS-F6K-48-AF; Number of ports: 48; Number of port groups: 4; Port ranges per port group: 1-12, 13-24, 25-36, 37-48 | With Supervisor Engine 32 PISA: 12.2(18)ZY |


Ethernet Switching Modules

| Product ID (append "=" for spares) | Power Required | Product Description | Minimum Software Version |
|---|---|---|---|
| WS-X6024-10FL-MT | 1.52 A@42 V | 24-port 10BASE-FL MT-RJ; QoS port architecture (Rx/Tx): 1q4t/2q2t; Number of ports: 24; Number of port groups: 2; Port ranges per port group: 1-12, 13-24 | With Supervisor Engine 32 PISA: 12.2(18)ZY |


Shared Port Adapter (SPA) Interface Processors (SIPs)


Note See the "FPD Image Packages" section for information about additional procedures required to support SIPs.


| Product ID (append "=" for spares) | Power Required | Product Description | Minimum Software Version |
|---|---|---|---|
| 7600-SIP-400 | 6.31 A@42 V | SPA Interface Processor-400 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| 7600-SIP-200 | 5.72 A@42 V | SPA Interface Processor-200 | With Supervisor Engine 32 PISA: 12.2(18)ZY |


Shared Port Adapters (SPAs)

These sections describe SPAs:

Gigabit Ethernet SPAs

POS SPAs

ATM SPAs

SFPs for OC3 and OC12 POS and ATM SPAs

Serial SPAs


Note PISA-accelerated features are not supported on SPA interfaces.


Gigabit Ethernet SPAs

| Product ID (append "=" for spares) | SIP Support | Product Description | Minimum Software Version |
|---|---|---|---|
| SPA-2X1GE | 7600-SIP-400 | 2-port Gigabit Ethernet SPA, SFP Optics | 12.2(18)ZY |

SFPs Supported in Gigabit Ethernet SPAs

| Product ID (append "=" for spares) | Product Description |
|---|---|
| SFP-GE-S | Extended Temperature SX SFP |
| SFP-GE-L | Extended Temperature LX/LH SFP |
| SFP-GE-Z | Extended Temperature ZX SFP |


POS SPAs

| Product ID (append "=" for spares) | SIP Support | Product Description | Minimum Software Version |
|---|---|---|---|
| SPA-1XOC48POS/RPR | 7600-SIP-400 | 1-Port OC-48 POS/RPR SPA. Note: Requires SFPs. | 12.2(18)ZY2 |
| SPA-2XOC3-POS | 7600-SIP-200, 7600-SIP-400 | 2-port OC-3c/STM-1c POS SPA. Note: Requires SFPs. | 12.2(18)ZY |
| SPA-4XOC3-POS | 7600-SIP-200, 7600-SIP-400 | 4-port OC-3c/STM-1c POS SPA. Note: Requires SFPs. | |
| SPA-1XOC12-POS | 7600-SIP-400 | 1-port OC-12c/STM-4c POS SPA. Note: Requires an SFP. | |


ATM SPAs

| Product ID (append "=" for spares) | SIP Support | Product Description | Minimum Software Version |
|---|---|---|---|
| SPA-2XOC3-ATM | 7600-SIP-200, 7600-SIP-400 | 2-port OC-3c/STM-1c ATM SPA. Note: Requires SFPs. | 12.2(18)ZY |
| SPA-4XOC3-ATM | 7600-SIP-200, 7600-SIP-400 | 4-port OC-3c/STM-1c ATM SPA. Note: Requires SFPs. | |
| SPA-1XOC12-ATM | 7600-SIP-400 | 1-Port OC-12c/STM-4c ATM SPA. Note: Requires an SFP. | |
| SPA-1XOC48-ATM | 7600-SIP-400 | 1 port OC-48c/STM-16 ATM SPA | |


SFPs for OC3 and OC12 POS and ATM SPAs

| Product ID (append "=" for spares) | Product Description |
|---|---|
| SFP-OC3-MM | OC-3/STM-1 pluggable short-reach (2 km) transceiver module, 1310-nm wavelength, MMF, LC connector |
| SFP-OC3-SR | OC-3/STM-1 pluggable short-reach (2 km) transceiver module, 1310-nm wavelength, LC connector |
| SFP-OC3-IR1 | OC-3/STM-1 pluggable intermediate-reach (15 km) transceiver module, 1310-nm wavelength, LC connector |
| SFP-OC3-LR1 | OC-3/STM-1 pluggable long-reach (40 km) transceiver module, 1310-nm wavelength, LC connector |
| SFP-OC3-LR2 | OC-3/STM-1 pluggable long-reach (80 km) transceiver module, 1550-nm wavelength, LC connector |
| SFP-OC12-MM | OC-12/STM-4 pluggable short-reach (2 km) transceiver module, 1310-nm wavelength, MMF, LC connector |
| SFP-OC12-SR | OC-12/STM-4 pluggable short-reach (2 km) transceiver module, 1310-nm wavelength, LC connector |
| SFP-OC12-IR1 | OC-12/STM-4 pluggable intermediate-reach (15 km) transceiver module, 1310-nm wavelength |
| SFP-OC12-LR1 | OC-12/STM-4 pluggable long-reach (40 km) transceiver module, 1310-nm wavelength, LC connector |
| SFP-OC12-LR2 | OC-12/STM-4 pluggable long-reach (80 km) transceiver module, 1550-nm wavelength, LC connector |


Serial SPAs

| Product ID (append "=" for spares) | SIP Support | Product Description | Minimum Software Version |
|---|---|---|---|
| SPA-8XCHT1/E1 | 7600-SIP-200 | 8-Port Channelized T1/E1 SPA | 12.2(18)ZY |
| SPA-2XT3/E3 | 7600-SIP-200 | 2-port Clear Channel T3/E3 SPA | |
| SPA-4XT3/E3 | 7600-SIP-200 | 4-port Clear Channel T3/E3 SPA | |
| SPA-2XCT3/DS0 | 7600-SIP-200 | 2-port Channelized T3 to DS0 SPA | |
| SPA-4XCT3/DS0 | 7600-SIP-200 | 4-port Channelized T3 to DS0 SPA | |


Services SPA Carrier (SSC)

| Product ID (append "=" for spares) | Power Required | Product Description | Minimum Software Version |
|---|---|---|---|
| 7600-SSC-400 | 5.43 A@42 V | Services SPA Carrier (SSC) | With Supervisor Engine 32 PISA: 12.2(18)ZY1. Note: 7600-SSC-400 does not maintain state when an NSF with SSO redundancy mode switchover occurs. |


Services SPAs


Note See the "FPD Image Packages" section for information about additional procedures required to support SPA-IPSEC-2G.


| Product ID (append "=" for spares) | Carrier | Product Description | Minimum Software Version |
|---|---|---|---|
| SPA-IPSEC-2G | 7600-SSC-400 | IPsec SPA | 12.2(18)ZY1. Note: SPA-IPSEC-2G does not support TACACS+ authentication for IPsec. (CSCee33200) |


Enhanced FlexWAN Module


Note PISA-accelerated features are not supported on FlexWAN module interfaces.


| Product ID (append "=" for spares) | Power Required | Product Description | Minimum Software Version |
|---|---|---|---|
| WS-X6582-2PA | 2.50 A@42 V | Enhanced FlexWAN Module; CEF256 | With Supervisor Engine 32 PISA: 12.2(18)ZY |


Enhanced FlexWAN Module Port Adapters

Product ID
(append "=" for spares)
Product Description
Minimum Software Version
PA-2FE

2-port Fast Ethernet Port Adapter

12.2(18)ZY

PA-1FE

1-port Fast Ethernet Port Adapter

PA-POS-1OC3

1-port Packet over SONET OC3c/STM1 Port Adapter

PA-POS-2OC3

2-port POS OC3c/STM1

SFPs for PA-POS-2OC3
 SFP-OC3-MM

Short range, multimode fiber

 SFP-OC3-IR1

Intermediate range, single-mode fiber

 SFP-OC3-LR1

Long range, single-mode fiber

PA-POS-OC3MM
PA-POS-OC3SMI
PA-POS-OC3SML

Packet over SONET (OC-3)

PA-A6-OC3MM

1-port ATM OC-3c/STM-1 multimode port adapter, enhanced

12.2(18)ZY

PA-A6-OC3SMI

1-port ATM OC-3c/STM-1 single-mode (IR) port adapter, enhanced

PA-A6-OC3SML

1-port ATM OC-3c/STM-1 single-mode (LR) port adapter, enhanced

PA-A6-T3

1-port ATM DS3 port adapter, enhanced

PA-A6-E3

1-port ATM E3 port adapter, enhanced

PA-A3-OC3MM
PA-A3-OC3SMI
PA-A3-T3
PA-A3-OC3SML
PA-A3-E3
PA-A3-8T1IMA
PA-A3-8E1IMA

ATM with traffic shaping

Note These port adapters do not support LANE when installed in the FlexWAN module.

PA-T3
PA-T3+
PA-2T3
PA-2T3+
PA-E3
PA-2E3
PA-MC-T3
PA-MC-E3
PA-MC-2T3+

T3/E3 (clear-channel and channelized)

12.2(18)ZY

PA-4T+
PA-8T-V35
PA-8T-X21
PA-8T-232
PA-MC-2E1/120
PA-MC-8T1
PA-MC-8E1/120
PA-MC-2T1
PA-MC-4T1

T1/E1

PA-4E1G/75
PA-4E1G/120

T1/E1

PA-MC-8TE1+

Multichannel T1/E1 8PRI

Note This port adapter does not support ISDN PRI when installed in the FlexWAN module.

PA-H
PA-2H

HSSI

PA-MC-STM-1

Multichannel STM-1


Service Modules


Note For any service module that runs its own software, see the service module software release notes for information about the minimum required service module software version.

PISA-accelerated features are not supported on service module switch virtual interfaces (SVIs).


Firewall Services Module

Intrusion Detection System Modules (IDSMs)

Network Analysis Modules (NAMs)

Firewall Services Module

| Product ID (append "=" for spares) | Power Required | Product Description | Minimum Software Version |
|---|---|---|---|
| WS-SVC-FWM-1-K9 | 4.09 A@42 V | Firewall Services Module; CEF256 | With Supervisor Engine 32 PISA: 12.2(18)ZY |

WS-SVC-FWM-1-K9 runs its own software—See these publications:

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html

See the WS-SVC-FWM-1-K9 software release notes for information about the minimum required WS-SVC-FWM-1-K9 software version.

Note With Firewall Services Module Software Release 2.3(1), WS-SVC-FWM-1-K9 maintains state when an NSF with SSO redundancy mode switchover occurs.


Intrusion Detection System Modules (IDSMs)

| Product ID (append "=" for spares) | Power Required | Product Description | Minimum Software Version |
|---|---|---|---|
| WS-SVC-IDSM2-K9 | 2.50 A@42 V | Intrusion Detection System Module 2; CEF256 | With Supervisor Engine 32 PISA: 12.2(18)ZY1 |

WS-SVC-IDSM2-K9 runs its own software—See these publications:

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfmulti.html

See the WS-SVC-IDSM2-K9 software release notes for information about the minimum required WS-SVC-IDSM2-K9 software version.


Network Analysis Modules (NAMs)

| Product ID (append "=" for spares) | Power Required | Product Description |
|---|---|---|
| WS-SVC-NAM-2 | 3.47 A@42 V | Network Analysis Module 2; CEF256 |
| WS-SVC-NAM-1 | 2.89 A@42 V | Network Analysis Module 1; CEF256 |

Minimum software version with Supervisor Engine 32 PISA: 12.2(18)ZY

WS-SVC-NAM-2 and WS-SVC-NAM-1 run their own software—See these publications for more information:

http://www.cisco.com/en/US/products/sw/cscowork/ps5401/prod_release_notes_list.html

http://www.cisco.com/en/US/products/sw/cscowork/ps5401/tsd_products_support_series_home.html

See the WS-SVC-NAM-2 and WS-SVC-NAM-1 software release notes for information about the minimum required WS-SVC-NAM-2 and WS-SVC-NAM-1 software version.


Fan Trays


Note Enter the show environment status | include fan command or the show environment cooling command to display information about the installed fan trays.


These high-capacity fan trays require at least a 2,500 W power supply.

| Product ID (append "=" for spares) | Power Allocated at 42 V | Product Description | Minimum Software Version |
|---|---|---|---|
| WS-C6503-E-FAN | 1.37 A@42 V | High-capacity fan tray for WS-C6503-E chassis | 12.2(18)ZY |
| FAN-MOD-3HS | 2.98 A@42 V | High-capacity fan tray for WS-C6503 chassis | |
| FAN-MOD-6HS | 4.29 A@42 V | High-capacity fan tray for CISCO7606 chassis | |
| WS-C6506-E-FAN | 2.35 A@42 V | High-capacity fan tray for WS-C6506-E chassis | |
| WS-C6K-6SLOT-FAN2 | 12 V fan | High-capacity fan tray for WS-C6506 chassis | |
| FAN-MOD-09 | 5.75 A@42 V | High-capacity fan tray for WS-C6509-NEB-A and CISCO7609 chassis | |
| WS-C6509-E-FAN | 3.58 A@42 V | High-capacity fan tray for WS-C6509-E chassis | |
| WS-C6K-9SLOT-FAN2 | 12 V fan | High-capacity fan tray for WS-C6509 chassis | |
| WS-C6K-13SLT-FAN2 | 7.10 A@42 V | High-capacity fan tray for WS-C6513 and CISCO7613 chassis | |


Power Supplies

CISCO7606 Power Supplies

WS-C6504-E and CISCO7604 Power Supplies

WS-C6503 and WS-C6503-E Power Supplies

All Other Power Supplies

CISCO7606 Power Supplies

| Product ID (append "=" for spares) | Product Description | Minimum Software Version |
|---|---|---|
| PWR-2700-AC | 2700 W AC power supply | 12.2(18)ZY |
| PWR-2700-DC | 2700 W DC power supply | |


WS-C6504-E and CISCO7604 Power Supplies

| Product ID (append "=" for spares) | Product Description | Minimum Software Version |
|---|---|---|
| PWR-2700-AC/4 | 2700 W AC power supply | 12.2(18)ZY |
| PWR-2700-DC/4 | 2700 W DC power supply | |


WS-C6503 and WS-C6503-E Power Supplies

| Product ID (append "=" for spares) | Product Description | Minimum Software Version |
|---|---|---|
| PWR-1400-AC | 1,400 W AC power supply | 12.2(18)ZY |
| PWR-950-AC | 950 W AC power supply | |
| PWR-950-DC | 950 W DC power supply | |


All Other Power Supplies

Product ID
(append "=" for spares)
Product Description
Minimum Software Version
WS-CAC-8700W-E

8,700 W AC power supply

12.2(18)ZY1

Note

Limited to 4,500 W in the WS-C6509-NEB-A chassis.

Limited to 4,000 W in these chassis:

WS-C6509

WS-C6506

WS-C6509-NEB

WS-CAC-8700W-E supports a remote power cycling feature. See this publication for more information:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Chassis_Installation/Cat6500/6500_ins.html

WS-CAC-6000W

Note

Limited to 4,500 W in the WS-C6509-NEB-A chassis.

Limited to 4,000 W in these chassis:

WS-C6509

WS-C6506

WS-C6509-NEB

12.2(18)ZY

PWR-4000-DC

4,000 W DC power supply

WS-CAC-4000W

4,000 W AC power supply

WS-CAC-3000W

3,000 W AC power supply

WS-CAC-2500W

2,500 W AC power supply

WS-CDC-2500W

2,500 W DC power supply


Chassis

13-Slot Chassis

9-Slot Chassis

6-Slot Chassis

4-Slot Chassis

3-Slot Chassis

13-Slot Chassis

| Product ID (append "=" for spare) | Product Description | Minimum Software Version |
|---|---|---|
| WS-C6513 | Catalyst 6513 chassis: 13 slots; 64 chassis MAC addresses | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| CISCO7613 | Cisco 7613 chassis: 13 slots; 64 chassis MAC addresses | With Supervisor Engine 32 PISA: 12.2(18)ZY |


9-Slot Chassis

| Product ID (append "=" for spare) | Product Description | Minimum Software Version |
|---|---|---|
| WS-C6509-E | Catalyst 6509 chassis: 9 horizontal slots; 1024 chassis MAC addresses; Requires WS-C6509-E-FAN; Requires 2,500 W or higher power supply | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-C6509 | Catalyst 6509 chassis: 9 horizontal slots; 1024 chassis MAC addresses; Use with Supervisor Engine 720 or Supervisor Engine 32 requires WS-C6K-9SLOT-FAN2; WS-CAC-6000W is limited to 4,000 W in WS-C6509 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-C6509-NEB-A | Catalyst 6509-NEB chassis: 9 vertical slots; 64 chassis MAC addresses; No fan tray upgrade required for use with Supervisor Engine 720 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-C6509-NEB | Catalyst 6509-NEB chassis: 9 vertical slots; 1024 chassis MAC addresses | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| CISCO7609 | Cisco 7609 chassis: 9 vertical slots; 64 chassis MAC addresses | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| OSR-7609 | Cisco 7609 chassis: 9 vertical slots; 1024 chassis MAC addresses | With Supervisor Engine 32 PISA: 12.2(18)ZY |


6-Slot Chassis

| Product ID (append "=" for spare) | Product Description | Minimum Software Version |
|---|---|---|
| WS-C6506-E | Catalyst 6506 chassis: 6 slots; 1024 chassis MAC addresses; Requires WS-C6506-E-FAN; Requires 2,500 W or higher power supply | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-C6506 | Catalyst 6506 chassis: 6 slots; 1024 chassis MAC addresses; Use with Supervisor Engine 720 or Supervisor Engine 32 requires WS-C6K-6SLOT-FAN2; WS-CAC-6000W is limited to 4,000 W in WS-C6506 | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| CISCO7606 | Cisco 7606 chassis: 6 slots; 64 chassis MAC addresses; Use with Supervisor Engine 720 or Supervisor Engine 32 requires FAN-MOD-6HS | With Supervisor Engine 32 PISA: 12.2(18)ZY |


4-Slot Chassis

| Product ID (append "=" for spare) | Product Description | Minimum Software Version |
|---|---|---|
| WS-C6504-E | Catalyst 6504-E chassis: 4 slots; 64 chassis MAC addresses | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| CISCO7604 | Cisco 7604 chassis: 4 slots; 64 chassis MAC addresses | With Supervisor Engine 32 PISA: 12.2(18)ZY |


3-Slot Chassis

| Product ID (append "=" for spare) | Product Description | Minimum Software Version |
|---|---|---|
| WS-C6503-E | 3 slots; 64 chassis MAC addresses | With Supervisor Engine 32 PISA: 12.2(18)ZY |
| WS-C6503 | Catalyst 6503 chassis: 3 slots; 64 chassis MAC addresses | With Supervisor Engine 32 PISA: 12.2(18)ZY |


Unsupported Hardware

Release 12.2(18)ZY does not support this hardware:

Supervisor Engine 720

Supervisor Engine 32

Supervisor Engine 2

Supervisor Engine 1

WS-F6K-PFC3A Policy Feature Card 3A (PFC3A)

WS-F6K-PFC3BXL Policy Feature Card 3BXL (PFC3BXL)

DFCs (installed DFCs do not power up with a Supervisor Engine 32 PISA)

Switch Fabric Modules

These switching modules:

WS-X6704-10GE 4-port 10-Gigabit Ethernet XENPAK

WS-X6748-SFP 48-port Gigabit Ethernet SFP

WS-X6724-SFP 24-port Gigabit Ethernet SFP

WS-X6816-GBIC 16-port Gigabit Ethernet GBIC

WS-X6748-GE-TX 48-port 10/100/1000 RJ-45

7600-SIP-600 SPA Interface Processor-600

Optical Services Modules (OSMs)

WS-X6182-2PA FlexWAN Module (the WS-X6582-2PA Enhanced FlexWAN Module is supported)

CISCO7603 3-slot chassis

These service modules:

WS-SVC-SSL-1 Secure Sockets Layer (SSL) Services Module

WS-SVC-WEBVPN-K9 WebVPN Services Module

WS-SVC-WISM-1-K9 Wireless Services Module (WiSM)

WS-SVC-AON-1-K9 Application-Oriented Networking (AON) Module

WS-SVC-AGM-1-K9 Anomaly Guard Module

WS-SVC-ADM-1-K9 Traffic Anomaly Detector Module

WS-SVC-CSG-1 Content Services Gateway (CSG)

WS-X6066-SLB-APC Content Switching Module (CSM)

WS-X6066-SLB-S-K9 Content Switching Module with SSL (CSM-S)

WS-SVC-PSD-1 Persistent Storage Device (PSD) Module

WS-SVC-WLAN-1-K9 Wireless LAN service module

WS-SVC-IPSEC-1 IPsec VPN acceleration services module

WS-X6381-IDS Intrusion Detection System (IDS) Module


Note WS-SVC-IDSM2-K9 is supported.


WS-X6380-NAM Network Analysis Module (NAM)


Note WS-SVC-NAM-2 and WS-SVC-NAM-1 are supported.


These DWDM SFPs:

DWDM-SFP-5817—1000BASE-DWDM 1558.17 nm SFP (100-GHz ITU grid) SFP module

DWDM-SFP-5252—1000BASE-DWDM 1552.52 nm SFP (100-GHz ITU grid) SFP module

DWDM-SFP-5172—1000BASE-DWDM 1551.72 nm SFP (100-GHz ITU grid) SFP module

DWDM-SFP-5012—1000BASE-DWDM 1550.12 nm SFP (100-GHz ITU grid) SFP module

DWDM-SFP-4692—1000BASE-DWDM 1546.92 nm SFP (100-GHz ITU grid) SFP module

DWDM-SFP-4373—1000BASE-DWDM 1543.73 nm SFP (100-GHz ITU grid) SFP module

DWDM-SFP-4214—1000BASE-DWDM 1542.14 nm SFP (100-GHz ITU grid) SFP module

DWDM-SFP-3977—1000BASE-DWDM 1539.77 nm SFP (100-GHz ITU grid) SFP module

DWDM-SFP-3898—1000BASE-DWDM 1538.98 nm SFP (100-GHz ITU grid) SFP module

DWDM-SFP-3582—1000BASE-DWDM 1535.82 nm SFP (100-GHz ITU grid) SFP module

DWDM-SFP-3504—1000BASE-DWDM 1535.04 nm SFP (100-GHz ITU grid) SFP module

WS-X6624-FXS, WS-X6608-T1, and WS-X6608-E1 voice modules

WS-X6101-OC12-MMF and WS-X6101-OC12-SMF ATM LANE modules

WS-X6302-MSM Multilayer Switch Module

Catalyst 6000 series chassis

These power supplies cannot support high-capacity fan trays:

WS-CAC-1300W

WS-CDC-1300W

WS-CAC-1000W

Unsupported modules remain powered down if detected and do not affect system behavior.

FPD Image Packages


Note FPD image packages update FPD images. If a discrepancy exists between an FPD image and the Cisco IOS image, the module that has the FPD discrepancy is deactivated until the discrepancy is resolved.


These sections describe FPD packages:

FPD-Image Dependant Modules

FPD Image Package Contents

FPD Upgrades

FPD-Image Dependant Modules

These modules use FPD images:

Shared Port Adapter (SPA) Interface Processors (SIPs)

Shared Port Adapters

Enhanced FlexWAN Module (WS-X6582-2PA)


Note You do not need to do a separate FPD image upgrade for the Enhanced FlexWAN module, because the Cisco IOS software images contain the FPD image for the Enhanced FlexWAN module. The FPD image package also includes the FPD image for the Enhanced FlexWAN module. (CSCin90971)


FPD Image Package Contents

Enter the show upgrade fpd file command to display the contents of the FPD package.

FPD Upgrades


Note You do not need to do a separate FPD image upgrade for the Enhanced FlexWAN module, because the Cisco IOS software images contain the FPD image for the Enhanced FlexWAN module. The FPD image package also includes the FPD image for the Enhanced FlexWAN module. (CSCin90971)


See this publication:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/sipspasw.html

Feature Sets

Use Cisco Feature Navigator to display information about the images and feature sets in Release 12.2ZY.

The releases include strong encryption images. Strong encryption images are subject to U.S. and local country export, import, and use laws. The country and class of end users eligible to receive and use Cisco encryption solutions are limited. See this publication for more information:

http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_compliance.html

New Features in Release 12.2(18)ZYA3c

These sections describe the new features in Release 12.2(18)ZYA3c:

New Hardware Features in Release 12.2(18)ZYA3c

New Software Features in Release 12.2(18)ZYA3c

New Hardware Features in Release 12.2(18)ZYA3c

None.

New Software Features in Release 12.2(18)ZYA3c

None.

New Features in Release 12.2(18)ZYA3b

These sections describe the new features in Release 12.2(18)ZYA3b:

New Hardware Features in Release 12.2(18)ZYA3b

New Software Features in Release 12.2(18)ZYA3b

New Hardware Features in Release 12.2(18)ZYA3b

None.

New Software Features in Release 12.2(18)ZYA3b

None.

New Features in Release 12.2(18)ZYA3a

These sections describe the new features in Release 12.2(18)ZYA3a:

New Hardware Features in Release 12.2(18)ZYA3a

New Software Features in Release 12.2(18)ZYA3a

New Hardware Features in Release 12.2(18)ZYA3a

None.

New Software Features in Release 12.2(18)ZYA3a

None.

New Features in Release 12.2(18)ZYA3

These sections describe the new features in Release 12.2(18)ZYA3:

New Hardware Features in Release 12.2(18)ZYA3

New Software Features in Release 12.2(18)ZYA3

New Hardware Features in Release 12.2(18)ZYA3

None.

New Software Features in Release 12.2(18)ZYA3

None.

New Features in Release 12.2(18)ZYA2

These sections describe the new features in Release 12.2(18)ZYA2:

New Hardware Features in Release 12.2(18)ZYA2

New Software Features in Release 12.2(18)ZYA2

New Hardware Features in Release 12.2(18)ZYA2

None.

New Software Features in Release 12.2(18)ZYA2

Application-aware NetFlow—See this publication:

http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/nf_lay2_sec_mon_exp.html

AutoQoS for the Enterprise - Suggested Policy—See this publication:

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/autoqos_enterprise.html

NBAR PDLM - Telepresence—See this publication:

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar.html

New Features in Release 12.2(18)ZYA1

These sections describe the new features in Release 12.2(18)ZYA1:

New Hardware Features in Release 12.2(18)ZYA1

New Software Features in Release 12.2(18)ZYA1

New Hardware Features in Release 12.2(18)ZYA1

None.

New Software Features in Release 12.2(18)ZYA1

FPM - Copy and/or Redirect matched packet—See this publication:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_flex_pack_match.html

Intelligent Traffic Redirect—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/P1.html#platform_ip_features_pisa

Non-intrusive Protocol Discovery—See this publication:

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar.html

New Features in Release 12.2(18)ZYA

These sections describe the new features in Release 12.2(18)ZYA:

New Hardware Features in Release 12.2(18)ZYA

New Software Features in Release 12.2(18)ZYA

New Hardware Features in Release 12.2(18)ZYA

None.

New Software Features in Release 12.2(18)ZYA

Enhance FPM Search Window Size To 128 bytes—See this publication:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_flex_pack_match.html

Enhanced PoE Support (Additional Wattage Range)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/voip.html#wpCisco_Enhanced_PoE_Support

Firewall Websense URL Filtering—See this publication:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_fwall_websense.html

NBAR and FPM activation on Layer 2 interfaces—See this publication:

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_trfc_nbar_map.html

PISA - FWSM integration—See this publication:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/protct_f.html#Permitting_or_Denying_Application_Types_with_PISA_Integration


Note Application-aware NetFlow is being developed for release in a future rebuild of Release 12.2(18)ZYA.


New Features in Release 12.2(18)ZY2

These sections describe the new features in Release 12.2(18)ZY2:

New Hardware Features in Release 12.2(18)ZY2

New Software Features in Release 12.2(18)ZY2

New Hardware Features in Release 12.2(18)ZY2

1-Port OC-48 POS/RPR SPA (SPA-1XOC48POS/RPR):

Supported only with 7600-SIP-400

See these publications:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/install_upgrade/6500series/sipspahw.html

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/sipspasw.html

New Software Features in Release 12.2(18)ZY2

NBAR URL Classification Scalable to 56 URLs—See this publication:

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar.html

New Features in Release 12.2(18)ZY1

These sections describe the new features in Release 12.2(18)ZY1:

New Hardware Features in Release 12.2(18)ZY1

New Software Features in Release 12.2(18)ZY1

New Hardware Features in Release 12.2(18)ZY1

Supervisor Engine 32 PISA with two 10-Gigabit Ethernet ports (WS-S32-10GE-PISA)

Services SPA Carrier (SSC; 7600-SSC-400)


Note 7600-SSC-400 does not maintain state when an NSF with SSO redundancy mode switchover occurs.


IPsec SPA (SPA-IPSEC-2G):

See these publications:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/install_upgrade/6500series/sipspahw.html

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/sipspasw.html

8700 W AC power supply (WS-CAC-8700W-E)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Chassis_Installation/Cat6500/6500_ins.html

New Software Features in Release 12.2(18)ZY1

Certificate Security Attribute-Based Access Control (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cfg-auth-rev-cert.html

Crypto Conditional Debug Support (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-2sx/sec-crypto-debug-sup.html

Certificate Autoenrollment (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cert-enroll-pki.html

Distinguished Name-Based Crypto Maps (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/12-2sx/sec-dist-nm-cyrpto.html

Dynamic Multipoint VPN (DMVPN) Phase 2 on SPA-IPSEC-2G—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-s/sec-conn-dmvpn.html

Easy VPN Server features (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_esyvpn/configuration/12-2sx/sec-easy-vpn-12-2sx-book.html

Encrypted Multicast over GRE (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/sipspasw.html

Encrypted Preshared Key (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/12-2sx/sec-encrypt-preshare.html

IDSM-2 EtherChannel load balancing—See this publication:

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps5058/tsd_products_support_model_home.html

IKE: Initiate Aggressive Mode (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/12-2sx/sec-aggr-mde-ike.html

IPsec VPN Accounting (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_imgmt/configuration/12-2sx/sec-ipsec-vpn-acctg.html

IPsec VPN Monitoring (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_imgmt/configuration/12-2sx/sec-ip-security-vpn.html

Manual Certificate Enrollment (TFTP and Cut-and-Paste; supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cert-enroll-pki.html

Multiple RSA Key Pair Support (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-deploy-rsa-pki.html

Protected private key storage (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-deploy-rsa-pki.html

Real-Time Resolution for IPsec Tunnel Peer (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnav/configuration/12-2sx/sec-realtime-ipsec.html

Re-enroll using existing certificate (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cert-enroll-pki.html

Source Interface Selection for Outgoing Traffic with Certificate Authority (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-sis-with-ca.html

Trusted Root Certification Authority (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_cert_auth_io_OBS.html

Trustpoint CLI (supported on SPA-IPSEC-2G)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cert-enroll-pki.html

VRF Aware IPsec with SPA-IPSEC-2G—See this publication:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76ovwvpn.html

Features in Release 12.2(18)ZY

These sections describe the features in Release 12.2(18)ZY:

PISA-Accelerated Features

Other Features


Note See the following site for information about MIBs:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Features in the Cisco IOS 12.2ZY releases that are also supported in the Cisco IOS 12.2 mainline, 12.2T and 12.2S releases are documented in the publications for these releases. When applicable, this section refers to these publications for platform-independent features supported in the Cisco IOS 12.2ZY releases.


PISA-Accelerated Features

These features are accelerated in hardware on the PISA:

Network-Based Application Recognition (NBAR)—See this publication:

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar.html

Flexible Packet Matching (FPM)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fpm.html


Note NBAR and FPM are features that can only be configured on Layer 3 interfaces and are applied only to Layer 3 traffic. You cannot apply NBAR and FPM to Layer 2 traffic.


Other Features

These features are accelerated on the PFC3B or run in software on the PISA:

4096 Layer 2 VLANs—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/vlans.html


Note We recommend that you configure a combined total of no more than 2,000 Layer 3 VLAN interfaces and Layer 3 ports.


Any Transport over MPLS (AToM) Features (supported on WAN ports):

Supported on WAN ports

Ethernet over MPLS (EoMPLS)

Frame Relay over MPLS (FRoMPLS)

ATM Single Cell Relay over MPLS-VC Mode (CRoMPLS)

ATM AAL5 over MPLS (AAL5oMPLS)

See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE

Any Transport over MPLS (AToM): HDLC over MPLS (HDLCoMPLS):

Supported on WAN ports.

See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/pwan.html#Configuring_Strict_Priority_Low_Latency_Queuing_(LLQ)_Support_on_the_OSM-24GE-WAN

Any Transport over MPLS (AToM): PPP over MPLS (PPPoMPLS):

Supported on WAN ports.

See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/pwan.html#Configuring_Strict_Priority_Low_Latency_Queuing_(LLQ)_Support_on_the_OSM-24GE-WAN

ARP ACLs for QoS Filtering—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html

ATM Cell Loss Priority (CLP) Setting on FlexWAN module ATM interfaces—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html

ATM OAM ping—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12satmpng.html

ATM VC access trunk emulation—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12satmpng.html

ATM Virtual Circuit (VC) Bundling—See these publications:

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfipaov_ps1835_TSD_Products_Configuration_Guide_Chapter.html

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsmu26s.html

Autostate - Firewall Capability for the Firewall service module—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsmu26s.html

Bandwidth Command for HQoS Parent Class Support—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/pwan.html#Configuring_Strict_Priority_Low_Latency_Queuing_(LLQ)_Support_on_the_OSM-24GE-WAN

BGP Configuration Using Peer Templates—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpct.html

BGP Cost Community—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpcc.html

BGP Dynamic Update Peer-Groups—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpcc.html

BGP Increased Support of Numbered AS-path Access Lists to 500—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpcc.html

BGP multipath load sharing for both eBGP and iBGP in an MPLS-VPN—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2sx/feature/guide/fsxeibmp.html


Note With the BGP multipath load sharing for both eBGP and iBGP in an MPLS-VPN feature configured, do not attach output service policies to VRF interfaces. (CSCsb25509)

For non-MPLS environments, see the Interior Border Gateway Protocol (iBGP) Multipath Load Sharing feature.


BGP Policy Accounting—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsbgppa.html

BGP Restart Session After Max-Prefix Limit—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsbgppa.html

BGP Route Map Continue—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsbgppa.html

BGP Route-Map Policy List Support—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsbgppa.html

BGP support for TTL security check—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsbgppa.html

Bidirectional Forwarding Detection (BFD) standard implementation—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fs_bfd.html


Note Catalyst 6500 switches support BFD only on Ethernet, Fast Ethernet (except PA-2FE and PA-1FE), Gigabit Ethernet, and 10-Gigabit Ethernet ports, including Ethernet SPAs. The Catalyst 6500 switches and Cisco 7600 routers do not support BFD on PA-2FE or PA-1FE Ethernet LAN ports, or on POS, ATM, or serial WAN ports.

Also see "Integrated IS-IS support for BFD over IPv4" and "OSPF support for BFD over IPv4."


Bidirectional Protocol Independent Multicast (PIM)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/mcastv4.html

Boot Protocol (BOOTP) relay—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html

Bridge Control Protocol (BCP)—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html

Bridging using RFC1483 Routed Encapsulation (BRE)—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html

Cisco Discovery Protocol (CDP)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/cdp.html

Cisco IOS IP Event Dampening—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_pi/configuration/12-2sx/iri-ip-event-damp.html

Cisco IP Phone support and enhancements:

Support for a high-powered phone to negotiate a low-power mode (dimmed screen) when powered by a pre-standard Cisco PoE daughtercard.

Support for a high-powered phone to negotiate a high-power mode (full screen brightness) when powered by an IEEE 802.3af Cisco PoE daughtercard.

See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/voip.html

Cisco Nonstop Forwarding (NSF) with stateful switchover (SSO) supervisor engine redundancy—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/nsfsso.html


Note NSF with SSO supports multicast traffic.

NSF with SSO redundancy mode supports IPv4. NSF with SSO redundancy mode does not support IPv6, IPX, or MPLS.

These protocols can coexist with NSF with SSO redundancy mode, but there is no stateful support for them:

MPLS and LDP

GLBP

HSRP

VRRP

Following an NSF with SSO switchover, traffic loss occurs on the links where the protocols are configured until the protocols converge.

With Firewall Services Module Software Release 2.3(1), WS-SVC-FWM-1-K9 maintains state when an NSF with SSO redundancy mode switchover occurs.


Clear hardware interface counters—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/cmdref.html

CNS Interactive CLI—Network management applications can use the Cisco Networking Services (CNS) agents to manage network routers. The CNS agent provides the capability to send commands to a router from a programmable source. The CNS Interactive CLI feature introduces a new XML interface that allows you to send interactive commands to a router, such as commands that generate prompts for user input. A benefit of this feature is that interactive commands can be aborted before they have been fully processed. For example, for commands that generate a significant amount of output, the XML interface can be customized to limit the size of the output or the length of time allowed for the output to accumulate. The capability to use a programmable interface to abort a command before its normal termination (similar to manually aborting a command) can greatly increase the efficiency of diagnostic applications that might use this functionality. The new XML interface also allows for multiple commands to be processed in a single session. The response for each command is packaged together and sent in a single response event.

Configurable Per VLAN MAC Learning (PVL)—See the mac-address-table learning command in this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/cmdref.html

Control Plane DSCP Support for RSVP—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/qos_rsvp/configuration/15-mt/rsvp-dscp-spt-for-rsvp.html

Custom IEEE 802.1Q Ethertypes:

Supported on these modules:

—Supervisor Engine 32 PISA
—WS-X6516-GE-TX
—WS-X6516A-GBIC
—WS-X6516-GBIC


Note The WS-X6516A-GBIC and WS-X6516-GBIC modules apply a configured custom EtherType field value to all ports supported by each port ASIC (1 through 8 and 9 through 16).


See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/layer2.html

Data-link switching plus (DLSw+)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2/ibm/configuration/guide/bcfdlsw_support_TSD_Island_of_Content_Chapter.html

DE/CLP and EXP mapping on FR/ATMoMPLS VC—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE

DHCP Option 82 on Untrusted Port—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/snoodhcp.html

DHCP Snooping—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/snoodhcp.html

Digital Optical Monitoring (DOM)—See the show interfaces transceiver command in this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/cmdref.html


Note See this publication for additional information about DOM:

http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_8031.html


Distributed LFI (dLFI) and distributed QoS (dQoS) over Leased Lines on FlexWAN module interfaces—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/qos_latjit/configuration/15-mt/qos-mlppp-fr.html

Distributed MLPPP (dMLPPP) on FlexWAN module interfaces—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html


Note cRTP is not supported on dMLPPP bundled links.


Distributed Multilink Frame Relay (FRF.16)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/dmfr.html

Distributed network-based application recognition (dNBAR) on FlexWAN module interfaces—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/dmfr.html

Directed broadcast hardware support with the mls ip directed-broadcast command—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/M1.html

Dot1q Transparency for EoMPLS on WAN ports—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE

DSCP transparency (also called "Preserving the Received ToS Byte")—See the procedures in this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html

Dynamic ARP Inspection (DAI)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/dynarp.html

Dynamic Host Configuration Protocol (DHCP)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html

Egress ACL support for remarked DSCP—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html

Egress DSCP mutation—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html

Egress policing for LAN ports configured as Layer 3 interfaces and for VLAN interfaces—See the procedures in this publication for information about configuring the service-policy output command:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html

EIGRP MPLS VPN PE-CE site of origin (SoO)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_mvesoo.html

Embedded CiscoView—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/intro.html

Embedded network management improvements—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_mvesoo.html

Encapsulated Remote SPAN (ERSPAN)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/span.html

Enhanced support for interface link status messages (CSCeb06765). See the following publication for more information:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/I1.html

EtherChannel Enhancement - 128 EtherChannels Support—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/channel.html

EtherChannel Min-Links—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/channel.html

EtherChannel—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/channel.html

Ethernet over MPLS (EoMPLS) per VLAN QoS—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE

Field-programmable device upgrade tool—The Cisco SPA field-programmable device (FPD) upgrade tool gives customers and field engineers a consistent way, across platforms, to upgrade firmware or images for programmable devices (for example, FPGAs, PLDs, ROMMON). Customers can get the proper images from Cisco.com and use this tool to download them automatically (with a flash card or TFTP), or manually if needed. The FPD tool provides a convenient and safe way for customers to upgrade an FPD for related bug fixes and feature enhancements with minimum system impact. The FPD tool significantly improves customer satisfaction and product reliability.

Flex Links—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/flexlink.html

FlexWAN interface support for 4000 ATM VCs per port adapter on the following ATM port adapters:

PA-A3-OC3MM

PA-A3-OC3SMI

PA-A3-OC3SML

PA-A3-T3

PA-A3-E3

PA-A6-OC3MM

PA-A6-OC3SMI

PA-A6-OC3SML

PA-A6-T3

PA-A6-E3

Frame Relay virtual circuit (VC) bundling—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE

Gateway Load Balancing Protocol—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fs_glbp2.html

Generic Online Diagnostics (GOLD)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/diags.html

Half-Bridging on FlexWAN ATM interfaces (CSCin27157)

Hardware Capacity Monitoring—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/pwr_envr.html

Hardware Control Plane Interface for Control Plane Policing (CoPP):

With Cisco IOS 12.2ZY releases, the PFC3B supports CoPP.

The PFC3B does not support CoPP output rate limiting (policing).

The PFC3B does not support the CoPP silent operation mode.

The PFC3B does not support the match protocol arp command.

See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/dos.html

Hardware-supported counters for hardware-supported ACLs, displayed by the show tcam interface command. See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/show4.html

HQoS support for Ethernet over MPLS (EoMPLS) VC—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/show4.html

H-VPLS with MPLS Edge—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE

ICMP traffic hardware switching when Cisco IOS reflexive ACLs are configured. (CSCeb20666)

IEEE 802.1Q protocol tunneling—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/dot1qtnl.html

IEEE 802.1Q tunneling—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/dot1qtnl.html

IEEE 802.1s - Multiple Spanning Tree (MST) Standard Compliance—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/spantree.html

IEEE 802.1w rapid reconfiguration of spanning tree—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/spantree.html

IEEE 802.1X Port-Based Authentication—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/dot1x.html

IEEE 802.3ad link aggregation control protocol (LACP)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/channel.html

IGMP snooping and IGMP snooping querier—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/snooigmp.html

IGMP Static Group Range Support—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2sx/feature/guide/stgrpsxf.html

Ingress CoS mutation on IEEE 802.1Q tunnel ports—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html

Integrated IS-IS global default metric—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_isis/configuration/15-mt/irs-netd.html

Integrated IS-IS protocol shutdown support maintaining configuration parameters—See this publication:

http://www.cisco.com/en/US/docs/ios/iproute_isis/configuration/guide/irs_initcf.html

Integrated IS-IS support for BFD over IPv4—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fs_bfd.html


Note Also see "Bidirectional Forwarding Detection (BFD) standard implementation."


Interior Border Gateway Protocol (iBGP) Multipath Load Sharing—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsbgpls.html


Note For MPLS support, see BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS-VPN.


Internet Group Management Protocol Version 3 (IGMPv3) snooping—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/snooigmp.html

Invalid Special Parameter Index (SPI) Recovery—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dplane/configuration/12-2sx/sec-invald-index-rec.html

Inverse Multiplexing over ATM (IMA) on FlexWAN module interfaces—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html

IP-in-IP tunneling and generic routing encapsulation (GRE) tunneling supported in hardware—The PFC3B supports the following tunnel commands:

tunnel destination

tunnel mode gre

tunnel mode ipip

tunnel source

tunnel ttl

tunnel tos

Other supported types of tunneling run in software on the PISA. The PFC3B does not provide hardware acceleration for tunnels configured with the tunnel key command.

The tunnel ttl command (default 255) sets the TTL of encapsulated packets.

The tunnel tos command, if present, sets the ToS byte of a packet when it is encapsulated. If the tunnel tos command is not present and QoS is not enabled, the ToS byte of a packet sets the ToS byte of the packet when it is encapsulated. If the tunnel tos command is not present and QoS is enabled, the ToS byte of a packet as modified by PFC QoS sets the ToS byte of the packet when it is encapsulated.

To configure GRE Tunneling and IP in IP Tunneling, refer to these publications:

http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html

http://www.cisco.com/en/US/docs/ios/12_2/interface/command/reference/irfshoip.html

To configure the tunnel tos and tunnel ttl commands, refer to this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_tos.html

Note the following information about tunnels:

Each hardware-assisted tunnel must have a unique source. Hardware-assisted tunnels cannot share a source even if the destinations are different. Use secondary addresses on loopback interfaces or create multiple loopback interfaces. (CSCdy72539)

Each tunnel interface uses one internal VLAN.

Each tunnel interface uses one additional router MAC address entry per router MAC address.

The PFC3B supports PFC QoS features on tunnel interfaces.

The PFC3B supports GRE tunnel encapsulation and de-encapsulation of multicast traffic.

The PISA supports tunnels configured with egress features on the tunnel interface. Examples of egress features are output Cisco IOS ACLs, NAT and PAT (for inside to outside translation), TCP intercept, context-based access control (CBAC), and encryption.

IP routing of RFC1483 ATM bridge encapsulation (RBE)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_tos.html

IP Unnumbered for VLAN-SVI interfaces—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/layer3.html

IPSec Anti-Replay Window: Expanding and Disabling—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dplane/configuration/12-2sx/sec-ipsec-antireplay.html

IPv4 multicast over point-to-point GRE tunnels (hardware supported)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html


Note The PFC3B does not provide hardware acceleration for tunnels configured with the tunnel key command.


IPv6 supported in hardware for these basic IPv6 functions:

IPv6 standard access control lists (ACLs)

IPv6 extended ACLs

Reflexive ACLs

Manually configured v6 tunnels

ISATAP (ISATAP with 6-to-4 prefix is not supported in hardware)

Automatically configured IPv4 compatible tunnels

6-to-4 tunnel

IPv6 over IPv4 IP in IP tunnels

IPv6 supported in software for these basic IPv6 functions:

IPv6 addressing architecture

ICMPv6

Neighbor Discovery

Static ND cache entry

IPv6 stateless autoconfiguration

ICMPv6 Redirect

MTU path Discovery for IPv6

IPv6 ICMP rate limiting

IPv6 over IPv4 GRE tunnels

IPv6 supported in software for these IPv6 routing functions:

Static routes within IPv6

RIPng

MP-BGP4

OSPFv3

ISIS

Configuring an IPv6 Multiprotocol BGP Peer using a link local address

IPv6 MP-BGP distance command

IPv6 switching support:

Process switching

CEFv6 switching

Distributed CEFv6 switching

IPv6 supported in software for these IPv6 applications:

Ping

Traceroute

Telnet

TFTP (client only)

FTP

SSH over IPv6

DNS

HTTP server

For configuration information, refer to this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/15-mt/ip6-mcast-ssm-map.html

For command reference information, refer to this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/15-mt/ip6-mcast-ssm-map.html

IPv6 access services: DHCPv6 prefix delegation—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/15-mt/ip6-mcast-ssm-map.html

IPv6 hardware: multicast assist—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/mcastv6.html

IPv6 multicast RPR support—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/redund.html

IPv6 multicast: Bootstrap Router (BSR)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/12-2sx/ipv6-12-2sx-book.html

IPv6 Provider Edge Router (6PE) over MPLS—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/12-2sx/ipv6-12-2sx-book.html

IPv6 QoS (quality of service)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html

IPv6 Support on WAN Interfaces—See this publication:

http://www.cisco.com/en/US/tech/tk872/tech_white_papers_list.html

IS-IS caching of redistributed routes—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/isredrib.html

IS-IS Incremental SPF—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/isisispf.html

IS-IS Limit on Number of Redistributed Routes—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsiredis.html

IS-IS Mechanisms to Exclude Connected IP Prefixes from LSP Advertisements—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsisiadv.html

IS-IS support for priority-driven IP prefix RIB installation—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocrib.html

IS-IS Support for Route Tags—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_isis/configuration/15-mt/irs-isis-supp-route-tags.html

Jumbo frames on all Ethernet ports except ports on the WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6148-GE-TX, and WS-X6148V-GE-TX switching modules.


Caution The following switching modules support a maximum ingress frame size of 8092 bytes:

·  WS-X6516-GE-TX when operating at 100 Mbps
·  WS-X6148-RJ-45, WS-X6148-RJ45V and WS-X6148-RJ21, WS-X6148-RJ21V
·  WS-X6248-RJ-45 and WS-X6248-TEL
·  WS-X6248A-RJ-45 and WS-X6248A-TEL
·  WS-X6348-RJ-45, WS-X6348-RJ45V and WS-X6348-RJ21V

When jumbo frame support is configured, these modules drop ingress frames larger than 8092 bytes.

Key rollover for certificate renewal—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cert-enroll-pki.html

L3 MPLS VPN over GRE on 7600-SIP-400—See this publication:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/sipspasw.html

Layer 2 protocol tunneling global threshold—See the l2protocol-tunnel global drop-threshold command in the command reference at this URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/cmdref.html

Layer 2 switch ports and VLAN trunks with the Dynamic Trunking Protocol (DTP), including support on Gigabit Ethernet ports for jumbo frames—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/layer2.html

Layer 2 traceroute—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/l2trace.html

Link Fragmentation and Interleaving (LFI) for Frame Relay and ATM Virtual Circuits (supported on FlexWAN interfaces)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/qos_latjit/configuration/15-mt/qos-mlppp-fr.html

Local proxy ARP—See the Catalyst Supervisor Engine 32 PISA Cisco IOS Command Reference, Release 12.2ZY, publication.


Note To use the local proxy ARP feature, you must enable the IP proxy ARP feature. The IP proxy ARP feature is enabled by default. See this publication:

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html#Enabling_Proxy_ARP


Low Latency Queueing (LLQ) and Class-based Weighted Fair Queueing (CBWFQ) on MLPPP links (supported on FlexWAN interfaces)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/fqos_c.html

MAC address-based traffic blocking—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/secure.html

Mapping a subinterface to an EoMPLS VC on 7600-SIP-400—See this publication:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/sipspasw.html

'match cos' classification on 7600-SIP-400—See this publication:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/sipspasw.html

Metro Ethernet Advanced QinQ Service Mapping—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/pwan.html

MLD snooping—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/snoopmld.html

Mobile IP—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfmobip_ps1835_TSD_Products_Configuration_Guide_Chapter.html


Note These redundancy modes support MultiProtocol Label Switching (MPLS):

Route Processor Redundancy (RPR)

MPLS can coexist with NSF with SSO redundancy, but there is no support for stateful MPLS switchover.


MPLS Basic, including Provider (P) and Provider Edge (PE) functionality—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/pwan.html

MPLS Label Distribution Protocol (LDP)—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE

MPLS LDP - Inbound Label Binding Filtering—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsinbd4.html

MPLS LSP ping/traceroute and AToM VCCV—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsinbd4.html

MPLS Traffic Engineering (TE) Fast Reroute (FRR) Link and Node Protection—See these publications:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsfrr24.html


Note Also see MPLS Traffic Engineering DiffServ Aware (DS-TE).
MPLS TE FRR Link and Node Protection is not supported on these interface types:
—Port channel interfaces
—Switch virtual interfaces (SVIs)
—Multiple link point-to-point protocol (MLPPP) interfaces
—Multilink Frame Relay (MLFR or MFR)


MPLS Traffic Engineering (TE) Interarea Tunnels—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsiarea3.html

MPLS Traffic Engineering DiffServ Aware (DS-TE)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsdserv3.html


Note Also see MPLS Traffic Engineering (TE) Fast Reroute (FRR) Link and Node Protection.
MPLS DS-TE is not supported on these interface types:
—Port channel interfaces
—Switch virtual interfaces (SVIs)
—Multiple link point-to-point protocol (MLPPP) interfaces
—Multilink Frame Relay (MLFR or MFR)


MPLS Virtual Private Networks (MPLS VPN)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsmvpns.html

MPLS VPN Carrier Supporting Carrier—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fs2scsc.html

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fscsclbl.html

MPLS VPN ID—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/vpnid2.html

MPLS VPN Inter-AS IPv4 BGP Label Distribution—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsiaslbl.html

MPLS VPN support for EIGRP between Provider Edge (PE) and Customer Edge (CE)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsiaslbl.html


Note The MPLS VPN support for EIGRP between Provider Edge (PE) and Customer Edge (CE) feature also provides EIGRP support for VRF Lite.


MPLS VPN—OSPF and Sham-Link Support—See this publication:

http://www.cisco.com/en/US/docs/ios/iproute_ospf/configuration/guide/iro_sham_link.html

MQC: distribution of remaining bandwidth (supported only on WAN ports)—You configure QoS features on an interface using the modular QoS CLI (MQC). Using MQC, you create service policies for traffic classes and attach the policies to an interface. You can use MQC to specify how the remaining bandwidth is distributed among the interface or subinterface output queues. The remaining bandwidth is the available bandwidth left on an interface or subinterface after all guaranteed traffic is accounted for. The amount of remaining bandwidth available for use is determined by the excess information rate (EIR) configured for the queue.

The bandwidth remaining percent command allows you to configure the remaining bandwidth for output queues. The aggregate of all user-configured EIR bandwidth percentages cannot exceed 100 percent. If the aggregate of all remaining bandwidth is less than 100 percent, the remainder is evenly split among user queues (including the default queue) that do not have a remaining bandwidth percentage configured. The minimum EIR value of each output queue is 1.

This example shows how to use the bandwidth remaining percent command to distribute percentages of remaining bandwidth to various traffic classes in a policy map:

Router# configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z. 
Router(config)# policy-map myPolicy 
Router(config-pmap)# class class-default 
Router(config-pmap-c)# bandwidth remaining percent 20 
Router(config-pmap-c)# class prec1 
Router(config-pmap-c)# bandwidth remaining percent 30 
Router(config-pmap-c)# class prec2 
Router(config-pmap-c)# bandwidth remaining percent 10 
Router(config-pmap-c)# bandwidth percent 50 
Router(config-pmap-c)# end 
Router# show policy-map myPolicy 
  Policy Map myPolicy 
    Class prec1 
         bandwidth remaining percent 30 
    Class prec2 
         bandwidth percent 50 
         bandwidth remaining percent 10 
    Class class-default 
         bandwidth remaining percent 20 
Router#
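The distribution rules described above, applied to the show policy-map output from this example (an added illustration in Python, not Cisco code). The function names and the second, constructed policy are assumptions; the text does not say what happens to the leftover percentage when every queue has a configured value, so it is reported as unassigned.

```python
import re

# "show policy-map" output copied from the example above.
PAGE_OUTPUT = """\
  Policy Map myPolicy
    Class prec1
         bandwidth remaining percent 30
    Class prec2
         bandwidth percent 50
         bandwidth remaining percent 10
    Class class-default
         bandwidth remaining percent 20
"""

# Constructed variant (not from the release notes): prec2 and prec3 carry
# no "bandwidth remaining percent" line, so they share the remainder.
CONSTRUCTED_OUTPUT = """\
  Policy Map constructedPolicy
    Class prec1
         bandwidth remaining percent 30
    Class prec2
         bandwidth percent 50
    Class prec3
    Class class-default
         bandwidth remaining percent 20
"""

CLASS_RE = re.compile(r"^\s*Class\s+(\S+)\s*$")
REMAINING_RE = re.compile(r"^\s*bandwidth remaining percent\s+(\d+)\s*$")


def parse_remaining(show_output):
    """Map each class in the output to its configured remaining percent.

    A class with no "bandwidth remaining percent" line maps to None.
    Only classes that appear in the output are seen.
    """
    classes = {}
    current = None
    for line in show_output.splitlines():
        match = CLASS_RE.match(line)
        if match:
            current = match.group(1)
            classes[current] = None
            continue
        match = REMAINING_RE.match(line)
        if match and current is not None:
            classes[current] = int(match.group(1))
    return classes


def effective_split(classes):
    """Apply the stated rules and return (shares, unassigned_percent).

    - each configured value must be at least 1 (minimum EIR value)
    - configured values may not total more than 100 percent
    - any remainder is split evenly among queues with no configured value
    """
    configured = {n: p for n, p in classes.items() if p is not None}
    for name, pct in configured.items():
        if pct < 1:
            raise ValueError(f"{name}: remaining percent must be at least 1")
    total = sum(configured.values())
    if total > 100:
        raise ValueError(f"configured remaining percentages total {total} (> 100)")

    shares = {name: float(pct) for name, pct in configured.items()}
    unconfigured = [n for n, p in classes.items() if p is None]
    leftover = 100 - total
    if unconfigured:
        each = leftover / len(unconfigured)
        for name in unconfigured:
            shares[name] = each
        leftover = 0
    return shares, leftover


if __name__ == "__main__":
    for label, text in (("page", PAGE_OUTPUT), ("constructed", CONSTRUCTED_OUTPUT)):
        shares, unassigned = effective_split(parse_remaining(text))
        print(label, shares, "unassigned:", unassigned)
```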
 
   

Multicast-VPN: Multicast Support for MPLS VPN—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/mvpn.html

Multi-VRF for CE Routers (VRF Lite) with IPv4 forwarding between VRFs interfaces, IPv4 ACLs, and IPv4 HSRP—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE


Note Multi-VRF for CE Routers (VRF Lite) with the PFC3B supports multi-VRF CE functionality with EIGRP, OSPF, BGP and RIPv2 routing protocols running on a per VRF basis. Static routes are also supported. Supported on LAN and WAN ports.


Multiple-Hot Standby Routing Protocol (mHSRP)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfip.html

Multiple-path Unicast Reverse Path Forwarding (Unicast RPF) in hardware—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/secure.html

Multipoint bridging (MPB)—See these publications:

http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/atm.html

NAC - L2 IP; Network Admission Control (NAC) Layer 2 IP validation—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/nac.html

NetFlow Aggregation (hardware-assisted)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/nde.html

NetFlow - Bridged Flow Statistics—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/nde.html

NetFlow Data Export (NDE)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/nde.html

NetFlow Data Export (NDE) enhancement—Population of the NDE Layer 4 source port field with the ICMP type and code values.

NetFlow Multiple Export Destinations:

Allows entry of a second ip flow-export destination command

See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/nde.html

NetFlow v9 Export Format, including NetFlow Export of BGP Nexthop Information—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/netflow/configuration/12-2sx/cfg-nflow-data-expt.html

NetFlow multicast support:

Supported only with NetFlow v9 export format.

See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/netflow/configuration/12-2sx/cfg-nf-multi-acctg.html

The NetFlow Multicast Support document contains a prerequisite that does not apply when configuring NetFlow multicast support with Release 12.2(18)ZY and later 12.2ZY releases:

You do not need to configure multicast fast switching or multicast distributed fast switching (MDFS); multicast CEF switching is supported with Release 12.2(18)ZY and later 12.2ZY releases.

Network Address Translation (NAT) and Port Address Translation (PAT) for IPv4 unicast and multicast traffic (hardware-assisted)—Note the following information about hardware-assisted NAT:

PFC3B mode supports NAT and PAT for UDP traffic.

The PFC3B does not support NAT or PAT for multicast traffic.

The PFC3B does not support NAT or PAT configured with a route map that specifies length.

The PFC3B does not support NAT or PAT configured with a route map that specifies static translations.

When you configure NAT or PAT and NDE on an interface, the PFC3B sends all traffic in fragmented packets to the PISA to be processed in software. (CSCdz51590)

To configure NAT or PAT, refer to the Cisco IOS IP Configuration Guide, Release 12.2, "IP Addressing and Services," "Configuring IP Addressing," "Configuring Network Address Translation," at this URL:

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html

For information about configuring NAT or PAT with route maps, refer to this publication:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml

To prevent a significant volume of NAT or PAT traffic from being sent to the PISA, due to either a DoS attack or a misconfiguration, enter the mls rate-limit unicast acl {ingress | egress} command described in this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/M1.html

(CSCea23296)

Optimized ACL logging—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/acl.html

OSPF Forwarding Address Suppression in Translated Type-5 LSAs—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/12-2sx/iro-for-add-sup.html

OSPF Inbound Filtering Using Route Maps with a Distribute List—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html

OSPF Incremental Shortest Path First (i-SPF)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ospfispf.html

OSPF Limit on Number of Redistributed Routes—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsoredis.html

OSPF link state database overload protection—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ospfopro.html

OSPF link-local signaling (LLS) per interface basis—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ospflls.html

OSPF MIB support of RFC 1850 and latest extensions—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ospflls.html

OSPF Shortest Path First Throttling—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fs_spftrl.html

OSPF support for BFD over IPv4—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fs_bfd.html


Note Also see "Bidirectional Forwarding Detection (BFD) standard implementation."


OSPF Support for Fast Hellos—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fasthelo.html

OSPF support for forwarding adjacencies over MPLS traffic engineered tunnels—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ospffa.html

OSPF Support for Link State Advertisement (LSA) Throttling—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsolsath.html

OSPF support for unlimited software VRFs per provider edge (PE) router—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/12-2sx/iro-un-sw-vrfs.html

Packet classification based on layer3 packet-length (supported on WAN ports)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/qos_classn/configuration/12-2sx/qos-classn-ntwk-trfc.html

Per Interface Sticky ARP—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/dos.html

Per port MAC limiting—See the mac-address-table limit command in this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/cmdref.html

Per VLAN load balancing for advanced QinQ service mapping—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/pwan.html#Configuring_Strict_Priority_Low_Latency_Queuing_(LLQ)_Support_on_the_OSM-24GE-WAN

PIM snooping DR flooding enhancement—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/snooppim.html

PIM Snooping—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/snooppim.html

PKI AAA authorization using the entire subject name—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cfg-auth-rev-cert.html

Policy-based routing (PBR; hardware-assisted) for route-map sequences that use the match ip address, set ip next-hop, and set ip default next-hop PBR keywords.

To configure PBR, refer to the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2, "Classification," "Configuring Policy-Based Routing," at this URL:

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html

When configuring PBR, follow these guidelines and restrictions:

The PFC provides hardware support for PBR configured on a tunnel interface.

The PFC does not provide hardware support for PBR configured with the set ip next-hop keywords if the next hop is a tunnel interface.

If the PISA address falls within the range of a PBR ACL, traffic addressed to the PISA is policy routed in hardware instead of being forwarded to the PISA. To prevent policy routing of traffic addressed to the PISA, configure PBR ACLs to deny traffic addressed to the PISA. (CSCse86399)

Any options in Cisco IOS ACLs that provide filtering in a PBR route map that would cause flows to be sent to the PISA to be switched in software are ignored. For example, logging is not supported in ACEs in Cisco IOS ACLs that provide filtering in PBR route maps.

PBR traffic through switching module ports where PBR is configured is routed in software if the switching module resets. (CSCee92191)
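
A check for the PISA restriction above (CSCse86399), which is repeated under General Limitations and Restrictions, written as an added example that is not Cisco code: it parses a running configuration and reports every ACL used by an applied PBR route map that can permit traffic destined to one of the switch's own addresses. It assumes the PISA addresses are the configured interface addresses and that the route maps use named extended ACLs with any, host, or address/wildcard entries; the sample configuration is constructed.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)  # (base, wildcard) pair that matches every IPv4 address
# Constructed sample configuration; every address is from a documentation range.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map PBR-OK
interface Vlan20
 ip address 198.51.100.1 255.255.255.0
 ip policy route-map PBR-BAD
ip access-list extended ACL-OK
 deny ip any host 192.0.2.1
 deny ip any host 198.51.100.1
 permit ip 192.0.2.0 0.0.0.255 any
ip access-list extended ACL-BAD
 deny ip any host 192.0.2.1
 permit ip any 198.51.100.0 0.0.0.255
route-map PBR-OK permit 10
 match ip address ACL-OK
 set ip next-hop 203.0.113.1
route-map PBR-BAD permit 10
 match ip address ACL-BAD
 set ip next-hop 203.0.113.1
"""

def to_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_spec(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (to_int(tok[i + 1]), 0), i + 2
    return (to_int(tok[i]), to_int(tok[i + 1])), i + 2

def covers(spec, addr):
    care = ~spec[1] & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (addr & care) == (spec[0] & care)

def parse_ace(tok):
    """Return (action, protocol, source spec, destination spec) for one ACE."""
    src, i = parse_spec(tok, 2)
    if i < len(tok) and tok[i] in ("eq", "neq", "gt", "lt", "range"):
        i += 3 if tok[i] == "range" else 2  # skip a source-port operator
    dst, _ = parse_spec(tok, i)
    return tok[0], tok[1], src, dst

def parse_config(text):
    addrs, policies, acls, route_maps = [], set(), {}, {}
    section = None
    for raw in text.splitlines():
        tok = raw.split()
        if not raw.startswith(" "):  # a top-level line opens a new section
            section = None
            if tok[:1] == ["interface"]:
                section = ("if", tok[1])
            elif tok[:3] == ["ip", "access-list", "extended"]:
                section = ("acl", acls.setdefault(tok[3], []))
            elif tok[:1] == ["route-map"] and tok[2:3] in ([], ["permit"]):
                section = ("rm", route_maps.setdefault(tok[1], []))
            continue
        if section is None or not tok:
            continue
        kind, target = section
        if kind == "if" and tok[:2] == ["ip", "address"] and len(tok) >= 4:
            addrs.append(to_int(tok[2]))
        elif kind == "if" and tok[:3] == ["ip", "policy", "route-map"]:
            policies.add(tok[3])
        elif kind == "acl":
            tok = tok[1:] if tok[0].isdigit() else tok  # drop a sequence number
            if tok[:1] in (["permit"], ["deny"]):
                target.append(parse_ace(tok))
        elif kind == "rm" and tok[:3] == ["match", "ip", "address"]:
            target.extend(tok[3:])
    return sorted(set(addrs)), policies, acls, route_maps

def verdict(aces, addr):
    """First-match result for traffic destined to addr, judged conservatively."""
    for action, proto, src, dst in aces:
        if covers(dst, addr) and action == "permit":
            return "permit"  # some source can be policy routed toward addr
        if covers(dst, addr) and proto == "ip" and src == ANY:
            return "deny"  # only an all-source, all-protocol deny protects addr
    return "deny"  # implicit deny at the end of the ACL

def audit_pbr(text):
    """Return (route map, ACL, local address) triples that PBR would policy route."""
    addrs, policies, acls, route_maps = parse_config(text)
    findings = set()
    for rm in policies:
        for acl in route_maps.get(rm, []):
            for addr in addrs:
                if verdict(acls.get(acl, []), addr) == "permit":
                    findings.add((rm, acl, str(ipaddress.IPv4Address(addr))))
    return sorted(findings)
```

Calling audit_pbr(SAMPLE_CONFIG) flags ACL-BAD, whose permit entry covers the Vlan20 address before any deny for that address is reached.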

—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/port_sec.html

Port Security, including:

Port security on 802.1Q tunnel ports

Port security on private VLAN ports

Port security on trunk ports

Port security with 4096 secure MAC addresses

Port security with sticky MAC addresses

See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/port_sec.html

PortFast BPDU filtering—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/stp_enha.html

Private VLANs—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/pvlans.html

Protocol-Independent MAC ACL Filtering—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html

QoS, including:

Ignore Port Trust

Per-VLAN and CoS-based QoS filtering in MAC ACLs

PFC QoS features on tunnels

See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html

QoS Data Export—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos_sde.html

QoS: Aggregated DSCP / Precedence Values for WRED—Aggregates multiple DSCP or IP Precedence values for a single minimum or maximum threshold and marks probability when specifying WRED parameters for 7600-SIP-400 ATM SPAs.

QoS: ingress shaping on FlexWAN module interfaces—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html

QoS: percentage based policing on WAN ports—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12spctpg.html

Query mode definition per trustpoint—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cfg-auth-rev-cert.html

Query multiple servers during certificate revocation check—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cfg-auth-rev-cert.html

RADIUS Load Balancing (RLB) IMSI sticky—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cfg-auth-rev-cert.html

Rapid-Per-VLAN-Spanning Tree (Rapid-PVST)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/spantree.html

Received ToS byte preservation—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html

Remote SPAN—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/span.html

RFC-1483 Spanning-Tree Interoperability Enhancements on WAN ports—See these publications:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/atm.html

http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html

RFC-1483 Bridging on FlexWAN—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html

RFC-1490 bridging on FlexWAN interfaces—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html

RFC-1889 Compressed Real-Time Protocol (cRTP; supported on FlexWAN interfaces)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfcrtp.html


Note cRTP is not supported on MLPPP bundled links.


Router-Port Group Management Protocol (RGMP)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/rgmp.html

RSVP Interface-based Receiver Proxy—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2sx/feature/guide/rsvpprox.html

RSVP Refresh Reduction and Reliable Messaging—See this publication:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsrelmsg.html

RSVP Scalability Enhancements—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/qos_rsvp/configuration/12-2sx/rsvp-scalability.html


SafeNet IPsec VPN client support—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-2sx/sec-safenet-suppt.html

SCP health monitoring for enhanced-FlexWAN—The SCP health monitor feature provides improved debugging capabilities for problems that cause WAN module resets because of SCP keepalive failures.

Secure Copy (SCP)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-2sx/sec-secure-copy.html

Secure Shell (SSH) Version 2 server support in k9 images—By default, the k9 images support both SSHv1 connections and SSHv2 connections. To restrict connections to either SSHv1 or SSHv2, enter the ip ssh mode [v1 | v2] global configuration mode command. Except for the v1 and v2 keywords for the ip ssh mode command, you configure SSHv2 in the same way as SSHv1. See this publication for more information:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-2sx/sec-usr-ssh-12-2sx-book.html

For information about SSHv1 client support, refer to the following publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-2sx/sec-usr-ssh-12-2sx-book.html

Secure Shell SSH Version 2 Client Support—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-2sx/sec-usr-ssh-12-2sx-book.html

Server load balancing (SLB), including:

SLB: interface-aware

SLB: stateful failover within single chassis

See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-2sx/sec-usr-ssh-12-2sx-book.html


Note Web Cache Control Protocol (WCCP) Layer 2 PFC redirection is supported with Cisco IOS SLB. Other WCCP configurations are not compatible with Cisco IOS SLB.


Show diagnostic sanity—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/diags.html

Show Top-N—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/topn.html

SNMP ifindex persistence—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/ifindx.html

Source Specific Multicast (SSM) Mapping—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_igmp/configuration/12-2sx/imc_ssm_mapping.html


Note Do not configure SSM mapping in a VLAN that supports IGMPv3 multicast receivers.


Source-Specific Multicast with IGMPv3, IGMP v3lite, and URL Rendezvous Directory (URD)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfssm.html

SPAN destination port permit list—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/span.html

Spanning tree PortFast, UplinkFast, and BackboneFast, and Root Guard Feature—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/stp_enha.html

Spanning Tree Protocol—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/spantree.html

SRR (Shaped Round Robin)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html

SSM mapping for IPv6—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/15-mt/ip6-mcast-ssm-map.html

Standard Domain Naming System (DNS) support—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html

Strict priority low latency queueing (LLQ) on WAN ports—See this publication:

http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/pwan.html#Configuring_Strict_Priority_Low_Latency_Queuing_(LLQ)_Support_on_the_OSM-24GE-WAN

Sub interface features - phase 1—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/layer3.html

Switched Port Analyzer (SPAN)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/span.html

TCP intercept (hardware-assisted)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/ifindx.html

TDR cable diagnostics—TDR is supported on these switching modules:

WS-X6148-GE-TX

WS-X6148V-GE-TX

WS-X6148-GE-45AF

WS-X6548-GE-TX

WS-X6548V-GE-TX

WS-X6548-GE-45AF

WS-X6148A-GE-TX

WS-X6148A-GE-45AF

WS-X6148A-RJ-45

WS-X6148A-45AF


Note TDR can test cables up to a maximum length of 115 meters.


See these publications:

The "Checking the Cable Status Using the TDR" section of the "Configuring Interfaces" chapter at this URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/intrface.html

The test cable-diagnostics command in the command reference at this URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/cmdref.html

Traffic storm control—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/storm.html

UDI - Unique Device Identifier—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/configuration/12-2sx/Unique_Device_Identifier_Retrieval.html

Unicast flood blocking (UFB)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/blocking.html

UniDirectional Link Detection—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/udld.html

Uni-Directional Link Routing (UDLR)—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/ude_udlr.html

User-based microflow policing—See the procedures in this publication for information about configuring microflow policing based on either source or destination addresses:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html

VLAN Access Control Lists (VACLs), including VACL capture—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/vacl.html

VACL Deny Logging—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/secure.html

Virtual Router Redundancy Protocol (VRRP)—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp_fhrp/configuration/12-2sx/fhp-vrrp.html

VLAN Trunk Protocol (VTP) and VTP domains—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/vtp.html

VLANs over IP unnumbered sub-interfaces—See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i4.html#GUID-833D9D25-1E04-4430-84D8-1AA836DE4745

VLANs, including VLAN translation—See this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/vlans.html

Voice over Frame Relay (VoFR) FRF.11 and FRF.12 (supported on FlexWAN interfaces)—See this publication:

http://www.cisco.com/en/US/docs/ios/12_2/voice/configuration/guide/vvfvofr.html


Note Because the Catalyst 6500 series switches do not support voice modules, they can act only as a VoFR tandem switch when FRF.11 or FRF.12 is configured on the FlexWAN module.


Web Cache Control Protocol (WCCP)—These WCCP features are supported:

WCCP Layer 2 PFC Redirection

WCCP Redirection on Inbound Interfaces

WCCP Version 1

WCCP Version 2

See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/12-2sx/iap-wccp.html


Note Release 12.2ZY does not support these WCCP features:
—WCCP L2 Return
—WCCP Layer 2 Redirection/Forwarding
—WCCP Mask Assignment
—WCCP VRF Support


Unsupported Features and Commands

Hardware—See the "Unsupported Hardware" section.

Egress multicast replication

Multicast replication mode detection

All fabric configuration commands

Route Processor Redundancy Plus (RPR+) redundancy

These QoS interface commands are not supported on SPA interfaces:

traffic shape

priority-group

custom-queue-list

tx-queue-limit

fair-queue

random-detect

rate-limit

tx-ring-limit

max-reserved-bandwidth

These QoS interface commands are not supported on FlexWAN interfaces:

traffic shape

priority-group

custom-queue-list

tx-queue-limit

Random Sampled NetFlow (flow-sampler commands)

These software features are not supported:

Apollo Domain

AppleTalk EIGRP

Banyan Vines

Exterior Gateway Protocol (EGP)

HP Probe

IEEE 802.10 VLANs

IGRP

LAN Extension

Netware Asynchronous Services Interface (NASI)

Next Hop Resolution Protocol (NHRP) for IPX

Novell Link-State Protocol (NLSP)

Simple Multicast Routing Protocol (SMRP) for Appletalk

Xerox Network Systems (XNS)

Xremote

Generic routing encapsulation (GRE) tunnel IP source and destination VRF membership (the tunnel vrf command). (CSCee39138)

Warm Reload (CSCef06158)

ARP Optimization (CSCef30539)

Exterior Border Gateway Protocol (eBGP) multihop over CSC-PE interfaces (CSCea83165)

Ability to accept ingress traffic on SPAN destination ports (Cisco IOS software equivalent of set span ... inpkts enable).

Automatic QoS

Unknown unicast flood protection

Commands to globally disable EtherChannel or trunking

write tech-support command

Cisco IOS software equivalent of the set port host command

Disable port startup option

Clear counters per port or clear QoS statistics

System warning and error counter enhancements implemented in Catalyst software release 6.1(1)

Option for no VTP support

Command to display the port MAC address

Port security timer enhancement

System warnings on port counters

VLAN Management Policy Server (VMPS) client or server

Cisco IOS MAC-layer access control lists (ACLs)

Accelerated server load balancing (ASLB)

Hot Standby Router Protocol (HSRP) between redundant supervisor engines (the redundant supervisor engine and PISA are in standby mode—HSRP to external routers is supported)

Multi-Instance Spanning Tree Protocol (MISTP); IEEE 802.1s MST is supported

Common Open Policy Server (COPS)

Resource ReSerVation Protocol (RSVP), except to support tunnels

GARP VLAN Registration Protocol (GVRP)

GARP Multicast Registration Protocol (GMRP)

Commands present in the CLI, but not supported:

ipv6 cef accounting

ip cef accounting

module provision

Limitations and Restrictions

These sections list limitations and restrictions for Cisco IOS software on the Catalyst 6500 series switches and Cisco 7600 series routers:

Restrictions Removed by the PFC3B

General Limitations and Restrictions

FlexWAN Limitations and Restrictions

Service Module and IPsec SPA Limitations and Restrictions

Restrictions Removed by the PFC3B

The PFC3B removes these restrictions that were present with other policy feature cards:

You can configure features to use up to 3 different flow masks.

You can configure more than 1 Gateway Load Balancing Protocol (GLBP) group.

You can configure up to 255 unique HSRP group numbers.

You can configure a separate MAC address on each interface.

You can configure Unicast RPF check without reducing the number of available CEF entries.

You can configure port-based and VLAN-based QoS on a per-port basis on the WS-X6548-RJ-45 and WS-X6548-RJ-21 switching modules.

General Limitations and Restrictions

This section describes general limitations and restrictions:

When a redundant supervisor engine is in standby mode, the Ethernet ports on the redundant supervisor engine are always active.

A supervisor engine that has one ROMMON version might boot at a different rate from a supervisor engine that has another ROMMON version. To ensure that redundant supervisor engines boot at the same rate, install the same ROMMON version on both supervisor engines. (CSCef29567)

All Ethernet LAN ports on all modules, including those on a redundant supervisor engine, support EtherChannel (maximum of eight interfaces) with no requirement that the ports be contiguous.

All Ethernet ports on all modules support 802.1Q VLAN trunking.

These modules do not support Inter-Switch Link (ISL) VLAN trunking:

WS-X6502-10GE

WS-X6548-GE-TX

WS-X6148-GE-TX

The ports on all other modules support ISL VLAN trunking.

When you add a member port that does not support ISL trunking to an EtherChannel, Cisco IOS software automatically adds a switchport trunk encapsulation dot1q command to the port-channel interface to prevent configuration of the EtherChannel as an ISL trunk. The switchport trunk encapsulation dot1q command is inactive when the EtherChannel is not a trunk.

The link state messages ("LINK-3-UPDOWN" and "LINEPROTO-5-UPDOWN") are disabled by default. See the logging event link-status global and interface configuration commands in this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/I1.html

(CSCeb06765)

RSVP Traffic Engineering (TE) tunnels might stop forwarding traffic in hardware if Label Distribution Protocol (LDP) is not enabled globally. This problem occurs when a path change requires that ternary content addressable memory (TCAM) table entries be updated for all the prefixes routed over the TE tunnel. The TCAM entries are not updated correctly.

Workaround: If you enable LDP globally, a TE tunnel rewrite is created for each prefix. The hardware programming code receives an update for each prefix and will be able to program the TCAM entries correctly. (CSCee77417)

The show interface command displays the giants field, which indicates the number of packets that are larger than 1518 octets. For Layer 2 trunk ports configured with an MTU size that supports jumbo frames on WS-X6704-10GE, WS-X6748-SFP, WS-X6724-SFP, and WS-X6748-GE-TX switching modules, the giants field always indicates zero. This is a display issue and does not impact the actual handling of jumbo frames on these ports.

Workaround: None. (CSCek23592)

With the BGP multipath load sharing for both eBGP and iBGP in an MPLS-VPN feature configured, do not attach output service policies to VRF interfaces. (CSCsb25509)

To reduce CPU utilization during ACL configuration changes, use named ACLs instead of numbered ACLs whenever possible, because the ACL merge algorithm runs each time you change an ACE in a numbered ACL. With named ACLs, the ACL merge algorithm runs only when you exit the named ACL configuration mode.

With bidirectional PIM configured, you cannot configure Bootstrap Router (BSR) rendezvous point (RP) candidates.

Workaround: Use AutoRP or static RP. (CSCeg29898)

Unbalanced load-sharing between the two banks of the Layer 2 forwarding engine MAC table for non-statistical distributions of data-frame MAC Layer addresses causes a fractional performance degradation. (CSCec02266)

With a PFC3B, EoMPLS ports cannot be SPAN sources. (CSCed51245)

IPsec in software on the PISA is supported only for administrative connections to Catalyst 6500 series switches and Cisco 7600 series routers.

With a PFC3B, you can either set DSCP in a packet or apply an MPLS tag to the packet, but cannot do both. You cannot set DSCP in a packet and then apply an MPLS tag to that packet. (CSCef19599)

On a Supervisor Engine 2 with several hundred Layer 3 VLAN interfaces configured and with Rapid-Per-VLAN-Spanning Tree (Rapid-PVST) configured, after a change in the Layer 2 topology (for example, a link coming up), there might be unacceptably high CPU utilization that prevents Rapid-PVST from sending BPDUs on time in all VLANs. (CSCed52310)

There is no hardware support for fragmented multicast VPN traffic. (CSCef08631)

When a port becomes a member port of a Layer 2 EtherChannel, any service policy on that member port is displayed by the show mls qos ip command as being on the port-channel interface, but the service policy is not applied to the EtherChannel. (CSCec34784)

The time taken to execute the show spanning-tree interface command is proportional to the number of VLANs configured. With many VLANs configured, there might be a noticeable delay in the output of the command while Cisco IOS scans the VLANs for spanning tree ports. (CSCec65860)

If you set the MTU size on an LACP port-channel interface, the configured MTU size propagates to the member ports. If you change the MTU size on some of the member ports of an LACP EtherChannel, the change does not propagate to the port-channel interface. The ports configured with a different MTU size than the port-channel interface form a secondary LACP EtherChannel. The port-channel interface of a secondary LACP EtherChannel is not configurable. (CSCed18149)

See this publication for information about the supported IPv6 address formats:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/I1.html

(CSCed30692)

The PFC3B incorrectly applies egress IP ACLs to MPLS-tagged traffic. (CSCed29392, CSCed16560)

With an ingress policer, the PFC3B overpolices tunnel-decapsulated packets because of the tunnel-packet length. (CSCec71389)

ToS rewrites for bridged multicast packets do not work when TTL-failure rate limiting is configured. (CSCed07399)

With an EIGRP default network configured, if you remove the referencing network, the default route programming might remain.

Workaround: Use 0.0.0.0/0 as the default route or avoid entering the ip default-network command. Clear the EIGRP neighbors to recover. (CSCea70203)

RPR does not synchronize configuration done through SNMP to the redundant supervisor engine. (CSCeb07866, CSCea72373)

If the PISA address falls within the range of a PBR ACL, traffic addressed to the PISA is policy routed in hardware instead of being forwarded to the PISA. To prevent policy routing of traffic addressed to the PISA, configure PBR ACLs to deny traffic addressed to the PISA. (CSCse86399)

SPAN and RSPAN destination ports transmit VACL-redirected traffic. (CSCea57673)

When you apply both ingress policing and egress policing to the same traffic, both the input policy and the output policy must either mark down traffic or drop traffic. PFC QoS does not support ingress markdown with egress drop or ingress drop with egress markdown. (CSCea23571)

PFC QoS does not rewrite the payload ToS byte in tunnel traffic.

The PFC3B does not apply egress policing to traffic that is being bridged to the PISA.

The PFC3B does not apply egress policing or egress DSCP mutation to multicast traffic from the PISA.

PFC QoS does not rewrite the ToS byte in bridged multicast traffic.

The PISA supports tunnels configured with egress features on the tunnel interface. Examples of egress features are output Cisco IOS ACLs, NAT (for inside to outside translation), TCP intercept, context-based access control (CBAC), and encryption.

When you configure NAT and NDE on an interface, the PFC3B sends all traffic in fragmented packets to the PISA to be processed in software. (CSCdz51590)

The PFC3B does not provide hardware switching for ICMP traffic if you configure NAT.

If you configure Unicast RPF check to filter with an ACL, the PFC determines whether or not traffic matches the ACL. The PFC sends the traffic denied by the RPF ACL to the PISA for the Unicast RPF check. Packets permitted by the ACL are forwarded in hardware without a Unicast RPF check. (CSCdz35099)

The PFC3B does not provide hardware-supported Unicast RPF check for policy-based routing (PBR) traffic. (CSCea53554)

If you have a network device in your network with MAC address reduction enabled, you should also enable MAC address reduction on all other Layer-2 connected network devices to avoid undesirable root bridge election and spanning tree topology issues.

When MAC address reduction is enabled, the root bridge priority becomes a multiple of 4096 plus the VLAN ID. With MAC address reduction enabled, a switch bridge ID (used by the spanning-tree algorithm to determine the identity of the root bridge, the lowest being preferred) can only be specified as a multiple of 4096. Only the following values are possible: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.

If another bridge in the same spanning-tree domain does not run the MAC address reduction feature, it could win root bridge ownership because of the finer granularity in the selection of its bridge ID.
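
The election described above, as an added example that is not Cisco code: it builds the value that spanning tree compares for each bridge, lists the VLANs on which an intended root loses to a bridge without MAC address reduction, and finds the highest priority that still wins. The bridge names, priorities and MAC addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int        # configured bridge priority
    mac: str             # bridge MAC address in dotted notation
    mac_reduction: bool  # True when MAC address reduction is enabled


def bridge_id(bridge, vlan):
    """Return the (priority field, MAC) pair compared in the election; lowest wins."""
    if bridge.mac_reduction:
        # Only multiples of 4096 can be configured; the VLAN ID is added to them.
        if bridge.priority % 4096 or not 0 <= bridge.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 up to 61440")
        field = bridge.priority + vlan
    else:
        # Without MAC address reduction any 16-bit priority can be configured.
        if not 0 <= bridge.priority <= 65535:
            raise ValueError("priority must fit in 16 bits")
        field = bridge.priority
    return field, int(bridge.mac.replace(".", ""), 16)


def elect_root(bridges, vlan):
    """Name of the bridge with the lowest bridge ID on this VLAN."""
    return min(bridges, key=lambda b: bridge_id(b, vlan)).name


def lost_vlans(bridges, intended, vlans):
    """VLANs on which the intended root does not win the election."""
    return [v for v in vlans if elect_root(bridges, v) != intended]


def highest_winning_priority(bridges, intended, vlan):
    """Largest multiple of 4096 with which the intended root still wins, or None."""
    me = next(b for b in bridges if b.name == intended)
    rivals = [b for b in bridges if b.name != intended]
    for prio in range(61440, -1, -4096):
        candidate = Bridge(me.name, prio, me.mac, True)
        if elect_root(rivals + [candidate], vlan) == intended:
            return prio
    return None


# Constructed topology: "legacy" does not run MAC address reduction and has a
# numerically higher configured priority than the intended root "core1".
BRIDGES = [
    Bridge("core1", 8192, "0200.0000.0001", True),
    Bridge("dist1", 32768, "0200.0000.0002", True),
    Bridge("legacy", 8200, "0200.0000.00ff", False),
]

if __name__ == "__main__":
    print("core1 loses on VLANs:", lost_vlans(BRIDGES, "core1", [5, 10, 100]))
    print("highest winning priority on VLAN 10:",
          highest_winning_priority(BRIDGES, "core1", 10))
```

With these values core1 wins only on VLAN 5, because 8192 plus any VLAN ID above 7 exceeds the 8200 configured on the bridge without MAC address reduction.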

Traffic flow and SNMP connectivity are interrupted briefly if you perform an online insertion and removal (OIR) that changes the number of fabric-enabled modules so that the switch must use a different fabric channel switching mode. (CSCdx39882)

The Ethernet port ASICs drop frames that are invalid (for example, frames that are shorter than the minimum valid length). The Ethernet port ASICs do not keep a count of dropped frames. (CSCdx14209)

Any options in Cisco IOS ACLs that provide filtering in a policy-map class that would cause flows to be sent to the PISA to be switched in software are ignored. For example, logging is not supported in ACEs in Cisco IOS ACLs that provide filtering in QoS policy-map classes.

The PFC does not provide QoS for flows that match an ACE in a Cisco IOS ACL configured with options that cause the flows to be sent to the PISA to be switched in software, except when the Cisco IOS ACL provides filtering in a QoS policy-map class. For example, the PFC does not provide QoS for flows that match an ACE in a Cisco IOS ACL with logging configured. (CSCds72804)

For multicast flows, the PFC does not provide Layer 3 switching on output interfaces with MTU sizes smaller than the flow's input interface MTU size.

Workaround: Configure the same MTU size on both the input and output interfaces. (CSCds42685)

Entering the clear mls qos command affects the policing token bucket counters and might briefly allow traffic to be forwarded that would otherwise be policed. (CSCdt40470)

Catalyst 6500 series switches and Cisco 7600 series routers do not support:

Integrated routing and bridging (IRB)

Concurrent routing and bridging (CRB)

Remote source-route bridging (RSRB)

Use bridge groups on VLAN interfaces, sometimes called fall-back bridging, to bridge nonrouted protocols. Bridge groups on VLAN interfaces are supported in software on the PISA.

Catalyst 6500 series switches and Cisco 7600 series routers do not support the IEEE bridging protocol for bridge groups. Configure bridge groups to use the VLAN-bridge or the DEC spanning-tree protocol.

Ingress IP packets with TTL=1 that are not addressed to the PISA and that match QoS filtering parameters might cause overpolicing of other ingress traffic on the same ingress interface.

When the outgoing interface list for group G traffic transitions to null on a last-hop multicast router, the router sends a (*,G) prune message to the PIM neighbor toward the rendezvous point (RP) to stop the flow of group G traffic (if any) down the shared tree, but does not send an (S,G) prune message to stop the flow of traffic down the shortest path tree (SPT). The transition of the outgoing interface list to null does not trigger an (S,G) prune message. (S,G) prune messages are triggered by the arrival of (S,G) traffic.

If the last-hop multicast router is a Catalyst 6500 series switch, traffic is forwarded in hardware. In most cases, RPF-MFD is installed for the (S,G) entries. The PISA does not see the multicast traffic flowing down the SPT and does not send any traffic-triggered (S,G) prunes to stop the flow of traffic down the SPT. This situation does not have any adverse effect on the PISA because the PFC processes and drops the unwanted (S,G) traffic.

The ip multicast rate-limit command is not supported on LAN ports. (CSCds22281)

Catalyst 6500 series switches and Cisco 7600 series routers do not support network booting.

The IP HTTP server feature is disabled by default. Enter the ip http server command to use the feature.

For LAN switching modules, the Cisco IOS show controllers command generates no output on a Catalyst 6500 series switch or Cisco 7600 series router. Enter the show module command instead.

To avoid the case where all traffic is out of profile, the burst size specified in a QoS policing rule must be at least as large as the maximum packet size permissible in the traffic to which the rule is applied.

By default, the PISA sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group.

With the ip unreachables command enabled (which is the default), the supervisor engine drops most of the denied packets in hardware and sends only a small number of packets (10 packets per second, maximum) to the PISA to be dropped, which generates ICMP-unreachable messages.

To eliminate the load imposed on the PISA CPU by the task of dropping denied packets and generating ICMP-unreachable messages, you can enter the no ip unreachables interface configuration command to disable ICMP unreachable messages, which allows all access-group denied packets to be dropped in hardware.

MAC address-based Cisco IOS ACLs are not supported for packets that are Layer 3 switched in hardware. MAC address-based Cisco IOS ACLs will be applied on software-switched packets.

If you enable multicast routing globally, then you should also enable multicast routing (using the ip pim command) on all Layer 3 interfaces on which you anticipate receiving IP multicast traffic. This command causes the packets to be sent to the process switching level to create the route entry. If you disable multicast routing on the RPF interface, the entry cannot be created and the packet is dropped. If the source traffic rate exceeds what can be handled by the process level, it can have an undesirable impact on the system. For example, routing protocol packets, such as EIGRP hello packets, might get dropped.

24-port 100FX switching modules (WS-X6224-100FX-MT) with a hardware version of 1.1 or lower only support IEEE 802.1Q VLAN trunking; they do not support ISL trunking. Do not configure ISL trunks on 24-port 100FX switching modules (WS-X6224-100FX-MT) with a hardware version of 1.1 or lower. The restriction against ISL VLAN trunking is the only known problem with hardware version 1.1 or lower of these modules. If you do not require ISL VLAN trunking, these modules are fully functional. The ISL VLAN trunking problem has been corrected in hardware version 1.2 or later. If you want to return a WS-X6224-100FX-MT module with a hardware version of 1.1 or lower, contact Cisco Systems. You can identify WS-X6224-100FX-MT hardware versions using one of these two methods:

Command-line interface (CLI) method—Enter the show module command to identify the hardware version of the WS-X6224-100FX-MT module.

Physical inspection method—The part number is printed on a label on the outer edge of the component side of the module. Versions 73-3245-04 or lower do not support ISL trunking.

The RJ-21 connectors on the 48-port 10/100TX switching module (WS-X6248-TEL) do not support Category 3 RJ-21 telco connectors and cabling. Category 3 connectors and cabling cause carrier sense errors. Use Category 5 RJ-21 telco connectors and cables (the module is keyed for Category 5 telco connectors and cables).

The in and out ports displayed in Layer 3 table entries are set by the hardware at the time the entry is created. They are not guaranteed to be accurate in case multiple flows use the same entry (for example, if the flow mask is Dest-only and some kind of load sharing is active) or if the source or destination of the Layer 3 entry moves in the Layer 2 topology. The port information is not always available when the Layer 3 entry is established. This is the case if the destination port of the rewritten packet is unknown when the shortcut is created.

For EtherChannels, you can configure the QoS trust state and default CoS directly on the EtherChannel interface with the mls qos trust or mls qos cos commands, respectively. These two parameters must be the same for all physical interfaces in the channel. No other QoS queueing configuration commands can be applied to EtherChannel interfaces. Other QoS queueing configuration commands can be applied, however, to individual EtherChannel physical interfaces. After the physical interfaces are bundled into an EtherChannel, QoS classification, marking, and policing by the Policy Feature Card (PFC) for the channel packets is determined by the service-policy attached to the EtherChannel interface. The service policies attached to the individual physical interfaces of the EtherChannel do not matter. The same is true for the port-based and VLAN-based QoS state of the EtherChannel interface. You can disable the PFC QoS features using the no mls qos interface configuration command on the EtherChannel interface.

The maximum recommended number of Layer 3 multicast entries is 10,000. The maximum recommended number of multicast entries supported in the Layer 2 forwarding table is 12,000.

After enabling Protocol Independent Multicast (PIM) on an interface, you need to enter the ip mroute-cache command on the interface to enable multicast fast-switching. If you have "no ip mroute-cache" configured, multicast packets that are not hardware switched go to the process level, which increases the load on the router.

The show ibc command misleadingly displays Inter-Switch Link (ISL) trunk status as "disabled" and the GBIC as "missing," because the IBC in a Catalyst 6500 series switch or Cisco 7600 series router is the internal electrical interface between the switch processor and the route processor. Trunk and media types are not given for this type of interface. (CSCdp21121, CSCdp21380)

The show access-list command displays statistics only for traffic that matches ACLs processed in software on the PISA. The show access-list command does not display statistics for traffic that matches an ACL supported in hardware on the PFC. (CSCdt14386)

The show interface stats command does not display statistics for traffic that is Layer 3 switched by the PFC. The show interface command displays statistics (labelled L2 and L3) for traffic that is Layer 3 switched by the PFC. (CSCds41388)

To avoid subjecting routing protocol packets to policy-based routing, configure filtering in route maps so that it does not match routing protocol packets. (CSCds44369)

Microflow policing does not support policing of identical flows arriving on different interfaces simultaneously. Attempts to do so lead to incorrectly policed flows. (CSCdt72147)

Because the system does not boot from PISA bootflash, if the NVRAM configuration is not valid (or not present), the service config option defaults to "on," and the service config feature is enabled after the erase startup-config command is issued. (CSCdp12598)

In a VTP version 1 domain with some switches running Catalyst software and some switches running Cisco IOS software on both the supervisor engine and the PISA, if the VLANs were created on a switch running Catalyst software and then propagated through VTP to switches running Cisco IOS software, you might receive messages about invalid VLAN configuration when you enter commands on the switches running Cisco IOS software to configure VTP version 2.

Workaround: Perform VLAN configuration on a switch running Catalyst software or enter VLAN configuration commands to correct all VLAN configuration errors reported in the messages. (CSCdp47622)

The interface range command is not supported by the HTTP user interface. The command will execute on only the first interface in the specified range. Do not use the interface range command with the HTTP interface. (CSCdm54471)

When using the UplinkFast feature, the system does not send out the dummy multicast packets used to notify upstream users of forwarding-path changes. Normal Layer 2 aging is used to delete invalid entries. (CSCdm65881)

Running an SNMP topology discovery application might cause high CPU utilization. (CSCef12458)

Following power up or a reload, you might see "%ALIGN-3-TRACE: -Traceback=" messages. (CSCed76016)

A high CPU usage might occur when ERSPAN jumbo frames exceed the frame size of the adjacency MTU of the egress interface. The ERSPAN packets are processed by the PISA, which causes the CPU usage to increase. The ERSPAN packets are dropped because the Don't Fragment (DF) bit is set.

Workaround: The MTU failure packets are rate-limited when you enter the global configuration command mls rate-limit all mtu-failure. (CSCsd55182)

When traffic with a multicast destination IP address and a broadcast destination MAC address is replicated to one or more VLANs, the destination MAC addresses in the replicated traffic are not rewritten, which preserves the broadcast destination MAC address. Systems that receive the traffic classify it as broadcast traffic instead of multicast traffic. IGMP snooping cannot constrain broadcast traffic.

Workaround: none. (CSCse07679)

FlexWAN Limitations and Restrictions

PISA-accelerated features are not supported on FlexWAN module interfaces.

FlexWAN ports do not support SPAN or RSPAN.

MPLS on the FlexWAN module does not support Virtual Private LAN Service (VPLS).

On FlexWAN ports configured for EoMPLS, the counters displayed by the show mpls command for parallel links between LERs do not update. (CSCdw04208, CSCdu87648)

On FlexWAN ports, an EoMPLS virtual circuit stays up when the VLAN interface is down. (CSCdv69982)

Ethernet over Multiprotocol Label Switching (EoMPLS) per-VLAN traffic shaping does not work with a FlexWAN egress port. (CSCdx10583)

To use the interfaces on the FlexWAN module, you must enable IP routing on the PISA. (CSCdp34896)

Service Module and IPsec SPA Limitations and Restrictions

PISA-accelerated features are not supported on service module switch virtual interfaces (SVIs).

Generating a Rivest, Shamir, and Adleman (RSA) usage key pair with a modulus of 360 fails.

Workaround: Use a higher modulus value. (CSCec49861)

When the NAM is configured as the NDE destination and the NAM is down, the NDE traffic is flooded.

Workaround: Clear the NDE configuration for the NAM or enter the clear arp-cache command. (CSCdy55261)

You cannot SPAN ingress traffic from the Firewall Services Module (WS-SVC-FWM-1-K9). (CSCec79733)

With the tunnel MTU size configured to 9216 bytes, tunnel packets larger than 9211 bytes are corrupted.

Workaround: None. (CSCec04627)

Additional Limitations and Restrictions

Identifier | Technology | Description
CSCso36139 | Unknown | PISA-FWSM:Mix MTU on PISA NBAR Protocol-tagging behavior
CSCso83818 | Unknown | Nbar: PD not working for Ip-Option pkts.
CSCso83934 | Unknown | NBAR AIM ver 6 AOL protocol pdl not classifying packets
CSCsq85641 | Unknown | NBAR: AOL messenger classified as http when http proxy configured.
CSCsr15153 | Unknown | VACL capture on a Layer2 trunk port not working with Ingress Pisa Policy
CSCsr39414 | Unknown | PTS: Netflow features are working in software with PTSacl deny traffic
CSCsy97776 | Unknown | Auto discovery QoS stats get cleared on creating a custom protocol
CSCsz00970 | Unknown | Unexpected behaviour on usage of AutoQoS suggested policy and class map
CSCsz15987 | Unknown | Unknown flows not recognised by NBAR are not exported
CSCsz28860 | Unknown | Layer-2 flows are not created when Nbar enabled on corresponding SVI
CSCsz30671 | Unknown | PISA features not supported on secondary aggregator of LACP Etherchannel


Caveats

Open Caveats in Release 12.2ZY

Resolved Caveats in Release 12.2(18)ZYA3c

Resolved Caveats in Release 12.2(18)ZYA3b

Resolved Caveats in Release 12.2(18)ZYA3a

Resolved Caveats in Release 12.2(18)ZYA3

Resolved Caveats in Release 12.2(18)ZYA2

Resolved Caveats in Release 12.2(18)ZYA1

Resolved Caveats in Release 12.2(18)ZYA

Resolved Caveats in Release 12.2(18)ZY2

Resolved Caveats in Release 12.2(18)ZY1

Resolved Caveats in Release 12.2(18)ZY


Note: All caveats in Release 12.2(18)S also apply to Release 12.2(18)ZY. See the "Caveats" section in the Cross-Platform Release Notes for Cisco IOS Release 12.2S publication:

http://www.cisco.com/en/US/docs/ios/12_2s/release/notes/122Srn.html

All caveats in Release 12.2(17d) also apply to Release 12.2(18)ZY.

All caveats in Release 12.2(17b) also apply to Release 12.2(18)ZY.

All caveats in Release 12.2(17a) also apply to Release 12.2(18)ZY.

For information about Release 12.2(17a), Release 12.2(17b), and Release 12.2(17d), refer to this publication:

http://www.cisco.com/en/US/docs/ios/12_2s/release/notes/122Srn.html

All caveats in Release 12.2(14)S also apply to Release 12.2(18)ZY. See the "Caveats" section in the Cross-Platform Release Notes for Cisco IOS Release 12.2S publication:

http://www.cisco.com/en/US/docs/ios/12_2s/release/notes/122Srn.html

For information about caveats in Release 12.2(18)SXF and rebuilds, see this publication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html#Caveats_in_Release_12.2(18)SXF_and_Rebuilds

The caveat information for Release 12.2(18)ZY and rebuilds is updated frequently.

If you have a Cisco.com account that supports access to the Bug Toolkit, you can search for the most current Release 12.2ZY caveat information at this URL:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

Select "Catalyst 6000 Series Switches" and then select a 12.2ZY release.


Open Caveats in Release 12.2ZY

Identifier | Technology | Description
CSCsi36204 | Unknown | able to configure po256 via IOS startup dialog
CSCsm09533 | Unknown | MQC - switchport output policy error msg not clear
CSCsm90876 | Unknown | L2PIsa:Port Manager Internal sw Error TBs, adding uplink in to pisa-chan
CSCso05141 | Unknown | MQC_REMOVE_POLICY:Failed to remov policy msgs after SSO for shut/ports
CSCso41566 | Unknown | URLF: Unexpected reset with a large number of UFS servers configured
CSCso41934 | Unknown | NBAR: eMule: file search traffic not classified
CSCso60817 | Unknown | PISA: Custom protocol with Static ID setting for NBAR tagging
CSCso81457 | Unknown | NBAR: syslog PD error on intf for vlan 0 when ena/dis PD on shut intf
CSCso89069 | Unknown | NBAR Unable to undo port-map change for softphone protocol
CSCsq10755 | Unknown | PISA:Sup32-8GE port 8,9 and S32-10GE port 3 LED off in admin-down state
CSCsq69769 | Unknown | Per-uri mode: More than one URL not filtered per packet
CSCsq90704 | Unknown | PISA: NBAR incorrectly classifies remote desktop protocol as edonkey
CSCsr06455 | Unknown | Escape character usage inconsistant in NBAR PDLMs
CSCsr07614 | Unknown | PISA: Remove CLI command for configuring GRE key for protocol tagging
CSCsr16405 | Unknown | NBAR-NAT: FTP data traffic getting classified as eDonkey and unknown.
CSCsr59046 | Unknown | NBAR: Yahoo messenger connections on tcp 119 classifies as NNTP
CSCsu04441 | Unknown | PTS: trf redirected to PISA w/o accel feature after reconfig switchport
CSCsv35900 | Unknown | pm_mp_notify_cp_port_admin_state:Gi5/10 vl_id1025 swidb-> with reload
CSCsw37516 | Unknown | bootup PISA Maj Error - test_acl failed(rc=1) for IP (input: L2 redirect
CSCsw50072 | Unknown | PTS: L3 non-selected pkts seen by IXP on egress after HA swovr
CSCsz16083 | Unknown | Syslog message: autoqos config not synced to the standby
CSCsz46542 | Unknown | Flows not recognized by NFC after changing source interface IP
CSCsz93351 | Unknown | ARP not working with gig spa
CSCsz94158 | Unknown | Disabling urlf will not remove X-list entries and logging functionality
CSCta02845 | Unknown | Unexpected behaviour on deleting service policy from autoqos enabled i/f
CSCta08310 | Unknown | Rmon event/alarm generated by cos 5 traffic on AutoQos enabled interface
CSCta29897 | Unknown | Misclassification of rtp audio & video on creating custom protocol


Resolved Caveats in Release 12.2(18)ZYA3c

Resolved Infrastructure Caveats

CSCti25339—Resolved in 12.2(18)ZYA3c

Symptoms: Cisco IOS device may experience a device reload.

Conditions: This issue occurs when the Cisco IOS device is configured for SNMP and receives certain SNMP packets from an authenticated user. Successful exploitation causes the affected device to reload. This vulnerability could be exploited repeatedly to cause an extended DoS condition.

Workaround: There is no workaround.

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2010-3050 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Resolved IPServices Caveats

CSCtd10712—Resolved in 12.2(18)ZYA3c

The Cisco IOS Software network address translation (NAT) feature contains multiple denial of service (DoS) vulnerabilities in the translation of the following protocols:

NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)
Session Initiation Protocol (Multiple vulnerabilities)
H.323 protocol

All the vulnerabilities described in this document are caused by packets in transit on the affected devices when those packets require application layer translation.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-nat

Resolved LegacyProtocols Caveats

CSCth69364—Resolved in 12.2(18)ZYA3c

Cisco IOS Software contains a memory leak vulnerability in the Data-Link Switching (DLSw) feature that could result in a device reload when processing crafted IP Protocol 91 packets.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-dlsw.

Other Caveats Resolved in Release 12.2(18)ZYA3c

Identifier | Technology | Description
CSCtl63017 | Cisco IOS | Sup32 PISA - Packets to local IP address not reaching CPU
CSCtn59243 | Security | Tunnel interfaces remain down after WAN recovery.


Resolved Caveats in Release 12.2(18)ZYA3b

Resolved WAN Caveats

CSCtd75033—Resolved in 12.2(18)ZYA3b

Symptom: Cisco IOS Software is affected by an NTP mode 7 denial-of-service vulnerability. Note: The fix for this vulnerability changes how Cisco IOS Software handles Mode 7 packets. See the Further Description section of this release note enclosure.

Conditions: Cisco IOS Software with support for Network Time Protocol (NTP) contains a vulnerability processing specific NTP Control Mode 7 packets. This results in increased CPU on the device and increased traffic on the network segments.

This is the same as the vulnerability which is described in http://www.kb.cert.org/vuls/id/568372

Cisco has released a public-facing vulnerability alert at the following link: http://tools.cisco.com/security/center/viewAlert.x?alertId=19540

Cisco IOS Software that has support for NTPv4 is NOT affected. NTPv4 was introduced into Cisco IOS Software: 12.4(15)XZ, 12.4(20)MR, 12.4(20)T, 12.4(20)YA, 12.4(22)GC1, 12.4(22)MD, 12.4(22)YB, 12.4(22)YD, 12.4(22)YE and 15.0(1)M.

All other versions of Cisco IOS and Cisco IOS XE Software are affected.

To see if a device is configured with NTP, log in to the device and issue the CLI command show running-config | include ntp. If the output returns any of the following commands, the device is vulnerable:

ntp master <any following commands>
ntp peer <any following commands>
ntp server <any following commands>
ntp broadcast client
ntp multicast client

The following example identifies a Cisco device that is configured with NTP:

router#show running-config | include ntp
ntp peer 192.168.0.12

The following example identifies a Cisco device that is not configured with NTP:

router#show running-config | include ntp
router#

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:

Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
<output truncated>

The following example shows a product that is running Cisco IOS Software release 12.4(20)T with an image name of C1841-ADVENTERPRISEK9-M:

Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
<output truncated>

Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS and NX-OS Software Reference Guide" at the following link: http://www.cisco.com/web/about/security/intelligence/ios-ref.html

Workaround: There are no workarounds other than disabling NTP on the device. The following mitigations have been identified for this vulnerability; only packets destined for any configured IP address on the device can exploit this vulnerability. Transit traffic will not exploit this vulnerability.


Note: NTP peer authentication is not a workaround and is still a vulnerable configuration.


NTP Access Group

Warning: Because the feature in this vulnerability utilizes UDP as a transport, it is possible to spoof the sender's IP address, which may defeat access control lists (ACLs) that permit communication to these ports from trusted IP addresses. Consider using Unicast Reverse Path Forwarding (Unicast RPF) in conjunction with these ACLs to offer a better mitigation solution.

!--- Configure trusted peers for allowed access 
access-list 1 permit 171.70.173.55 
!--- Apply ACE to the NTP configuration 
ntp access-group peer 1 
 
   

For additional information on NTP access control groups, consult the document titled "Performing Basic System Management" at the following link:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_basic_sys_manage.html#wp1034942

Infrastructure Access Control Lists

Warning: Because the feature in this vulnerability utilizes UDP as a transport, it is possible to spoof the sender's IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses. Consider using Unicast RPF in conjunction with these ACLs to offer a better mitigation solution.

Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of networks.

Infrastructure ACLs (iACLs) are a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The iACL example below should be included as part of the deployed infrastructure access-list, which will help protect all devices with IP addresses in the infrastructure IP address range:

!---
!--- Feature: Network Time Protocol (NTP)
!---
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq 123
!--- Note: If the router is acting as a NTP broadcast client
!--- via the interface command "ntp broadcast client"
!--- then broadcast and directed broadcasts must be
!--- filtered as well. The following example covers
!--- an infrastructure address space of 192.168.0.X
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 192.168.0.255 eq ntp
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 255.255.255.255 eq ntp
!--- Note: If the router is acting as a NTP multicast client
!--- via the interface command "ntp multicast client"
!--- then multicast IP packets to the multicast group must
!--- be filtered as well. The following example covers
!--- a NTP multicast group of 239.0.0.1 (Default is
!--- 224.0.1.1)
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 239.0.0.1 eq ntp
!--- Deny NTP traffic from all other sources destined
!--- to infrastructure addresses.
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 123
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations. Permit all other traffic to transit the
!--- device.
access-list 150 permit ip any any
!--- Apply access-list to all interfaces (only one example
!--- shown)
interface fastEthernet 2/0
 ip access-group 150 in

The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists and is available at the following link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

Control Plane Policing

Two Control Plane Policing examples are provided. The first aims to prevent the injection of malicious traffic from untrusted sources, while the second rate-limits NTP traffic to the device.

Filtering untrusted sources to the device.

Warning: Because the feature in this vulnerability utilizes UDP as a transport, it is possible to spoof the sender's IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses. Consider using Unicast RPF in conjunction with these ACLs to offer a better mitigation solution.

Control Plane Policing (CoPP) can be used to block untrusted UDP traffic to the device. Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP can be configured on a device to help protect the management and control planes and minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic that is sent to infrastructure devices in accordance with existing security policies and configurations. The CoPP example below should be included as part of the deployed CoPP, which will help protect all devices with IP addresses in the infrastructure IP address range.

!--- Feature: Network Time Protocol (NTP)
access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 123
!--- Deny NTP traffic from all other sources destined
!--- to the device control plane.
access-list 150 permit udp any any eq 123
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
!--- Layer4 traffic in accordance with existing security policies
!--- and configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
class-map match-all drop-udp-class
 match access-group 150
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
policy-map drop-udp-traffic
 class drop-udp-class
  drop
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
control-plane
 service-policy input drop-udp-traffic

In the above CoPP example, the access control list entries (ACEs) that match the potential exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action (not shown) are not affected by the policy-map drop function.
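The inverted permit/deny meaning described above can be checked with a small model of first-match ACL evaluation feeding a drop policy. This is an added example, not Cisco code: the 192.0.2.0 0.0.0.255 range stands in for TRUSTED_SOURCE_ADDRESSES WILDCARD, and the packets and the names Ace, Packet, acl_result and copp_verdict are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _wild_match(addr, base, wildcard):
    # IOS wildcard masks are inverted: 1-bits are "don't care" bits.
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return ((_ip(addr) ^ _ip(base)) & care) == 0


@dataclass(frozen=True)
class Packet:
    protocol: str          # "udp", "tcp", ...
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches any protocol
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    dst_port: Optional[int] = None   # None means no "eq" clause

    def matches(self, pkt):
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not _wild_match(pkt.src, self.src, self.src_wildcard):
            return False
        if not _wild_match(pkt.dst, self.dst, self.dst_wildcard):
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port


def acl_result(acl, pkt):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def copp_verdict(acl, pkt):
    """Model of class-map 'match access-group' + policy-map 'drop'.

    An ACL 'permit' puts the packet in the class, so it is dropped.
    An ACL 'deny' keeps it out of the class, so the policy leaves it alone.
    """
    return "drop" if acl_result(acl, pkt) == "permit" else "transmit"


ANY = ("0.0.0.0", "255.255.255.255")

# access-list 150 from the first CoPP example, with an assumed trusted range.
ACL_150 = [
    Ace("deny", "udp", "192.0.2.0", "0.0.0.255", *ANY, 123),
    Ace("permit", "udp", *ANY, *ANY, 123),
]

# Constructed packets addressed to the device at 10.0.0.1.
TRUSTED_NTP = Packet("udp", "192.0.2.10", "10.0.0.1", 123)
UNTRUSTED_NTP = Packet("udp", "198.51.100.7", "10.0.0.1", 123)
UNTRUSTED_SNMP = Packet("udp", "198.51.100.7", "10.0.0.1", 161)

if __name__ == "__main__":
    for pkt in (TRUSTED_NTP, UNTRUSTED_NTP, UNTRUSTED_SNMP):
        print(pkt.src, pkt.dst_port, acl_result(ACL_150, pkt), copp_verdict(ACL_150, pkt))
```

The model decides on the source address alone, which is why the spoofing warning above still applies to this policy.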

Rate limiting the traffic to the device.

The CoPP example below could be included as part of the deployed CoPP, which will help protect targeted devices from processing large amounts of NTP traffic.

Warning: If the rate-limits are exceeded valid NTP traffic may also be dropped.

!--- Feature: Network Time Protocol (NTP)
access-list 150 permit udp any any eq 123
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
class-map match-all rate-udp-class
 match access-group 150
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
!--- NOTE: See section "4. Tuning the CoPP Policy" of
!--- for more information on choosing the most
!--- appropriate traffic rates
policy-map rate-udp-traffic
 class rate-udp-class
  police 10000 1500 1500 conform-action transmit exceed-action drop violate-action drop
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
control-plane
 service-policy input rate-udp-traffic

Additional information on the configuration and use of the CoPP feature can be found in the documents, "Control Plane Policing Implementation Best Practices" and "Cisco IOS Software Releases 12.2 S - Control Plane Policing" at: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html

Further Description

Cisco IOS Software releases that have the fix for this Cisco bug ID have a behavior change for mode 7 private mode packets.

Cisco IOS Software releases with the fix for this Cisco bug ID do not process NTP mode 7 packets and display the message "NTP: Receive: dropping message: Received NTP private mode packet. 7" if debugs for NTP are enabled.

To have Cisco IOS Software process mode 7 packets, the CLI command ntp allow mode private should be configured. This is disabled by default.
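The show running-config | include ntp check and the mitigations above can be run offline against saved configurations. The following is an added example, not Cisco tooling: the sample configurations are constructed, the function names are hypothetical, and it assumes numbered ACLs referenced by match access-group. It also resolves the control-plane service-policy through its policy-map and class-map, so an attached policy name that matches no defined policy-map is reported as no NTP coverage.

```python
import re

# Commands the release note lists as showing that NTP is configured.
NTP_ENABLING = re.compile(
    r"^ntp (master|peer|server|broadcast client|multicast client)\b")


def parse_sections(config_text):
    """Group an IOS config into (top-level line, [indented child lines])."""
    sections = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue                      # skip blanks and comment lines
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def _acl_classifies_ntp(sections, acl_id):
    # In CoPP, a "permit" ACE is what places traffic into the class.
    pat = re.compile(
        r"^access-list %s permit udp .* eq (123|ntp)\b" % re.escape(acl_id))
    return any(pat.match(top) for top, _ in sections)


def copp_policy_for_ntp(sections):
    """Name of the control-plane input policy if it classifies UDP/123, else None."""
    policy = None
    for top, kids in sections:
        if top == "control-plane":
            for kid in kids:
                m = re.match(r"service-policy input (\S+)$", kid)
                if m:
                    policy = m.group(1)
    if policy is None:
        return None
    classes = [kid.split()[1]
               for top, kids in sections if top == "policy-map " + policy
               for kid in kids if kid.startswith("class ")]
    for top, kids in sections:
        m = re.match(r"class-map (?:match-all |match-any )?(\S+)$", top)
        if not (m and m.group(1) in classes):
            continue
        for kid in kids:
            g = re.match(r"match access-group (\d+)$", kid)
            if g and _acl_classifies_ntp(sections, g.group(1)):
                return policy
    return None


def audit_ntp(config_text):
    sections = parse_sections(config_text)
    lines = [top for top, _ in sections]
    lines += [kid for _, kids in sections for kid in kids]
    ntp_cmds = [l for l in lines if NTP_ENABLING.match(l)]
    return {
        "ntp_configured": bool(ntp_cmds),
        "ntp_commands": ntp_cmds,
        "ntp_access_group": any(l.startswith("ntp access-group ") for l in lines),
        "copp_policy": copp_policy_for_ntp(sections),
        # On fixed releases this command turns mode 7 processing back on.
        "mode7_private_allowed": "ntp allow mode private" in lines,
    }


# Constructed sample: NTP server plus a rate-limiting CoPP policy.
CONFIG_OK = """\
ntp server 192.0.2.1
access-list 150 permit udp any any eq 123
class-map match-all rate-udp-class
 match access-group 150
policy-map rate-udp-traffic
 class rate-udp-class
  police 10000 1500 1500 conform-action transmit exceed-action drop violate-action drop
control-plane
 service-policy input rate-udp-traffic
"""

# Constructed sample: attached policy name matches no policy-map, mode 7 re-enabled.
CONFIG_MISMATCH = CONFIG_OK.replace(
    "input rate-udp-traffic", "input drop-udp-traffic"
) + "ntp allow mode private\ninterface Vlan10\n ntp broadcast client\n"

# Constructed sample: no NTP at all.
CONFIG_NONE = "hostname lab-sw1\ninterface Vlan10\n ip address 10.0.0.1 255.255.255.0\n"

if __name__ == "__main__":
    for name, cfg in (("ok", CONFIG_OK), ("mismatch", CONFIG_MISMATCH), ("none", CONFIG_NONE)):
        print(name, audit_ntp(cfg))
```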

Other Caveats Resolved in Release 12.2(18)ZYA3b

Identifier | Technology | Description
CSCtf92354 | ATM | spurious memory access seen at @ atmdx_hqf_tx_poll
CSCsu67919 | Unknown | SIP crashes - hqf_cwpa_pak_enqueue_local
CSCth10980 | Unknown | cbQosCMPrePolicyBitRate / cbQosCMPostPolicyBitRate always return 0


Resolved Caveats in Release 12.2(18)ZYA3a

Resolved MPLS Caveats

CSCsz45567—Resolved in 12.2(18)ZYA3a

A device running Cisco IOS Software, Cisco IOS XE Software, or Cisco IOS XR Software is vulnerable to a remote denial of service condition if it is configured for Multiprotocol Label Switching (MPLS) and has support for Label Distribution Protocol (LDP).

A crafted LDP UDP packet can cause an affected device running Cisco IOS Software or Cisco IOS XE Software to reload. On devices running affected versions of Cisco IOS XR Software, such packets can cause the device to restart the mpls_ldp process.

A system is vulnerable if configured with either LDP or Tag Distribution Protocol (TDP).

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100324-ldp.shtml

Resolved Multicast Caveats

CSCtc68037—Resolved in 12.2(18)ZYA3a

Symptom: A Cisco IOS device may experience an unexpected reload as a result of mtrace packet processing.

Conditions:

Workaround: None other than avoiding the use of mtrace functionality.

Other Caveats Resolved in Release 12.2(18)ZYA3a

Identifier  Technology       Description
CSCsz72591  IPServices       Router configured as a DHCP client crashes with crafted DHCP packet.
CSCta64900  Unknown          PISA reload due to NBAR
CSCte69627  Unknown          After upgrading to 12.2(18)ZYA3 POE fails to work on POE modules.


Resolved Caveats in Release 12.2(18)ZYA3

Resolved Routing Caveats

CSCsv30595—Resolved in 12.2(18)ZYA3

Symptoms: A Cisco IOS device may crash.

Conditions: A Cisco IOS device may crash upon receiving a malformed OSPF message.

Before the issue can be triggered, the Cisco IOS device must be able to establish adjacency with an OSPF peer. The issue then occurs when the device processes an OSPF message sent by the peer.

Workaround: There is no workaround. Using OSPF authentication can reduce or minimize the chance of hitting this issue.

CSCsx73770—Resolved in 12.2(18)ZYA3

Symptom: A Cisco IOS device that receives a BGP update message and, as a result of AS prepending, needs to send an update downstream that would have more than 255 AS hops sends an invalidly formatted update. When a downstream BGP speaker receives this update, it sends a NOTIFICATION back to the sender, which resets the BGP session.

Conditions: This problem is seen when a Cisco IOS device receives a BGP update and, due to inbound AS prepending, outbound AS prepending, or both, needs to send an update downstream that has more than 255 AS hops.

Workaround: Configure bgp maxas-limit X on the device that, after prepending, would need to send an update with more than 255 AS hops. Because IOS limits the route-map prepending value to 10, the most that could be added is 21 AS hops (10 on ingress, 10 on egress, and 1 for normal eBGP AS hop addition). Therefore, a conservative value to configure would be 200 to prevent this condition.

Resolved Security Caveats

CSCsh97579—Resolved in 12.2(18)ZYA3

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-tunnels.

CSCsx70889—Resolved in 12.2(18)ZYA3

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-tunnels

CSCsq31776—Resolved in 12.2(18)ZYA3

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-tunnels

Resolved Unknown Caveats

CSCsy15227—Resolved in 12.2(18)ZYA3

Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication, or the consent feature contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.

There are no workarounds that mitigate this vulnerability.

This advisory is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-auth-proxy

Other Caveats Resolved in Release 12.2(18)ZYA3

Identifier  Technology       Description
CSCei16552  Infrastructure   cannot remove snmp-server engineID from running-config
CSCin79116  Infrastructure   show memory summary could push the CPU util to 100%
CSCsa91716  Infrastructure   Command sh archive config diff hangs with a remote file in argument
CSCsc33389  Infrastructure   When snmp-server host is deleted, the trap is not sent to other hosts
CSCse09553  Infrastructure   no snmp-server sparse-table: ds1 physical layer has none 0 for HC
CSCsj06593  Infrastructure   CPU hog msgs for RFSS worker process and Async write process
CSCsk41686  Infrastructure   PARSER-3-CFGLOG_NOMEM: constanlty in log
CSCsr17897  Infrastructure   SXF : increase the buffer size for config generation
CSCsr60789  Infrastructure   W1.3: VSL crash after preemptive switchover in ifs_open_file_decrement
CSCsx05021  Infrastructure   Router crashes when filesystem becomes full
CSCsx32841  Infrastructure   ceImageDescription may exceed 255 characters
CSCta43093  Infrastructure   Add a check similar to CSCek58956
CSCef09586  IPServices       CMs stuck in init(d) if DHCP ser. ip addr. overlaps with diff VRF
CSCsa41736  IPServices       Router crash after enable NAT rate-limit feature
CSCsg00102  IPServices       SSLVPN service stops accepting any new SSLVPN connections
CSCsh49973  IPServices       NAT-ALG corrupts offset value of DNS PTR response
CSCsk23972  IPServices       Telnet failed with "No wild listener" error
CSCso42170  IPServices       CPUHOG & Traceback messages seen for IP NAT Ager process.
CSCsx15358  IPServices       Router Crashes when DNS server and DNS views are used
CSCsx33622  IPServices       Fix MSS calcuation issue in TCP
CSCsy88271  IPServices       6500 - SXF - Nat add-route does not work
CSCsz56393  IPServices       Modular IOS - SUP720 - Sends malformed syslog packet
CSCsz63733  IPServices       Traceback seen with FM Nat configuration
CSCsz89107  IPServices       high cpu due to ip_input process during SNMP trap
CSCta24043  IPServices       "%IPNAT-4-ADDR_ALLOC_FAIL" message seen when all ports are not allocated
CSCtb12332  IPServices       NAT: switch crashes at ipnat_find_map_entry with cat6k SXF16 image
CSCtc26840  IPServices       HSRP-CISCO-MIB snmpwalk results in "OID not incrementing" error
CSCsz71787  LegacyProtocols  Router crash by crafted IP packet.
CSCsw85254  MPLS             Bus error and crash at p_enqueue when modifying main:text
CSCsz19255  MPLS             LFIB: Tag rewrites are missing on LC for one of load sharable paths
CSCsz30515  MPLS             SUP720 crash due to tsptun_frr_process process hang
CSCsx15396  Multicast        Mcast IIF stays up while physical interface is down
CSCsx34506  Multicast        RPF failure with no PIM neighbor triggers PIM Hello
CSCsw43022  platform-76xx    HSRP Virtual IP Unreachable for some users
CSCsy38911  platform-76xx    MPLS TE Forwarding broken when enable LDP on TE tunnel
CSCta26106  QoS              RSVP-3-CONSISTENCY error followed by an unexpected reboot.
CSCsh15066  Routing          VRF has 2 ospf process, when one process is removed the router crashed
CSCsh23176  Routing          Router crashes @ rip_timer_process .
CSCsm57494  Routing          BGP update is not sent after reloading opposite router
CSCso07476  Routing          One way audio when RTP header compression is turned on
CSCsq49201  Routing          Password in BGP peer-session template not inherited
CSCsr11662  Routing          EIGRP active routes never go to SIA, queries not sent
CSCsr27794  Routing          BGP updates stuck during peer flap
CSCsr90248  Routing          "aggregate-address advertise-map" not updated dynamically
CSCsx06457  Routing          BGP may modify routes it does not own
CSCsx51299  Routing          Crash when remove and configure ipv6 ACL via telnet and console
CSCsx51596  Routing          TCAM ACL entry not correct after removing IP accounting
CSCsy58115  Routing          Continuous BGP mem increase with non established neighbors
CSCsy84134  Routing          ARP table is flushed when deleting secondary IP address
CSCuk55357  Routing          ALIGN-3-TRACE at ip_broadcast
CSCsb80803  Security         SSH Process: SCHED-3-UNEXPECTEDEVENT error message
CSCsd91182  Security         crypto pki export pkcs12 hangs when used with SCP
CSCsg56609  Security         Crash on talk /tmp/tbdaemon-99/../os/connect.c:1105 seen at bootup
CSCsy17893  Security         Ping to itself doesn't work on IPIP tunnels
CSCsz84055  Security         System crashed unexpected while open ssh2 session
CSCek68108  Unknown          Router crashed at ace_policyloader_util.c after remove crypto map .
CSCek74844  Unknown          sysObjectID is wrong for 7603-S and 7609-S
CSCek77996  Unknown          High CPU caused by data traffic with crypto map in crypto connect mode
CSCsb25490  Unknown          Data is not being hardware switched after OIR/SSO on WS-X6148X2-RJ45
CSCsb88996  Unknown          slb traceback spurious memory access after slb statefull switchover
CSCsb96452  Unknown          IGMPV3 TO_INC{} leave mac entry table do not expire
CSCsc85962  Unknown          Replaying Main Mode packet causing IKE SA deletion
CSCsc92676  Unknown          Rainier:Traffic captured even after vacl config is removed
CSCsd45698  Unknown          Cat6K: SLB punted to CPU if src_index is port-channel index
CSCsf05390  Unknown          CPU HOG @ hwidb_iftype_unlist followed by router crash.
CSCsf10203  Unknown          MLD gces not freed even after MLD leaves and L3 traffic stopped
CSCsf27621  Unknown          False Command-Active condition blocking execute-on on MWAM processor
CSCsg32319  Unknown          Probe connections not cleaned up when access/vrf is configured .
CSCsg37484  Unknown          Bus Error in crypto_map
CSCsi54373  Unknown          OSM maps EXP into dBus-CoS during SVI based EoMPLS disposition
CSCsj26698  Unknown          Acct-Session-Id in Accounting-Request is different from in Access-Reques
CSCsk38024  Unknown          VS2: EtherChannel state on standby is incorrect due to out of order FEC
CSCsk87604  Unknown          Device crashes on configuring LPIP with multiple hosts.
CSCsl69123  Unknown          SIP-400:QoS:Police drops MPLSCP, CDPCP negotiation packets - SRA,SRB
CSCso35659  Unknown          L3 traffic rate limited after adding and removing Xcon to a SVI
CSCso75862  Unknown          Negative counter values for input queue on layer 3 interfaces
CSCso93350  Unknown          Boot string fails to set in rommon but no error message
CSCsq69567  Unknown          SSO Switchover + unicast-routing chg cause MC traffic loss for 2 minutes
CSCsr06037  Unknown          the monitor session source is removed by deleting sub-interface
CSCsr12976  Unknown          High CPU in ION ios-base process
CSCsr39272  Unknown          %DATACORRUPTION-1 due to spa sensor temp overruning buffer
CSCsr97097  Unknown          VS: RP IPC-5-WATERMARK msgs due to CARD_RESET, after SSO
CSCsr99518  Unknown          Granikos should not init rekey after recieving new outbound SA at QM3
CSCsu29301  Unknown          C2W21: Ingress SPAN on Sup - ACE module duplicates packets
CSCsu31088  Unknown          Not able to execute any commands under intf after running SPA FPGA bert
CSCsu76360  Unknown          Memory Leak in IPSec Key Engine with HA on Sup720 RP
CSCsw17070  Unknown          18SXF: SSO switchover cause portchannel configuation lost in sup uplink
CSCsw21852  Unknown          CSM: memory leak in process "Laminar Icc Event"
CSCsw28582  Unknown          IPSec Tunnels go down after a "show run"
CSCsw43377  Unknown          add user warning for empty classes in OSM qos policy SXF7 and later
CSCsw52819  Unknown          Kernel dumper needs a few enhancements.
CSCsw53362  Unknown          c2w2b: Device crashes with NAT stress test
CSCsw68514  Unknown          SLB probes iin TESTing state while using client cmd in Vserver config
CSCsw87563  Unknown          packets with multicast mac and unicast ip are software routed by cat6500
CSCsw92171  Unknown          multiple "power-input" for new 6kW DC PS do not exist on Standby
CSCsx16206  Unknown          Traffic loss issue from SFM capable modules to other device through DEC
CSCsx21886  Unknown          ISSU switchover command sync issue
CSCsx23929  Unknown          MLPP link are not able pass traffic after SSO even when UP/UP stat on os
CSCsx39263  Unknown          TCAM entries are not installed for TCP intercept after SSO
CSCsx49889  Unknown          SPA-IPSEC-2G-3-ACEI0TCAMFAILE:SpdSpInstall:cannot install Sp TmInsertSp
CSCsx51231  Unknown          Service-policy removed from the interface, but FIE still has NBAR active
CSCsx58248  Unknown          Disable Crypto ACL in SXF
CSCsx67510  Unknown          Memory leak on SP when add/deleting channel groups on PA-MC-2T3+
CSCsx76308  Unknown          HA client crashing attempting to free unassigned memory
CSCsy06804  Unknown          DSCP not preserved during SVI based Eompls Disposition
CSCsy08838  Unknown          Zamboni allows clear packet inbound on protected interface
CSCsy24691  Unknown          entPhysicalTable has power-input 3 Sensor for 6kW DC PS1 and not PS2
CSCsy34566  Unknown          Disable VLAN mapping on ME6524, 6148A-GE-TX
CSCsy54365  Unknown          frequent datapath recovery and traffic loss on WS-X6704 with DFC
CSCsy74418  Unknown          Ping fail with bridging on interface - 6500 w/SUP2 and 6816
CSCsy78994  Unknown          Memory leak in Service Task
CSCsy82121  Unknown          IGMP Source only not working due to MC_CAP not set
CSCsy83830  Unknown          IOS-RLB crashes while deleting the username sticky
CSCsy85171  Unknown          CDL2 Read Error: Time out
CSCsy94866  Unknown          C2W2B: CSM Config sync causes memory leak
CSCsz01976  Unknown          Need a cli to dump the rommon environment and unset rommon variable
CSCsz14742  Unknown          EZVPN config not downloaded on the SPA/VPNSM
CSCsz20625  Unknown          Error message seen if SIP Is OIR'd during Standby SUP bootup
CSCsz42143  Unknown          WS-X6148A-GE-TX module fails keepalives when excessive errors on port.
CSCsz43438  Unknown          Encapsulation change on T1/E1 removes QoS Service Policy
CSCsz55834  Unknown          GLBP may provided BIA MAC instead of Virtual MAC for mobile users
CSCsz55950  Unknown          EoMPLS:DFC LTL programming is not correct for SRP as Core
CSCsz62046  Unknown          Crash at memcpy after CPUHOG in SNMP ENGINE
CSCsz67334  Unknown          ciscoEnvMonTemperatureStatus trap sent sporadically as NotFunctioning
CSCsz76015  Unknown          C2W2: Need cli to set PF_BIAS to ensure lower slot# Sup boots as active
CSCsz84544  Unknown          output drops increment on not-connected interface of 6548GE-TX module
CSCsz87648  Unknown          SP/RP and redundant system handshake broken when the kernel crashes.
CSCsz92508  Unknown          SPA module reloads when no response to keep-alive polling
CSCsz94158  Unknown          Disabling urlf will not remove X-list entries and logging functionality
CSCta12382  Unknown          Udld port config does not sync to standby in rpr-plus mode
CSCta12543  Unknown          Linecard takes MAC address from the linecard.
CSCta15614  Unknown          MQC / PD / FPM Classification fails if conf app. before acc vlan conf
CSCta21771  Unknown          %CONST_DIAG-SP-3-HM_FCI_0_STUCK: Flow control stuck at 0 error on modul
CSCta26529  Unknown          Standby Reset set entPhysicalAssetID on PS1
CSCta27279  Unknown          WCCP s/w switching with Ingress redirection & interface ACL
CSCta32802  Unknown          Umbrella ddts for porting SR HA fixes+ 2T3E3 SPA fixes into SXF
CSCta34959  Unknown          ECHOREP not sent to ECHOREQ when MSFC is PISA and PPP multilink is used
CSCta42989  Unknown          "%CSM parser state" configuring CLI when configuring via XML also
CSCta47653  Unknown          Cat6k: SXF: Console hangs on reapplying running config with ACL
CSCta48521  Unknown          %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
CSCta48968  Unknown          Modular IOS kernel crashinfo has missing information
CSCta52689  Unknown          cat6k crash in RP due to address error with wccp configuration
CSCta53157  Unknown          SPA-4XT3/E3 int in SIP-200 admin-down on standby after fpd upgrade
CSCta55498  Unknown          [Modular IOS] MIPS CP0 registers save algorthim needs a few improvements
CSCta62394  Unknown          RP crashes @crypto_ipsec_profile_map_val on removing vlan with HA config
CSCta71873  Unknown          Mcast traffic stops flowing across fabric to required fpoes
CSCta72199  Unknown          "aggregate-address advertise-map" not updated dynamically with ION image
CSCta76808  Unknown          add CLI command for medium buffer pool
CSCtb01060  Unknown          PISA: Second ACK drop in HTTPS using wccp in cat6k with CE(ACNS)
CSCtb02774  Unknown          PI_E scanner needs to check high LTL index(0x740-0x77f) for PO interface
CSCtb23289  Unknown          Major temperature alarm has to force system shutdown
CSCtb23840  Unknown          %SYS-3-CPUHOG in Time Range Process with QoS Time based ACL
CSCtb28032  Unknown          Changing module corrupts Flex Link
CSCtb38547  Unknown          Incorrect CP0 values and empty kernel variable section in kernel crashin
CSCtb68478  Unknown          "Illegal nextSsIndex value" message should be removed
CSCsi56413  WAN              PA-POS-OC3SMI interface output stuck .


Resolved Caveats in Release 12.2(18)ZYA2

Resolved AAA Caveats

CSCsv73509—Resolved in 12.2(18)ZYA2

Symptoms: When "no aaa new-model" is configured, authentication uses the local method even when TACACS is configured. This affects exec users under the vty configuration.

Conditions: Configure "no aaa new-model", configure login local under line vty 0 4 and configure login tacacs under line vty 0 4.

Workaround: There is no workaround.

Resolved Infrastructure Caveats

CSCse85652—Resolved in 12.2(18)ZYA2

Symptom: The Cisco IOS HTTP server and the Cisco IOS HTTPS server provide web server functionality to be used by other Cisco IOS features that require it to function. For example, embedded device managers available for some Cisco IOS devices need the Cisco IOS HTTP server or the Cisco IOS HTTPS server to be enabled as a prerequisite.

One of the functionalities provided by the Cisco IOS HTTP server and the Cisco IOS HTTPS server is the WEB_EXEC module, which is the HTTP-based IOS EXEC Server. The WEB_EXEC module allows for both "show" and "configure" commands to be executed on the device through requests sent over the HTTP protocol.

Both the Cisco IOS HTTP server and the Cisco IOS HTTPS server use the locally configured enable password (configured by using the enable password or enable secret commands) as the default authentication mechanism for any request received. Other mechanisms can also be configured to authenticate requests to the HTTP or HTTPS interface. Some of those mechanisms are the local user database, an external RADIUS server or an external TACACS+ server.

If an enable password is not present in the device configuration, and no other mechanism has been configured to authenticate requests to the HTTP interface, the Cisco IOS HTTP server and the Cisco IOS HTTPS server may execute any command received without requiring authentication. Any commands up to and including commands that require privilege level 15 might then be executed on the device. Privilege level 15 is the highest privilege level on Cisco IOS devices.

Conditions: For a Cisco IOS device to be affected by this issue all of the following conditions must be met:

An enable password is not present in the device configuration

Either the Cisco IOS HTTP server or the Cisco IOS HTTPS server is enabled

No other authentication mechanism has been configured for access to the Cisco IOS HTTP server or Cisco IOS HTTPS server. Such mechanisms might include the local user database, RADIUS (Remote Authentication Dial In User Service), or TACACS+ (Terminal Access Controller Access-Control System)

The Cisco IOS HTTP server is enabled by default on some Cisco IOS releases.

Workaround: Any of the following workarounds can be implemented:

Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an enable password

Customers requiring the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server must configure an authentication mechanism for any requests received. One option is to use the enable password or enable secret commands to configure an enable password. The enable password is the default authentication mechanism used by both the Cisco IOS HTTP server and the Cisco IOS HTTPS server if no other method has been configured.

In order to configure an enable password by using the enable secret command, add the following line to the device configuration:

enable secret mypassword  

Replace mypassword with a strong password of your choosing. For guidance on selecting strong passwords, please refer to your site security policy. The document entitled "Cisco IOS Password Encryption Facts" explains the differences between using the enable secret and the enable password commands to configure an enable password. This document is available at the following link: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00809d38a7.shtml

Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an authentication mechanism other than the default

Configure an authentication mechanism for access to the Cisco IOS HTTP server or the Cisco IOS HTTPS server other than the default. Such authentication mechanism can be the local user database, an external RADIUS server, an external TACACS+ server or a previously defined AAA (Authentication, Authorization and Accounting) method. As the procedure to enable an authentication mechanism for the Cisco IOS HTTP server and the Cisco IOS HTTPS server varies across Cisco IOS releases and considering other additional factors, no example will be provided. Customers looking for information about how to configure an authentication mechanism for the Cisco IOS HTTP server and for the Cisco IOS HTTPS server are encouraged to read the document entitled "AAA Control of the IOS HTTP Server", which is available at the following link: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml

Disabling the Cisco IOS HTTP Server and/or the Cisco IOS HTTPS server functionality

Customers who do not require the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server can disable it by adding the following commands to the device configuration:

no ip http server
no ip http secure-server

The second command might return an error message if the Cisco IOS version installed and running on the device does not support the HTTPS server feature. This error message is harmless and can safely be ignored.

Please be aware that disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server may impact other features that rely on it. As an example, disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server will disable access to any embedded device manager installed on the device.

Further Problem Description: In addition to the explicit workarounds detailed above it is highly recommended that customers limit access to Cisco IOS HTTP server and the Cisco IOS HTTPS server to only trusted management hosts. Information on how to restrict access to the Cisco IOS HTTP server and the Cisco IOS HTTPS server based on IP addresses is available at the following link:

http://www.cisco.com/en/US/docs/ios-xml/ios/https/configuration/12-4/nm-http-web.html#GUID-BB57C0D5-71DB-47C5-9C11-8146773D1127

Customers are also advised to review the "Management Plane" section of the document entitled "Cisco Guide to Harden Cisco IOS Devices" for additional recommendations to secure management connections to Cisco IOS devices. This document is available at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
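The three conditions listed for CSCse85652 can be checked offline against a saved configuration. The following Python script is an added example, not Cisco code: the sample configurations are constructed, the function and variable names are hypothetical, and it assumes that the ip http authentication command selects a non-default mechanism, that only a level-15 enable password counts, and that an HTTPS server not mentioned in the configuration is disabled.

```python
import re

# Global-configuration lines relevant to the three CSCse85652 conditions.
ENABLE_RE = re.compile(r"^enable (?:secret|password)(?: level (\d+))? \S")
SERVER_RE = re.compile(r"^(no )?ip http (server|secure-server)\s*$")
AUTH_RE = re.compile(r"^ip http authentication (\S+)")


def audit_http_exposure(config_text):
    """Classify a saved IOS configuration as 'exposed', 'review' or 'ok'."""
    enable_set = False
    servers = {"server": "unspecified", "secure-server": "unspecified"}
    auth_method = "enable"  # the enable password is the default mechanism

    for raw in config_text.splitlines():
        line = raw.rstrip()
        # Skip blanks, '!' separators and indented sub-mode lines.
        if not line or line[0].isspace() or line.startswith("!"):
            continue
        m = ENABLE_RE.match(line)
        if m:
            # Assumption: only the level-15 password counts; a line
            # without 'level N' sets level 15.
            if m.group(1) in (None, "15"):
                enable_set = True
            continue
        m = SERVER_RE.match(line)
        if m:
            servers[m.group(2)] = "disabled" if m.group(1) else "enabled"
            continue
        m = AUTH_RE.match(line)
        if m:
            auth_method = m.group(1).lower()

    # Requests are authenticated if an enable password exists or a
    # mechanism other than the default (local, aaa, tacacs) is selected.
    authenticated = enable_set or auth_method != "enable"
    if authenticated:
        verdict = "ok"
    elif "enabled" in servers.values():
        verdict = "exposed"  # all three conditions from the caveat hold
    elif servers["server"] == "unspecified":
        # The HTTP server is enabled by default on some releases, so a
        # configuration that never mentions it needs a manual check.
        verdict = "review"
    else:
        verdict = "ok"  # HTTP explicitly disabled, HTTPS not enabled
    return {"verdict": verdict, "enable_set": enable_set,
            "auth_method": auth_method, "servers": servers}


# Constructed sample configurations (not taken from any real device).
SAMPLES = {
    "exposed": "hostname lab-sw1\n!\nip http server\n"
               "ip http secure-server\n!\nline vty 0 4\n login\nend\n",
    "enable_secret": "enable secret 5 $1$constructed$hashvalue\n"
                     "ip http server\n",
    "aaa": "ip http secure-server\nip http authentication aaa\n",
    "low_level": "enable secret level 5 5 $1$constructed$hashvalue\n"
                 "ip http server\n",
    "disabled": "no ip http server\nno ip http secure-server\n",
    "silent": "hostname lab-sw2\n!\nline vty 0 4\n login\nend\n",
}


def audit_all(samples=SAMPLES):
    """Return {sample name: verdict} for every sample configuration."""
    return {name: audit_http_exposure(text)["verdict"]
            for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_all().items():
        print(f"{name:14} {verdict}")
```

A "review" verdict means the configuration never states whether the HTTP server is on, so the release default decides and the device itself must be checked.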

CSCsi13344—Resolved in 12.2(18)ZYA2

Symptom: Three separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities and a cross-site request forgery (CSRF) vulnerability have been reported to Cisco by three independent researchers.

The Cisco Security Response is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090114-http

Conditions: See "Additional Information" section in the posted response for further details.

Workarounds: See "Workaround" section in the posted response for further details.

CSCsr72301—Resolved in 12.2(18)ZYA2

Symptom: Three separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities and a cross-site request forgery (CSRF) vulnerability have been reported to Cisco by three independent researchers.

The Cisco Security Response is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090114-http

Conditions: See "Additional Information" section in the posted response for further details.

Workarounds: See "Workaround" section in the posted response for further details.

Resolved IPServices Caveats

CSCsk64158—Resolved in 12.2(18)ZYA2

Several features within Cisco IOS Software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked; transit traffic will not block the interface.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory.

This advisory is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-udp

CSCsm27071—Resolved in 12.2(18)ZYA2

A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS Software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:

The configured feature may stop accepting new connections or sessions.

The memory of the device may be consumed.

The device may experience prolonged high CPU utilization.

The device may reload.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available in the "workarounds" section of the advisory.

The advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-ip

CSCso81854—Resolved in 12.2(18)ZYA2

Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches.

To exploit this vulnerability an attacker must be able to cause a vulnerable DNS server to perform recursive DNS queries. Therefore, DNS servers that are only authoritative, or servers where recursion is not allowed, are not affected.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080708-dns

This security advisory is being published simultaneously with announcements from other affected organizations.

CSCsv04836—Resolved in 12.2(18)ZYA2

Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.

In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.

Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090908-tcp24.

CSCsw18636—Resolved in 12.2(18)ZYA2

Symptoms: High CPU utilization occurs after the device receives an ARP packet with protocol type 0x1000.

Conditions: This problem occurs on Supervisor 32 running Cisco IOS Release 12.2(33)SXI. This problem may also occur on Supervisor 720. The problem is seen only when the bridge-group CLI is in use, which leads to ARP packets with protocol type 0x1000 being bridged. The problem does not apply to IP ARP packets.

Workaround: Filter the ARP packet. The device configuration should have bridge-group creation first, followed by interface-specific bridge-group options.

CSCsr29468—Resolved in 12.2(18)ZYA2

Cisco IOS Software contains a vulnerability in multiple features that could allow an attacker to cause a denial of service (DoS) condition on the affected device. A sequence of specially crafted TCP packets can cause the vulnerable device to reload.

Cisco has released free software updates that address this vulnerability.

Several mitigation strategies are outlined in the workarounds section of this advisory.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-tcp

Resolved LAN Caveats

CSCsv05934—Resolved in 12.2(18)ZYA2

Summary: Cisco's VTP protocol implementation in some versions of Cisco IOS and CatOS may be vulnerable to a DoS attack via a specially crafted VTP packet sent from the local network segment when operating in either server or client VTP mode. When the device receives the specially crafted VTP packet, the switch may crash (and reload/hang). The crafted packet must be received on a switch interface configured to operate as a trunk port.

Workarounds: There are no workarounds available for this vulnerability.

This response is posted at http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20081105-vtp

Resolved Multicast Caveats

CSCso90058—Resolved in 12.2(18)ZYA2

Symptoms: MSFC crashes with Red Zone memory corruption.

Conditions: This problem is seen when processing an Auto-RP packet and NAT is enabled.

Workaround: There is no workaround.

Resolved Security Caveats

CSCsh97579—Resolved in 12.2(18)ZYA2

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-tunnels.

CSCsx70889—Resolved in 12.2(18)ZYA2

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-tunnels

CSCsq31776—Resolved in 12.2(18)ZYA2

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-tunnels

Resolved Unknown Caveats

CSCsu57182—Resolved in 12.2(18)ZYA2

Symptoms: A Cisco IOS device may experience high CPU utilization.

Conditions: ISAKMP is enabled.

Workaround: None.

Further Information: This issue can occur if the Cisco IOS device processes a malformed IKE message.

Resolved Voice Caveats

CSCsi60004—Resolved in 12.2(18)ZYA2

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at

http://www.cisco.com/en/US/products/csa/cisco-sa-20070808-IOS-voice.html.

Other Caveats Resolved in Release 12.2(18)ZYA2

Identifier
Technology
Description

CSCef97900

AAA

AAAA-3-DROPACCTLOWMEM warning message somewhat misleading

CSCin40015

AAA

telnet to NAS fails when user profile has access-profile

CSCsl29214

AAA

AAA server change leads to bus error crash after "show run" is issued

CSCso95210

AAA

AAA Client creates bad Message Authenticator attr for every first packet

CSCsx28646

ATM

Unable to configure atm pvp l2transport

CSCsx40747

Content

Router hangs while doing ip casa configurations

CSCsc86307

Infrastructure

c3845 crashed @ show_systat

CSCsm32392

Infrastructure

memory corruption crash at nv_ifs_open and nv_ifs_close

CSCso49598

Infrastructure

Stby reloads cont. when upto MAXINT logical int created thru int ran

CSCsq03621

Infrastructure

Timestamps in "show rmon events" wrap at 2^32-1 milliseconds (7+ weeks)

CSCsw35917

Infrastructure

SP syslog messages not sent as SNMP traps by RP's SNMP agent

CSCec72958

IPServices

Software forced crash when translating LDAP packet

CSCsg00102

IPServices

SSLVPN service stops accepting any new SSLVPN connections

CSCsk16821

IPServices

DHCP does not NAK after DHCPREQUEST from unknown client.

CSCso02053

IPServices

NAT does not add dynamic aliases after reload.

CSCso04657

IPServices

SSLVPN service stops accepting any new SSLVPN connections

CSCso42170

IPServices

CPUHOG & Traceback messages seen for IP NAT Ager process.

CSCso54027

IPServices

Spurious memory access in ttcp_rcv_stats

CSCsq60504

IPServices

Modular IOS Sup720: crashed with tcp timeout logs

CSCsr08771

IPServices

Crash seen @ dhcpd_pool_nvgen and dhcpd_copy_bootfile

CSCsx32283

IPServices

Malformed L field in LDAP crashes 6k with NAT

CSCsh33167

LegacyProtocols

Dlsw transparent cache holds MAC address for disconnected circuit

CSCsk41552

Management

T/B %SCHED-3-THRASHING of cdp2.iosproc process_wait_for_event

CSCsb52253

MPLS

IPv4 iBGP multipath in MPLS network needs to be blocked or hardcoded

CSCsc78971

MPLS

LDP:Incorrect address withdraw after IP address removal on shutdown i/f

CSCse22900

MPLS

w/mis-config'd dup vrf CEF/BGP table MPLS label mismatch may occur

CSCsk99530

MPLS

LFIB untagged entries while LIB has valid labels in CSC MPLS VPN c12000

CSCsm70668

MPLS

OIR over E3:POS impacting complete Traffic with biscuit tunnel

CSCsu45425

MPLS

FIB/LFIB not updated correctly after route-flap

CSCsw19951

MPLS

SP & DFC crash when forwarding a packet with MPLS

CSCse03637

Multicast

PIM Dense Mode - Prune sent in error after assert is won.

CSCsj88725

Multicast

Wrong (S,G) RPF after route change, no upstream join

CSCsm77608

Multicast

IP Multicast packets are Process switched.

CSCsr49316

Multicast

Crash ipv6_static_route_find after configured & executed show ipv6 rpf x

CSCsv99150

platform-76xx

status led of ge-wan module not showing proper status

CSCsg25664

PPP

dLIFoMLPPPoATM PA: Corrupted PC crash PR

CSCsr81271

PPP

Invalid VCD error messages upon PVC flap

CSCek63384

QoS

Service-Policy is Lost When the Multilink Interface is Reset.

CSCsv85791

QoS

Flexwan+/PA-MC-2T3+ introduce 5+ seconds delay on egress

CSCsy90758

QoS

NBAR doesn't recognize PASV FTP traffic based on ports in control channel

CSCee30355

Routing

Memory leak at ip_multicast_ctl

CSCeg49075

Routing

MSFC2 remark lines in ACLs duplicated in the NDR MSFC

CSCei86031

Routing

changing match command on fly does not filter route correctly.

CSCej49366

Routing

Removing default-metric under EIGRP deletes routes erroneously

CSCek75079

Routing

Problem in type7 to type5 translation if summary-addr configured

CSCsa72878

Routing

ISIS: clns route from end-system not in database

CSCsb15164

Routing

Security holes while configuring a standard ACE with host address

CSCsc01880

Routing

%FIB-4-FIBCBLK: Missing cef table for tableid 770 during routing table e

CSCse53019

Routing

redistribution not triggered when BGP as-path/community changes

CSCse68877

Routing

CEF/BGP table MPLS label mismatch YW3 Non Multi-path

CSCsg46366

Routing

OSPF NSSA LSA forwarding address set even when P bit will be clear.

CSCsg68717

Routing

A weird behavior in maxpath configuration in ebgp+ibgp case

CSCsi01324

Routing

Modifying acl concerned with distribute-list withdraw summary route

CSCsi03434

Routing

Memory leak @ ospf_redist_work_enqueue

CSCsj09838

Routing

RR some prefix might not be sent after bgp neighbor flaps.

CSCsj13911

Routing

Cat3750:EIGRP does not receive reply for query between some Vlan

CSCsk35688

Routing

Aggregate routes not processed if child routes are deleted pre-maturely

CSCsk72259

Routing

Auto-repair not updating inconsistent cef entries

CSCsl32318

Routing

OSPF: new fix for CSCsk36324 SPF loop

CSCsl84712

Routing

Error- %OSPF-4-FLOOD_WAR: Process 123 re-originates LSA ID 10.55.122.148

CSCsm50741

Routing

Removal of DCbitless LSA causes problems

CSCsm91959

Routing

Code review: aggregation child routes can miss aggregation logic

CSCsm95129

Routing

"no ip next-hop-self eigrp" not working when redistribute from BGP

CSCsm96901

Routing

Unable to ping between vrfs through transparent bridge

CSCso08786

Routing

Standby reloads due to config sync failure on inherit peer-policy cmd.

CSCso54167

Routing

BGP peer stuck with table version 0

CSCsr88362

Routing

eigrp routes aren't updated after SSO switchover

CSCsu24087

Routing

Cisco7609 crashes after "clear ip bgp neighbor x.x.x.x soft in"

CSCsu36709

Routing

Unable to boot IOS image on PE (vrf-enabled) router - software fault

CSCsv01474

Routing

'ip rip advertise' command lost after interface flap/clear ip route

CSCsv27607

Routing

BGP: Outbound route-map updating withdraw only one member

CSCsv97472

Routing

CSCso62166_dcq_issue_rn_walktree_timed_locking is changed

CSCsw28893

Routing

Cost no longer showing with each eigrp route after IOS upgrade

CSCsw65441

Routing

ARP packets drops due to excessive ARP requests sourced from SVI

CSCsx15841

Routing

aggregate-address does not NVGEN upon switchover on cat6k

CSCsc91824

Security

SSH from router disconnects vty session if there is no matching cipher

CSCsd81870

Security

Teraterm + TTSSH2 does not work in SSH Ver.2

CSCeh00399

Unknown

RRI: refcount not inc on rekey in certain circ lead to route removal

CSCei29284

Unknown

Rockies3 SUP32 SNMP:Traceback msg when execute private vlan script

CSCek28863

Unknown

Need to change default SCP keepalive timeout on IOS to CSM module

CSCek77996

Unknown

High CPU caused by data traffic with crypto map in crypto connect mode

CSCsc73409

Unknown

IGMPv3 report suppression doesnt send out group records correctly

CSCsc98850

Unknown

ZAMBONI:Could not send pmtu information vlan 65535 pmtu 0 Error

CSCsd04937

Unknown

Crash in chunk_free called from mfib_const_rp_free after (*,G) HW enable

CSCse12518

Unknown

MET optimized update can cause blackholing and duplicates

CSCsg14926

Unknown

Standby can not boot because of insufficient memory with 32K interfaces

CSCsg53526

Unknown

Some packets to vip are denied by inbound acl after server nat

CSCsh22225

Unknown

CWAN_HA-STDBY-4-IFCFG_PLAYBACK_ERROR:

CSCsh98849

Unknown

SIERRA: Active and stby SP and active RP crashed@rf_proxy_fatal_error

CSCsi14145

Unknown

runt counter not implemented correctly

CSCsi36204

Unknown

able to configure po256 via IOS startup dialog

CSCsi66012

Unknown

2 garbage values in show module csm x ft details

CSCsi88920

Unknown

MLD rcvr in SVI stops receiving v6 mcast trffc if another rcvr leaves

CSCsk23521

Unknown

EARL-SPSTBY-2-SWITCH_BUS_IDLE is seen with SW switched traffic

CSCsl02190

Unknown

ICMPv6 to all node multicast address fail.

CSCsm31178

Unknown

policy-map stops working on a good int if wrongly applied on another int

CSCsm43962

Unknown

Cat6k L2TP packet looped through blocked port

CSCsm66023

Unknown

IPv6 VTI RP crashed ace_reverse_map when changing tnlsrc from v4 to v6

CSCsm75286

Unknown

bgp route-map doesn't work correctly when deleted part of sequences

CSCsm76792

Unknown

PM HA bulk sync posting RF_DONE before bulk sync has finished

CSCsm85936

Unknown

UUT cpu at 40% with bi-dir traffic across a single tunnel

CSCsm93648

Unknown

C2W2:080226 Rtr crashed when moving tunnels from VTI to GRE/TP

CSCso11822

Unknown

LACP PC switchport, on OIR, "channel group 112 active" config gets lost

CSCso29141

Unknown

DFC installs drop index for MAC-address

CSCso88042

Unknown

Wism module Allowed-Vlan statements lost on reload

CSCso88772

Unknown

sp-inband tx capture causes primary SUP to hang

CSCsq22383

Unknown

SP crash due to CPU hog by online diags

CSCsq42885

Unknown

Line card crashes with %IPC-2-ONINT error on OSM

CSCsq51378

Unknown

ATM PA Interface shows up/up after force redundancy, no cables connected

CSCsq56941

Unknown

6500 - Static MAC cleared from port-channel member ints after reload

CSCsq73122

Unknown

Proxy-ARP returns BIA instead of VMAC with LAM

CSCsq75704

Unknown

FW2 FE PA Interface stays up/down with no conn and goes up/up after sso

CSCsq80145

Unknown

VACL does not work against self initiated packet

CSCsq83789

Unknown

LTL for unknown unicast is wrongly programmed for some L3 interfaces

CSCsq84116

Unknown

Cisco 7604 with OC3, Flexwan crashes into ROMMON

CSCsq90844

Unknown

bridge-group config make packets be routed

CSCsq94136

Unknown

Burst of traffic cause anti-replay check to fail

CSCsr29559

Unknown

WCCP flap corrupts mcast CEF adjacency

CSCsr37131

Unknown

buginf calls in l2trace when 'debug l2trace' is disabled

CSCsr45495

Unknown

PBR with deny statements : TCAM running out of masks

CSCsr46399

Unknown

PISA - NO_PARTICLE:

CSCsr51799

Unknown

pa-mc-8t1 interface down after stopping BERT prematurely

CSCsr69929

Unknown

ACL based uRPF check is causing acl permit packets to be dropped

CSCsr88625

Unknown

Seeing ME_AR#0 WARNING: Cannot FLUSH Dic#0 when WS-X6708-10GE boots

CSCsr88845

Unknown

unicast BootP replies dropped by DHCP snooping

CSCsu05800

Unknown

C2W2: need to extend the wait time for bus sync after sso

CSCsu07931

Unknown

cbQosPoliceConformedByte64 counter displays aggregate instead conformed

CSCsu18231

Unknown

IKE process fails to start phase1 if in up-no-ike and DPD triggered

CSCsu33707

Unknown

Multicast traffic will not stop after PIM prune

CSCsu37481

Unknown

Netflow Incorrect Octet value with packet-based sampling

CSCsu37899

Unknown

SXF15: autostate configuration missing after SSO

CSCsu45210

Unknown

Upgrade 12.2SXF-> 12.2SXH with Port-Security causes standby boot loop

CSCsu46982

Unknown

I/O rate counter inaccurate when applying serv policy and MPLS traffic

CSCsu49002

Unknown

ciscoIpMRouteBps sometimes indicates wrongful value

CSCsu49257

Unknown

Cstn-id timer should be restarted when access-request is seen

CSCsu57958

Unknown

DHCP-Snooping not intercepting DHCP messages from the Server

CSCsu68698

Unknown

No syslogs and stack on console when SP crashes due RP boot timeout

CSCsu86524

Unknown

IKMP process leak: check_ipsec_proposal

CSCsu91725

Unknown

Bus crash problem due to cipSecGlobalStats MIB query

CSCsu99270

Unknown

CPUHOG observed when configuring more vlan interfaces

CSCsv07858

Unknown

IfIndex for unconfigured VLAN on 7613

CSCsv10229

Unknown

Failed to assert Physical Port Administrative State Down alarm

CSCsv17989

Unknown

interface in SIP200 show "admin down" when it is physical down

CSCsv18579

Unknown

'recognized & transferred a satvcl packet' observed on 6708 / module 1

CSCsv63144

Unknown

Controller remains DOWN after switchover

CSCsv64079

Unknown

SXF7: Patching fails with WiSM Card on Cat6500

CSCsv66827

Unknown

Clearing the SSH session from a different vty session crashes the box.

CSCsv85551

Unknown

SP crash due to consume all scp triggered by OIR loop when PS go off

CSCsw21852

Unknown

CSM: memory leak in process "Laminar Icc Event"

CSCsw35155

Unknown

reduce move count for SAs in SXF

CSCsw38075

Unknown

%SYS-2-GETBUF: Bad getbuffer error messages after IOS upgrade

CSCsw43953

Unknown

Card not identified SIP Is OIR'd during Standby SUP bootup

CSCsw65477

Unknown

MLD snooping broken in SXF16 engg (pre-release) images

CSCsw68032

Unknown

Serial links UP/DOWN after SSO on OSM Module

CSCsw69911

Unknown

SIP-400 POS WRED queues tail dropping without random drops

CSCsw75293

Unknown

18SXF: RP Mapping not seen in last hop router in Sup2 image

CSCsw82431

Unknown

18SXF16:Device crashes while unconfiguring PBR configs.

CSCsw96891

Unknown

CPUHOG observed after issuing exec commands

CSCsx67510

Unknown

Memory leak on SP when add/deleting channel groups on PA-MC-2T3+

CSCsy46645

Unknown

PISA fallback bridging fail to receive some routing protocol packets

CSCsz04297

Unknown

Cat6k: False Dynamic MAC entry is installed with format 0000.<LTL>.0000

CSCta15614

Unknown

MQC / PD / FPM Classification fails if conf app. before acc vlan conf

CSCei77073

WAN

NTP client need to reset auto learnt source IP address


Resolved Caveats in Release 12.2(18)ZYA1

Resolved Infrastructure Caveats

CSCse85652—Resolved in 12.2(18)ZYA1

Symptom: The Cisco IOS HTTP server and the Cisco IOS HTTPS server provide web server functionality to be used by other Cisco IOS features that require it to function. For example, embedded device managers available for some Cisco IOS devices need the Cisco IOS HTTP server or the Cisco IOS HTTPS server to be enabled as a prerequisite.

One of the functionalities provided by the Cisco IOS HTTP server and the Cisco IOS HTTPS server is the WEB_EXEC module, which is the HTTP-based IOS EXEC Server. The WEB_EXEC module allows for both "show" and "configure" commands to be executed on the device through requests sent over the HTTP protocol.

Both the Cisco IOS HTTP server and the Cisco IOS HTTPS server use the locally configured enable password (configured by using the enable password or enable secret commands) as the default authentication mechanism for any request received. Other mechanisms can also be configured to authenticate requests to the HTTP or HTTPS interface. Some of those mechanisms are the local user database, an external RADIUS server or an external TACACS+ server.

If an enable password is not present in the device configuration, and no other mechanism has been configured to authenticate requests to the HTTP interface, the Cisco IOS HTTP server and the Cisco IOS HTTPS server may execute any command received without requiring authentication. Any commands up to and including commands that require privilege level 15 might then be executed on the device. Privilege level 15 is the highest privilege level on Cisco IOS devices.

Conditions: For a Cisco IOS device to be affected by this issue all of the following conditions must be met:

An enable password is not present in the device configuration

Either the Cisco IOS HTTP server or the Cisco IOS HTTPS server is enabled

No other authentication mechanism has been configured for access to the Cisco IOS HTTP server or Cisco IOS HTTPS server. Such mechanisms might include the local user database, RADIUS (Remote Authentication Dial In User Service), or TACACS+ (Terminal Access Controller Access-Control System)

The Cisco IOS HTTP server is enabled by default on some Cisco IOS releases.

Workaround: Any of the following workarounds can be implemented:

Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an enable password

Customers requiring the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server must configure an authentication mechanism for any requests received. One option is to use the enable password or enable secret commands to configure an enable password. The enable password is the default authentication mechanism used by both the Cisco IOS HTTP server and the Cisco IOS HTTPS server if no other method has been configured.

In order to configure an enable password by using the enable secret command, add the following line to the device configuration:

enable secret mypassword  

Replace mypassword with a strong password of your choosing. For guidance on selecting strong passwords, please refer to your site security policy. The document entitled "Cisco IOS Password Encryption Facts" explains the differences between using the enable secret and the enable password commands to configure an enable password. This document is available at the following link:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00809d38a7.shtml

Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an authentication mechanism other than the default

Configure an authentication mechanism for access to the Cisco IOS HTTP server or the Cisco IOS HTTPS server other than the default. Such an authentication mechanism can be the local user database, an external RADIUS server, an external TACACS+ server or a previously defined AAA (Authentication, Authorization and Accounting) method. Because the procedure to enable an authentication mechanism for the Cisco IOS HTTP server and the Cisco IOS HTTPS server varies across Cisco IOS releases and depends on other factors, no example is provided. Customers looking for information about how to configure an authentication mechanism for the Cisco IOS HTTP server and for the Cisco IOS HTTPS server are encouraged to read the document entitled "AAA Control of the IOS HTTP Server", which is available at the following link:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml

Disabling the Cisco IOS HTTP Server and/or the Cisco IOS HTTPS server functionality

Customers who do not require the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server can disable it by adding the following commands to the device configuration:

no ip http server
no ip http secure-server

The second command might return an error message if the Cisco IOS version installed and running on the device does not support the HTTPS server feature. This error message is harmless and can safely be ignored.

Please be aware that disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server may impact other features that rely on it. As an example, disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server will disable access to any embedded device manager installed on the device.

Further Problem Description: In addition to the explicit workarounds detailed above it is highly recommended that customers limit access to Cisco IOS HTTP server and the Cisco IOS HTTPS server to only trusted management hosts. Information on how to restrict access to the Cisco IOS HTTP server and the Cisco IOS HTTPS server based on IP addresses is available at the following link:

http://www.cisco.com/en/US/docs/ios-xml/ios/https/configuration/12-4/nm-http-web.html#GUID-BB57C0D5-71DB-47C5-9C11-8146773D1127

Customers are also advised to review the "Management Plane" section of the document entitled "Cisco Guide to Harden Cisco IOS Devices" for additional recommendations to secure management connections to Cisco IOS devices. This document is available at the following link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
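
The three conditions listed for CSCse85652 can be checked against a saved running-config. The following Python audit is an added example, not Cisco code; it assumes the `ip http authentication <method>` command form (not shown on this page), and all sample configurations are constructed.

```python
import re

# Constructed sample configurations (not from any real device).
SAMPLES = {
    "exposed": """\
hostname lab-sw1
ip http server
ip http secure-server
""",
    "enable-secret": """\
hostname lab-sw2
enable secret 5 CONSTRUCTED-HASH-PLACEHOLDER
ip http server
""",
    "local-auth": """\
hostname lab-sw3
username admin privilege 15 secret 5 CONSTRUCTED-HASH-PLACEHOLDER
ip http secure-server
ip http authentication local
""",
    "disabled": """\
hostname lab-sw4
no ip http server
no ip http secure-server
""",
    "silent": """\
hostname lab-sw5
""",
}

SERVER_RE = re.compile(r"^(no\s+)?ip http (server|secure-server)$")
AUTH_RE = re.compile(r"^ip http authentication\s+(\S+)")   # assumed command form
ENABLE_RE = re.compile(r"^enable (?:secret|password)\s+\S")


def audit_http_exec(config, http_default_on=False):
    """Evaluate the three CSCse85652 conditions against a running-config text.

    http_default_on: pass True for releases where the HTTP server is enabled by
    default, because a default setting may not appear in the configuration.
    """
    enable_set = False
    servers = {"server": http_default_on, "secure-server": False}
    auth_method = "enable"   # the enable password is the default mechanism
    for raw in config.splitlines():
        line = raw.strip()
        if ENABLE_RE.match(line):
            enable_set = True
        elif (m := SERVER_RE.match(line)):
            servers[m.group(2)] = m.group(1) is None   # "no ..." turns it off
        elif (m := AUTH_RE.match(line)):
            auth_method = m.group(1).lower()
    listening = [name for name, on in servers.items() if on]
    return {
        "enable_password_set": enable_set,
        "listening": listening,
        "auth_method": auth_method,
        # Affected only when all three conditions hold at once.
        "affected": bool(listening) and auth_method == "enable" and not enable_set,
    }


def audit_samples():
    """Return {sample name: affected?} for the constructed samples."""
    return {name: audit_http_exec(text)["affected"] for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_http_exec(text))
```

The check does not verify that a non-default method is usable (for example, that a local user actually exists), so a "not affected" result for such a configuration still deserves a manual look.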

Resolved IPServices Caveats

CSCsk64158—Resolved in 12.2(18)ZYA1

Several features within Cisco IOS Software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked; transit traffic will not block the interface.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory.

This advisory is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-udp

CSCsm27071—Resolved in 12.2(18)ZYA1

A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS Software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:

The configured feature may stop accepting new connections or sessions.

The memory of the device may be consumed.

The device may experience prolonged high CPU utilization.

The device may reload.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available in the "workarounds" section of the advisory.

The advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-ip

CSCsr29468—Resolved in 12.2(18)ZYA1

Cisco IOS Software contains a vulnerability in multiple features that could allow an attacker to cause a denial of service (DoS) condition on the affected device. A sequence of specially crafted TCP packets can cause the vulnerable device to reload.

Cisco has released free software updates that address this vulnerability.

Several mitigation strategies are outlined in the workarounds section of this advisory.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-tcp

CSCsv04836—Resolved in 12.2(18)ZYA1

Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.

In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.

Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090908-tcp24.

Resolved LAN Caveats

CSCsv05934—Resolved in 12.2(18)ZYA1

Summary: Cisco's VTP protocol implementation in some versions of Cisco IOS and CatOS may be vulnerable to a DoS attack via a specially crafted VTP packet sent from the local network segment when operating in either server or client VTP mode. When the device receives the specially crafted VTP packet, the switch may crash (and reload/hang). The crafted packet must be received on a switch interface configured to operate as a trunk port.

Workarounds: There are no workarounds available for this vulnerability.

This response is posted at http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20081105-vtp

Resolved PPP Caveats

CSCsa49019—Resolved in 12.2(18)ZYA1

Symptoms: A memory leak may occur in the "Multilink Events" process, which can be seen in the output of the show memory summary command:

0x60BC47D0 0000000024 0000000157 0000003768    MLP bundle name
0x60BC47D0 0000000028 0000000003 0000000084    MLP bundle name
0x60BC47D0 0000000044 0000000001 0000000044    MLP bundle name
0x60BC47D0 0000000048 0000000001 0000000048    MLP bundle name
0x60BC47D0 0000000060 0000000001 0000000060    MLP bundle name
0x60BC47D0 0000000064 0000000013 0000000832    MLP bundle name
0x60BC47D0 0000000068 0000000008 0000000544    MLP bundle name
0x60BC47D0 0000000072 0000000001 0000000072    MLP bundle name
0x60BC47D0 0000000076 0000000001 0000000076    MLP bundle name
0x60BC47D0 0000000088 0000000018 0000001584    MLP bundle name
 
   

Conditions: This symptom is observed when two interfaces are configured in the same multilink group or are bound to the same dialer profile.

Workaround: There is no workaround.

Resolved Security Caveats

CSCsj85065—Resolved in 12.2(18)ZYA1

A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange.

Cisco has released free software updates that address this vulnerability. Aside from disabling affected services, there are no available workarounds to mitigate an exploit of this vulnerability.

This advisory is posted at

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-ssl.

Resolved Unknown Caveats

CSCek49649—Resolved in 12.2(18)ZYA1

Symptoms: Cisco Catalyst 6500 and Cisco 7600 modules are reachable via 127.0.0.x addresses.

Conditions: Cisco Catalyst 6500 and Cisco 7600 series devices use addresses from the 127.0.0.0/8 (loopback) range in the Ethernet Out-of-Band Channel (EOBC) for internal communication.

Addresses from this range that are used in the EOBC on Cisco Catalyst 6500 and Cisco 7600 series devices are accessible from outside of the system. The Supervisor module, Multilayer Switch Feature Card (MSFC), or any other intelligent module may receive and process packets that are destined for the 127.0.0.0/8 network. An attacker can exploit this behavior to bypass existing access control lists; however, an exploit will not allow an attacker to bypass authentication or authorization. Valid authentication credentials are still required to access the module in question.

Per RFC 3330, a packet that is sent to an address anywhere within the 127.0.0.0/8 address range should loop back inside the host and should never reach the physical network. However, some host implementations send packets to addresses in the 127.0.0.0/8 range outside their Network Interface Card (NIC) and to the network. Certain implementations that normally do not send packets to addresses in the 127.0.0.0/8 range may also be configured to do so.

Destination addresses in the 127.0.0.0/8 range are not routed on the Internet. This factor limits the exposure of this issue.

This issue is applicable to systems that run Hybrid Mode (Catalyst OS (CatOS) software on the Supervisor Engine and IOS Software on the MSFC) and Native Mode (IOS Software on both the Supervisor Engine and the MSFC).

Workaround: Administrators can apply an access control list that filters packets to the 127.0.0.0/8 address range to interfaces where attacks may be launched.

    ip access-list extended block_loopback 
      deny   ip any 127.0.0.0 0.255.255.255  
      permit ip any any 
 
    interface Vlan x 
     ip access-group block_loopback in 
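
An ACL only implements this workaround if the deny for 127.0.0.0/8 is reached before any permit that matches the same destination. The following Python check is an added example (not Cisco code) that applies first-match evaluation to named extended ACLs bound inbound on interfaces; apart from the block_loopback ACL the sample configuration is constructed, and numbered or standard ACLs are not parsed.

```python
import ipaddress
import re

ALL = 0xFFFFFFFF
LOOP_ADDR = int(ipaddress.IPv4Address("127.0.0.0"))
LOOP_WILD = int(ipaddress.IPv4Address("0.255.255.255"))  # IOS wildcard mask for a /8
PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}  # tokens each operator uses

# Constructed running-config fragment; only the block_loopback ACL is from the page.
SAMPLE = """\
ip access-list extended block_loopback
 deny   ip any 127.0.0.0 0.255.255.255
 permit ip any any
ip access-list extended shadowed
 permit ip any any
 deny   ip any 127.0.0.0 0.255.255.255
ip access-list extended telnet_only
 deny   tcp any 127.0.0.0 0.255.255.255 eq 23
 permit ip any any
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip access-group block_loopback in
interface Vlan20
 ip address 198.51.100.1 255.255.255.0
 ip access-group shadowed in
interface Vlan30
 ip address 203.0.113.1 255.255.255.128
 ip access-group telnet_only in
interface Vlan40
 ip address 203.0.113.129 255.255.255.128
"""

def _addr(tok, i):
    """Read 'any' | 'host A' | 'A W' at tok[i]; return (addr, wildcard, next index)."""
    if tok[i] == "any":
        return 0, ALL, i + 1
    if tok[i] == "host":
        return int(ipaddress.IPv4Address(tok[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1])), i + 2

def parse_ace(line):
    """Parse one extended ACE; return None for remarks and other non-ACE lines."""
    tok = line.split()
    if not tok or tok[0] not in ("permit", "deny"):
        return None
    _, src_w, i = _addr(tok, 2)
    i += PORT_OPS.get(tok[i], 0) if i < len(tok) else 0   # skip a source-port qualifier
    dst_a, dst_w, i = _addr(tok, i)
    extra = [t for t in tok[i:] if t not in ("log", "log-input")]
    return {"action": tok[0], "proto": tok[1], "src_any": src_w == ALL,
            "dst": (dst_a, dst_w), "narrowed": bool(extra)}

def overlaps_loopback(dst):
    """True if the ACE destination matches at least one address in 127.0.0.0/8."""
    return ((dst[0] ^ LOOP_ADDR) & ~dst[1] & ~LOOP_WILD & ALL) == 0

def covers_loopback(dst):
    """True if the ACE destination matches every address in 127.0.0.0/8."""
    return (dst[1] & LOOP_WILD) == LOOP_WILD and ((dst[0] ^ LOOP_ADDR) & ~dst[1] & ALL) == 0

def acl_blocks_loopback(aces):
    """First-match walk: is every packet destined to 127.0.0.0/8 dropped?"""
    for ace in aces:
        if not overlaps_loopback(ace["dst"]):
            continue
        if ace["action"] == "permit":
            return False                  # a permit is reached before a complete deny
        if (ace["proto"] == "ip" and ace["src_any"] and not ace["narrowed"]
                and covers_loopback(ace["dst"])):
            return True
    return True                           # implicit deny at the end of every ACL

def audit(config):
    """Map each interface that has an IP address to a verdict for the workaround."""
    acls, routed, acl_in, kind, name = {}, [], {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # an unindented line opens a new section
            m = re.match(r"(ip access-list extended|interface)\s+(.+)$", line)
            kind, name = (m.group(1), m.group(2)) if m else (None, None)
        elif kind == "interface":
            if line.startswith("ip address ") and name not in routed:
                routed.append(name)
            m = re.match(r"ip access-group (\S+) in$", line)
            if m:
                acl_in[name] = m.group(1)
        elif kind and (ace := parse_ace(line)):
            acls.setdefault(name, []).append(ace)
    report = {}
    for ifname in routed:
        aces = acls.get(acl_in.get(ifname))
        if aces is None:
            report[ifname] = "no usable inbound ACL"
        else:
            report[ifname] = "blocked" if acl_blocks_loopback(aces) else "127/8 reachable"
    return report
```

Calling `audit(SAMPLE)` flags Vlan20 (the permit shadows the deny) and Vlan30 (the deny covers only TCP port 23) as still reachable, while Vlan10 carries the ACL exactly as given in the workaround.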
 

Control Plane Policing (CoPP) can be used to block traffic with a destination IP address in the 127.0.0.0/8 address range sent to the device. Cisco IOS Software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be configured on a device to protect the management and control planes to minimize the risk and effectiveness of direct infrastructure attacks. CoPP protects the management and control planes by explicitly permitting only authorized traffic that is sent to infrastructure devices in accordance with existing security policies and configurations.

    !-- Permit all traffic with a destination IP 
    !-- address in the 127.0.0.0/8 address range sent to 
    !-- the affected device so that it will be policed and 
    !-- dropped by the CoPP feature 
    ! 
    access-list 111 permit icmp any 127.0.0.0 0.255.255.255 
    access-list 111 permit udp any 127.0.0.0 0.255.255.255 
    access-list 111 permit tcp any 127.0.0.0 0.255.255.255 
    access-list 111 permit ip any 127.0.0.0 0.255.255.255 
    ! 
    !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 
    !-- and Layer4 traffic in accordance with existing security 
    !-- policies and configurations for traffic that is authorized 
    !-- to be sent to infrastructure devices 
    ! 
    !-- Create a Class-Map for traffic to be policed by the 
    !-- CoPP feature 
    ! 
    class-map match-all drop-127/8-netblock-class 
      match access-group 111 
    ! 
    !-- Create a Policy-Map that will be applied to the 
    !-- Control-Plane of the device. 
    ! 
    policy-map drop-127/8-netblock-traffic 
      class drop-127/8-netblock-class 
        police 32000 1500 1500 conform-action drop exceed-action drop 
    ! 
    !-- Apply the Policy-Map to the Control-Plane of the 
    !-- device 
    ! 
    control-plane 
      service-policy input drop-127/8-netblock-traffic 
    ! 

Additional information on the configuration and use of the CoPP feature is available at the following links:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html

Infrastructure Access Control Lists (iACLs) are also considered a network security best practice and should be considered as long-term additions to effective network security as well as a workaround for this specific issue. The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection ACLs. The white paper is available at the following link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

Other Caveats Resolved in Release 12.2(18)ZYA1

Identifier
Technology
Description

CSCdu79630

AAA

Username on vty not displayed if accounting is not configured

CSCsg18288

AAA

Enable authentication ignores Tacacs+ configuration in rare situation

CSCsl57645

AAA

tacacs-server directed-request fails for enable authentication on 6500

CSCso95426

AAA

Exposure of Radius-Keys in debugs.

CSCsj88665

Access

Bus error with PA-MC-2T3+ when deleting channel-group

CSCei33231

ATM

ATM PVC bundle protected group test failed with bumping exhausted

CSCek74474

ATM

no/default proto ip inarp cmd ineffective until ATM VC bounced.

CSCsm12247

Content

WCCP: hash assignment may be lost after service group change

CSCek58956

Infrastructure

Need process_ok_to_reschedule check in process_may_suspend

CSCsd37499

Infrastructure

%IFS-3-FSMAX: Failed to add ?, maximum filesystems 64 msg with Traceback

CSCsd62013

Infrastructure

Traceback on Standby RP@add_lpmapping_entry_private+74

CSCsk70446

Infrastructure

NRT: tracebacks @ data_inconsistency_error - 7200 for HTTP config.

CSCsl06515

Infrastructure

Sup720 Crash with 11 eFlexWan linecards

CSCsl60092

Infrastructure

Active SP crashed @ipc_fragment_cleanup with VSL shut/no shut test

CSCsm01126

Infrastructure

PRE-B crashes while in progress to standby cold-config

CSCso99219

Infrastructure

Match ip address with Named ACL not work in route-map

CSCsq19159

Infrastructure

RP crashes in chassismib_add_sub_card_entry after linecard reload

CSCec51750

IPServices

Router reloads do to bus error. and illegal access to low address

CSCsi57927

IPServices

FTP session hangs TCP in closewait after CLI times out . .

CSCsl23788

IPServices

Dlsw+ peer waits in AB_PENDING or WAIT_WR status with modular IOS

CSCsl70070

IPServices

CPUHOG when doing HSRP SNMP query

CSCsm36306

IPServices

NAT creates overlapping translation entries using the same IG address

CSCsm59037

IPServices

no service dhcp command causes switch to reload

CSCsm70580

IPServices

c2w2:ciscoFtpClientMIB: ftp_fs.proc extra processes can deadlock & crash

CSCso04657

IPServices

SSLVPN service stops accepting any new SSLVPN connections

CSCso68344

IPServices

Switch acting as DHCP server crashes on issuing no service dhcp command.

CSCsq48201

IPServices

c7300:Bridge IRB-Router crash and traffic flow issue

CSCsr08771

IPServices

Crash seen @ dhcpd_pool_nvgen and dhcpd_copy_bootfile

CSCsk32095

LAN

PA-2FE-TX port flaps on applying qos policy

CSCsk94676

LegacyProtocols

dlsw with tbridge, COMMON_FIB-4-FIBIDBMISMATCH

CSCsq68529

LegacyProtocols

After reload, there is no mac-address on SVI not running DECnet

CSCsl78965

MPLS

High CPU in SNMP engine, mplsVpnVrfRouteEntry

CSCsm30973

MPLS

bgp multipath with ipv4+label nexthop: label missing in cef

CSCso22730

MPLS

Prefixes get assigned imp-null local label after OIR linecard

CSCso47703

MPLS

Spurious Access error on rsvp_frr_event_lsp_down_psb

CSCek75931

Multicast

LNS: %SYS-3-CPUHOG When sessions have multicast

CSCsd14706

Multicast

PIMV2 router send PIMV1 RP-reachable messages loading recieve router CPU

CSCsk26429

Multicast

Router configured for IGMP Proxy may not send IGMP Join

CSCsl20158

Multicast

SNMP:msdpPeer counters should be able to compare with CLI counters.

CSCsl92316

Multicast

LNS: %SYS-3-CPUHOG when clear l2tp tunnel, sessions have multicast

CSCsm17426

Multicast

RP-bit not cleared on s,g; traffic outage for 4 minutes

CSCsm44620

Multicast

Shutdown interface present in PIM interface list

CSCsm48322

Multicast

IPv6 Multicast RP ignores embedded RP register messages

CSCsq14151

Multicast

RPF of (S,G) is set to NULL, When (S, G, R) entry is convered to (S, G)

CSCsq47166

platform-76xx

GE-WAN interface stays down with autonegotiation enabled

CSCsc69804

PPP

SIP1-ChOC3:Initial packets fail with SW-MLP on SIP-200

CSCse40966

PPP

MLP links down after SSO switchover if aaa new-model cfged

CSCsq37078

PPP

Input errors incrementing on Multilink 5 in admin down state

CSCsj60595

QoS

SIP-400 : offered rate in sh policy-map int is not accurate

CSCsm00570

QoS

cwpa2 crashes at hqf_cwpa_pak_enqueue_local

CSCsm29181

QoS

Crash when NBAR applied to sub-interface

CSCsm49062

QoS

cwan2: show queueing interface reports double count for wfq drops

CSCef16315

Routing

default-information originate route-map causes default route aging

CSCek47667

Routing

clear bgp ipv6 unicast * does not work .

CSCsa73179

Routing

Memory corruption/crash when 'no default-information orig' under RIP

CSCsc58258

Routing

OSPFv3: 64-bits long keys for LSDB

CSCsc72090

Routing

EIGRP doesn't honor interface IP MTU when sending packets

CSCsc96014

Routing

EIGRP neighbors from primary add space deleted when sec add removed

CSCsd92325

Routing

Config sync: no neighbor 192.168.240.34 triggers standby reset

CSCse65277

Routing

MU:default isis metric maximum returns parser error

CSCse85383

Routing

OSPFv3: Restructure link-state request list (CSCsd03021)

CSCsf06946

Routing

Removing loopback interface causes continuous standby RP reloading

CSCsh38140

Routing

CEF drops when using CEF LB paths and active link recovers from failure

CSCsi15183

Routing

change MTU value causes %DUAL-3-INTERNAL in ipigrp2_add_item_dest

CSCsi27696

Routing

oldest ebgp bestpath not retained in eibgp multpath cases

CSCsi68795

Routing

PE wrongly assigns local label to a vpnv4 confederation prefix

CSCsi98730

Routing

CEF/BGP table MPLS label mismatch in IOS 12.4(6)T5

CSCsj21785

Routing

TE tunnel does not reoptimize after mtu change

CSCsj56281

Routing

BGP inherit peer-policy not working after router reload

CSCsk35985

Routing

OSPFv3: router crashes for "show ipv6 ospf lsdb" after redist of routes

CSCsl06336

Routing

removing 'maximum-paths import 6' causes duplicate paths in VRF table

CSCsl30331

Routing

Prefixes permitted despite the deny action on route-map continue

CSCsl70287

Routing

RIP default-originate not working after a switchover

CSCsl92283

Routing

Unable to add into routing table if static route use interface + gateway

CSCsm04442

Routing

Router crash at rip_find_sum_idb

CSCsm43938

Routing

stby resets when large config/arp table to sync over to it

CSCsm45634

Routing

BGP VPNv4 route is not actived immediately after receving update

CSCsm91801

Routing

ASBR not updating metric in LSA-5 redistributing from 2-nd OSPF process

CSCso60089

Routing

7200: KBOOT image build failed

CSCso62166

Routing

Crash @ bgp_netlist_validate when ibgp established with metric

CSCso64274

Routing

0.0.0.0/0 redistributed entry not removed RIP DB after deleting command

CSCso73076

Routing

can not delete ACE enties in ACL

CSCso93535

Routing

Upon removing a VRF, BGP route timers in other VRF's get reset

CSCsq13938

Routing

reload on 'show ip bgp vpnv4' when import src delinked by BGP deconfig

CSCsq21198

Routing

PE loses VPNv4-MDTs from a RR when another RR fails (or shuts neighbor)

CSCsu03167

Routing

SXF15: IPv4/v6 BGP routes not cleared when source routes is gone

CSCsc92417

Security

Secure copy feature intreaction issues with Archive command

CSCsg03753

Security

cat6k memory leak in map->peers and peering_info_list_chunk

CSCsl34391

Security

Output of 1st page of "sh crypto ipsec sa" is blank

CSCso03917

Security

Rtr crash on "sh cry ipsec sa" @ crypto_ipsec_manipulate_ident_tree

CSCso26788

Security

Re-work CSCin91851 for SXF

CSCsr60782

Security

Fix SA warnings in ssh2_support.c

CSCsr85093

Security

SXF15: SSH session fails withRSA signature verification failed after SSO

CSCef71952

Unknown

EzVPN server disconnects all PAT users of same IP address

CSCeg35237

Unknown

Watchdog crash after sh crypto session

CSCek37984

Unknown

Inconsistent BERT behaviour observed on TE1 SPA

CSCek74347

Unknown

Router crash after ip address slarp retry

CSCek78066

Unknown

Whitney:CLI & MIB mismatch for aux-1 temperature Sensor SUP32

CSCsb56931

Unknown

The SWIDB subblock named QM was not removed, on PPP to FR encap change

CSCsb60078

Unknown

After SSO switchover, mcast ergess Vlan gets out of sync among DFCs

CSCsb81527

Unknown

sup2:Need enhanced FIB fatal error handling

CSCsb97997

Unknown

dot1dTpFdbAddress is broken

CSCsd42319

Unknown

SIP400 crashes during bootup with current pikespeak image

CSCsd58422

Unknown

%IXP_MAP-3-QOS_CONFIG: error detected: Can't download policymap

CSCsd78210

Unknown

FPD upgrade file search failed although the file is present.

CSCsd82457

Unknown

EOU Policy can't exempt Cisco 7935 Conference Station & Wireless phones

CSCse53517

Unknown

WiSM: Tracebacks seen after SSO switchover

CSCsf17163

Unknown

TCAM mask/entry resource not released after conf/unconf pacl

CSCsg00173

Unknown

v4 Sparse/SSM traffic when src is in PVLAN src port/DFC is not routed

CSCsg16964

Unknown

Sup32 crashes with 23rd image tb@_shmwin_error

CSCsg19793

Unknown

Psecure absolute aging on DFC causes MAC inconsistency w/ Central EARL

CSCsg22830

Unknown

Standby not coming up after sso switchover

CSCsg39754

Unknown

DHCP snooping redirect ACL permits more than just bootpc and bootps port

CSCsg87747

Unknown

RECV_PVID_ERR message received with bringing up etherchannel trunk

CSCsh16213

Unknown

Disabling MLDsnooping does not clean special MACs 3333.0000.0016, 3333.0

CSCsh57238

Unknown

SXF6:sh int cmd on 6148 cards display zero o/p drops even with qos drops

CSCsi00712

Unknown

Connected ipv4 routes for WAN interfaces missing on reload

CSCsi41749

Unknown

ITP-76:%SYS-2-INTSCHED: 'sleep for' at level 2 (Process- "MIP Mailbox")

CSCsi52715

Unknown

PISA:SIP200 and FW2 reboots on SSO switchover

CSCsi63649

Unknown

%SYS-3-TIMERNEG:Cannot start timer with negative offset,TTY Background

CSCsi74360

Unknown

packet loops between icpu and ocpu while sending clear mcast traffic

CSCsi76936

Unknown

Crash in GLBP if debug is enabled and it rcvs pkt from unknown group

CSCsi77983

Unknown

RP crashed ipflow_pak_pre_check on shutdown the trunk port

CSCsi97434

Unknown

A router may crash when ipsec is established

CSCsi99875

Unknown

BOOM: spa_eeprom_read_bit on BOOTUP

CSCsj25906

Unknown

Configuration changes made after scheduling a reload do not get saved

CSCsj28026

Unknown

WhitneyVS: Unable to mibwalk clcFdbVlanInfoTable . .

CSCsj43677

Unknown

Active Sup720 crash when removing Standy supervisor

CSCsj48453

Unknown

AW: CAT6k does not forward multicast traffic to WISM in L3 mode

CSCsj49293

Unknown

POS Interface Output Rate (200 mbps) > Line rate (155 Mbps)

CSCsj91738

Unknown

Non-ip packet with mcast-mac addr cause high CPU with VPN-SPA VRF mode.

CSCsk07255

Unknown

Sip-600 crash on SSO

CSCsk09552

Unknown

New varbinds showing real & virtual server info needed in SLB traps

CSCsk44233

Unknown

While raising the interrupt level, bgp_route_map_inform tries to suspend

CSCsk67578

Unknown

Flow End sysUpTime higher value than the Router sysUpTime

CSCsk80552

Unknown

Shut and no shut of interface causes the delay in forming rp mapping

CSCsk87262

Unknown

Switch crashes when polling port security MIB for SIP or Flexwan

CSCsk88760

Unknown

122SR:Routers crashes on unconfiguring vlan in the LACP mode

CSCsk93587

Unknown

TestFabricCh0Health test failure with unidir traffic via Ch1on Berytos

CSCsl02812

Unknown

TCP SYN packet lost for web applications when NAT outside IF is ATM

CSCsl04386

Unknown

%BIT-STDBY-4-OUTOFRANGE : Traceback on Bootup .

CSCsl18958

Unknown

IOS-SLB: Multicast packets are droped in SUP22 when FWLB is operational

CSCsl26998

Unknown

Switch crashes on applying PBR with next-hop verify-availability

CSCsl28371

Unknown

SPA-IPsec-2G VRF: L2 loop and broadcast storm may occur on default vlans

CSCsl39710

Unknown

cat6000 mac-address-table does not add entries for local fwsm mac . .

CSCsl52748

Unknown

SUP32 crash in tyfib_get_hw_index

CSCsl72912

Unknown

VS2: WS-X6708 DFC crash in local_cb1(Segment violation)

CSCsl74456

Unknown

VPN-SPA : TCAM not programmed on POS sub-interface after a reload

CSCsl74976

Unknown

Punted MPLS-tagged traffic causes control plane instabilities

CSCsl80682

Unknown

SPA crashes if crypto acl changed

CSCsl98238

Unknown

QoS statistics-export only exports to directly-connected destinations

CSCsm04256

Unknown

CPUHOG and crash after 'show memory detailed all statistics' issued

CSCsm11898

Unknown

IOS:SLB: Incorrect NAT Translation when Nat client is enabled

CSCsm13389

Unknown

RRI is not called be if QM rekey timer expiry forces SA deletion

CSCsm18546

Unknown

Root port is not selected with frameraly and bridge domain configs

CSCsm30858

Unknown

PIM register packets upmarked to TOS 6 by PTcam redirection

CSCsm31037

Unknown

URL maps are not properly downloaded to CSG

CSCsm32363

Unknown

Netflow SLB sw-installed entries not aging out

CSCsm37673

Unknown

Traffic from SSLM service module not going over multi-module etherchanne

CSCsm45453

Unknown

Missing 'lbusDrops' counter for WS-X6516A-GBIC in Native IOS

CSCsm48398

Unknown

mls cef adj leaking

CSCsm48410

Unknown

Vlan-based qos applied to channel when not configured after reload

CSCsm48913

Unknown

Transient SPI aging window is too long

CSCsm53873

Unknown

Module 1/0 failed in health monitoring configuration (error code 23)

CSCsm59926

Unknown

RP receives 2 copies of each PIM register with MVPN

CSCsm69112

Unknown

Multicast output drop w/ IGMP snooping @ near line rate 1Gbps

CSCsm69827

Unknown

%SYS-2-MALLOCFAIL:Process= "GraphIt" in SXH1_fc3

CSCsm70774

Unknown

Router crashes at cfg_kron_plcy_sbmd_cmd.

CSCsm73173

Unknown

Spurious memory access seen @ slb_lam_cfg_ft_track_interf

CSCsm75020

Unknown

EARL7 Additional ECC Error Handling enhancements

CSCsm78651

Unknown

malloc memory issue in standby SP supervisor

CSCsm79163

Unknown

Commit 8.6(0.306)R3V25 C2 FW libraries to the v122_18_sxf_throttle

CSCsm82382

Unknown

7600 standby RP memory leaking cause CEF disable

CSCsm82958

Unknown

radius sticky entry deleted even if the idle timer is not 0

CSCsm83948

Unknown

CISCO7609 returns sysObjectId as ciscoProducts.402 (which is cisco7606)

CSCsm84257

Unknown

crash in ipflow_periodic context due to watchdog timeout

CSCsm86027

Unknown

B2B failover,ace_tunnel_compare:Invalid address_type, router crashed

CSCsm87735

Unknown

OSM CHOC12/T1 - t1 shutdown does not disable Serial interface

CSCsm89251

Unknown

IPSec SA lifetime gets reduced during rekey

CSCsm94421

Unknown

Configuring STP cost in an etherchannel to the defaulthas no effect

CSCsm95456

Unknown

Duplicate L3 packets with 6708 and DEC

CSCsm97669

Unknown

Cat6K with NAT-T through PAT: IKE packets with src_port != 4500 dropped

CSCsm97775

Unknown

fix compile error for earl6

CSCso00793

Unknown

ITP-76: Flexwan Memory version "VI4DP647228EBK-MD" causes reload

CSCso10819

Unknown

LC not reset after 10 consecutive failures of TestMacNotification

CSCso12903

Unknown

RE MET address check missing while running MET patch on IO bus timeout

CSCso17569

Unknown

VPN-SPA: WAN interface mtu incorrectly programmed on the SPA

CSCso20519

Unknown

Cheronia: Fix SMB drive strength programming.

CSCso30038

Unknown

A OIL is not registerd properly in mroute table with static igmp group

CSCso31506

Unknown

IPv6 AH Extension Headers Punted to Software on PFC-3B & 3C

CSCso37640

Unknown

DHCP snooping ACL's are not getting programmed after switchover.

CSCso38129

Unknown

Tracebacks seen on standby & switch crash after switchover w/ct3 config

CSCso44072

Unknown

High CPU due to multicast traffic getting punted to software

CSCso53741

Unknown

VPNSPA does not handle duplicate IPSec SA correctly in nested tunnel

CSCso71355

Unknown

PVLAN - 6500 - Multicast flood broken from pvlan port to promiscuous

CSCso78097

Unknown

OSM-ct3 MFR interface is flapping

CSCso81945

Unknown

removing natpool doesn't remove from the slb-policy automatically

CSCso84567

Unknown

6500 with WCCP and CoPP punts non-TCP packets into CoPP policy.

CSCso85395

Unknown

Unable to add the 256th vlan

CSCso87348

Unknown

Corruption in subflow code

CSCso87838

Unknown

HSRP: with aggressive timers HSRP peer flaps when "wr mem"

CSCso89069

Unknown

NBAR Unable to undo port-map change for softphone protocol

CSCso89550

Unknown

cat6k crash due to SP: Supervisor has bad local fabric channel

CSCso89823

Unknown

Pos interface "rxload" and "input bytes" counters incorrectly increment

CSCso97524

Unknown

Packet drop after TCAM exception happened

CSCsq00884

Unknown

"mls qos trust" cmd lost under port-channel interface when upgrading IOS

CSCsq04355

Unknown

Fix in CSCso81632 is not complete

CSCsq12119

Unknown

SXF13 Crash on VPNSM OIR due to chunk memory double free.

CSCsq14259

Unknown

TX Flowcontrol goes on when link negotiation is disabled

CSCsq19146

Unknown

FPD creation for new pegasus rx (1.6) FPA image for Sip-1 CR

CSCsq19476

Unknown

DMVPN over POS - wrong spa vlan in cef adj after boot, gre sent in clear

CSCsq20970

Unknown

ATM option missing, while configuring T1 controller for mode atm

CSCsq29165

Unknown

Rockies-sup3:UUT hangs during installation

CSCsq37376

Unknown

Packet Buffer Capture May Crash a 6500 in IOS

CSCsq39079

Unknown

SPA-IPSEC-2G Crash under load due to IKE session establishment

CSCsq41311

Unknown

I/O memory leak in Medium buffers

CSCsq47140

Unknown

67xx module may not come online

CSCsq48271

Unknown

adding redundant CSM causes config sync to indicate in sync when not

CSCsq50429

Unknown

OSM card unexpected reload @ cwtlc_qos_create_global_qid_info

CSCsq53822

Unknown

Monitor session removal may affect traffic through WS-X6148A-RJ-45

CSCsq59297

Unknown

port-channel IDB gets mixed up

CSCsq60553

Unknown

Create cwslc-rommon3.bin for cwpa2 to accomodate release Rommon (1.8)

CSCsq77381

Unknown

W2: Diag - TestL3Capture2 failed after LV-SSO

CSCsq77464

Unknown

mls rate-limit unicast cef receive value re-written upon TCAM exception

CSCsq79253

Unknown

Pinnacle interrupts not re-enabled after memory inconsistency detected

CSCsq85850

Unknown

Opnext GLC-LH-SM :remote port stays up when local RX cable is removed

CSCsq89415

Unknown

"no bert" indicates "abort request" instead of "stopped"

CSCsr09554

Unknown

Move SIBYTE SB_RMON_OVRFL messages under debug

CSCsr28305

Unknown

Packet drops on L2 portchannel on WS-X6708-10G

CSCsr54630

Unknown

Patch workaround and s222 build fix for CSCso53756

CSCsr99933

Unknown

FWLB: High purge rate causes CPU to increase by 15%

CSCsu03772

Unknown

Dot1q native vlan tagging is not working with "switchpot nonegotiate"

CSCsu36712

Unknown

cpu spike on "pim process" with SUP32PISA with looping PIM JOIN/PRUNE

CSCsv34544

Unknown

Unexpectedly low throughput on PISA with NBAR enabled

CSCsw45069

Unknown

tx stats incorrect imcrement for debug purpose

CSCsg32308

WAN

copy/paste of ntp-authentication-key statement is not possible

CSCsl90285

WAN

POS-APS: CWPA-3-NODISPATCH messages seen when configuring APS


Resolved Caveats in Release 12.2(18)ZYA

Resolved Caveats for Product `all' and Component `aaa'

CSCsj91123—Resolved in 12.2(18)ZYA

Symptoms: Router reloads after authentication attempt fails on console.

Conditions: Occurs while performing AAA accounting. The accounting structure was freed twice, which results in a crash. Occurs when the aaa accounting send stop-record authentication failure command is configured, which sends a stop record for authentication failure.

Workaround: Remove the aaa accounting send stop-record authentication failure command.

Resolved Caveats for Product `all' and Component `dlsw'

CSCsk73104—Resolved in 12.2(18)ZYA

Cisco IOS contains multiple vulnerabilities in the Data-link Switching (DLSw) feature that may result in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20080326-dlsw.html

Resolved Caveats for Product `all' and Component `ifs'

CSCsk61790—Resolved in 12.2(18)ZYA

Symptoms: Syslog displays password when copying the configuration via FTP.

Conditions: This symptom occurs when copying via FTP. The Syslog message displays the password given by the user as part of syntax of FTP copy.

Workaround: There is no workaround.

Resolved Caveats for Product `all' and Component `ipsec-isakmp'

CSCsg35077—Resolved in 12.2(18)ZYA

Symptoms: A device that is running Cisco IOS software may crash during processing of an Internet Key Exchange (IKE) message.

Conditions: The device must have a valid and complete configuration for IPsec. IPsec VPN features in Cisco IOS software that use IKE include Site-to-Site VPN tunnels, EzVPN (server and remote), DMVPN, IPsec over GRE, and GET VPN.

Workaround: Customers that do not require IPsec functionality on their devices can use the no crypto isakmp enable command in global configuration mode to disable the processing of IKE messages and eliminate device exposure.

If IPsec is configured, this bug may be mitigated by applying access control lists that limit the hosts or IP networks that are allowed to establish IPsec sessions with affected devices. This assumes that IPsec peers are known. This workaround may not be feasible for remote access VPN gateways where the source IP addresses of VPN clients are not known in advance. ISAKMP uses port UDP/500 and can also use UDP/848 (the GDOI port) when GDOI is in use.

Further Problem Description: This bug is triggered deep into the IKE negotiation, and an exchange of messages between IKE peers is necessary.

If IPsec is not configured, it is not possible to reach the point in the IKE negotiation where the bug exists.

Resolved Caveats for Product `all' and Component `os'

CSCsk33054—Resolved in 12.2(18)ZYA

This is the Cisco Product Security Incident Response Team (PSIRT) response to a vulnerability that was reported on the Cisco NSP mailing list on August 17, 2007 regarding the crash and reload of devices running Cisco IOS after executing a command that uses, either directly or indirectly, a regular expression. The original post is available at the following link:

http://puck.nether.net/pipermail/cisco-nsp/2007-August/043002.html

The Cisco PSIRT posted a preliminary response on the same day; it is available at the following link:

http://puck.nether.net/pipermail/cisco-nsp/2007-August/043010.html

Preliminary research pointed to a previously known issue that was documented as Cisco bug ID CSCsb08386 (registered customers only), and entitled "PRP crash by show ip bgp regexp", which was already resolved. Further research indicates that the current issue is a different but related vulnerability.

There are no workarounds available for this vulnerability. Cisco will update this document in the event of any changes.

The full text of this response is available at http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070912-regexp

Resolved Caveats for Product `all' and Component `ssh'

CSCsi17158—Resolved in 12.2(18)ZYA

Symptoms: Devices running Cisco IOS may reload with the error message "System returned to ROM by abort at PC 0x0" when processing SSHv2 sessions. A switch crashes. We have a script running that will continuously ssh-v2 into the 3560 then close the session normally. If the vty line that is being used by SSHv2 sessions to the device is cleared while the SSH session is being processed, the next time an ssh into the device is done, the device will crash.

Conditions: This problem is platform independent, but it has been seen on Cisco Catalyst 3560, Cisco Catalyst 3750 and Cisco Catalyst 4948 series switches. The issue is specific to SSH version 2, and it is seen only when the box is under brute force attack. This crash is not seen under normal conditions.

Workaround: There are mitigations to this vulnerability: For Cisco IOS, the SSH server can be disabled by applying the command crypto key zeroize rsa while in configuration mode. The SSH server is enabled automatically upon generating an RSA key pair. Zeroing the RSA keys is the only way to completely disable the SSH server.

Access to the SSH server on Cisco IOS may also be disabled by removing SSH as a valid transport protocol. This can be done by reapplying the transport input command with 'ssh' removed from the list of permitted transports on VTY lines while in configuration mode. For example:

line vty 0 4
 transport input telnet
 end

If SSH server functionality is desired, access to the server can be restricted to specific source IP addresses or blocked entirely using Access Control Lists (ACLs) on the VTY lines as shown in the following URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html#Applying_the_ACL_to_an_Interface_or_Terminal_Line

More information on configuring ACLs can be found on Cisco's public website: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
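The workarounds for CSCsj91123, CSCsg35077 and CSCsi17158 above each depend on a specific configuration condition, so a saved running-config can be checked for them before the upgrade is scheduled. The script below is an added example, not Cisco code: the function names and both sample configurations are constructed for illustration, and it assumes that a VTY block with no `transport input` line falls back to a platform default that permits SSH.

```python
"""Added example: audit an IOS running-config for the workaround conditions
named in the CSCsj91123, CSCsg35077 and CSCsi17158 caveats."""
import re
from typing import Dict, List, Tuple

# Constructed sample configs (addresses are from documentation ranges).
EXPOSED_CONFIG = """\
hostname lab-sup32
aaa new-model
aaa accounting send stop-record authentication failure
!
crypto isakmp policy 10
 authentication pre-share
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.10
!
access-list 10 permit 198.51.100.0 0.0.0.255
!
line con 0
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
end
"""

HARDENED_CONFIG = """\
hostname lab-sup32
aaa new-model
no crypto isakmp enable
!
access-list 10 permit 198.51.100.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input none
!
end
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split a running-config into (top-level command, [indented sub-commands])."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(config: str) -> Dict[str, List[str]]:
    """Return {caveat id: [findings]} for conditions visible in the config text."""
    findings: Dict[str, List[str]] = {}
    blocks = parse_blocks(config)
    top = [cmd for cmd, _ in blocks]

    # CSCsj91123: the command whose removal is the documented workaround.
    if "aaa accounting send stop-record authentication failure" in top:
        findings.setdefault("CSCsj91123", []).append(
            "stop-record on authentication failure is configured")

    # CSCsi17158: VTY lines that accept SSH with no source restriction.
    for cmd, subs in blocks:
        if not cmd.startswith("line vty"):
            continue
        transports = None
        has_acl = False
        for sub in subs:
            m = re.match(r"transport input (.+)$", sub)
            if m:
                transports = m.group(1).split()
            if re.match(r"access-class \S+ in\b", sub):
                has_acl = True
        # Assumption: no 'transport input' line means the default permits SSH.
        ssh_ok = transports is None or "ssh" in transports or "all" in transports
        if ssh_ok and not has_acl:
            findings.setdefault("CSCsi17158", []).append(
                f"{cmd}: SSH permitted with no inbound access-class")

    # CSCsg35077: IPsec configured while IKE processing is left enabled.
    ipsec_cfg = [c for c in top if re.match(r"crypto (isakmp|ipsec|map) ", c)]
    if ipsec_cfg and "no crypto isakmp enable" not in top:
        findings.setdefault("CSCsg35077", []).append(
            "IKE enabled with IPsec configured; confirm an ACL limits UDP/500 "
            "(and UDP/848 with GDOI) to known peers")
    return findings


if __name__ == "__main__":
    for caveat, notes in sorted(audit(EXPOSED_CONFIG).items()):
        for note in notes:
            print(f"{caveat}: {note}")
```

The script reads only the configuration text, so it cannot tell whether an RSA key pair exists (and therefore whether the SSH server is actually running) or whether an interface ACL already limits IKE peers; treat its output as a list of items to confirm on the device.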

Resolved Caveats for Product `all' and Component `ssl'

CSCsj85065—Resolved in 12.2(18)ZYA

A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange.

Cisco has released free software updates that address this vulnerability. Aside from disabling affected services, there are no available workarounds to mitigate an exploit of this vulnerability.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-ssl.

Resolved Caveats for Product `all' and Component `ts'

CSCsj86725—Resolved in 12.2(18)ZYA

This DDTS addresses the issue in the Cisco Product Security Incident Response Team (PSIRT) response to an issue discovered and reported to Cisco by Andy Davis from IRM, Inc. regarding a stack overflow in the Cisco IOS Line Printer Daemon (LPD) Protocol feature.

This security response is posted at: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071010-lpd

Other Caveats Resolved in Release 12.2(18)ZYA

| Identifier | Product | Component | Description |
|---|---|---|---|
| CSCsj83102 | all | 7x00-t1e1 | crash upon card type configuration on WS-X6582-2PA / PA-MC-8TE1+ |
| CSCee89849 | all | aaa | Router reloaded at vtemplate_build_command_strings |
| CSCsc98046 | all | aaa | TACACS Accounting isn't sending stop time in the stop packet. |
| CSCsf30451 | all | aaa | radius-server attrib 32 include-in-access-req/accounting-req not sent |
| CSCsh23142 | all | aaa | aaa local authentication not happening for authproxy |
| CSCsh46990 | all | aaa | Console hangs with enable/line as aaa fall-back methods |
| CSCsh59019 | all | aaa | Avoiding AAA client hangs, if a protocol subsystem is not present. |
| CSCsj89305 | all | aaa | RADIUS/NAS-IP address is sent out as 0.0.0.0 |
| CSCsj97165 | all | aaa | %AAA-3-BADMETHODERROR: Router crash @ aaa_get_new_acct_reg_type |
| CSCsl33966 | all | aaa | C6509 : attribute 32 nas-Id not sent for Auth (missed by CSCsf30451 ) |
| CSCsm06740 | all | aaa | Memory Leak in AAA accounting and Virtual Exec |
| CSCeb69473 | all | analysis | connect '/terminal-type' command memory corruption |
| CSCei79855 | all | ata-filesystem | IOS resilience fails to work properly with secure boot command |
| CSCse20115 | all | ata-filesystem | System hangs when writing to a file, when the disk space is full |
| CSCsg15939 | all | ata-filesystem | Switches crash after remove/plug in compact flash |
| CSCsh48919 | all | ata-filesystem | Embedded spaces in DOSFS dirs/file names cause crash in some platforms |
| CSCek61180 | all | atmcommon | crash @ write_to_url, doprintc_core, atm_remove_vc |
| CSCsd84347 | all | atmcommon | PVC stops sending OAM loopback if AIS/RDI received |
| CSCeg25475 | all | bgp | Distribute-list configured in ipv4 acts in vpnv4 address-family |
| CSCei93768 | all | bgp | check heaps CHUNKBADMAGIC crash at BGP Router when remove dmzlink ba |
| CSCek62005 | all | bgp | ip prefix list deletes lists before sending notif (causing rtr crash |
| CSCsc75426 | all | bgp | Crash when BGP sends update with bad attribute |
| CSCsc98835 | all | bgp | CPUHOG when access-list is modified causes OSPF and BGP session drops |
| CSCsg16778 | all | bgp | router may crash at bgp_update_nbrsoo after deleting BGP neighbor |
| CSCsg55591 | all | bgp | MPLS VPN Local label not allocated/programmed for sourced BGP network |
| CSCsh88825 | all | bgp | bgp: advertisement-interval not nvgened for peer-groups |
| CSCsj78403 | all | bgp | clear ip bgp causes crash to RR client with conditional route injection |
| CSCsj99269 | all | bgp | BGP: VPNv4 general scanner runtime close to 1 hour at boot time |
| CSCsk34344 | all | bgp | Wrong share-count 1:10 via confed-external BGP peers using dmzlink-bw |
| CSCsk70844 | all | bgp | %SYS-4-REGEXP: new engine: regexp compilation had failed -BGP Router |
| CSCsl07297 | all | bgp | SXF11: BGP "no neighbor" command caused Address Error exception |
| CSCsj64230 | all | bidir-pim | bidir DF election should not be restarted on a downstream interface |
| CSCek72777 | all | c6k-wan-common | %CWAN_HA-STDBY-4-IFCFG_PLAYBACK_ERROR for 7600 SIP card |
| CSCsi91324 | all | c7600-mcast | MCAST packet drop when other interface goes down on DFC |
| CSCsg99914 | all | c7600-sip-200 | sip-200 power-cycles after BGP flap (not responding to keepalive) |
| CSCsi87837 | all | c7600-ssc-400 | IF-MIB does not support gig interfaces on SPA-IPSEC-2G |
| CSCsj56086 | all | cat6000-acl | WCCP and VACL cause Cisco router CPU High |
| CSCsk41374 | all | cat6000-acl | device crash seen when auth-proxy enabled on the LPIP vlan |
| CSCsh99116 | all | cat6000-fib | bits/sec counter is way off in show int vlan |
| CSCsl89176 | all | cat6000-l2 | Cat6k may crash when vlanTrunkPortEntry is polled via snmp |
| CSCsj68774 | all | cat6000-mpls | SIP-600 SXF bus error in const_mpls_collect_imp_te_stats |
| CSCsk20887 | all | cat6000-routing | Packets are route cached on multilink bundle |
| CSCsl21106 | all | cat6000-sw-fwding | Tunnel destination command crashes MSFC running in hybrid mode |
| CSCsg88433 | all | cdp | IP Telephone issues seen with Dhcp snooping and NAC posture validation |
| CSCsg21418 | all | clns | Bus error related to CLNS fast switching |
| CSCsg95101 | all | clns | ALIGN-3-SPURIOUS: Spurious memory access |
| CSCdz55178 | all | cmts-docsis | QoS profile name of more then 32 chars will crash the router |
| CSCsa79984 | all | comm-serv | CTRLC_ENBL should be cleared when line is reset |
| CSCsi10974 | all | dhcp | Error configuring dhcp option 67 |
| CSCse13882 | all | dlsw | Show dlsw peer caused router to crash |
| CSCsh92031 | all | eapoudp | Sierra: Standby RP crashed at auth_proxy_posture_clear_nacl |
| CSCee04271 | all | eigrp | eigrp does not send update of poisoned route to stub router |
| CSCsc73725 | all | eigrp | EIGRP packet pacing should have lower minimum value |
| CSCsh82953 | all | eigrp | EIGRP pece routes missing extcomm attrs after redistribution to BGP |
| CSCsi14346 | all | eigrp | EIGRP: neighbor command missing in VRF. |
| CSCsi58303 | all | eigrp | eigrp resync peer graceful-restart repeatedly after reload |
| CSCsj25940 | all | eigrp | %SYS-2-NOTQ: unqueue didn't find 6433F698 in queue |
| CSCsj53663 | all | eventmgr | EEM: RP crashed at fh_fd_syslog_event_match |
| CSCsj77819 | all | fib | After SSO traffic is punted to the CPU for 20 seconds |
| CSCsk27685 | all | fib | FIB-DFC2-4-FIBMSG: Invalid message received On bootup |
| CSCei22295 | all | fr | Traceback is seen at fr_svc_teardown_calls |
| CSCsb87686 | all | fr | Spurious Access when attempting to configure a connection on MFR bundle |
| CSCsc38968 | all | fr | Frame-relay EEK failure does not keep subinterface down |
| CSCsh58099 | all | ftp | ftp process should call a registry cleanup- Message Could not register.. |
| CSCsl36293 | all | hsrp | Bus Error crash at standby_arp_add_if while config-change |
| CSCsk29013 | all | igmp | IGMP groups in the vrf not rejoined after executing a cle ip mr vrf |
| CSCsh64639 | all | iml | VS2: [dead threads] process takes a large chunk of CPU util |
| CSCsj84641 | all | install | some patches failed to commit during install commit of 41 patches. |
| CSCsh52941 | all | ios-authproxy | AUTHPROXY:CLI to increase the number of HTTP Proxy process |
| CSCsi10945 | all | ios-authproxy | Http Auth-proxy with OTP does not display token/SNK challange |
| CSCsi22243 | all | ios-authproxy | Memory leak in *Dead* process due to HTTP Proxy Server |
| CSCee19119 | all | ip | IP installs route for PPP interfaces that did not complete IPCP |
| CSCek76776 | all | ip | ip interface settings persistent after deleting/adding sub-interface |
| CSCsi58867 | all | ip | CPUHOG After show ip route static or show ip route connected |
| CSCsk46195 | all | ip | Arp entry does not age out with private vlans and no ip sticky-arp |
| CSCsm27979 | all | ip | router may crash for "address error exception" doing sh ip route vrf |
| CSCsk26719 | all | ip-acl | show ip access crash with per-user acl |
| CSCeg85087 | all | ipmulticast | S,G expire timer set to 3:00 when no downstream pim join |
| CSCsg24505 | all | ipmulticast | PIM-DM Assert winner does not always send prune |
| CSCsh78277 | all | ipmulticast | Sierra: mwheel CPUhog on RPF link failure causing crash |
| CSCee73221 | all | ip-rip | Split Horizon is in effect on redistributed static routes |
| CSCsh57509 | all | ip-rip | RIPv2 does not delete redundant paths with different next hops |
| CSCsi20281 | all | ip-rip | Static route redistribution into RIP fails on ACL change |
| CSCsi80057 | all | ip-rip | RIP default-information originate with route-map not working correctly |
| CSCsl47915 | all | ip-rip | Redistribution of ospf in rip with prefix-list not working properly |
| CSCsm22805 | all | ipsec | hsrp crypto map config got removed after reload |
| CSCsm32840 | all | ipsec | Router crash in dmvpn-vrf setup after cheronia reset |
| CSCin67370 | all | ipsec-core | Changing ACL or the crypto map leaves it empty ident tree |