Guest

Cisco IOS Software Releases 12.2 SE

Release Notes for the Cisco ME 3400E and ME 3400 Ethernet Access Switches, Cisco IOS Release 12.2(55)SE and Later

  • Viewing Options

  • PDF (483.4 KB)
  • Feedback
Release Notes for the Cisco ME 3400E and ME 3400 Ethernet Access Switches, Cisco IOS Release 12.2(55)SE and Later

Table Of Contents

Release Notes for the Cisco ME 3400E and
ME 3400 Ethernet Access Switches, Cisco IOS Release 12.2(55)SE and Later

Contents

Hardware Supported

Upgrading the Switch Software

Finding the Software Version and Feature Set

Deciding Which Files to Use

Archiving Software Images

Upgrading a Switch

Recovering from a Software Failure

Installation Notes

New Software Features

Minimum Cisco IOS Release for Major Features

Limitations and Restrictions

Bidirectional Forwarding Detection

Connectivity Fault Management (CFM)

Configuration

EtherChannel

IP

IP Service Level Agreements (SLAs)

MAC Addressing

Multicasting

REP

Routing

QoS

SPAN and RSPAN

Trunking

VLAN

Important Notes

Open Caveats

Resolved Caveats

Caveats Resolved in Cisco IOS Release 12.2(55)SE8

Caveats Resolved in Cisco IOS Release 12.2(55)SE7

Caveats Resolved in Cisco IOS Release 12.2(55)SE6

Caveats Resolved in Cisco IOS Release 12.2(55)SE5

Caveats Resolved in Cisco IOS Release 12.2(55)SE4

Caveats Resolved in Cisco IOS Release 12.2(55)SE

Documentation Updates

Update to the ME 3400 Hardware Installation Guide

Updates to the System Message Guide

New Messages

Modified Messages

Deleted Messages

Updates to the ME 3400E Regulatory Compliance and Safety Information Guide and the Getting Started Guide

All Switches

Cisco ME 3400EG-2CS-A

Cisco ME 3400E-24TS-M and Cisco ME 3400EG-12CS-M

Related Documentation

Obtaining Documentation and Submitting a Service Request


Release Notes for the Cisco ME 3400E and
ME 3400 Ethernet Access Switches, Cisco IOS Release 12.2(55)SE and Later


Revised June 28, 2013

Cisco IOS Release 12.2(55)SE and higher runs on the Cisco ME 3400E and ME 3400 Series Ethernet Access switches.

These release notes include important information about Cisco IOS Release 12.2(55)SE and any limitations, restrictions, and caveats that apply to the release. Verify that these release notes are correct for your switch:

If you are installing a new switch, see the Cisco IOS release label on the rear panel of your switch.

If your switch is on, use the show version privileged EXEC command. See the "Finding the Software Version and Feature Set" section.

If you are upgrading to a new release or different image, see the software upgrade filename for the software version. See the "Deciding Which Files to Use" section.

For the complete list of Cisco ME 3400E and ME 3400 switch documentation, see the "Related Documentation" section.

You can download the switch software from this site (registered Cisco.com users with a login password):

http://www.cisco.com/cisco/web/download/index.html

Contents

Hardware Supported

Upgrading the Switch Software

Installation Notes

New Software Features

Minimum Cisco IOS Release for Major Features

Limitations and Restrictions

Open Caveats

Resolved Caveats

Documentation Updates

Related Documentation

Obtaining Documentation and Submitting a Service Request

Hardware Supported

Table 1 Supported Hardware 

Device
Description
Supported by Minimum Cisco IOS Release

ME 3400E-24TS-M

24 10/100 ports and 2 dual-purpose ports; supports removable AC- and DC-power supplies.

Cisco IOS Release 12.2(44)EY

ME 3400EG-12CS-M

12 dual-purpose ports and 4 SFP module slots; supports removable AC- and DC-power supplies.

Cisco IOS Release 12.2(44)EY

ME 3400EG-2CS-A

2 dual-purpose ports and 2 SFP module slots, AC-power input.

Cisco IOS Release 12.2(44)EY

ME 3400-24FS-A

24 100BASE-FX SFP module ports and 2 Gigabit Ethernet SFP module ports, AC power

Cisco IOS Release 12.2(40)SE

ME 3400G-2CS

2 dual-purpose ports and 2 SFP-only module ports, AC power

Cisco IOS Release 12.2(35)SE1

ME-3400G-12CS-A

12 dual-purpose ports and 4 SFP-only module ports

Cisco IOS Release 12.2(25)SEG1

ME-3400G-12CS-D

12 dual-purpose ports and 4 SFP-only module ports

Cisco IOS Release 12.2(25)SEG1

ME-3400-24TS-A

24 10/100 ports and 2 SFP module slots, AC power

Cisco IOS Release 12.2(25)EX

ME-3400-24TS-D

24 10/100 ports and 2 SFP module slots, DC power

Cisco IOS Release 12.2(25)EX

SFP modules

ME 3400

1000BASE-T, -BX, -SX, -LX/LH, -ZX
100BASE-BX, FX, -LX
Coarse wavelength-division multiplexing (CWDM)

Cisco IOS Release 12.2(25)EX

Digital optical monitoring (DOM) support for GLC-BX, CWDM and DWDM SFPs

Cisco IOS Release 12.2(44)SE

100BASE-EX, 100BASE-ZX

1000BASE-LX/LH MMF and SMF

1000BASE-SX MMF

DOM support for GLC-ZX-SM SFP, 1000BASE-LX/LH, and 1000BASE-SX

Cisco IOS Release 12.2(46)SE

DOM support for 1000BASE-BX

Additional DWDM SFPs qualification

Cisco IOS Release 12.2(50)SE

For a complete list of ME 3400 supported SFPs and part numbers, see the ME 3400 data sheet at:

http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps6580/product_data_sheet0900aecd8034fef3.html

SFP modules

ME 3400E

1000BASE-BX10, -SX, -LX/LH, -ZX
100BASE -BX10, -EX, -FX (GLC-FE-100FX only), -LX10, -ZX
1000BASE-T and 10/100/100BASE-T—Category 5,6
   (SFP-only ports; not supported on dual-purpose ports)

Coarse wavelength-division multiplexing (CWDM)

Dense wavelength-division multiplexing (DWDM)

Digital optical monitoring (DOM) support for SFP-GE-S, SFP-GE-L, 1000BASE-BX10, 1000BASE-ZX, CWDM and DWDM SFPs

Note See the hardware installation guide for SFP model numbers.

Cisco IOS Release 12.2(44)EY

Additional DWDM SFPs qualification

Cisco IOS Release 12.2(50)SE

For a complete list of ME 3400E supported SFPs and part numbers, see the ME 3400E data sheet at:

http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps9637/data_sheet_c78-495220.html

Cable

Catalyst 3560 SFP interconnect cable

Cisco IOS Release 12.2(25)EX


Upgrading the Switch Software

Finding the Software Version and Feature Set

Deciding Which Files to Use

Archiving Software Images

Upgrading a Switch

Recovering from a Software Failure

Finding the Software Version and Feature Set

The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. The image is stored on the system board flash device (flash:).

You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line of the display shows the version.

You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Deciding Which Files to Use

The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains the Cisco IOS image file. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.

Table 2 lists the filenames for this software release.


Note The ME 3400 metro base image is not supported on the Cisco ME 3400E switch.


Table 2 Cisco IOS Software Image Files 

Filename

Description

me340x-metrobasek9-tar.122-55.SE.tar

Cisco ME 3400 metro base cryptographic image.
This image has the Kerberos, Secure Shell (SSH), and basic Metro Ethernet features.

me340x-metroaccessk9-tar.122-55.SE.tar

Cisco ME 3400E and ME 3400 metro access cryptographic image.
This image has the Kerberos, SSH, and Layer 2 + Metro Ethernet features.

me340x-metroipaccess9-tar.122-55.SE.tar

Cisco ME 3400E and ME 3400 metro IP access cryptographic image.
This image has the Kerberos, SSH, Layer 2+, and full Layer 3 routing Metro Ethernet features.


Archiving Software Images

Before upgrading your switch software, make sure that you have archived copies of the current Cisco IOS release and the Cisco IOS release to which you are upgrading. You should keep these archived images until you have upgraded all devices in the network to the new Cisco IOS image and until you have verified that the new Cisco IOS image works properly in your network.

Cisco routinely removes old Cisco IOS versions from Cisco.com. See Product Bulletin 2863 for more information:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps1835/prod_bulletin0900aecd80281c0e.html

You can copy the bin software image file on the flash memory to the appropriate TFTP directory on a host by using the copy flash: tftp: privileged EXEC command.

You can also configure the switch as a TFTP server to copy files from one switch to another without using an external TFTP server by using the tftp-server global configuration command. For more information about the tftp-server command, see the "Basic File Transfer Services Commands" section of the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 at this URL:

http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_t1.html

Upgrading a Switch

This procedure is for copying the combined tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.


Note For downloading software, we recommend that you connect to the TFTP server through a network node interface (NNI). If you want to connect to the server through a user network interface (UNI), see the "Troubleshooting" chapter of the software configuration guide for methods for enabling ping capability on UNIs.


To download software, follow these steps:


Step 1 Use Table 2 to identify the file that you want to download.

Step 2 Download the software image file:

a. If you are a registered customer, go to this URL and log in.

http://www.cisco.com/cisco/web/download/index.html

b. Navigate to Switches > Service Provider Switches - Ethernet Access.

c. Navigate to your switch model.

d. Click IOS Software, then select the latest IOS release.

Download the image you identified in Step 1.

Step 3 Copy the image to the appropriate TFTP directory on the workstation, and make sure that the TFTP server is properly configured.

For more information, refer to Appendix B in the software configuration guide for this release.

Step 4 Log into the switch through the console port or a Telnet session.

Step 5 (Optional) Ensure that you have IP connectivity to the TFTP server by entering this privileged EXEC command:

Switch# ping tftp-server-address
 
   

Note By default, ping is supported on network node interfaces (NNIs), but you cannot ping from a user network interface (UNI) because the control-plane security feature drops ICMP response packets received on UNIs. See the "Troubleshooting" chapter of the software configuration guide for methods for pinging from the switch to a host connected to a UNI.


For more information about assigning an IP address and default gateway to the switch, refer to the software configuration guide for this release.

Step 6 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by entering this privileged EXEC command:

Switch# archive download-sw /overwrite /reload 
tftp:[[//location]/directory]/image-name.tar
 
   

The /overwrite option overwrites the software image in flash memory with the downloaded one.

The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.

For //location, specify the IP address of the TFTP server.

For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.

This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:

Switch# archive download-sw /overwrite
 
   
tftp://198.30.20.19/image-name.tar
 
   

You can also download the image file from the TFTP server to the switch and keep the current image by using the /leave-old-sw option instead of the /overwrite option.


Recovering from a Software Failure

For recovery procedures, see the "Troubleshooting" chapter in the software configuration guide for this release.

Installation Notes

You can assign IP information to your switch by these methods:

Using the CLI-based setup program, as described in the switch hardware installation guide.

Using the DHCP-based autoconfiguration, as described in the switch software configuration guide.

Manually assigning an IP address, as described in the switch software configuration guide.

New Software Features

Support for QoS classification and marking on the drop eligibility bit (DEI) in an IEEE 802.1ad frame. (ME 3400E)

Ability to configure the split-horizon feature on an 802.1ad C-UNI or S-UNI Layer 2 switchport to prevent communication between customer-edge switches with the same VLAN IDs. (ME 3400E)

Support for the BFD Protocol on SVIs.

Support for configuration of an alternate MTU value to allow specific interfaces a different MTU than the global system MTU or jumbo MTU.

AAA guarantee-first support for enabling or disabling system accounting as the first record.

An option to suppress verbose 802.1x, authentication manager, and MAC authentication bypass syslog messages.

Support for increasing the NVRAM buffer size for saving large configuration files.

ARP tracking probe enhancement to specify a source IP address for a VLAN.

Network Edge Access Topology (NEAT) controls the supplicant port during the supplicant authentication period. When you connect a supplicant switch to the authenticator switch, the authenticator port could be error-disabled when receiving Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets and the supplicant switch is not authenticated. The NEAT feature is now enhanced to block the supplicant port during authentication, to ensure authentication completes.

Use the dot1x supplicant controlled transient global configuration command to control access to the supplicant port during authentication. Use the no form of this command to provide access to the supplicant port during the authentication period.

Minimum Cisco IOS Release for Major Features

Table 3 lists the minimum software release (after the first release) required to support the features of the Cisco ME 3400E and ME 3400 switch. Features not listed are supported in all releases.


Note The first release for the Cisco ME3400E switch was 12.2(44)EY and it included all ME 3400 features through release 12.2(44)SE.


Table 3 Features Introduced After the First Release and the Minimum Cisco IOS Release Required 

Feature
Minimum Cisco IOS Release Required

Configuration of an alternate MTU value for specific interfaces

12.2(55)SE

BFD Protocol on SVIs

12.2(55)SE

Support for 802.1ad split horizon (ME 3400E).

12.2(55)SE

QoS classification and marking DEI bit in an IEEE 802.1ad frame (ME 3400E)

12.2(55)SE

Support for the IEEE 802.1ad standard (ME 3400E).

12.2(54)SE

CFM support on customer VLANs (C-VLANs).

12.2(54)SE

IEEE CFM MIB support.

12.2(54)SE

Ingress QoS classification enhancements

12.2(53)SE

Support for ingress QoS classification on QinQ-based ports (ME 3400E).

12.2(53)SE

Support for EEM 3.2

12.2(52)SE

Support for IP source guard on static hosts.

12.2(52)SE

IEEE 802.1x user distribution for deployments with multiple VLANs.

12.2(52)SE

Support for Network Edge Access Topology (NEAT) for changing the port host mode and applying a standard port configuration to the authenticator switch port.

12.2(52)SE

Support for 3DES and AES with version 3 of the Simple Network Management Protocol (SNMPv3).

12.2(52)SE

Support for including a hostname in the option 12 field of DHCPDISCOVER packets.

12.2(52)SE

DHCP snooping circuit-id sub-option of the Option 82 DHCP field.

12.2(52)SE

Connectivity fault management (CFM) Draft 8.1 compliance.

12.2(52)SE

Support for the TWAMP standard for measuring round-trip network performance between two devices.

12.2(52)SE

Additional IPv6 support to include IPv6 eBGP, IPv6 SNMP, Syslog, HTTP, and IPv6 MLD snooping.

12.2(52)SE

Support for QoS marking of CPU-generated traffic and queue CPU-generated traffic on the egress network ports.

12.2(52)SE

Multicast VLAN registration (MVR) enhancements.

12.2(52)SE

Resilient Ethernet Protocol (REP) hello link status layer (LSL) age timer configurable from 120 to 10000 ms in 40-ms intervals.

12.2(52)SE

Support for the LLPD-MED MIB and the CISCO-ADMISSION-POLICY-MIB.

12.2(52)SE

IPv6 routing support (metro IP access image only)

12.2(50)SE

IPv6 ACLs (metro IP access image only)

12.2(50)SE

BFD (metro IP access image only)

12.2(50)SE

REP support on ports connected to nonREP ports

12.2(50)SE

NEAT with 802.1X switch supplicant, host authorization with CISP, and auto enablement

12.2(50)SE

CPU utilization threshold trap

12.2(50)SE

EEM 2.4 (metro access image only on ME 3400)

12.2(50)SE

RADIUS server load balancing

12.2(50)SE

IP source guard in metro base image (ME 3400)

12.2(50)SE

Dynamic ARP inspection in metro base image (ME 3400)

12.2(50)SE

EOT and IP SLAs EOT static route support

12.2(46)SE (ME 3400)
12.2(50)SE (ME 3400E)

REP counter and timer enhancements

12.2(46)SE (ME 3400)
12.2(50)SE (ME 3400E)

HSRPv2 (metro IP access image only)

12.2(46)SE (ME 3400)
12.2(50)SE (ME 3400E)

DHCP server port-based address allocation

12.2(46)SE (ME 3400)
12.2(50)SE (ME 3400E)

DHCP-based autoconfiguration and image update

12.2(44)SE

Configurable small-frame arrival threshold

12.2(44)SE

Source Specific Multicast (SSM) mapping for multicast applications

12.2(44)SE

Support for the *, ip-address, interface interface-id, and vlan vlan-id keywords with the clear ip dhcp snooping command

12.2(44)SE

Flex Link Multicast Fast Convergence

12.2(44)SE

IEEE 802.1x readiness check

12.2(44)SE

Configurable control-plane queue assignment

12.2(44)SE

Configurable control plane security (support for ENIs)

12.2(44)SE

/31 bit mask support for multicast traffic

12.2(44)SE

Configuration rollback and replacement

12.2(40)SE

EEM (metro IP access image only)

Note EEM support was added to the metro access image in 12.2(44)SE

12.2(40)SE

IGMP Helper (metro IP access image only)

12.2(40)SE

IP SLAs support (metro IP access and metro access images only)

12.2(40)SE

IP SLAs enhanced object tracking (metro IP access and metro access images only)

12.2(40)SE

IP SLAs for Ethernet OAM (metro IP access image only)

12.2(40)SE

Multicast VRF Lite (metro IP access image only)

12.2(40)SE

SSM PIM (metro IP access image only)

12.2(40)SE

REP (metro IP access and metro access images only)

12.2(40)SE

LLDP-MED location TLV (metro IP access and metro access images only)

12.2(40)SE

ELMI-CE

12.2(37)SE

LLDP and LLDP-MED

12.2(37)SE

Port security on a PVLAN host

12.2(37)SE

VLAN Flex Links load balancing

12.2(37)SE

Support for Multicast VLAN Registration (MVR) over trunk ports

12.2(35)SE1

Enhanced object tracking for HSRP (metro IP access image only)

12.2(35)SE1

Ethernet OAM IEEE 802.3ah protocol (metro IP access and metro access images only)

12.2(35)SE1

Ethernet OAM CFM (IEEE 802.1ag) and E-LMI (metro IP access and metro access images only)

12.2(25)SEG

Per port per VLAN QoS (metro IP access and metro access images only)

12.2(25)SEG

Support for all OSPF network types (metro IP access only)

12.2(25)SEG

Layer 2 protocol tunneling on trunks (metro IP access and metro access images only)

12.2(25)SEG

IS-IS protocol (metro IP access only)

12.2(25)SEG

NNIs on all ports (metro IP access image only)

12.2(25)SEG

DHCP server

12.2(25)SEG

DHCP Option-82 configurable remote ID and circuit ID

12.2(25)SEG

Multiple spanning-tree (MST) based on the IEEE 802.1s standard

12.2(25)SEG

Nonstop forwarding (NSF) awareness (metro IP access image only)

12.2(25)SEG

Secure Copy Protocol

12.2(25)SEG

Flex Links sub-100-ms convergence; preemptive changeover (metro IP access and metro access images)

12.2(25)SEG

Link-state tracking (trunk failover) (metro IP access and metro access images only)

12.2(25)SEG


Limitations and Restrictions

You should review this section before you begin working with the switch. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.

Bidirectional Forwarding Detection

Connectivity Fault Management (CFM)

Configuration

EtherChannel

IP

IP Service Level Agreements (SLAs)

MAC Addressing

Multicasting

REP

Routing

QoS

SPAN and RSPAN

Trunking

VLAN

Bidirectional Forwarding Detection

The BFD session with the neighbor flaps when there is close to 100 percent bidirectional line- rate traffic sent through the physical links connecting the neighbors. This happens only on the sessions with Layer 3 BFD neighboring switches connected through a Layer 2 intermediate switch.

The workaround is to make sure that there is no 100 percent bidirectional unknown traffic flowing through the intermediate Layer 2 switch in the same links that connect Layer 3 switches. An alternate workaround is to always directly the Layer 3 switches when BFD is running. (CSCsu94835)

If you create a BFD session between two switches and then create an ACL that includes the permit ip any any log-input access-list configuration command, when you attach the ACL to one of the connecting interfaces, the BFD session goes down. If you remove the ACL from the interface, BFD comes back up.

The workaround is to not use the permit ACL entry with the log option on interfaces participating in BFD. (CSCtf31731)

Connectivity Fault Management (CFM)

On a switch running CFM, continuity check messages (CCMs) received on a MEP port that are a lower level than the configured MEP level should be discarded and an error message generated, regardless of whether or not the CCM has a valid CFM multicast destination address. On the ME 3400 switch, CFM C-VLAN CCMs with non-CFM multicast addresses are forwarded without CFM processing and no error messages are sent.

There is no workaround. (CSCte39713)

When the CFM start delay timer is configured to a small value, the Crosscheck-Up field in the output of the show ethernet cfm domain privileged EXEC command and the Mep-Up field in the output of the show ethernet cfm maintenance-points remote crosscheck privileged EXEC command might appear as No even if the CCM is learned in the remote database.

This is expected behavior. The workaround is to use the ethernet cfm mep crosscheck start-delay command to set the delay-start timer value larger than the continuity-check interval. (CSCtf30542)`

Configuration

The far-end fault optional facility is not supported on the GLC-GE-100FX SFP module.

The workaround is to configure aggressive UDLD. (CSCsh70244).

A static IP address might be removed when the previously acquired DHCP IP address lease expires.

This problem occurs under these conditions:

When the switch is booted without a configuration (no config.text file in flash memory).

When the switch is connected to a DHCP server that is configured to give an address to it (the dynamic IP address is assigned to VLAN 1).

When an IP address is configured on VLAN 1 before the dynamic address lease assigned to VLAN 1 expires.

The workaround is to reconfigure the static IP address. (CSCea71176 and CSCdz11708)

The DHCP snooping binding database is not written to flash memory or a remote file in any of these situations:

When the Network Time Protocol (NTP) is configured, but the NTP clock is not synchronized. You can check the clock status by entering the show NTP status privileged EXEC command and verifying that the network connection to the NTP server and the peer work correctly.

The DHCP snooping database file is manually removed from the file system. After enabling the DHCP snooping database by configuring a database URL, a database file is created. If the file is manually removed from the file system, the DHCP snooping database does not create another database file. You need to disable the DHCP snooping database and enable it again to create the database file.

The URL for the configured DHCP snooping database was replaced because the original URL was not accessible. The new URL might not take effect after the timeout of the old URL.

No workaround is necessary; these are the designed behaviors. (CSCed50819)

When dynamic ARP inspection is enabled on a switch, ARP and RARP packets greater than 2016 bytes are dropped by the switch or switch stack. This is a hardware limitation.

However, when dynamic ARP inspection is not enabled and a jumbo MTU is configured, ARP and RARP packets are correctly bridged in hardware. (CSCed79734)

Dynamic ARP inspection log entries might be lost after a switch failure. Any log entries that are still in the log buffer (have not been output as a system message) on a switch that fails are lost.

When you enter the show ip arp inspection log privileged EXEC command, the log entries from all switches in the stack are moved to the switch on which you entered the command.

There is no workaround. (CSCed95822)

When port security is enabled on an interface in restricted mode and the switchport block unicast interface command has been entered on that interface, MAC addresses are incorrectly forwarded when they should be blocked

The workaround is to enter the no switchport block unicast interface configuration command on that specific interface. (CSCee93822)

A traceback error occurs if a crypto key is generated after an SSL client session.

There is no workaround. This is a cosmetic error and does not affect the functionality of the switch. (CSCef59331)

When you enter the boot host retry timeout global configuration command to specify the amount of time that the client should keep trying to download the configuration and you do not enter a timeout value, the default value is zero, which should mean that the client keeps trying indefinitely. However, the client does not keep trying to download the configuration.

The workaround is to always enter a non zero value for the timeout value when you enter the boot host retry timeout timeout-value command. (CSCsk65142)

When an ME 3400 port is connected to an ME 3400E port, if one port is configured to 10 Mb/s and the other port is configured to 100 Mb/s (either full or half duplex), the 10 Mb/s port state appears as up/up and the 100 Mb/s port appears as down/down. This connection is a misconfiguration because the speed and duplex do not match.

The workaround is to correct the misconfiguration. (CSCtg53462)

EtherChannel

The switch might display tracebacks similar to this example when an EtherChannel interface port-channel type changes from Layer 2 to Layer 3 or the reverse:

15:50:11: %COMMON_FIB-4-FIBNULLHWIDB: Missing hwidb for fibhwidb Port-channel1 (ifindex 1632) -Traceback= A585C B881B8 B891CC 2F4F70 5550E8 564EAC 851338 84AF0C 4CEB50 859DF4 A7BF28 A98260 882658 879A58

There is no workaround. (CSCsh12472)

When an EtherChannel is configured for 802.1ad and a channel member that is up is removed from the EtherChannel, the 802.1ad configuration is removed. However, if the port channel is shut down and then removed from the EtherChannel, the 802.1ad configuration is not removed.

The workaround is to enter the no shutdown interface configuration command on the port channel before removing it from the EtherChannel. CSCtf77937 (Cisco ME 3400E only)

IP

The switch does not create an adjacent table entry when the ARP timeout value is 15 seconds and the ARP request times out. The workaround is to not set an ARP timeout value lower than 120 seconds. (CSCea21674)

IP Service Level Agreements (SLAs)

When the IP SLAs configured reaction type (configured by entering the ip sla reaction-configuration global configuration command) is round-trip time (RTT), an RTT event causes duplicate SNMP traps.

There is no workaround.

MAC Addressing

When a MAC address is configured for filtering on the internal VLAN of a routed port, incoming packets from the MAC address to the routed port are not dropped. (CSCeb67937)

Multicasting

The switch does not support tunnel interfaces, including DVMRP and PIM tunneling.

Nonreverse-path forwarded (RPF) IP multicast traffic to a group that is bridged in a VLAN is leaked onto a trunk port in the VLAN even if the port is not a member of the group in the VLAN, but it is a member of the group in another VLAN. Because unnecessary traffic is sent on the trunk port, it reduces the bandwidth of the port. There is no workaround for this problem because non-RPF traffic is continuous in certain topologies. As long as the trunk port is a member of the group in at least one VLAN, this problem occurs for the non-RPF traffic. (CSCdu25219)

If the number of multicast routes and Internet Group Management Protocol (IGMP) groups are more than the maximum number specified by the show sdm prefer global configuration command, the traffic received on unknown groups is flooded in the received VLAN even though the show ip igmp snooping multicast-table privileged EXEC command output shows otherwise. The workaround is to reduce the number of multicast routes and IGMP snooping groups to less than the maximum supported value. (CSCdy09008)

IGMP filtering is applied to packets that are forwarded through hardware. It is not applied to packets that are forwarded through software. Hence, with multicast routing enabled, the first few packets are sent from a port even when IGMP filtering is set to deny those groups on that port. There is no workaround. (CSCdy82818)

When you use the ip access-group interface configuration command with a router access control list (ACL) to deny access to a group in a VLAN, multicast data to the group that is received in the VLAN is always flooded in the VLAN, regardless of IGMP group membership in the VLAN. This provides reachability to directly connected clients, if any, in the VLAN. The workaround is to not apply a router ACL set to deny access to a VLAN interface. Apply the security through other means; for example, apply VLAN maps to the VLAN instead of using a router ACL for the group. (CSCdz86110)

If an IGMP report packet has two multicast group records, the switch removes or adds interfaces depending on the order of the records in the packet:

If the ALLOW_NEW_SOURCE record is before the BLOCK_OLD_SOURCE record, the switch removes the port from the group.

If the BLOCK_OLD_SOURCE record is before the ALLOW_NEW_SOURCE record, the switch adds the port to the group.

There is no workaround. (CSCec20128)

When IGMP snooping is disabled and you enter the switchport block multicast interface configuration command, IP multicast traffic is not blocked.

The switchport block multicast interface configuration command is only applicable to non-IP multicast traffic.

There is no workaround. (CSCee16865)

Incomplete multicast traffic can be seen under either of these conditions:

You disable IP multicast routing or re-enable it globally on an interface.

A switch mroute table temporarily runs out of resources and recovers later.

The workaround is to enter the clear ip mroute privileged EXEC command on the interface. (CSCef42436)

REP

Although you can configure a REP segment without configuring REP edge ports, we recommend that you configure REP edge ports whenever possible because edge ports enable these functions:

selecting the preferred alternate port

configuring VLAN load balancing

configuring topology change notifications (TCNs) toward STP, other REP segments, or an interface

initiating the topology collection process

preemption mechanisms

You cannot enable these functions on REP segments without edge ports.

On a switch running both Resilient Ethernet Protocol (REP) and Bidirectional Forwarding Detection (BFD), when the REP link status layer (LSL) age-out value is less than 1000 milliseconds (1 second), the REP link flaps if the BFD interface is shut down and then brought back up.

The workaround is to use the rep lsl-age-out timer interface configuration command to configure the REP LSL age timer for more than 1 second. (CSCsz40613)

If you configure two or more connected REP segments to send segment topology change notices (STCNs) by entering the rep stcn segment segment-id interface configuration command on REP interfaces, when segments inject messages simultaneously, an STCN loop occurs, and CPU usage can increase to 99 percent for 1 to 2 minutes before recovering.

The workaround is to avoid configuring multiple STCNs in connected segments. This is a misconfiguration. (CSCth18662)

Routing

The switch does not support tunnel interfaces for routed traffic.

A route map that has an ACL with a Differentiated Services Code Point (DSCP) clause cannot be applied to a Layer 3 interface. The switch rejects this configuration and displays a message that the route map is unsupported. There is no workaround. (CSCea52915)

A spanning-tree loop might occur if all of these conditions are true:

Port security is enabled with the violation mode set to protected.

The maximum number of secure addresses is less than the number of switches connected to the port.

There is a physical loop in the network through a switch whose MAC address has not been secured, and its BPDUs cause a secure violation.

The workaround is to change any one of the listed conditions. (CSCed53633)

QoS

When you use the bandwidth policy-map class command to configure more than one class in a policy map for Class-based Weighted Fair Queuing (CBWFQ), and the committed information rate (CIR) bandwidth for any of the classes is less than 2 percent of the interface rate, the CBWFQ classes in the policy may not receive the configured CIR bandwidths.

There is no workaround, but it is unlikely that a CBWFQ class would be configured with such a low CIR bandwidth. (CSCsb98219)

When several per-port, per-VLAN parent policies are attached to the input of one or more interfaces and a child policy of these parent policies is modified, the parent policies are detached from the interfaces and reattached during the process. Because the modified policy is large, the TCAM entries are being used up, and the attached policies should be removed. However, some of the parent policies are not removed from the interface, and the TCAM entries are cleared. If you save the configuration and reload the switch, the policies are detached, but the TCAM is full, and you cannot attach other policies.

This error message appears:

QOSMGR-4-QOS_TCAM_RESOURCE_EXCEED_MAX: Exceeded a maximum of QoS TCAM resources

The workaround is to manually detach the policy maps from all the interfaces by entering the no service-policy input policy-map-name interface configuration command on each interface. (CSCsk58435)

When CPU protection is disabled, you can configure 64 policers per port on most switches. However, on Cisco ME 3400EG-12CS and Cisco ME 3400G-12CS switches, due to hardware limitations, you can attach 64 per-port, per-VLAN policers to a maximum of 6 ports. If you attempt to attach more than 6 per-port, per-VLAN 64-policer policy maps, the attachment fails.

There is no workaround. (CSCsv21416)

SPAN and RSPAN

The egress SPAN data rate might degrade when multicast routing is enabled. The amount of degradation depends on the processor loading. Typically, the switch can egress SPAN at up to 40,000 packets per second (64-byte packets). As long as the total traffic being monitored is below this limit, there is no degradation. However, if the traffic being monitored exceeds the limit, only a portion of the source stream is spanned. When this occurs, the following console message appears: Decreased egress SPAN rate. In all cases, normal traffic is not affected; the degradation limits only how much of the original source stream can be egress spanned. If multicast routing is disabled, egress SPAN is not degraded.

There is no workaround. If possible, disable multicast routing. If possible, use ingress SPAN to observe the same traffic. (CSCeb01216)

Some IGMP report and query packets with IP options might not be ingress-spanned. Packets that are susceptible to this problem are IGMP packets containing 4 bytes of IP options (IP header length of 24). An example of such packets would be IGMP reports and queries having the router alert IP option. Ingress-spanning of such packets is not accurate and can vary with the traffic rate. Typically, very few or none of these packets are spanned. There is no workaround. (CSCeb23352)

When system jumbo MTU size is configured on a switch and the egress ports can support jumbo frames, the egress SPAN jumbo frames are not forwarded to the SPAN destination ports.

There is no workaround. (CSCsj21718)

Cisco Discovery Protocol (CDP) and Port Aggregation Protocol (PAgP) packets received by network node interfaces (NNIs) from a SPAN source are not sent to the destination interfaces of a local SPAN session.

The workaround is to use the monitor session session_number destination {interface interface-id encapsulation replicate} global configuration command for local SPAN. (CSCed24036)

Trunking

IP traffic with IP options set is sometimes leaked on a trunk port. For example, a trunk port is a member of an IP multicast group in VLAN X but is not a member in VLAN Y. If VLAN Y is the output interface for the multicast route entry assigned to the multicast group and an interface in VLAN Y belongs to the same multicast group, the IP-option traffic received on an input VLAN interface other than one in VLAN Y is sent on the trunk port in VLAN Y because the trunk port is forwarding in VLAN Y, even though the port has no group membership in VLAN Y. There is no workaround. (CSCdz42909).

For trunk ports or access ports configured with IEEE 802.1Q tagging, inconsistent statistics might appear in the show interfaces counters privileged EXEC command output. Valid IEEE 802.1Q frames of 64 to 66 bytes are correctly forwarded even though the port LED blinks amber, and the frames are not counted on the interface statistics. There is no workaround. (CSCec35100).

VLAN

If the number of VLANs times the number of trunk ports exceeds 13,000, the switch can stop.

The workaround is to not configure more than the recommended number of VLANs and trunks. (CSCeb31087)

A CPUHOG message sometimes appears when you configure a private VLAN. Enable port security on one or more of the ports affected by the private VLAN configuration.

There is no workaround. (CSCed71422)

Important Notes

When you upgrade the switch software to Cisco IOS release 12.2(50)SE or higher and autonegotiation is enabled on a Gigabit SFP fiber switch port (the default), but disabled on the link partner port, the switch port interface can show a state of down/down while the link partner shows up/up. This is expected behavior.

The workaround is to either enable autonegotiation on the link partner port or enter the speed nonegotiate interface command on the SFP port.

Open Caveats

CSCtt02029

A Cisco ME-3400EG-12CS-M switch could crash after reporting the following errors:

%SNMP-3-CPUHOG: Processing GetBulk of ciscoMgmt.87.1.4.1.1.36.0
%SYS-3-CPUHOG: Task is running for (2100)msecs, more than (2000)msecs
(10/5),process = SNMP ENGINE.
-Traceback= 150FFDC 1510064 15DE510 15DF8EC 15DF9F8 15B5380 15B5870 15B5A94 15B7098 
15D665C
15D67D8 1136670 1138E44 15B7770 11B74E8 11B9D6C 
%SNMP-3-CPUHOG: Processing GetBulk of ciscoMgmt.87.1.4.1.1.36.0
%SYS-3-CPUHOG: Task is running for (2100)msecs, more than (2000)msecs
(27/20),process = SNMP ENGINE.
-Traceback= 15110E0 151000C
 
   

This issue occurs with a Cisco ME-3400EG-12CS-M running Cisco IOS that is configured with SNMP and being polled by CiscoWorks.

Workaround:

There is no known workaround.

CSCty22420

On a Cisco ME-3400E, under certain rare conditions, it is possible that a fiber SFP Gigabit interface might show up as being half-duplex. This issue is cosmetic as the interface is actually operating in full-duplex mode.

Gigabit Fiber SFP should never be half-duplex. To verify the actual operating mode, use the following command:

show platform port-asic mac gig 0/1

In the output of the command, if DuplexMode is 1, the interface is actually operating in full-duplex mode. DuplexMode 0 is half-duplex.

Workaround:

Administer a shut/no shut on the port. Or, changing the media-type from SFP to RJ45 and then back to SFP usually corrects the problem.

Resolved Caveats

Caveats Resolved in Cisco IOS Release 12.2(55)SE8

Caveats Resolved in Cisco IOS Release 12.2(55)SE7

Caveats Resolved in Cisco IOS Release 12.2(55)SE6

Caveats Resolved in Cisco IOS Release 12.2(55)SE5

Caveats Resolved in Cisco IOS Release 12.2(55)SE4

Caveats Resolved in Cisco IOS Release 12.2(55)SE

Caveats Resolved in Cisco IOS Release 12.2(55)SE8

CSCtt19737

Cisco IOS IP SLAs probes fail because the control message is blocked. The firewalls block the control message when a response packet is not returned to the originating port.

The workaround is to disable IP SLAs control messages for this probe instance.

CSCty66157

The snmp-server group command does not associate both IPv6 and IPv4 ACLs simultaneously with an SNMP group.

The workaround is to use the snmp-server user command, which associates both IPv4 and IPv6 ACLs with an SNMP user.

CSCud79753

When a switch is configured with Cisco IOS IP SLAs FTP GET operation and if the target file is unavailable, the switch experiences a memory leak and may become unresponsive if it runs out of memory.

The workaround is to configure the Cisco IOS IP SLAs FTP GET operation only after verifying the availability of the remote target file and setting the permissions for the file, as appropriate. This allows the switch to retrieve the file and not experience a memory leak.

CSCue07405

When manually running on-demand diagnostic tests on a stack member using the diagnostic start switch number test all interface configuration command, the test TestPortAsicRingLoopback fails arbitrarily.

The workaround is to run only the TestPortAsicRingLoopback test (diagnostic start switch number test 4 interface configuration command) on the stack member. Isolate the stack member and then run the diagnostic start switch number test all interface configuration command on the rest of the stack.

Caveats Resolved in Cisco IOS Release 12.2(55)SE7

CSCtg52885

The Hot Standby Router Protocol (HSRP) on dot1q sub-interfaces remains in INIT state after a physical link flap on the trunk port.

The workaround is to enter the shutdown and no shutdown command on the interface.

CSCtz96168

IPv6 packets travel randomly between two isolated ports that are in the same VLAN.

There is no workaround.

CSCub04504

When the switch is configured with Resilient Ethernet Protocol (REP) and the interface constantly flaps, the switch reloads unexpectedly.

The workaround is to reload the switch.

CSCub92642

If the switch is configured with Multicast Distributed Switching (MDS), memory leaks if the multicast-routing distributed command is toggled repeatedly.

There is no workaround.

CSCud17778

Memory leaks (due to SNMP traps) cause the switch to respond slowly to commands; eventually the switch fails. This is observed when more than one SNMP server host is configured, one of the host broadcasts SNMP traps, or the snmp-server enable traps snmp authentication coldstart warmstart command is configured.

The workaround is to disable the snmp-server enable traps snmp authentication coldstart warmstart command and reload the switch.

CSCud21309

In a private VLAN, isolated ports leak ARP packets when port-based authentication is enabled.

There is no workaround.

Caveats Resolved in Cisco IOS Release 12.2(55)SE6

CSCef01541

Router process packets destined to a network address it does not have.

CSCsd67567

show ip mroute count displays twice the number of route entries under SSM setup.

CSCtc42278

%DATACORRUPTION-1-DATAINCONSISTENCY: Copy error is seen for incoming ISDN call.

CSCtd74235

Adding aggregate policers to the child policy-map crashes the switch.

CSCtg71149

When ports in an EtherChannel are linking up, the message EC-5-CANNOT_BUNDLE2 might appear. This condition is often self-correcting, indicated by the appearance of EC-5-COMPATIBLE message following the first message. On occasion, the issue does not self-correct, and the ports may remain unbundled.

CSCth09799

Performing a traceroute MPLS across an IPSec protected GRE tunnel carrying MPLS traffic may cause a traceback message at an intermediate-hop router along the path.

CSCth33165 (ME 3400E)

If you change the 802.1ad port type on an EtherChannel interface from s-uni isolate to c-uni (isolate or nonisolate), VLAN translation and EtherChannel incompatibility messages appear on the console.

CSCth77918

When the EtherChannel group mode is on and you configure 802.1ad split horizon on the EtherChannel interface by entering the ethernet dot1ad uni s-port isolate interface configuration command, after a switch reload, a PAgP flap error occurs, and the EtherChannel goes down.

CSCti26354 (ME 3400)

GLC-EX-SMD sfp is not recognized.

CSCti45681

If a switch is configured as trunk and the remote device is configured with subinterface with dot1q encapsulation, neighbor solicitation messages from IPv6 ports are not sent to other IPv6 ports outside the switch.

CSCti62848

Modifying a pre-existing policy-map crashes the ME 3400.

CSCtj03875

When you disconnect the spanning tree protocol (STP) peer link, the STP port path cost configuration changes.

CSCtj48387

Crash on ASR occurs due to corrupt values passed from DHCP component to doprnt.

CSCtj60261

Traceroute on an MPLS TE tunnel over GRE causes traceback on a next hop router.

CSCtj83964

On a switch running Protocol-Independent Multicast (PIM) and Source Specific Multicast (SSM), multicast traffic might not be sent to the correct port after the switch reloads.

CSCtj86299

If a static MAC address entry is configured for an IP address in the global routing table, ping requests are sent through the global context, and replies are sent through Virtual Routing and Forwarding (VRF). This is a VRF leak.

CSCtj88307

When you enter the default interface, switchport, or no switchport interface configuration command on the switch, this message appears: EMAC phy access error, port 0, retrying......

CSCtk00846

If Auto Smartports macros are configured, access points with the AIR-CAP prefix are not detected.

CSCtk18810

High memory usage is seen with Virtual Exec process.

CSCtl51859

Neighbor discovery fails for IPv6 hosts connected to the switch when the IPv6 MLD snooping feature is enabled globally on the switch.

CSCtn94127

An RP crash is observed at dhcpv6_server_pd_assign_pool during security tests.

CSCto14414 (ME-3400)

When you enable IP Address Resolution Protocol (IP ARP) inspection for selective Q-in-Q, IP ARP inspection drops all double-tagged packets even if you have enabled it on a C-VLAN or S-VLAN.

CSCto55124

When a member switch port security is used with port-based dot1x authentication and the switch MAC address is sticky, a connected device authenticates itself. Its MAC address is added as sticky in the switch configuration and in the port security tables of the stack switches. When the switch is shut down, the device MAC address is removed from the master switch, but it is retained in the member switch security tables. When the interface is re-enabled, the device MAC address is restored to the master switch configuration.

CSCto57605

If the Dynamic Trunking Protocol (DTP) is set to speed nonegotiate for two switches that interface each other, and the speed/duplex is configured as full/1000, the speed/duplex configuration of one of the switches changes to auto/auto when the switch is restarted. The port channel becomes incompatible and the second switch's operation is suspended. This problem applies only to the 1000BASE-LX interface.

CSCto57723

Cisco IOS Software and Cisco IOS XE Software contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a crafted request to an affected device that has the DHCP version 6 (DHCPv6) server feature enabled, causing a reload.

Cisco has released free software updates that address this vulnerability. This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-dhcpv6

CSCto67688

If a member switch does not have an access control list (ACL) and is running an Enforcement Policy Module (EPM) session, the client on that interface is re-authorized each time that the switch reloads.

The workaround is to configure an ACL on the interface.

CSCts03820

Auto Image Install: DHCP Option 125 / Sub Option 5 does not work.

CSCtt02313

PfR: Uncontrolled TC occurs due to Exit Mismatch.

CSCtt31901

UDLD port aggressive command needs to be used initially to sh udld nei work.

CSCtt39990

%PM-4-LIMITS appear although the VPI does not go over the maximum limit.

CSCtw56617

C3750G: Unexpected ACL sequence delete.

CSCtw58495

show epm session summary crashes the switch.

CSCtw93790

snmp-server trap timeout is not working as expected.

CSCtx20903

TACACS authentication fallback is not working.

CSCtx33436

When using the command switchport port-security maximum 1 vlan access, if an IP-phone with a PC behind it is connected to an access-port with port-security, a security violation occurs on the interface.

CSCtx37833

Constant REP interface flapping causes the ME3400 device to crash.

CSCtx53406

Unwanted IPv6 message occurs during boot-up of WS-C3750G-12S.

CSCtx61557

The switch crashes after logging "success" from "dot1x" for client (Unknown MAC).

CSCtx91976

SNMP PoE bug is seen on Cat 2960S.

CSCtx96491

A port configured and authenticated with dot1x security might not correctly detect a loop even if bpduguard is configured on the interface.

CSCtx99483

Switch crashes when removing PBR from interface.

CSCty56739 (ME 3400E)

ME-3400EG-24TS-M does not generate an external alarm trap.

CSCty93544

ACL is not fully applied when TCAM space is exhausted.

CSCtz27507

MF: 4500 crash occurs while polling ENTITY-MIB.

CSCtz54899

GLC-T in 12.2(55)SE5/ WS-C3750X-24S does not link up.

CSCtz92782

dACL is not applied on the switch interface in multi-domain mode.

CSCua09639

ARP is blocked with open authentication enabled switchports.

Caveats Resolved in Cisco IOS Release 12.2(55)SE5

CSCsy43147

During a Telnet session, the router crashes when the TACACS+ server is configured or unconfigured (tacacs-server host command) using the single-connection keyword.

The workaround is to not use the single-connection keyword.

CSCtb35715

When you enter the show running-config interface configuration command, IP Service Level Agreement notifications are shown as enabled even when you have not enabled this configuration using the ip sla enable reaction-alerts interface configuration command.

There is no workaround.

CSCtc18841

If local proxy Address Resolution Protocol (ARP) is configured on the VLAN interface, the ARP entry for the Hot Standby Router Protocol (HSRP) enters into an incomplete state.

The workaround is to remove the proxy ARP feature on the VLAN interface (by using the no ip local-proxy-arp interface configuration command) and restart the interface.

CSCtg38468

When AAA authorization is used with TACACS+, an error is displayed if the banner message (banner exec global configuration command) starts with a blank character.

The workaround is to not start the banner message with a blank character.

CSCti56444

The switch crashes unexpectedly.

There is no workaround.

CSCtj89743

CPU usage is high when a device connected to the switch is accessed using the https://IP_address command on the router.

The workaround is to reload the device.

CSCtn10697

The switch crashes when DCHP snooping is enabled with value 125 and an offer packet is received.

There is no workaround.

CSCto72927

If a Tcl policy is copied to the router, the router fails when an event manager policy is configured.

There is no workaround.

CSCtq09233

If a CLI configuration text file is copied from a Windows system to the switch, a space is appended to the end of the macro description command when the file is read from the flash of the switch. This leads to errors resulting in high CPU utilization on the switch. Another possible issue is that the macro is not removed when the link goes down or the connected device is removed from the switch.

The workaround is to copy the configuration file from a non-Windows system (like UNIX or Linux) or convert the file to an appropriate UNIX format before copying.

CSCtr28857

A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp

CSCtr91106

A vulnerability exists in the Cisco IOS Software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.

Products that are not running Cisco IOS Software are not vulnerable.

Cisco has released free software updates that address these vulnerabilities.

The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai

CSCts34688

The switch crashes due to the "HACL Acl Manager" memory fragmentation when a large access control list (ACL) is modified.

The workaround is add or remove ACE entries in sequential order when the ACL is modified.

CSCts75641

Routing Information Protocol (RIP) Version 2 packets egressing an 801.1Q tunnel interface are triplicated.

There is no workaround.

CSCtt16051

Cisco IOS Software contains a vulnerability in the Smart Install feature that could allow an unauthenticated, remote attacker to cause a reload of an affected device if the Smart Install feature is enabled. The vulnerability is triggered when an affected device processes a malformed Smart Install message on TCP port 4786.

Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20120328-smartinstall

CSCtt96298

Connectivity link is down on ports 1-2, 5-6 and 9-10 on switches that have the GLC-FE-100FX SFP module installed.

There is no workaround.

CSCtt37202

If a client switch is authorized using MAC Authentication Bypass (MAB), and then by using the 802.1x standard and dynamic VLAN assignment, the MAC address of the switch is not updated in the MAC address table of slave switches.

The workaround is to not use both the 802.1x and dynamic VLAN assignment configurations for the client switch.

CSCtu14007 (Cisco ME3400E switches only)

If a link fails and then recovers, the Resilient Ethernet Protocol (REP) continues to show the link status as failed. Consequently, no redundancy on the ring, and an outage occurs if another link fails.

The workaround is to enter the shutdown interface configuration command followed by the no shutdown command to reload the interface.

CSCtu17483

The switch crashes when an IP phone that uses LLDP and authenticates itself using MAC Authentication Bypass (MAB) or 802.1x is physically disconnected and reconnected to the switch port.

The workaround is to remove the aaa authorization network default group SG-PBA global configuration command.

Caveats Resolved in Cisco IOS Release 12.2(55)SE4

CSCta85026

The Dynamic Host Configuration Protocol (DHCP) CLI does not accept white spaces in raw ASCII option in the DHCP pool configuration submode. This issue is seen in Cisco IOS Release 12.4(24)T1 and later.

There is no workaround.

CSCtg11547

In a VPN Routing and Forwarding (VRF) aware setup, messages are not sent to the syslog server. This issue applies to Cisco IOS Release 12.2(53)SE and 12.2(53)SE1. This situation does not occur if system logging is configured in the global table.

This problem has been corrected.

CSCth87458

A memory leak occurs in the SSH process, and user authentication is required.

The workaround is to allow SSH connections only from trusted hosts.

CSCti37197

If a tunnel interface is configured with Cisco Discovery Protocol (CDP), the switch fails when it receives a CDP packet.

The workaround is to disable CDP on the interface by using the no cdp enable interface configuration command.

CSCtj56719

The switch fails when the Differentiated Services Code Point (DSCP) mutation name is longer than 25 characters.

The workaround is to configure DSCP mutation names with fewer than 25 characters.

CSCtl60151

The switch sometimes reloads after a CPU overload, regardless of the process that is overloading the CPU.

This problem has been corrected.

CSCtr79386

The switch fails when DHCP snooping is configured and packet data traffic is excessive. The traffic exhausts the I/O memory and triggers the switch to crash.

There is no workaround.

Caveats Resolved in Cisco IOS Release 12.2(55)SE

CSCsu31853

The buffer space of a switch running TCP applications is full while the TCP sessions are in the TIME_WAIT state. Buffer space becomes available after the TCP session the closed.

There is no workaround.

CSCte14603

A vulnerability in the Internet Group Management Protocol (IGMP) version 3 implementation of Cisco IOS Software and Cisco IOS XE Software allows a remote unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition. Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100922-igmp.shtml.

The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 22, 2010, or earlier:

http://www.cisco.com/warp/public/707/cisco-sa-20100922-bundle.shtml

Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html

CSCtf19991

If the RADIUS authentication server is unavailable and inaccessible authentication bypass is enabled, the switch grants the client access to the network by putting the connected port in the critical-authentication state in the RADIUS-configured or the user-specified access VLAN. After the server is available, the client is not reinitialized and moved out of the critical VLAN.

There is no workaround.

CSCtf27594

When Bidirectional Forwarding Detection (BFD) or REP is enabled on an interface of a switch that is running Cisco IOS Release12.2(50)SE or later, Release 12.2(52)SE or later, or Release 12.2(54)SE, CPU spikes can occur once or twice per hour.

There is no workaround.

CSCtf33948

A PC in 802.1x or multidomain authentication (MDA) mode is connected to an IP phone and connected to a MDA-enabled switch port. After the PC and phone are authenticated on the port, the PC is down. The port does not automatically reauthenticate the PC.

There is no workaround.

CSCtf71229 (Cisco ME 3400E only)

On a Catalyst ME 3400E switch, the Gigabit Ethernet interface of an SFP module on which autonegotiation is disabled unexpectedly operates in half-duplex mode and then enters the suspended state when one of these conditions occur:

you restart a switch that is running Cisco IOS Release 12.2(50)SE3 or later, Release 12.2(53)SE or later, or Release 12.2(54)SE.

you reinsert the optical cable into the SFP module.

you enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the EtherChannel interface to which the Gigabit Ethernet interface belongs.

The workaround is to enter the duplex auto and speed auto interface configuration commands on the Gigabit Ethernet interface.

CSCtg21344 (ME 3400E only)

If multiple VLAN mapping entries are deleted across a combination of ports, and a new entry is added, the new entry can overwrite a valid existing entry. This can result in traffic that would have been mapped to the entry either being forwarded without translation or dropped if default drop is configured on that interface. Once the problem has occurred, removing a single entry and adding a new entry can re-trigger the problem and cause another valid entry to be overwritten.

The workaround to clear the problem is to either reload the switch or to remove all VLAN translation entries across all ports and add them back. After either corrective action is taken, the problem does not return unless multiple VLAN translation entries are deleted before another entry is added.

CSCtg47738

This error message is displayed after copying a configuration file to the running configuration file fails:

%Error opening system:/running-config (No such file or directory)

The output of the dir system:/ EXEC command also does not show a running configuration file.

The workaround is to reload the switch.

CSCtg92766

Switches running Cisco IOS Release 12.2(50)SE and later might reload after this sequence of events:

1. 1. A hierarchical service policy is detached from an interface.

2. 2. A child policy is removed from the hierarchical policy and replaced by a new child policy.

3. 3. The hierarchical policy is reattached to the original interface.

4. 4. The original child policy is globally removed from the configuration.

The workaround is to create a new hierarchical policy with the new child policy instead of updating the original hierarchical policy.

CSCth03022

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or trigger memory leaks that may result in system instabilities. Affected devices would need to be configured to process SIP messages for these vulnerabilities to be exploitable.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds for devices that must run SIP; however, mitigations are available to limit exposure to the vulnerabilities.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-sip.shtml.

CSCti48504

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or trigger memory leaks that may result in system instabilities. Affected devices would need to be configured to process SIP messages for these vulnerabilities to be exploitable.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds for devices that must run SIP; however, mitigations are available to limit exposure to the vulnerabilities.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-sip.shtml.

CSCto88686

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or trigger memory leaks that may result in system instabilities. Affected devices would need to be configured to process SIP messages for these vulnerabilities to be exploitable.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds for devices that must run SIP; however, mitigations are available to limit exposure to the vulnerabilities.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-sip.shtml.

CSCtj41194

Cisco IOS Software contains a vulnerability in the IP version 6 (IPv6) protocol stack implementation that could allow an unauthenticated, remote attacker to cause a reload of an affected device that has IPv6 enabled. The vulnerability may be triggered when the device processes a malformed IPv6 packet.

Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6.shtml.

CSCth69364

Cisco IOS Software contains a memory leak vulnerability in the Data-Link Switching (DLSw) feature that could result in a device reload when processing crafted IP Protocol 91 packets.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-dlsw.shtml.

CSCtd10712

The Cisco IOS Software network address translation (NAT) feature contains multiple denial of service (DoS) vulnerabilities in the translation of the following protocols:

NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)

Session Initiation Protocol (Multiple vulnerabilities)

H.323 protocol

All the vulnerabilities described in this document are caused by packets in transit on the affected devices when those packets require application layer translation.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-nat.shtml.

CSCso02147

The Cisco IOS Software network address translation (NAT) feature contains multiple denial of service (DoS) vulnerabilities in the translation of the following protocols:

NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)

Session Initiation Protocol (Multiple vulnerabilities)

H.323 protocol

All the vulnerabilities described in this document are caused by packets in transit on the affected devices when those packets require application layer translation.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-nat.shtml.

CSCti98219

The Cisco IOS Software network address translation (NAT) feature contains multiple denial of service (DoS) vulnerabilities in the translation of the following protocols:

NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)

Session Initiation Protocol (Multiple vulnerabilities)

H.323 protocol

All the vulnerabilities described in this document are caused by packets in transit on the affected devices when those packets require application layer translation.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-nat.shtml.

CSCti48483

The Cisco IOS Software network address translation (NAT) feature contains multiple denial of service (DoS) vulnerabilities in the translation of the following protocols:

NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)

Session Initiation Protocol (Multiple vulnerabilities)

H.323 protocol

All the vulnerabilities described in this document are caused by packets in transit on the affected devices when those packets require application layer translation.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-nat.shtml.

CSCtj04672

The Cisco IOS Software network address translation (NAT) feature contains multiple denial of service (DoS) vulnerabilities in the translation of the following protocols:

NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)

Session Initiation Protocol (Multiple vulnerabilities)

H.323 protocol

All the vulnerabilities described in this document are caused by packets in transit on the affected devices when those packets require application layer translation.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-nat.shtml.

CSCth11006

The Cisco IOS Software network address translation (NAT) feature contains multiple denial of service (DoS) vulnerabilities in the translation of the following protocols:

NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)

Session Initiation Protocol (Multiple vulnerabilities)

H.323 protocol

All the vulnerabilities described in this document are caused by packets in transit on the affected devices when those packets require application layer translation.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-nat.shtml.

CSCto07919

Cisco IOS Software is affected by two vulnerabilities that cause a Cisco IOS device to reload when processing IP version 6 (IPv6) packets over a Multiprotocol Label Switching (MPLS) domain. These vulnerabilities are:

Crafted IPv6 Packet May Cause MPLS-Configured Device to Reload

ICMPv6 Packet May Cause MPLS-Configured Device to Reload

Cisco has released free software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6mpls.shtml.

CSCtj30155

Cisco IOS Software is affected by two vulnerabilities that cause a Cisco IOS device to reload when processing IP version 6 (IPv6) packets over a Multiprotocol Label Switching (MPLS) domain. These vulnerabilities are:

Crafted IPv6 Packet May Cause MPLS-Configured Device to Reload

ICMPv6 Packet May Cause MPLS-Configured Device to Reload

Cisco has released free software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6mpls.shtml.

CSCti79848

The Cisco IOS Software contains two vulnerabilities related to Cisco IOS Intrusion Prevention System (IPS) and Cisco IOS Zone-Based Firewall features. These vulnerabilities are:

Memory leak in Cisco IOS Software

Cisco IOS Software Denial of Service when processing specially crafted HTTP packets

Cisco has released free software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities are not available.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-zbfw.shtml.

CSCto68554

The Cisco IOS Software contains two vulnerabilities related to Cisco IOS Intrusion Prevention System (IPS) and Cisco IOS Zone-Based Firewall features.

These vulnerabilities are:

Memory leak in Cisco IOS Software

Cisco IOS Software Denial of Service when processing specially crafted HTTP packets

Cisco has released free software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities are not available.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-zbfw.shtml.

CSCtk67073

The Cisco IOS IP Service Level Agreement (IP SLA) feature contains a denial of service (DoS) vulnerability. The vulnerability is triggered when malformed UDP packets are sent to a vulnerable device. The vulnerable UDP port numbers depend on the device configuration. Default ports are not used for the vulnerable UDP IP SLA operation or for the UDP responder ports.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipsla.shtml.

CSCtk62453

The Cisco 10000 Series Router is affected by a denial of service (DoS) vulnerability where an attacker could cause a device reload by sending a series of ICMP packets.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are also available.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-c10k.shtml.

CSCto10165

A vulnerability exists in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software that could allow an unauthenticated, remote attacker to perform remote code execution on the affected device.

Cisco has released free software updates that address this vulnerability.

There are no workarounds available to mitigate this vulnerability other than disabling the Smart Install feature.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-smart-install.shtml.

CSCtq28732

Symptoms: Memory leak is observed when device is configured parameter-map type inspectglobal.

Conditions: Device is configured with parameter-map type inspect global.

See also Cisco Security Advisory: Cisco IOS Software IPS and Zone Based Firewall Vulnerabilities, at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-zbfw.shtml

Workaround: There is no workaround.

Documentation Updates

Update to the ME 3400 Hardware Installation Guide

Updates to the System Message Guide

Updates to the ME 3400E Regulatory Compliance and Safety Information Guide and the Getting Started Guide


Note For information about ME 3400 support for ingress QoS classification on QinQ-based ports, see the Configuring ME 3400E QoS Classification for QinQ-Based Service, Release 12.2(53)SE document under the ME 3400E Configuration Guides link.


Update to the ME 3400 Hardware Installation Guide

Cisco Ethernet Switches are equipped with cooling mechanisms, such as fans and blowers. However, these fans and blowers can draw dust and other particles, causing contaminant buildup inside the chassis, which can result in a system malfunction.

You must install this equipment in an environment as free as possible from dust and foreign conductive material (such as metal flakes from construction activities).

Follow these standard for guidelines for acceptable working environments and acceptable levels of suspended particulate matter:

Network Equipment Building Systems (NEBS) GR-63-CORE

National Electrical Manufacturers Association (NEMA) Type 1

International Electrotechnical Commission (IEC) IP-20

Updates to the System Message Guide

New Messages

Error Message    AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface 
[chars], new MAC address ([enet) is seen. AuditSessionID [chars]

Explanation    A host on the interface attempted to gain access to the network or attempted an authentication. The interface mode does not support the number of hosts that are attached to the interface. This is a security violation, and the interface has been error-disabled. The first [chars] is the interface, [enet] is the Ethernet address of the host, and the second [chars] is the session ID.

Recommended Action    Make sure that the interface is configured to support the number of hosts that are attached to it. Enter the shutdown interface configuration command followed by no shutdown interface configuration command to restart the interface.

Error Message    AUTHMGR-5-VLANASSIGN: VLAN [dec] assigned to Interface [chars] 
AuditSessionID [chars]

Explanation    A VLAN was assigned. [dec] is the VLAN ID, the first [chars] is the interface, and the second [chars] is the session ID.

Recommended Action    No action is required.

Error Message    AUTHMGR-7-FAILOVER: Failing over from [chars] for client ([chars]) on 
Interface [chars] AuditSessionID [chars]

Explanation    The authorization manager is failing over from the current authentication method to another method. The first [chars] is the current authentication method, the second [chars] is the client ID, the third [chars] is the interface, and the fourth [chars] is the session ID.

Recommended Action    No action is required.

Error Message    AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for 
client ([chars]) on Interface [chars] AuditSessionID [chars]

Explanation    All available authentication methods have been tried for the client, but authentication has failed. The first [chars] is the client ID, the second [chars] is the interface, and the third [chars] is the session ID.

Recommended Action    No action is required. If local authorization has been configured, the port will be authorized based on the local authorization method. Otherwise, authentication will restart according to the configured reauthentication period.

Error Message    AUTHMGR-7-RESULT: Authentication result [chars] from [chars] for 
client [chars] on Interface [chars] AuditSessionID [chars]

Explanation    The results of the authentication. The first [chars] is the status of the authentication, the second [chars] is the authentication method, the third [chars] is the client ID, the fourth [chars] is the interface, and the fifth [chars] is the session ID.

Recommended Action    No action is required.

Error Message    DOT1X-4-MEM_UNAVAIL: Memory was not available to perform the 802.1X 
action. AuditSessionID [chars] 

Explanation    The system memory is not sufficient to perform the IEEE 802.1x authentication. [chars] is the session ID.

Recommended Action    Reduce other system activity to reduce memory demands.

Error Message    DOT1X-5-FAIL: Authentication failed for client ([chars]) on Interface 
[chars] AuditSessionID [chars] 

Explanation    The authentication was unsuccessful. The first [chars] is the client ID, the second [chars] is the interface, and the third [chars] is the session ID.

Recommended Action    No action is required.

Error Message    DOT1X-5-SUCCESS: Authentication successful for client ([chars]) on 
Interface [chars] AuditSessionID [chars] 

Explanation    Authentication was successful. The first [chars] is the client ID, the second [chars] is the interface, and the third [chars] is the session ID.

Recommended Action    No action is required.

Error Message    DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address [enet] on 
[chars] AuditSessionID [chars] 

Explanation    The client MAC address could not be added to the MAC address table because the hardware memory is full or the address is a secure address on another port. This message might appear if IEEE 802.1x is enabled. [enet] is the client MAC address, the first [chars] is the interface, and the second [chars] is the session ID.

Recommended Action    If the hardware memory is full, remove some of the dynamic MAC addresses. If the client address is on another port, remove it from that port.

Error Message    EPM-6-AUTH_ACL: POLICY [chars]| EVENT [chars]

Explanation    The switch has sent or received a download request for a downloadable ACL (dACL). The first [chars] is the dACL policy? The second [chars] is the event.

Recommended Action    No action is required.

Error Message    HARDWARE-3-ASICNUM_ERROR: [traceback] Port-ASIC number [dec] is 
invalid

Explanation    The port ASIC number is invalid. [dec] is the port ASIC number.

Recommended Action    Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information.

Error Message    HARDWARE-3-PORTNUM_ERROR: [traceback] port number [dec] is invalid

Explanation    The port number is out of range. [dec] is the port number.

Recommended Action    Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information.

Error Message    IFMGR-3-IFINDEX_PERSIST_ENTRY_CORRUPT: [chars] seems to be corrupted. 
Trying to read [dec] size

Explanation    The ifIndex table is corrupted. [chars] is the path to the IfIndex file, and [dec] is the number of bytes that was being read from the ifIndex table when the corruption was detected.

Recommended Action    Delete the ifindex table.

Error Message    IFMGR-3-INVALID_PERSISTENT_DATA: Invalid persistent data

Explanation    The interface manager attempts to write invalid persistent data.

Recommended Action    Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information.

Error Message    ILET-1-AUTHENTICATION_FAIL: This Switch may not have been manufactured 
by Cisco or with Cisco's authorization. This product may contain software that was 
copied in violation of Cisco's license terms. If your use of this product is the 
cause of a support issue, Cisco may deny operation of the product, support under 
your warranty or under a Cisco technical support program such as Smartnet. Please 
contact Cisco's Technical Assistance Center for more information.

Explanation    A license authentication failure occurred for the switch.

Recommended Action    Contact your Cisco sales representative for assistance.

Error Message    ILET-1-DEVICE_AUTHENTICATION_FAIL: The [chars] inserted in this switch 
may not have been manufactured by Cisco or with Cisco's authorization. If your use 
of this product is the cause of a support issue, Cisco may deny operation of the 
product, support under your warranty or under a Cisco technical support program 
such as Smartnet. Please contact Cisco's Technical Assistance Center for more 
information.

Explanation    A license authentication failure occurred for a component that was inserted in the switch. [chars] is the component.

Recommended Action    Contact your Cisco sales representative for assistance.

Error Message    REP-3-INVALIDPKT: received invalid pkt: [chars]

Explanation    The switch has received an invalid Resilient Ethernet Protocol (REP) packet. [chars] is information about the invalid packet.

Recommended Action    Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information.

Error Message    REP-3-NOPPPROC: [traceback] Failed to create REP LSL Fast Hello Process

Explanation    The switch cannot exchange hello packets with its Resilient Ethernet Protocol (REP) neighbors because the Link Status Layer (LSL) age timer is set to more than 3 seconds.

Recommended Action    Reload the switch.

Error Message    SCHED-3-UNEXPECTEDEVENT: [traceback] [process information] Process 
received unknown event (maj [hex], min [hex])

Explanation    A process did not handle an event. The first [hex] is the major event number, and the second [hex] is the minor event number, both of which allow you to identify the event that occurred.

Recommended Action    Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information.

Modified Messages

Error Message    DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client 
([chars]) on Interface [chars] AuditSessionID [chars]

Explanation    The authentication result was overridden. The first [chars] is the client ID, the second [chars] is the interface, and the third [chars] is the session ID.

Recommended Action    No action is required.

Error Message    DOT1X_SWITCH-5-ERR_INVALID_PRIMARY_VLAN: Attempt to assign primary 
VLAN [dec] to 802.1x port [chars] AuditSessionID [chars]

Explanation    An attempt was made to assign a primary VLAN to an 802.1x port, which is not allowed. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.

Recommended Action    Use a different VLAN.

Error Message    DOT1X_SWITCH-5-ERR_INVALID_SEC_VLAN: Attempt to assign invalid 
secondary VLAN [dec] to PVLAN host 802.1x port [chars] AuditSessionID [chars] 

Explanation    An attempt was made to assign a nonsecondary VLAN to a private VLAN host 802.1x port. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.

Recommended Action    Change the port mode so that it is no longer a PVLAN host port, or use a valid secondary VLAN.

Error Message    DOT1X_SWITCH-5-ERR_PRIMARY_VLAN_NOT_FOUND: Attempt to assign VLAN 
[dec], whose primary VLAN does not exist or is shutdown, to 802.1x port [chars] 
AuditSessionID [chars] 

Explanation    An attempt was made to assign a private VLAN whose primary VLAN does not exist or is shut down. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.

Recommended Action    Make sure that the primary VLAN exists and is not shut down. Verify that the private VLAN is associated with a primary VLAN.

Error Message    DOT1X_SWITCH-5-ERR_SEC_VLAN_INVALID: Attempt to assign secondary VLAN 
[dec] to non-PVLAN host 802.1x port [chars] AuditSessionID [chars] 

Explanation    An attempt was made to assign a secondary VLAN to a port that is not a private VLAN host port, which is not allowed. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.

Recommended Action    Change the port mode so that it is configured as a private VLAN host port, or use a different VLAN that is not configured as a secondary VLAN.

Error Message    DOT1X_SWITCH-5-ERR_SPAN_DST_PORT: Attempt to assign VLAN [dec] to 
802.1x port [chars], which is configured as a SPAN destination AuditSessionID 
[chars] 

Explanation    An attempt was made to assign a VLAN to an 802.1x port that is configured as a Switched Port Analyzer (SPAN) destination port. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.

Recommended Action    Change the SPAN configuration so that the port is no longer a SPAN destination port, or change the configuration so that no VLAN is assigned.

Error Message    DOT1X_SWITCH-5-ERR_VLAN_EQ_MDA_INACTIVE: Multi-Domain Authentication 
cannot activate because Data and Voice VLANs are the same on port AuditSessionID 
[chars] 

Explanation    Multi-Domain Authentication (MDA) host mode cannot start when the configured data VLAN on a port is the same as the voice VLAN. [chars] is the port session ID.

Recommended Action    Change either the voice VLAN or the access VLAN on the interface so that they are not the same. MDA then starts.

Error Message    DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN [dec] on port [chars] 
cannot be equivalent to the Voice VLAN AuditSessionID [chars]

Explanation    An attempt was made to assign a data VLAN to an 802.1x port that is the same as the voice VLAN. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.

Recommended Action    Change either the voice VLAN or the 802.1x-assigned VLAN on the interface so that they are not the same.

Error Message    DOT1X_SWITCH-5-ERR_VLAN_INTERNAL: Attempt to assign internal VLAN 
[dec] to 802.1x port [chars] AuditSessionID [chars] 

Explanation    An attempt was made to assign an invalid VLAN to an 802.1x port. The VLAN specified is used internally and cannot be assigned to this port. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.

Recommended Action    Assign a different VLAN.

Error Message    DOT1X_SWITCH-5-ERR_VLAN_INVALID: Attempt to assign invalid VLAN [dec] 
to 802.1x port [chars] AuditSessionID [chars] 

Explanation    An attempt was made to assign an invalid VLAN to an 802.1x port. The VLAN specified is out of range. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.

Recommended Action    Update the configuration to use a valid VLAN.

Error Message    DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or 
shutdown VLAN [chars] to 802.1x port [chars] AuditSessionID [chars]

Explanation    An attempt was made to assign a VLAN to an 802.1x port, but the VLAN was not found in the VLAN Trunking Protocol (VTP) database. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.

Recommended Action    Make sure the VLAN exists and is not shut down, or use another VLAN.

Error Message    DOT1X_SWITCH-5-ERR_VLAN_ON_ROUTED_PORT: Attempt to assign VLAN [dec] 
to routed 802.1x port [chars] AuditSessionID [chars]

Explanation    An attempt was made to assign a VLAN to a supplicant on a routed port, which is not allowed. [dec] is the VLAN ID, the first [chars] is the port, and the second [chars] is the session ID.

Recommended Action    Either disable the VLAN assignment, or change the port type to a nonrouted port.

Error Message    DOT1X_SWITCH-5-ERR_VLAN_PROMISC_PORT: Attempt to assign VLAN [dec] to 
promiscuous 802.1x port [chars] AuditSessionID [chars]

Explanation    An attempt was made to assign a VLAN to a promiscuous IEEE 802.1x port, which is not allowed. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.

Recommended Action    Change the port mode so that it is no longer a promiscuous port, or change the configuration so that no VLAN is assigned.

Error Message    DOT1X_SWITCH-5-ERR_VLAN_RESERVED: Attempt to assign reserved VLAN 
[dec] to 802.1x port [chars] AuditSessionID [chars]

Explanation    An attempt was made to assign an invalid VLAN to an IEEE 802.1x port. The VLAN specified is a reserved VLAN and cannot be assigned to this port. [dec] is the VLAN, the first [chars] is the port, and the seconds [chars] is the session ID.

Recommended Action    Assign a different VLAN.

Error Message    DOT1X_SWITCH-5-ERR_VLAN_RSPAN: Attempt to assign RSPAN VLAN [dec] to 
802.1x port [chars]. 802.1x is incompatible with RSPAN AuditSessionID [chars]

Explanation    Remote SPAN should not be enabled on a VLAN with IEEE 802.1x-enabled. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.

Recommended Action    Either disable remote SPAN configuration on the VLAN, or disable IEEE 802.1x on all the ports in this VLAN.

Error Message    SPANTREE-2-BLOCK_BPDUGUARD_VP: Received BPDU on port [chars], vlan 
[dec] with BPDU Guard enabled. Disabling vlan. 

Explanation    A BPDU was received on the interface and the VLAN specified in the error message. The spanning tree BPDU guard feature was enabled and configured to shut down the VLAN. As a result, the VLAN was placed in the error-disabled state. [chars] is the interface, and [dec] is the VLAN.

Recommended Action    Either remove the device sending BPDUs, or disable the BPDU guard feature. The BPDU guard feature can be locally configured on the interface or globally configured on all ports that have Port Fast enabled. Re-enable the interface and vlan by entering the clear errdisable privileged EXEC command.

Deleted Messages

Error Message    DOT1X-4-MEM_UNAVAIL: Memory was not available to perform the 802.1X 
action.nn
Error Message    DOT1X-5-SUCCESS: Authentication successful for client ([chars]) on 
Interface [chars]
Error Message    DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address [enet] on 
[chars]
Error Message    \SW_VLAN-4-VTP_USER_NOTIFICATION: VTP protocol user notification: 
[chars]. 

Updates to the ME 3400E Regulatory Compliance and Safety Information Guide and the Getting Started Guide

These warnings were incorrectly documented in the guides. These are the correct warnings:

All Switches


Warning This product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than:
10 A Statement 1005

Cisco ME 3400EG-2CS-A


Warning To prevent the system from overheating, do not operate it in an area that exceeds the maximum recommended ambient temperature of:
140°F (60°C) Statement 1047

Cisco ME 3400E-24TS-M and Cisco ME 3400EG-12CS-M


Warning To prevent the system from overheating, do not operate it in an area that exceeds the maximum recommended ambient temperature of:
149°F (65°C) Statement 1047

Related Documentation

These documents provide complete information about the switch and are available from this Cisco.com site:

Cisco ME 3400E switch:
http://www.cisco.com/en/US/products/ps9637/tsd_products_support_series_home.html

Cisco ME 3400 switch:
http://www.cisco.com/en/US/products/ps6580/tsd_products_support_series_home.html

These are combined documents for the switches:

Cisco ME 3400E, ME 3400, and ME 2400 Ethernet Access Switches System Message Guide

These documents are available for the Cisco ME 3400E switch:

Release Notes for the Cisco ME 3400E Ethernet Access Switch

Cisco ME 3400E Ethernet Access Switch Software Configuration Guide

Cisco ME 3400E Ethernet Access Switch Command Reference

Cisco ME 3400E Ethernet Access Switch Hardware Installation Guide

Cisco ME 3400E Ethernet Access Switch Getting Started Guide

Regulatory Compliance and Safety Information for the Cisco ME 3400E Ethernet Access Switch

These documents are available for the Cisco ME 3400 switch:

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

Cisco ME 3400 Ethernet Access Switch Command Reference

Cisco ME 3400 and ME 2400 Ethernet Access Switch System Message Guide

Cisco ME 3400 Ethernet Access Switch Hardware Installation Guide

Cisco ME 3400 and ME 2400 Ethernet Access Switches Getting Started Guide

Regulatory Compliance and Safety Information for the Cisco ME 3400 and ME 2400 Ethernet Access Switches

Configuration Notes for the Cisco ME 3400G-12CS Ethernet Access Switch

Information about Cisco SFP, SFP+, and GBIC modules is available from this Cisco.com site:
http://www.cisco.com/en/US/products/hw/modules/ps5455/prod_installation_guides_list.html

SFP compatibility matrix documents are available from this Cisco.com site:
http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.