Cisco ME 3800X Series Carrier Ethernet Switch Routers

Release Notes for the Cisco ME 3800X and ME 3600X Switches, Cisco IOS Release 12.2(52)EY

  • Viewing Options

  • PDF (377.6 KB)
  • Feedback

Table Of Contents

Release Notes for the Cisco ME 3800X and ME 3600X Switch, Cisco IOS Release 12.2(52)EY and Later Releases


Hardware Supported

Software Licenses and Features

Upgrading the Switch Software

Finding the Software Version and Feature Set

Deciding Which Files to Use

Installing Software Images and Licenses

Installation Notes

New Software Features

Important Notes

Resolved and Open Caveats

Resolved Caveats for Cisco IOS Release 12.2(52)EY4

Resolved Caveats for Cisco IOS Release 12.2(52)EY3a

Resolved Caveats for Cisco IOS Release 12.2 (52) EY3

Open Caveats for Cisco IOS Release 12.2 (52) EY2a

Resolved Caveats for Cisco IOS Release 12.2 (52) EY2a

Open Caveats for Cisco IOS Release 12.2 (52) EY2

Resolved Caveats for Cisco IOS Release 12.2 (52) EY2

Resolved Caveats for Cisco IOS Release 12.2 (52) EY1c

Resolved Caveats for Cisco IOS Release 12.2 (52) EY1b

Resolved Caveats for Cisco IOS Release 12.2 (52) EY1

Open Caveats for Cisco IOS Release 12.2 (52) EY and Cisco IOS Release 12.2 (52) EY1

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

Release Notes for the Cisco ME 3800X and ME 3600X Switch, Cisco IOS Release 12.2(52)EY and Later Releases

January 22, 2013

These release notes include important information about the following Cisco IOS releases that run on the Cisco ME 3800X and ME 3600X switches:

Cisco IOS Release 12.2(52)EY

Cisco IOS Release 12.2(52)EY1

Cisco IOS Release 12.2(52)EY1b

Cisco IOS Release 12.2(52)EY1c

Cisco IOS Release 12.2(52)EY2

Cisco IOS Release 12.2(52)EY2a

Cisco IOS Release 12.2(52)EY3

Cisco IOS Release 12.2(52)EY3a

Cisco IOS Release 12.2(52)EY4

These release notes also include the limitations, restrictions, and caveats that apply to these releases.

You can verify that these release notes apply to your switch as follows:

If you are installing a new switch, see the Cisco IOS release label on the rear panel of your switch.

If your switch is on, use the show version privileged EXEC command. See the "Finding the Software Version and Feature Set" section.

If you are upgrading to a new release or a different image, see the software upgrade filename for the software version. See the "Deciding Which Files to Use" section.

For the complete list of Cisco ME 3800X and ME 3600X switch documentation, see the "Related Documentation" section.

You can download the switch software from this site (registered users with a login password):


"Hardware Supported" section

"Software Licenses and Features" section

"Upgrading the Switch Software" section

"Installation Notes" section

"New Software Features" section

"Important Notes" section

"Resolved and Open Caveats" section

"Related Documentation" section

"Obtaining Documentation, Obtaining Support, and Security Guidelines" section

Hardware Supported

Table 1 Supported Hardware


Cisco ME-3800X-24FS-M

24 Gigabit Ethernet SFP downlink ports and 2 SFP+ (10 Gigabit) uplink ports; supports removable, hot-swappable AC- and DC-input power supplies and fan modules.

Cisco ME-3600X-24FS-M

24 Gigabit Ethernet SFP downlink ports and 2 SFP+ (10 Gigabit) uplink ports; supports removable, hot-swappable AC- and DC-input power supplies. and fan modules

Cisco ME-3600X-24TS-M

24 10/100/1000BASE-T copper downlink ports and 2 SFP+ (10 Gigabit) uplink ports; supports removable, hot-swappable AC- and DC-input power supplies and fan modules.

SFP+ modules


SFP modules



SFP interconnect cable (50 cm)

1-meter, 3-meter, and 5-meter copper SFP+ cables

Software Licenses and Features

If you have a service support contract and order a software license or if you order a switch, you receive the universal software image, available in crypto and noncrypto versions. If you do not have a service support contract, such as a SMARTnet contract, download the image from

The ME 3600X supports these licenses:

Metro IP access is the universal image.

Advanced Metro IP access license.

10 Gigabit Ethernet upgrade license—enables 10 Gigabit Ethernet on the SFP+ uplink ports.

For differences in feature support for each license, see Table 2 and Table 3.

The ME 3800X supports these licenses plus a scaled license that can be installed with any of these licenses to increase the supported values for that license, for example, more MAC addresses, VLANs, IPv4 routes, and so on.

Metro Ethernet services is the universal image.

Metro IP service license.

Metro Aggregation services license.

Scaled license for any of the above licenses

For differences in feature support for each license, see Table 4 and Table 5.

To install a software image, see the "Upgrading the Switch Software" section and the "Working with the Cisco IOS File System, Configuration Files, and Software Images" chapter in the software configuration guide.

To install a software license, see the "Cisco IOS Software Activation Tasks and Commands" chapter in the Cisco IOS Software Activation Configuration Guide:

Table 2 ME 3600X Supported Features per License

Metro IP Access (Universal Image)
Advanced Metro IP Access license

Basic Layer 2 features (including 802.1Q)

Ethernet Virtual Circuits (EVCs)

IPv4 routing—RIP, OSFP, EIGRP, IS-IS, and BGP

Bidirectional Forwarding Detection (BFD)

Multicast routing —PIM, DM, SSM, and SSM mapping

Ethernet Operations, Administration, and Maintenance (OAM)—802.1ag, 802.3ah, and E-LMI

Multiple Spanning Tree Protocol (MSTP), Resilient Ethernet Protocol (REP), and Flex Links

Synchronous Ethernet

Multi VRF-CE (VRF-Lite) with service awareness (ARP, ping, SNMP, syslog, traceroute, FTP and TFTP)

All features in the Metro IP Access image

Multiprotocol label switching (MPLS)

MPLS traffic engineering and Fast Reroute



Ethernet over MPLS (EoMPLS)

Pseudowire redundancy

Table 3 ME 3600X License Scaling  

Supported feature
Metro IP Access
Advanced Metro IP Access

MAC addresses

8 K

16 K

IPv4 routes

20 K

20 K

IPv4 multicast groups and routes

1 K

1 K

Layer 2 multicast entries

1 K

1 K

Bridge domains

4 K

4 K

ACL entries

2 K

2 K

Table 4 ME 3800X Supported Features per License

Metro Ethernet Services (Universal Image)
Metro IP Services license
Metro Aggregation Services license

Basic Layer 2 features (including 802.1d and 802.1Q)


Ethernet OAM—802.1ag, 802.3ah, and E-LMI

MST, REP, Flex Links

Synchronous Ethernet

All features in the Metro Ethernet Services image

IPv4 routing—RIP, OSFP, EIGRP, IS-IS, and BGP


Multicast routing—PIM, DM, SSM, and SSM mapping

Multi VRF-CE with service awareness (ARP, ping, SNMP, syslog, traceroute, FTP and TFTP)

All features in the Metro IP Services license


MPLS traffic engineering and Fast Reroute




Pseudowire redundancy

Table 5 ME 3800X License Scaling

Supported feature
Metro Services
Scaled Metro Services
Metro IP Services
Scaled Metro IP Services
Metro Aggregation Services
Scaled Metro Aggregation Services

MAC table addresses

64 K

128 K

32 K

64 K

128 K

256 K

IPv4 routes

1 K

1 K

42 K

80 K

24 K

32 K

IPv4 multicast groups and routes



2 K

4 K

2 K

4 K

Layer 2 multicast entries

2 K

4 K

2 K

2 K

2 K

4 K

Bridge domains

4 K

4 K

2 K

2 K

4 K

8 K

ACL entries

4 K

8 K

4 K

8 K

4 K

16 K

Upgrading the Switch Software

"Finding the Software Version and Feature Set" section

"Deciding Which Files to Use" section

"Installing Software Images and Licenses" section

Finding the Software Version and Feature Set

The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. The image is stored on the system board flash device (flash:).

Note The flash memory can store a maximum of two IOS images or tar files. If you try to copy or archive upgrade beyond the flash memory capacity, the action aborts.

You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line of the display shows the version.

You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Deciding Which Files to Use

The software installation procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains the Cisco IOS image file. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.

Table 6 Cisco IOS Software Image Files 












Cisco ME 3800X universal images.










Cisco ME 3800X universal cryptographic images. These images have the Metro Ethernet features plus Kerberos and SSH.










Cisco ME 3600X universal images.










Cisco ME 3600X universal cryptographic images. These images have the Metro IP access features plus Kerberos and SSH.

Installing Software Images and Licenses

The switch is shipped with the latest software image installed. Follow the instructions in this section if you need to reinstall or upgrade the software image.

Before installing your switch software, make sure that you have archived copies of the current Cisco IOS release and the Cisco IOS release to which you are upgrading. You should keep these archived images until you have upgraded all devices in the network to the new Cisco IOS image and until you have verified that the new Cisco IOS image works properly in your network.

Cisco routinely removes old Cisco IOS versions from See Product Bulletin 2863 for more information:

You can copy the software image file on the flash memory to the appropriate TFTP directory on a host by using the copy flash: tftp: privileged EXEC command. You can also configure the switch as a TFTP server to copy files from one switch to another without using an external TFTP server by using the tftp-server global configuration command. For more information about the tftp-server command, see the "Basic File Transfer Services Commands" section of the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 at this URL:

This procedure is for copying the combined tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.

To download software, follow these steps:

Step 1 Use Table 6 to identify the file that you want to download.

Step 2 Locate the software image file:

a. If you are a registered customer, go to this URL and log in.

b. For ME 3800X, navigate to Switches > Service Provider Switches - Ethernet Aggregation.

For ME 3600X, navigate to Switches > Service Provider Switches - Ethernet Access.

c. Navigate to your switch model.

d. Click IOS Software, then select the latest IOS release.

Note When you select a crypto image, you must also accept the terms and conditions of using crypto images.

Step 3 Download the image to a TFTP server and make sure that the server is properly configured.

For more information, refer to Appendix B in the software configuration guide for this release.

Step 4 Log into the switch through the console port or a Telnet session.

Step 5 (Optional) Ensure that you have IP connectivity to the TFTP server by entering this privileged EXEC command:

Switch# ping tftp-server-address

For more information about assigning an IP address and default gateway to the switch, refer to the software configuration guide for this release.

Step 6 Download the image file from the TFTP server to the switch by entering this privileged EXEC command:

Switch# archive download-sw tftp:[[//location]/directory]/image-name.tar

For //location, specify the IP address of the TFTP server.

For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.

The /overwrite option overwrites the software image in flash memory with the downloaded one.

The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.

This example shows how to download an image from a TFTP server at and to overwrite the image on the switch:

Switch# archive download-sw /overwrite tftp://

You can also download the image file from the TFTP server to the switch and keep the current image by using the /leave-old-sw option instead of the /overwrite option.

Note There can be only two image directories in flash memory.

The installation process extracts the tar file with all the files and the IOS image, and sets the BOOT directory to the created directory in flash memory. The process takes approximately 5 to 10 minutes, and at some stages might appear to have stopped.

Step 7 The switch is configured to boot automatically, but you can ether the show boot privileged EXEC command to verify the boot path list and see if a manual boot is necessary.

Switch# show boot
BOOT path-list      : 
Config file         :    flash:/config.text
Private Config file : flash:/private-config.text
Manual Boot         : no
HELPER path-list    :  

Step 8 Save the configuration and reload the switch.

Switch# reload 

After the installation, the switch is running the universal image. Follow these steps to install a purchased license with increased capabilities. To purchase a license, contact Cisco.

Step 1 Copy the license file to flash or TFTP.

Step 2 Enter the command to install the license:

Switch# license install flash:LICENSE_FILENAME 
Switch# license install tftp://location/LICENSE_FILENAME 

Step 3 Enter these commands to boot from the new license:

Switch# configure terminal 
Switch(config)# license boot level license_name 

Step 4 If you have a a scaled license, install the scaled license

Switch# license install flash:SCALED_LICENSE_FILENAME 
Switch# license install tftp://location/SCALED_LICENSE_FILENAME 

Note To revert to a non-scaled license, enter the license clear scaled_license_name privileged EXEC command.

Step 5 Reload the switch for new license to take effect.

Switch# reload 

Installation Notes

You can assign IP information to your switch by using these methods:

The CLI-based setup program, as described in the switch hardware installation guide.

The DHCP-based autoconfiguration, as described in the switch software configuration guide.

Manually assigning an IP address, as described in the switch software configuration guide.

New Software Features

This release is the second software release for the Cisco ME 3800X and ME 3600X switch. For a detailed list of key features for this software release, refer to the "Overview" chapter of the software configuration guide for this release.

Important Notes

Approximately five minutes after the box boots up the IOS configuration, the on-board failure logging (OBFL) processes initializes, which uses CPU resources. This causes the switch to be less responsive for other functions for a short time.

If you try to configure more MPLS labels than are supported by the license installed on the switch, you might see a message similar to this:

*Mar  1 00:08:02.332: %SW_MGR-3-CM_ERROR: Connection Manager
Error - provision segment failed [ADJ:Vlan:2101760] - hardware platform error.

This does not affect functionality, but is a reminder that the number of MPLS labels is exceeding the limit.

Although you can configure a REP segment without configuring REP edge ports, we recommend that you configure REP edge ports whenever possible because edge ports enable these functions:

configuring VLAN load balancing

configuring topology change notifications (TCNs) toward STP, other REP segments, or an interface

initiating the topology collection process

preemption mechanisms

You cannot enable these functions on REP segments without edge ports.

In ME3800X platform, Cisco IOS Release 12.2(52)EY, the forward keyword is not supported for the l2protocol command. Therefore, it is impossible to forward Layer 2 control packets from a ME3800X switch to a Cisco 7600 router and vice versa. The tunnel option in ME3800X overwrites the PDU-destination MAC address with a well-known Cisco proprietary multicast address (01-00-0c-cd-cd-d0), while the forward option in Cisco 7600 simply forwards the PDU without any change or local processing; thus, the two platforms cannot cooperate.

Switch Port Analyzer (SPAN) is not supported.

Resolved and Open Caveats

The following sections provide information on resolved and open caveats:

Resolved Caveats for Cisco IOS Release 12.2(52)EY4

Resolved Caveats for Cisco IOS Release 12.2(52)EY3a

Resolved Caveats for Cisco IOS Release 12.2 (52) EY3

Open Caveats for Cisco IOS Release 12.2 (52) EY2a

Resolved Caveats for Cisco IOS Release 12.2 (52) EY2a

Open Caveats for Cisco IOS Release 12.2 (52) EY2

Resolved Caveats for Cisco IOS Release 12.2 (52) EY2

Resolved Caveats for Cisco IOS Release 12.2 (52) EY1c

Resolved Caveats for Cisco IOS Release 12.2 (52) EY1b

Resolved Caveats for Cisco IOS Release 12.2 (52) EY1

Open Caveats for Cisco IOS Release 12.2 (52) EY and Cisco IOS Release 12.2 (52) EY1

Resolved Caveats for Cisco IOS Release 12.2(52)EY4

The following are resolved in Cisco IOS Release 12.2(52)EY4:


Interface does not come up with duplex full and connected with crossover cable.

Interface does not come up when duplex is set to full and connected with crossover cable.

Workaround: shutdown/no shutdown


New number cannot be assigned to loopback IF on ME3600.

New number cannot be assigned to loopback Interface on ME3600 where 64 numbers have been used and assigned to loopback interfaces.

Workaround: None.


Router crashes on defaulting interface with BFD on HSRP.


CLI for getting PVR/SVR values for PPC.

Sometimes show version command does not show the correct revision for PPC. This issue is intermittent.

Workaround: None.


Cannot re-configure class-default under policy-map.

no class class-default


1. Delete and re-configure the policy-map.

2. Delete and re-configure the police cir command.


I/P traffic statistics getting classified under I/P policy-map applied on O/P.

Statistics gets incremented for the incorrect class in a different policy-map.

This issue occurs when there is an input policy and an output policy defined on the incoming and outgoing interfaces respectively. If you remove the egress policy and attach an input policy to the egress interface, then traffic increments on the input policy of input interface when the traffic is reversed.

Workaround: None.


Switch blocks DHCP packets with broadcast flag.

DHCP packets with broadcast flag are blocked by the switch.

This occurs on the ME-3600X-24FS-M switch, where the DHCP relay is configured using the switchport block multicast command.

Workaround: Use the no switchport block multicast command.


ME 3600X not passing Multicast packets to 224.0.0.x through EVC configuration

Unicast traffic and multicast traffic except 224.0.0.x pass through without any issues. This has been observed on tengigabit interface on ME3600 under the following conditions:

Bridge Domain is greater than 4094 or

Spanning tree mode is not MST or

Packets coming into the ME 3600 are untagged.


Make sure that the packets coming into the ME3600X are tagged with vlan id. If it is an L3 port, then create a sub-interface and configure encapsulation dot1q vlan.

Configure Spanning Tree mode as MST.

Bridge Domain should be less than 4094.


ME3600: backup PW (svi connect) flap crashes the box.

ME3600/ME3800 crashes with mac learning happening on SVI pseudowires, and ospf/bgp/ldp flaps or reconverges at the same time. This is predominantly seen when backup pseudowires are configured but can also occur on normal SVI pseudowires.

Workaround: Disable mac learning on SVI VLANs.


ME3800 SW_MGR-3-INVALID_SEGMENT: Segment Switch Manager Error.

The following log message and tracebacks may be seen:

SW_MGR-3-INVALID_SEGMENT: Segment Switch Manager Error - Invalid segment - no segment 
-Traceback= 7088F4z 1801754z 18015D8z 27DCD54z 2BFDADCz 2C05C04z 413500z 28B9508z 
28B958Cz 3B1F30z 3B22B4z 3B26A8z 3B2728z 3B2788z 3B4B88z 3B4958z

This may be seen on an ME3800 device that is using pseudowires and EVCs in the configuration.

Workaround: Reload the device. However, in come cases the device may reload however OSPF neighbors may not form a full OSPF neighbor relationship after this traceback occurs.


ME3600/ME3800 router stuck at t/b -Process= "Collection process" on ospf shut.


Rep fails periodically on TenGigabit port.

REP enabled TE port on ME3600/ME3800 goes to failed state without any trigger. TE port on ME3600/ME3800 fails without any condition, just REP enabled.

This issue is seen only when a 1000Base SFP is used with the TenGigabit port. It is not seen with Gigabit interfaces.

Workaround: Shut/No shut is a temporary workaround. The issue occurs again after a day or two.


ME3600/ME3800 crash@oce_to_sw_obj_type on frr cutover.

When attempting to trigger FRR by shutdown/no shutdown of one of the gigabit links, the switch crashes.

Workaround: None.


ME3600/ME3800 switch crashed after prolonged TE interface flapping.

Workaround: None.


ME3600/ME3800 switch crashes due to cpu-hog by collection process.

Workaround: None.


ME3600 switch crashes with diagnostic start test all command.

ME-3600X series switch running 12.2(52)EY2 and/or 15.1(2)EY IOS release crashes when the diagnostic start test all command is entered in the CLI. There are no specific configurations which trigger this error, the switch crashes with empty configuration.

Workaround: Avoid running the diagnostic start test all command on vulnerable code. Code upgrade needed when the fix is available.


show x25 hunt-group command causes %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

When issuing the show x25 hunt-group command, the following error may appear:


Workaround: None.


Management port stops responding due to O/P queue wedge 40/40.

Issue is seen after 4-5 days when the box is up and traffic is passing via management port.

Workaround: Reload the box.


CHUNKBADMAGIC seen for collection process.

This message is seen at collection process when the core interface is flapped and the core IGP comes up.

Workaround: None.


122SRD: Show dot1q-tunnel command with 2 act tunnel ports crashes SUP.

Tracebacks are seen when show dot1q-tunnel is executed.

Workaround: None.


DATA Corruption image with SXI5a throttle image.

Workaround: None.


Traceback while setting cdsRelayAgentInfoOptRemoteIdSub to more than 63.

Setting the cdsRelayAgentInfoOptRemoteIdSub to more than 63 results in traceback on DUT console.

Workaround: Retrieve the size using ip dhcp snooping information option format remote-id string command.


Traffic stops forwarding with EFP over multiple member link LACP bundle.

A Cisco ME3800 may stop forwarding traffic. The problem occurs when a Port-channel interface with multiple member link on LACP is configured via EVC. By sending single Source-Destination traffic, it is seen to be moving from one member link to another.


Use etherchannel instead of LACP.

Remove EVC.


ME36xx console not working at speed 300.

A baud rate less than 1200 is not supported on ME36xx platform. The supported baud rate range is 1200 - 115200, the default baud rate is 9600.

Workaround: None.


ME3600/ME3800 QoS: Memory Leaks on DM of the policy-map.

Workaround: None.


ME3600 show process xxx are Ambiguous command in show tech.

On the ME-3600X-24FS-M switch running Cisco IOS Release 15.1(2)EY1, the following command's log is not displayed by the show tech command.

show process memory

show process cpu

show process cpu history

If you enter show process xxx command only, the command displays the following output:

Switch# show process cpu
% Ambiguous command: "show process cpu"

Workaround: Use the following commands:

show processes memory

show processes cpu

show processes cpu history


ME3600X crashes with ttl macro and SNMP access.

Switch will crash if the etsec tx ring is hanged with the below TB decodes:


Workaround: Shut down the management port.


QoS: Policer configuration has exceeded hardware limitation.

The ME-3800X-24FS-M switch running Cisco IOS Release 12.2(52)EY2 displays the following output when a service policy is applied:

ECBUDECSCR11(config)# policy-map NNI-GI0/1-IN
ECBUDECSCR11(config-pmap)# class 152
ECBUDECSCR11(config-pmap-c)# service-policy VLAN152
QoS: Policer configuration has exceeded hardware limitation. The max number of ingress 
policers supported for interface range Gig0/1-Gi0/24 is 4096.
QoS: Configuration failed. Can NOT allocate resources.
QoS: Policy attachment failed. Configuration exceeds hardware resources for policy 

However the limit of 4096 policers have not been configured on the switch.

Workaround: None.


copy running-config startup-config gives 0 bytes copied.

Workaround: None.


Mem leak at nile_qm_alloc_eqos_vmr_entry during router bootup.

Memory leaks observed after bootup. The memory leaks are observed at nile_qm_alloc_eqos_vmr_entry.

Workaround: None.


Buffer leak on ME3600X due to no VTP enabled.

ME3600X running Cisco IOS Release 12.2(52), with no VTP command configured on the interface will have buffer leak due to receiving VTP packets.

Workaround: Enable VTP on interface.


ME3600X: Egress QoS service-policy classify 'marked' packet incorrectly.

Egress QoS service-policy does not classify marked packet correctly when applied to Layer 3 port channel members. The issue is seen only when the port channel is layer 3.


Remove and reapply the service-policy on the member interfaces.


Use a layer-2 port-channel and use SVI for layer 3 peering.


ME3600 wrong optical alarm Thresholds for CWDM SFPs.

CWDM sfps on a ME3600 switch, the optical receive alarm levels do not correspond to the data sheet levels for this SFPs.

Workaround: None.


Add show logging in show tech-support command for ME3600 and ME3800.

Workaround: None.


ME3600 switch with optical SFP media can not enable receive flow control.

Flow-control negotiation setting is ignored when optical SFP is used.

Workaround: None.


ME3600/3800 tar image build failure occurs on LDS servers.

Workaround: None.


MSDP-peered router joined to a multicast group may crash.

A Cisco router crashes when the Multicast Source Discovery Protocol (MSDP) multicast routing is enabled.

This issue is seen when a Cisco router is configured with MSDP multicast routing and the router is explicitly joined to the multicast group.

Workaround: Disable ip sap listen, and do not execute the ip igmp join-group command.


Command Authorization Fails for commands delivered over HTTP.

A vulnerability exists in the Cisco IOS software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.

Products that are not running Cisco IOS software are not vulnerable. Cisco has released free software updates that address these vulnerabilities. The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.

This advisory is available at the following link:

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.5/7:

CVE ID CVE-2012-0384 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL:

Resolved Caveats for Cisco IOS Release 12.2(52)EY3a

The following is resolved in Cisco IOS Release 12.2(52)EY3a:


rfp fail multicast copy Egress Port Queue and it causes packets drop.

rpf failed packets copy to SVI port which have rpf-fail oif list. It causes output queue exhaustion. The Router has SVI I/F with PIM enable and receives Join. The router receives the rfp fail packets.

Workaround: None.

Resolved Caveats for Cisco IOS Release 12.2 (52) EY3

The following caveats are resolved in Cisco IOS Release 12.2(52) EY3:



When access to CISCO-PORT-QOS-MIB and CISCO-CLASS-BASED-QOS-MIB, some of OID does not reply.

Workaround: None.


On ME3600/3800 rpf fail packets are double accounted on qos policies of L3 ports.

Higher rate seen on the qos policies attached on the L3 interface which has multicast interest. When the non-rpf packets make way into the node due to wrong handling by the hardware met, the L3 interfaces see these packets wherein they are dropped. But before they get dropped, they get accounted in the egress qos policy on the L3 interface.

Workaround: Shut the interface on which these non-rpf packets make way or clear the multicast groups once.


CPU keeps 100% while download and extract IOS(8-9 minutes).

When the IOS file is downloaded and the .tar file is extracted, the CPU usage reached 100%. The CPU usage remains at 100% for approximately 8-9 minutes.

Workaround: None.


L2PT double-commits to 12.2(52)EY03 throttle.


QoS: Router crashes on removal of service-policy configuration from the interface.


Write Core via FTP causes system crash.

Have configurations to enable core write to FTP server.

exception core-file <core_file_name>
exception protocol ftp
exception region-size 65536
exception dump <ip address>

The write core command causes a system crash.

Workaround: None.


ME3600x 10G ports multicast storm-control is broken.

When storm control is configured on the Ten Gig (0/2) interface, it does not drop packets when there is a storm.

Workaround: None.


When copper SFPs are plugged in, SFF8472 LED process causes high CPU utilization.

When a large number of copper SFPs are plugged into an me3800x device, only the sh proc cpu sorted command shows HIgh CPU utilization (~45%) with SFF8472 process consuming the cycles. This is noticed ONLY when Copper SFPs are plugged onto the device. This caused by slow low-level access to the device.

Workaround: None. This is caused by slow polling of the (i2c) bus and is only an issue with copper SFPs.


Multicast forwarding rate decreases after configuring max-metric.

ME3600x have 64SVI + 64PIM + 64 HSRP instance. When the max-metric command is configured on ME3600x, the multicast forwarding rate is decreased. Multicast traffic drops on trunk ports with output drops incrementing.

Workaround: Shut the interface on which non-rpf packets are coming on. Alternatively, change the DR priorities so that multicast forwarding happens only from one of the nodes.


Disable PCI interface when bringing down the switch before crashing.


ME3600 switch crashed when configuring the service-policy input.

ME 3600X series Ethernet Access switch crashed when configuring the service-policy input.

Workaround: Upgrade to 15.1 and later version of IOS.


ME3600: Source mac-address of a multicast frame is flapping.

This issue is seen in ME3600 running 12.2(52)EY1 release.

Workaround: None.


CDP disable resets management interface of ME3600.

An ME3600 resets the interface when disabling CDP using no cdp enable command. If the interface is configuring with no cdp enable command at bootup, the interface will be down/down.

Workaround: Shut/no shut the interface or enable cdp to bring the interface up.


The ME3600/ME3800 system hangs while writing crash information.

The ME3600/ME3800 system may be unresponsive or hang while dumping the crash information after a system crash. A reload of IOS immediately after a previous crash may cause the system to hang at boot up, or lead to garbled output on long running commands, (for example show memory command).

Workaround: None.


REP edge no neighbor with stcn stp can see stp convergence issues.

In certain conditions when running REP edge with no neighbor, where rep stcn stp command is configured a TCN may not be sent to allow STP convergence on the neighbor.

Workaround: None.


Interface does not come up when speed is set to 100 Mb/s on GI interface.


ME3600x Management Port Gig0 stays down/down while opposite side is up/up.

The Ethernet Management Port Gig0 of a ME3600x may remain in down/down state while the opposite interface is up/up. This has been observed on a ME3600x running 12.2(52)EY2 and 15.1(2)EY.

Workaround: None. To remedy the situation perform a shut/no shut on Gig0.


EoMPLS traffic stop after TE tunnel path change.

EoMPLS traffic does not flow after MPLS TE tunnel path changes after FRR. TE tunnel is used as PW. VC does not flap and label stack looks fine.

Workaround: Shut/no shut AC interface may recover from problem.


REP fails periodically on TE port.

When REP is enabled on TE port, the ME3600x/ME3800x goes to failed state without any trigger.

Workaround: Shut/No shut is a temporary workaround however the issue occurs again after a day or two.


Approximately 10 sec multicast duplication occurred when the max-metric is configured.

R1 and R2 have same cost to multicast source. R1 is AW because of big IP address. Where max-metric is configured on R1, the R1 sends PIM Assert. However, R2 does not send PIM Assert for a while, causing PIM Assert, Multicast duplication to occur.

Workaround: None.


ME3600X BGP is flapping every 55hour and 58 mins on GE interface.

No special conditions appear to cause this issue, just peer BGP neighbor and ingress numbers of BGP route from TenGE.

Workaround: None.

Open Caveats for Cisco IOS Release 12.2 (52) EY2a

The following caveats are open in Cisco IOS Release 12.2(52) EY2a:


The management ENET LED Port is not working when link is established. In the switch prompt the management port LED is not glowing though the host is alive and it is able to tftp and download the ios image.

Workaround: None. However you can ping the host manually to verify it is alive.


Asserts failure messages are seen on the device. This can result in traffic loss for some of the end-devices on certain VLANs. The issue occurs randomly and may occur a few minutes or a few days after boot up.

Workaround: None.


SD LED does not glow in the rommon prompt, even though the SD card is present.

Workaround: None.


The link polling status interval is currently constant, at 40ms.

Workaround: Use the test platform link_poll set_interval command to configure the link polling status interval. The range is 40ms to 200ms at interval of 20ms.

Resolved Caveats for Cisco IOS Release 12.2 (52) EY2a

The following caveats have been resolved in Cisco IOS Release 12.2 (52) EY2a:


SYS-2-MALLOCFAIL messages seen on console due to Management Port Failure.


CPU Hog, when running show int transceiver. When the show interface transceiver command is used for the first time after reload, it causes CPU Hog.


ME3800, STP is enabled on REP ports.


Unexpected packet drop after routing convergence.


SFF8472 process is causing CPU HOG. The following message appears after 10 min.

%SYS-3-CPUHOG: Task is running for (2246)msecs, more than (2000)msecs (15/9),process = 


Traceback observe at src-asic-nile/nile_adjmgr_l3m.c: 124: get_eaid_idex.


Bring down the forwarding path before writing the crash file.


ME3800: Equal-Cost-Multi-Path (ECMP) Load balancing does not work with Xconnect. Traffic through ME3800 may not be handled properly when it has ECMP to the destination.

Workaround: Downgrade to IOS 12.2(52)EY1.


Send break should be disabled by default.

Open Caveats for Cisco IOS Release 12.2 (52) EY2

The following caveats are open in Cisco IOS Release 12.2 (52) EY2:


OSMGR-3-LABEL_EXHAUST issue while attaching egress policy with 4k class.


ME3800x: Incorrect hardware programming for MPLS traffic.


STP and UDLD does not work in QnQ tunnel on ME3600X After reconfiguration.


Xconnect traffic is down as wrong label is being used by forwarding.

With IGMP snooping, forwarding does not happen for few entries.


Secure address count is not correct when mac security max addr config as 1.


Changing SH group may cause crash if a secure efp is in violation.


Shaping counters are incorrect on Egress QoS policy.


CPU hog messages seen on dynamic modification of qos policy.


Chunk mem leak on 3600/3800X [Niles Stats Ma, NILE EMAPD CHU, fi_handle_t].


Memory leak observed @ classmap_attach_filter_struct, filter_malloc.


OPM:IP Packets punted to CPU for routing are not being marked.


OPM: classification does not work in POP forwarding operation.


Routing table change leads to a milli-second-order packet loss.


Unable to modify xconnect configuration on hitting the scale limit.


Platform assert failures on flapping ten gig intf with ebgp sessions.


HSRP configs when config replaced show tracebacks.


Tracebacks upon removing MPLS TE Auto Tunnel configs.


ME3800X problems with Multicast Traffic.


Switch is inaccessible on reloading box with 1000 EFP QoS configuration.

Resolved Caveats for Cisco IOS Release 12.2 (52) EY2

The following caveats have been resolved in Cisco IOS Release 12.2 (52) EY2.


Egress classification does not work if the same dscp is set on ingress marking.


Traffic does not flow over EVC till mac-address table is cleared.


"no ipv6 address autoconfig" may cause crash after router advert. flood.


Fix sh int null0 display on switch.


SNMP Walk against a VLAN indexed OID causes crash k_dot1dStpPortEntry_get.


Increase the number of IPv4 routes supported on ME3600.


NAT: Crash with LDAPv3 traffic.


Failed authentication with login command changes the logged user.


Password prompted twice for AUTHEN that is falling over to line password.


Fix CSCti33534 in v122_52_ey_throttle.


Continuous Link syslog messages on Mgmt interface, with dhcp configured.


Configure prep-commit to include me360x* and me380x* images of v122_52_.


Hump crashes when switch mpls from routed to vlan with 2K vpns.


TCAM parity error seen on a few RMA units during POST.


ME3800: SW does not support DOM on Finisar SFP+ 10GE ER.


VRF aware feature does not work on ME3600X.


SFP module status is missing in show commands.


Adding more than 75 HSRP groups throws error.


Link is not coming up if 1G SFP inserted in 10G slot on humback.


Send break should be enabled by default.


Yellow alarm [RYEL bit] is set for E1 mode.


QoS: Packets from CPU does not get egress classified correctly.


ME3600: Combination speed settings not allowed.


BFD neighborship fails with ACL.


System clock cannot drive Output Clock on the switch.


IGMP snooping does not work after disable -> enable igmp snooping.


RCOM ME3800 High CPU because of label space on the ASIC is 8K.


Unknown TLV with U bit of 0 in LDP message was not handled properly.


Policer is not working on tengigabitethernet interface.


Switch is not forwarding packets properly with size >1518.


ME3600X is manufactured with identical leading 40 bit mac addresses.


REP edge nn with stcn stp, mst convergence failed on non rep peer.


QoS marking policy is not working with EVC Etherchannel.


TCAM Array Parity errors are found during POST.


Classification is broken while doing dynamic change on the policy.


Crash noticed after ASIC assert error messages.


ip->tag packets egressing switch are getting punted to host q.


Ethernet Service Instance Counters are not updated after shut/no shut.


Manipulating a policy-map causes ME3800 to crash.


ME360x crashes when polling dot1dTpFdbEntry_get.


Server crashes while generating TGN packets from client.


Platform assert errors on flapping te frr tunnels multiple times.


7600/IO memory fragmentation - SYS-2-MALLOCFAIL: Memory allocation fail.


QoS labels are not removed when classes are deleted dynamically.


Multicast does not work over SVI based EoMPLS with TE tunnels.


CFM transparency over SVI Eompls broken.


Traffic stops on HSRP active interface after reload (sometimes).


Ping from standby HSRP router and host to HSRP virtual IP fails.


Packets wrongly get classified after dynamic modification in RWN--Trunk.

Resolved Caveats for Cisco IOS Release 12.2 (52) EY1c

The following caveats have been resolved in Cisco IOS Release 12.2(52)EY1c.


TCAM parity error is seen on some RMA units during POST, and the following error is set.

POST: Port ASIC CAM Subsystem Tests: Begin

TCAM APErr is set

POST: Port ASIC CAM Subsystem Tests: End, Status Failed

The subsequent action is a crash, and the unit never boots up.


TCAM Array Parity errors are found during POST. The POST fails the Port ASIC CAM Subsystem Tests, due to TCAM ArrayParity error. This happens during power cycle and does not usually happen on subsequent reloads.

The following error is set on POST:

POST: Port ASIC CAM Subsystem Tests: Begin

TCAM APErr is set

POST: Port ASIC CAM Subsystem Tests: End, Status Failed

Subsequent action is a crash, and the unit never boots up.

Resolved Caveats for Cisco IOS Release 12.2 (52) EY1b

The following caveats have been resolved in Cisco IOS Release 12.2 (52) EY1b.


Packets with size greater than 1518 are not forwarding. When this happens, the system may not be able to send or receive any more packets.


ME3600X is manufactured with identical leading 40 bit mac addresses. The problem occurs if the switch base mac addresses have identical leading 40 bit mac addresses. If two ME3600X switches with identical leading 10 hex digits / 40 bits base mac address are directly connected they black hole traffic when the source mac of the traffic is from the switch base mac.


The null0 interface counters are not updated. Packet counters do not increment. The show platform ip unicast statistics command can be used to check the packet counts.


Increase the number of IPv4 routes supported on 3600. Currently this number is 20k ipv4 routes. This needs to be increased to 24k ipv4 routes. This can be done by taking up TCAM space from ipv6. Presently 5 TCAM blocks are reserved for ipv6 (10k ipv6 routes) and 5 blocks for ipv4 (20k ipv4 routes). This is changed to 4 blocks for ipv4 (8k ipv6 routes) and 6 blocks for ipv4 (24k ipv4 routes).

Resolved Caveats for Cisco IOS Release 12.2 (52) EY1

The following caveats have been resolved in Cisco IOS Release 12.2 (52) EY1.


When the Resilient Ethernet Protocol (REP) Link Status Layer (LSL) age timer is configured to 120 msec (implying the REP LSL hello timer is 40 msec at a retry of 3), the REP links flap occasionally.


When the user connects a Dell laptop through the console cable, the ME 3600X switch reloads.


In the presence of QoS Policy on the Ethernet Virtual Circuit (EVC), when the traffic rate goes beyond the QoS Policy, the Hot Standby Router Protocol (HSRP) packets could get dropped leading to protocol flaps.


When a class is dynamically removed from a child level (logical) policy and reattached, COS packets are incorrectly classified on the class.


When the number of unique next hop hosts learned by the system exceeds the system internal limit for Layer 2 rewrite entries, software forwarding kicks in due to incomplete adjacency.


Under certain combination of EVC/Switched Virtual Interface (SVI), Cisco Discovery Protocol (CDP) packets are not tunneled correctly.


When an attempt is made to reduce the REP LSL AGE timer below the current default value of 920 msec, the configuration is rejected.


When user breaks the auto booting of IOS image via Send break, a *** line too large *** message is displayed. This is just a warning message and is not an issue when the extra input characters are simply dropped.


No POST support for mini IOS image.

Open Caveats for Cisco IOS Release 12.2 (52) EY and Cisco IOS Release 12.2 (52) EY1

Cisco IOS Release 12.2 (52) EY and Cisco IOS Release 12.2 (52) EY1 contain these open caveats:


Packets sent to the CPU for any reason after ingress quality of service (QoS) processing and then sent out of another port are not classified correctly at egress QoS, and are not remarked per the configured input QoS set action.

Workaround: None


When you configure egress QoS, matching the outer class of service (CoS) value does not work at the egress provider edge when the egress port is configured as an EoMPLS vc type 4 xconnect (short-pipe model). When the MPLS tag is popped at the egress provider edge, the VLAN tag is exposed, and you cannot match the outer CoS value in this VLAN tag. Packets are put in the CoS 0 class or the class-default class.

Workaround: Use the pipe model instead of the short pipe model for the provider edge egress port. At the egress edge, configure QoS to match mpls exp. Configure set qos-group at the ingress and then match on the QoS group at the egress interface.


When you insert a large number of copper SFPs into a switch, a significant percentage of CPU processing cycles are used polling the SFP link status. The percentage is proportional to the number of copper SFPs used. The maximum CPU bandwidth processing copper SFPs is approximately 25 percent of the total CPU bandwidth.

Workaround: None.


When you configure static IGMP group entries on a switched virtual interface (SVI) on a switch that has multicast routing enabled with source-specific multicast (SSM) group default settings, multicast data traffic is not forwarded from the SVI.

Workaround: Toggle the state of the SVI interface by entering the shutdown command followed by the no shutdown command to ensure that the static group entry (s,g) is installed after the (*,g) entry is installed, which is the correct order.


When a policy-map is applied to an EtherChannel member port that is forwarding traffic, if the member port (for example, GigabitEthernet 0/1) is shut down, the output from the show policy-map interface GigabitEthernet 0/1 privileged EXEC command shows that the output counters are still incrementing.

Workaround: None. The counters increment even when the EtherChannel member port is shut down.


If you have configured a VRF IP DHCP pool relay destination by using the vrf and relay destination ip-address DHCP pool configuration mode commands, the relay destination line is removed from the configuration when you reload the switch.

Workaround: Edit the configuration file before rebooting to move the VRF definition before the ip dhcp pool entry.

For example, in the configuration below, move the ip vrf vrf1 configuration above the ip dhcp pool pool-vrf configuration entry.

ip dhcp pool pool-vrf
   vrf vrf1
   relay source
   relay destination
ip vrf vrf1
 rd 100:1
 route-target export 100:1
 route-target import 100:1


A traceback message might appear when you configure a DHCP session with an IP unnumbered interface for the relay agent.

Workaround: None. This is a temporary traceback condition that does not affect traffic.


If you configure an Ethernet flow point (EFP) on an interface by configuring a service instance, bridge-domain, and VLAN and save the configuration, if you then enter the config replace flash: default.cfg privileged EXEC command with the default configuration (no service instance configured), traceback messages appear.

Workaround: None. Functionality is not affected.


In a ring topology (or a topology with a loop), when you clear dynamic entries in the MAC address table, you might see MAC address flapping on interfaces in the loop that meet these all of these conditions:

The interfaces have untagged service instances in the same bridge-domain.

The interfaces are running multiple spanning tree (MST) for loop avoidance.

The interfaces have keepalive enabled.

Workaround: Use one of the following workarounds:

Configure each untagged service instance on an interface with keepalives enabled in a different bridge-domain.

Disable keepalive on interfaces with untagged service instances in the same bridge-domain that are connected in a loop and are running MSTP.


The MPLS VC receive byte counters include the 14-byte Ethernet header in the byte statistics calculations, which adds an additional 14 bytes per packet. The send byte counters might be inaccurate by 4 bytes per packet by not properly accounting for the VLAN tag.


Receive byte count:

Switch# show mpls l2 vc 1400 detail | begin vc statistics
  VC statistics:
    packet totals: receive 1000, send 0
    byte totals:   receive 142000, send 0 <--- The packet size is 142 instead of 128 
    packet drops: receive 0, send 0

Send byte count:

Switch# show mpls l2 vc 1400 detail | begin VC statistics
  VC statistics:
    packet totals: receive 0, send 1000
    byte totals:   receive 0, send 128000  <-- The packet size should be 124
    packet drops:  receive 0, send 0

Workaround: None. However, the bytes may be manually subtracted or added based on the total packets sent or received.


When you have configured service policies on a very large number of egress EFPs in different bridge domains, the system is unresponsive while the configuration is being applied. The length of time the system is unresponsive varies depending on the number of entries per policy and the TCAM resources. The delay is less for EFPs in the same bridge domain and there is no notable delay for ingress EFPs.

Workaround: None.


When you are upgrading the software, if you use TFTP/FTP to copy the switch image into flash memory, the process brings the CPU utilization to 90 percent.

Workaround: None. The cause is a slow flash file system. Routing and switching functionality and high priority traffic processing are not affected.


On a switch with AAA enabled, if you continuously and quickly enter show commands, the Ethernet management port appears to freeze up until you stop entering commands.

Workaround: None required. The problem does not occur when you enter commands at a normal rate.


If you modify the maximum transmission unit (MTU) on a port that is a member of an EtherChannel, the port might not come up even when the configured MTUs are the same on both the member port and the EtherChannel.

Workaround: Always configure the EtherChannel MTU first and then add the physical port to the port channel. To recover from the condition, shut down and then enable the port by entering the shutdown followed by the no shutdown interface command on the port.


In a Resilient Ethernet Protocol (REP) ring environment, when the number of learned IGMP snooping entries is more than the license-supported limits, the forwarding bandwidth decreases for multicast traffic. Forwarding bandwidth remains acceptable when the license limits are not exceeded.

Workaround: Limit the number of IGMP snooping learned entries to be within the limits supported for the platform license.


When you have configured the Cisco Network management System (CNS) also referred to as Cisco IOS Configuration Engine, on both the customer edge server and on the switch with an associated template, if you overwrite the startup configuration with the CNS template, the show startup-config command output is not correct.

For example, if you enter a configuration template on the customer edge server with this one line of configuration:

Router(config)# cns trusted-server all-agents

Then associate the device with the this template and configure the switch for CNS where ip-address is the IP address of the Configuration Engine server:

Switch(config)# cns trusted-server all-agents ip-address
Switch(config)# cns event ip-address 

If you enter the cns config retrieve ip-address overwrite-startup privileged EXEC command to overwrite the startup configuration with the configuration template from the server, the startup configuration is corrupted and the show startup-config privileged EXEC command output includes extraneous raw hex values and memory address space information as in this example:

Switch# show startup-config
Using 43 out of 1572864 bytes00000000:  0A636E73 20747275 73746564 2D736572 .cns  
00000010:  76657220 616C6C2D 6167656E 74732031    ver  all- agents 1
00000020:  2E312E31 2E310A65 6E640AXX XXXXXXXX    .1.1 .1.end.X XXXX

Workaround: None.


When an EtherChannel port channel contains many EFPs with MPLS running on many interfaces, if you set a 10-Gigabit port to the default setting and then enter the switchport trunk allowed vlan interface command to allow VLANs, an occasional traceback message appears.

Workaround: None.


When the number of BGP routes configured on a switch exceeds the number supported by the installed license and the switch runs for many hours, flapping might occur on VLAN interfaces with an error message similar to this:

%UTIL-3-IDTREE_TRACE: PW freelist DB:Duplicate ID free for 16785

Workaround: None. The system automatically recovers with marginal traffic loss.


When Synchronous Ethernet (SyncE) is running in 2048KHz (nonframing) mode, if the switch loses its line sources and is in holdover or free-run state, it is not able to notify the Synchronization Supply Unit (SSU) that it has lost the line sources. This could result in the switch lower quality clock driving the high quality SSU clock.

Workaround: None.


SyncE implementation on the switch does not support the option of the system clock (T0) driving the output clock (T4). Therefore, you cannot use the switch for these functions that are available in other platforms that support BITS OUT:

Monitoring the G.8262 Synchronous Equipment Timing Generator (SETG) output for on-site probe for long term measurement.

Ethernet Equipment Clock (EEC) feeding the System Equipment Clock (SEC) when there is no SSU on the site (distributing timing on a site between Ethernet and SDH equipment).

Workaround: None


When the switch is in SyncE holdover or free-run state, if no inputs are configured for output clock (BITS OUT) or if the input configurations for output clock are removed, the switch could drive the high quality SSU clock with its lower quality clock.

Workaround: None.


If you change the encapsulation type on an existing service instance that is routing traffic, the Layer 3 multicast traffic flow stops until the existing multicast route entries are cleared.

Workaround: Enter the clear ip mroute privileged EXEC command to clear and relearn the entries in the database to resume traffic forwarding.


When an SFP-10GBase-CUxM SFP+ module is inserted in the switch, the correct vendor object ID (OID) is not displayed in the ANA network management tool.

Workaround: None. Functionality is not affected.


On a secure EFP in protect or restrict violation mode, if you enter the no mac security maximum addresses or the mac security maximum addresses value service-instance configuration command to decrease the MAC security maximum address count, new addresses cannot be learned. All secure addresses are removed as expected, but the violation mode is not disabled.

Workaround: Use one of these workarounds:

Disable MAC security on the EFP, increase the maximum number of secure MAC addresses on the EFP, and then reenable MAC security by entering these service-instance configuration commands:

no mac security

mac security maximum addresses value

mac security

Change the maximum number of secure MAC addresses on the EFP to x by entering the mac security maximum addresses x-1 followed by the mac security maximum addresses x service-instance configuration command.


The minimum REP Link Status Layer (LSL) age-timer value is 920 ms.

Workaround: None.


If the switch learns more routes than the installed license supports, CPU hog messages can appear and the switch can become unstable.

Workaround: Do not allow the switch to learn more routes than the license supports. You can restrict the number of routes that can be learned per VPN routing and forwarding (VRF) instance by entering the maximum routes value command in IP VRF configuration mode.


When a GigabitEthernet port operating at 10 or 100 MB/s is in half-duplex mode, the link partner sends many more packets than it receives because the ME3800X and ME 3600X Carrier Sense Multiple Access with Collision Detection (CSMA/CD) backoff is too passive.

Workaround: None.


If a secure EFP is in restrict or protect violation mode, changing the split horizon group of another EFP in the same bridge-domain can cause unpredictable system behavior.

Workaround: Do not change the bridge-domain split-horizon group of an EFP if there is a secured EFP in same bridge-domain in MAC security restrict or protect violation mode.


In a REP ring configuration with multicast traffic, if you enter the no rep segment segment-id edge no-neighbor primary interface configuration command followed by a shutdown command on the interface, a traceback message appears with an OUTOFRANGE message, similar to this one for each VLAN that is configured.

%BIT-4-OUTOFRANGE: bit 0 is not in the expected range of 1 to 1015

Because the port is shut down and the REP configuration removed, functionality is not affected.

Workaround: To avoid traceback messages, shut down the interface first and then remove the REP edge port configuration on the interface.


When the configured Bidirectional Forwarding Detection (BFD) aging time is low, occasional BFD flaps might occur.

Workaround: Enter the bfd interval milliseconds min_rx milliseconds multiplier value interface configuration command and configure the min_rx to at least 300 ms, which sets the aging time to 900 ms or more and eliminates the BFD flaps.


In interface configuration mode, the fair-queue, priority-group and random-detect commands are duplicated.

Workaround: None.


When using a copper interface in the GigabitEthernet port on the ME 3800X or ME 3600X-24FS, the interface configuration commands speed auto 10, speed auto 100, or speed auto 1000 will return the error message:

Speed autonegotiation subset is not supported on this interface 

Workaround: None.


When the clear mac address-table dynamic command is executed, both learned and configured sticky MAC addresses are removed from the MAC address table.

Workaround: To delete only dynamically learned non-sticky and non-permit addresses, use one of these two commands:

clear ethernet service instance id interface mac table [hhhh.hhhh.hhhh]

clear bridge-domain mac table


When the ME 3600X or ME 3800X is deployed as a multicast-edge router, and the state of the multicast routing is toggled using the ip multicast-routing command. traffic forwarding is stopped.

Workaround: After disabling multicast routing using the ip multicast-routing command, use the clear ip multicast-route command to clear the state of the IOS mroute database, before re-enabling multicast routing using the ip multicast-routing command.


Ethernet Local Management Interface Provider Edge (ELMI-PE) functionality is not supported.

Workaround: None.


Connectivity Fault Management (CFM) transparency over SVI EoMPLS is not supported. CFM frames transported over SVI EoMPLS are dropped.

Workaround: Disable CFM globally on the switch.


When an interface is reset to default using the default interface command, the STP state may switch from FWD to BLK and the interface may restart.

Workaround: None.


Multicast traffic is forwarded to an interface when storm control action is set as trap.

Workaround: Remove the storm control action trap from the configuration.


When multicast storm-control is enabled on a Layer 2 port which is a member of a Layer 3 SVI interface with pim dense-mode enabled, multicast traffic is forwarded.

Workaround: None.


When a QoS shaping policy is applied to an interface, and the interface becomes congested, the output from the show policy-map interface command displays a higher shaping rate than the configured shaping rate.

Workaround: Issue the show policy-map interface command with an interval of 3 minutes (with load-interval of 30 sec on the interface). The output of the command then displays the correct shaping rate.


When ME 3800X box was in operation an exception was seen following few error messages related to bad enqueue/refcount.

Workaround: None.


A high CPU rate is observed when tunnelling through a ME 3600X or ME 3800X switch.

Workaround: Reconfigure the tunnel configuration.


Counters displayed using the show interface Null0 command are not incremented.

Workaround: Use the show platform ip unicast statistics command to display current values for the counters.


When there is an update relating to an old MAC address (e.g. switch learns a MAC address again). assert failures are seen after the MAC address change.

Workaround: None.


Upon node reload, the ip routing protocol purge interface command is automatically removed from the configuration.

Workaround: Add ip routing protocol purge interface command after router reload.

Related Documentation

These documents provide complete information about the switch and are available from these sites:

ME 3800X switch:

ME 3600X switch:

Note Before installing, configuring, or upgrading the switch, see these documents:

For initial configuration information, see the "Configuring the Switch with the CLI-Based Setup Program" appendix in the hardware installation guide.

For upgrading information, see the "Downloading Software" section in the release notes.

Cisco ME 3800X and ME 3600X Switch Software Configuration Guide

Cisco ME 3800X and ME 3600X Switch Command Reference

Cisco ME 3800X and ME 3600X System Message Guide

Cisco ME 3800X and ME 3600X Switch Hardware Installation Guide

Cisco ME 3800X and ME 3600X Switch Getting Started Guide

Installation Notes for the Cisco ME 3800X and ME 3600X Switch Power-Supply and Fan Modules

Regulatory Compliance and Safety Information for the Cisco ME 3800X and ME 3600X Switches

Cisco Small Form-Factor Pluggable Modules Installation Notes

Cisco CWDM GBIC and CWDM SFP Installation Notes

These compatibility matrix documents are available from this site:

Cisco Gigabit Ethernet Transceiver Modules Compatibility Matrix

Cisco 100-Megabit Ethernet SFP Modules Compatibility Matrix

Cisco CWDM SFP Transceiver Compatibility Matrix

Cisco Small Form-Factor Pluggable Modules Compatibility Matrix

Compatibility Matrix for 1000BASE-T Small Form-Factor Pluggable Modules

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: