Downloads |
Table Of Contents
Cross-Platform Release Notes for Cisco IOS Release 12.0SY
Supported Modules for the Cisco 10720 Router
Supported Line Cards for the Cisco 12000 Series Routers
Determining the Software Version
Upgrading to a New Software Release
Shared Port Adapter FPD Image Packages for the Cisco 12000 Series
New Hardware Features in Cisco IOS Release 12.0(32)SY8
New Software Features in Cisco IOS Release 12.0(32)SY8
New Hardware Features in Cisco IOS Release 12.0(32)SY4
New Software Features in Cisco IOS Release 12.0(32)SY4
Cisco 12000 Series Router SIP and SPA Software Configuration Guide
New Hardware Features in Cisco IOS Release 12.0(32)SY3
New Software Features in Cisco IOS Release 12.0(32)SY3
Enhanced Ingress Hierarchical Policing on Engine 5
New Hardware and Software Features in Cisco IOS Release 12.0(32)SY1 to Cisco IOS Release 12.0(32)SY2
New Hardware Features in Cisco IOS Release 12.0(32)SY
SPA-2XOC12-POS SPA Support on Cisco 12000
SPA-4XOC12-POS SPA Support on Cisco 12000
SPA-8XOC12-POS SPA Support on Cisco 12000
SPA-4XOC3-POS-V2 SPA Support on Cisco 12000
SPA-8XOC3-POS SPA Support on Cisco 12000
New Software Features in Cisco IOS Release 12.0(32)SY
BGP Multipath Load Sharing for MPLS VPN over IP Tunnels for Cisco 12000 Engine 5 Line Cards
Cisco 12000 Series Router SIP and SPA Software Configuration Guide
Configuring RTP Header Compression for Cisco 12000 Series Routers
Cos-Based Tunnel Selection on Engine 5 Line Cards
DPT (SRP) Support for the 1-port OC-192 SPA on 12000-SIP-600/601
DPT (SRP) Support for the 2-port OC-48 SPA on 12000-SIP-600/601
Hierarchical QoS for MPLS VPN over IP Tunnels for Cisco 12000 Engine 5 and Engine 3 Line Cards
Hierarchical Shaping for MPLS VPNs over IP Tunnels on the Cisco 12000 Series Internet Router
Inter-AS Hybrid for MPLS VPN over IP Tunnels
L2TPv3 Layer 2 Packet Fragmentation
L2TPv3 Like-to-Like Native for Cisco 12000 Engine 5 Line Cards
Layer 2 Tunnel Protocol Version 3 on Cisco 12000 Engine 5 Line Cards
Layer 2 Virtual Private Network Interworking
Microcode Manager for Multiservice Engine Line Cards on Cisco 12000 Series Routers
MPLS Embedded Management—LSP Ping/Traceroute for LDP
MPLS—LDP MD5 Global Configuration
MPLS VPN Carrier Supporting Carrier Support on the Cisco 10720 Router
MPLS VPN Carrier Supporting Carrier over IP Tunnels for Cisco 12000 Engine 5 Line Cards
Multicast-VPN—IP Multicast Support for MPLS VPNs
PXF Accelerated IPv6 Multicast for 802.17 RPR
QoS: Enhanced show Commands for Active Policies
Virtual Private LAN Service over MPLS on Cisco 12000 Series Router Line Cards
Important Notes for Cisco IOS Release 12.0(32)SY9
The bgp default ipv6-nexthop Command
Resolved Caveats—Cisco IOS Release 12.0(32)SY10
Resolved Caveats—Cisco IOS Release 12.0(32)SY9a
Resolved Caveats—Cisco IOS Release 12.0(32)SY9
Resolved Caveats—Cisco IOS Release 12.0(32)SY8
Resolved Caveats—Cisco IOS Release 12.0(32)SY7
Resolved Caveats—Cisco IOS Release 12.0(32)SY6
Resolved Caveats—Cisco IOS Release 12.0(32)SY5
Resolved Caveats—Cisco IOS Release 12.0(32)SY4
Resolved Caveats—Cisco IOS Release 12.0(32)SY3
Resolved Caveats—Cisco IOS Release 12.0(32)SY2
Resolved Caveats—Cisco IOS Release 12.0(32)SY1
Open Caveats—Cisco IOS Release 12.0(32)SY
Cisco IOS Software Documentation Set
Cisco IOS Release 12.0S Documentation Set Contents
Obtaining Documentation and Submitting a Service Request
Cross-Platform Release Notes for Cisco IOS Release 12.0SY
September 25, 2009
Cisco IOS Release 12.0(32)SY10
Part Number: OL-10924-01 Rev. Q0
These release notes support Cisco IOS Release 12.0(32)SY, up to and including Cisco IOS Release 12.0(32)SY10. These release notes are updated as needed to describe new features, memory requirements, hardware support, software platform deferrals, and related documents.
Cisco IOS Release 12.0(32)SY is based on Cisco IOS Release 12.0(32)S and is tailored for service provider and large-scale enterprise networks. Cisco IOS Release 12.0(32)S includes features that were initially supported in Cisco IOS Release 12.0.
For a list of the software caveats that apply to Cisco IOS Release 12.0S, see the "Caveats" section and the caveat parts of the Cross-Platform Release Notes for Cisco IOS Release 12.0S document located on Cisco.com. The caveats document is updated for every maintenance release and is located on Cisco.com.
Use these release notes in conjunction with the Cross-Platform Release Notes for Cisco IOS Release 12.0S document located on Cisco.com.
We recommend that you view the field notices for this release to see if your software or hardware platforms are affected. If you have an account on Cisco.com, you can find field notices at http://www.cisco.com/warp/public/tech_tips/index/fn.html. If you do not have a Cisco.com login account, you can find field notices at http://www.cisco.com/warp/public/tech_tips/index/fn.html.
Contents
•
MIBs
•
Introduction
Cisco IOS Release 12.0(32)SY is the first general availability release of this software. Many of the features and the hardware supported in this software have been previously released to customers on other software releases.
For information on new features and Cisco IOS commands that are supported by Cisco IOS Release 12.0(32)SY, see the "New and Changed Information" section and the "Caveats" section.
System Requirements
This section describes the system requirements for Cisco IOS Release 12.0(32)SY and includes the following sections:
•
•
Memory Recommendations
The memory recommendation tables have been removed from the Cisco IOS Release 12.0(32)SY release notes to improve the usability of the release notes documentation. The memory recommendations provided by these tables are available through Cisco Feature Navigator.
Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS and Catalyst OS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or by feature set (software image). Under the release section, you can compare Cisco IOS software releases side by side to display both the features unique to each software release and the features that the releases have in common.
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at:
For frequently asked questions about Cisco Feature Navigator, refer to the FAQs at:
http://tools.cisco.com/ITDIT/CFN/jsp/help.jsp
Determining Memory Recommendations for Software Images
To determine memory recommendations for software images (feature sets) in Cisco IOS Release 12.0(32)SY, go to the Cisco Feature Navigator home page and perform the following steps.
Step 1
Step 2
a.
b.
The Search Results table will list all the software images (feature sets) that support the release that you chose, plus the DRAM and flash memory recommendations for each image.
Step 3
a.
b.
c.
d.
The Search Results table lists all of the software images (feature sets) that support the release that you choose, plus the DRAM and flash memory recommendations for each image.
Supported Hardware
This section consists of the following subsections:
•
•
Supported Platforms
Cisco IOS Release 12.0(32)SY supports the following platforms:
•
•
For additional information about supported hardware for this platform and release, please see the Hardware/Software Compatibility Matrix in the Cisco Software Advisor at the following location:
http://www.cisco.com/pcgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi
For detailed descriptions of the new hardware features, see the "New and Changed Information" section.
Supported Modules for the Cisco 10720 Router
Table 1 lists the modules (also referred to as cards) that are supported for the Cisco 10720 in Cisco IOS Release 12.0(32)SY. The number in the "In" column indicates the Cisco IOS 12.0S release in which the module was introduced. For example, (22) means that a module was introduced in Cisco IOS Release 12.0(22)S. Note that, before their introduction in Cisco IOS Release 12.0(32)SY, most of these modules were introduced in Cisco IOS Release 12.0S.
Table 1 Supported Line Cards for the Cisco 10720 Router
24-port Fast Ethernet
10720-FE-TX
24-port 10/100 Ethernet access module
(22)
10720-FE-FX-MM
24-port 100 Mbps fiber Ethernet access module,
multimode, 2 km(22)
10720-FE-FX-SM
24-port 100 Mbps fiber Ethernet access module,
single mode, 15 km(22)
4-port Gigabit Ethernet + 8-port Fast Ethernet
10720-GE-FE-TX
Combined 4-port Gigabit Ethernet 8-port 10/100 Ethernet TX access module
(22)
10720-GE-FE-TX-B
Combined 4-port Gigabit Ethernet 8-port 10/100 Ethernet TX access module, Revision B
(25)
GE SFP
10720-GE-SFP-SX
GE SFP module—short reach (550 m)
(22)
10720-GE-SFP-LH
GE SFP module—intermediate reach (10 km)
(22)
GLC-ZX-SM
GE SFP module—long reach (70 km)
(23)
SFP-GE-T
GE SFP module—1000BASE-T
(31)
SFP-GE-S
GE SFP module—short reach (550 m), extended temperature
(31)
SFP-GE-L
GE SFP module—intermediate reach (10 km), extended
temperature(31)
CWDM SFP
CWDM-SFP-1470
CWDM SFP module—longwave 1470 nm laser, single mode, gray
(31)
CWDM-SFP-1490
CWDM SFP module—longwave 1490 nm laser, single mode, violet
(31)
CWDM-SFP-1510
CWDM SFP module—longwave 1510 nm laser, single mode, blue
(31)
CWDM-SFP-1530
CWDM SFP module—longwave 1530 nm laser, single mode, green
(31)
CWDM-SFP-1550
CWDM SFP module—longwave 1550 nm laser, single mode, yellow
(31)
CWDM-SFP-1570
CWDM SFP module—longwave 1570 nm laser, single mode, orange
(31)
CWDM-SFP-1590
CWDM SFP module—longwave 1590 nm laser, single mode, red
(31)
CWDM-SFP-1610
CWDM SFP module—longwave 1610 nm laser, single mode, brown
(31)
2-port OC-48/STM-16 POS
10720-SR-LC-POS
2-port OC-48c/STM-16c POS/SDH uplink module, short reach (2 km)
(23)
10720-IR-LC-POS
2-port OC-48c/STM-16c POS/SDH uplink module,
intermediate reach (15 km)(23)
10720-LR1-LC-POS
2-port OC-48c/STM-16c POS/SDH uplink module, long reach (40 km)
(23)
10720-LR2-LC-POS
2-port OC-48c/STM-16c POS/SDH uplink module, (extra) long reach (80 km)
(23)
2-port OC-48/STM-16 SRP
10720-SR-LC
2-port OC-48c/STM-16c SRP uplink module, short reach (2 km)
(22)
10720-IR-LC
2-port OC-48c/STM-16c SRP uplink module, intermediate reach (15 km)
(22)
10720-LR1-LC
2-port OC-48c/STM-16c SRP uplink module, long reach (40 km)
(22)
10720-LR2-LC
2-port OC-48c/STM-16c SRP uplink module, (extra) long reach (80 km)
(22)
Console/Auxiliary
10720-CON-AUX=
10720 console/auxiliary module
(22)
RPR/SRP
10720-RPR-SFP=
Dual-Mode IEEE 802.17 RPR/SRP uplink module
(30)
1 For a spare product number, append an equal sign (=) to the product number. For End-of-Sale (EOS) and End-of-Life (EOL) information about modules, refer to the Cisco product bulletins at:
http://www.cisco.com/en/US/products/hw/routers/ps147/prod_eol_notices_list.html2 DPT modules are also referred to as Spatial Reuse Protocol (SRP) modules.
Supported Line Cards for the Cisco 12000 Series Routers
Table 2 lists the line cards that are supported for the Cisco 12000 series routers in Cisco IOS Release 12.0(32)SY and uses the following conventions:
•
•
•
Table 2 Supported Line Cards for Cisco 12000 Series Routers
1-port OC-48 POS6
OC48E/POS-SR-SC-B
2
1-port OC-48c/STM-16c POS/SDH short reach
(10)
Yes
Yes
Yes
OC48E/POS-LR-SC-B
2
1-port OC-48c/STM-16c POS/SDH long reach
(10)
Yes
Yes
Yes
1-port OC-48 POS ISE
OC48X/POS-SR-SC
3
1-port OC-48c/STM-16c POS/SDH ISE short reach
(21)
Yes
Yes
Yes
OC48X/POS-LR-SC
3
1-port OC-48c/STM -16c POS/SDH ISE long reach
(21)
Yes
Yes
Yes
4OC48E/POS-SR-SC9
4+
4-port OC-48c/STM-16c POS/SDH ES short reach
(15)
No
Yes
Yes
4OC48E/POS-LR-SC10
4+
4-port OC-48c/STM-16c POS/SDH ES long reach
(15)
No
Yes
Yes
8-port OC-48 POS11
8OC48/POS-SFP
6
8-port OC-48c/STM-16c POS/SDH Small Form-Factor Plugable (SFP)
(27)
No
Yes
Yes
1-port OC-192 POS
OC192R0/POS-SR-SC
2
1-port OC-192c/STM-64c POS Enabler short reach
(10)
Yes
Yes
Yes
OC192R0/POS-IR-SC
2
1-port OC-192c/STM-64c POS Enabler intermediate reach
(10)
Yes
Yes
Yes
1-port OC-192 POS ES8
OC192E/POS-VSR
4+
1-port OC-192c/STM-64c POS/SDH ES very short reach
(21)
No
Yes
Yes
OC192E/POS-SR-SC
4+
1-port OC-192c/STM-64c POS/SDH ES short reach
(21)
No
Yes
Yes
OC192E/POS-IR-SC
4+
1-port OC-192c/STM-64c POS/SDH ES intermediate reach
(21)
No
Yes
Yes
OC192E/POS-LR-SC
4+
1-port OC-192c/STM-64c POS/SDH ES long reach
(24)
No
Yes
Yes
2-port OC-192 POS11
2OC192/POS-VSR
6
2-port OC-192c/STM-64c POS/SDH very short reach
(27)
No
Yes
Yes
2OC192/POS-SR-SC
6
2-port OC-192c/STM-64c POS/SDH short reach
(27)
No
Yes
Yes
2OC192/POS-IR-SC
6
2-port OC-192c/STM-64c POS/SDH intermediate reach
(27)
No
Yes
Yes
6-port DS312
6DS3-SMB-B
0
6-port DS3 with ECC
(10)
Yes
Yes
Yes
12-port DS312
12DS3-SMB-B
0
12-port DS3 with ECC
(10)
Yes
Yes
Yes
6-port E312
6E3-SMB
0
6-port E3 with ECC
(15)
Yes
Yes
Yes
12-port E312
12E3-SMB
0
12-port E3 with ECC
(15)
Yes
Yes
Yes
8-port OC-3 POS
8OC3/POS-SM
2
8-port OC-3c/STM-1c POS/SDH single mode
(10)
Yes
Yes
Yes
8OC3/POS-MM
2
8-port OC-3c/STM-1c POS/SDH multimode
(10)
Yes
Yes
Yes
16-port OC-3 POS
16OC3/POS-SM
2
16-port OC-3c/STM-1c POS/SDH single mode
(10)
Yes
Yes
Yes
16OC3/POS-MM
2
16-port OC-3c/STM-1c POS/SDH multimode
(10)
Yes
Yes
Yes
4-port7 OC-3 POS
LC-4OC3/POS-SM
0
4-port OC-3c/STM-1c POS/SDH single mode
(5)
Yes
Yes
Yes
LC-4OC3/POS-MM
0
4-port OC-3c/STM-1c POS/SDH multimode
(5)
Yes
Yes
Yes
4OC3/POS-LR-SC
0
4-port OC-3c/STM-1c POS/SDH long reach
(5)
Yes
Yes
Yes
4-port7 OC-3 POS ISE
4OC3X/POS-MM-MJ-B
3
4-port OC-3c/STM-1c POS/SDH ISE multimode
(22)
Yes
Yes
Yes
4OC3X/POS-IR-LC-B
3
4-port OC-3c/STM-1c POS/SDH ISE intermediate reach
(22)
Yes
Yes
Yes
4OC3X/POS-LR-LC-B
3
4-port OC-3c/STM-1c POS/SDH ISE long reach
(22)
Yes
Yes
Yes
8-port OC-3 POS ISE
8OC3X/POS-MM-MJ-B
3
8-port OC-3c/STM-1c POS/SDH ISE multimode
(22)
Yes
Yes
Yes
8OC3X/POS-IR-LC-B
3
8-port OC-3c/STM-1c POS/SDH ISE intermediate reach
(22)
Yes
Yes
Yes
16-port OC-3 POS ISE
16OC3X/POS-M-MJ-B
3
16-port OC-3c/STM-1c POS/SDH ISE multimode
(22)
Yes
Yes
Yes
16OC3X/POS-I-LC-B
3
16-port OC-3c/STM-1c POS/SDH ISE intermediate reach
(21)
Yes
Yes
Yes
1-port OC-12 POS
LC-1OC12/POS-SM13
0
1-port OC-12c/STM-4c POS/SDH single mode
(10)
Yes
Yes
Yes
LC-1OC12/POS-MM14
0
1-port OC-12c/STM-4c POS/SDH multimode
(10)
Yes
Yes
Yes
4OC12/POS-IR-SC-B
2
4-port OC-12c/STM-4c POS/SDH single mode
(8)
Yes
Yes
Yes
4OC12/POS-MM-SC-B
2
4-port OC-12c/STM-4c POS/SDH multimode
(8)
Yes
Yes
Yes
4-port7 OC-12 POS ISE
4OC12X/POS-I-SC-B
3
4-port OC-12c/STM-4c POS/SDH ISE single mode
(21)
Yes
Yes
Yes
4OC12X/POS-M-SC-B
3
4-port OC-12c/STM-4c POS/SDH ISE multimode
(21)
Yes
Yes
Yes
2-port CHOC-3, DS1/E1
2CHOC3/STM1-IR-SC
0
2-port channelized OC-3/STM-1 (DS1/E1)
(17)
Yes
Yes
Yes
1-port CHOC-12, DS3
LC-OC12-DS3
0
1-port channelized OC-12 (DS3)
(5)
Yes
Yes
Yes
1-port CHOC-12, OC-3
CHOC12/STS3-IR-SC
0
1-port channelized OC-12/STM-4 (OC-3/STM-1)
(5)
Yes
Yes
Yes
1-port CHOC-12,
OC-3 ISE11CHOC12/DS1-IR-SC
3
1-port channelized OC-12/STM-4 (DS1/E1) ISE
(27)
Yes
Yes
Yes
4-port7 CHOC-12 ISE
4CHOC12/DS3-I-SCB
3
4-port channelized OC-12/STM-4 (DS3/E3, OC-3c/STM-1c) POS/SDH ISE
(21)
Yes
Yes
Yes
1-port CHOC-48 ISE
CHOC48/DS3-SR-SC
3
1-port channelized OC-48/STM-16 (DS3/E3, OC-3c/STM-1c, OC-12c/STM-4c) POS/SDH ISE
(21)
Yes
Yes
Yes
6-port Ch T3
6CT3-SMB
0
6-port channelized T3 (T1)
(14)
Yes
Yes
Yes
4-port7 OC-3 ATM
4OC3/ATM-IR-SC
0
4-port OC-3c/STM-1c ATM
single mode(5)15
Yes
Yes
Yes
4OC3/ATM-MM-SC
0
4-port OC-3c/STM-1c ATM multimode
(5)15
Yes
Yes
Yes
4-port OC-3 ATM ISE11
4OC3X/ATM-IR-SC
3
4-port OC-3/STM-1 ATM ISE single mode
(27)
Yes
Yes
Yes
4OC3X/ATM-MM-SC
3
4-port OC-3/STM-1 ATM ISE multimode
(27)
Yes
Yes
Yes
8-port OC-3 ATM
8OC03/ATM/TS-IR-B
2
8-port OC-3c/STM-1c ATM
single mode(22)
Yes
Yes
Yes
8OC03/ATM/TS-MM-B
2
8-port OC-3c/STM-1c ATM multimode
(22)
Yes
Yes
Yes
1-port OC-12 ATM
LC-1OC12/ATM-SM
0
1-port OC-12c/STM-4c ATM single mode
(5)15
Yes
Yes
Yes
LC-1OC12/ATM-MM
0
1-port OC-12c/STM-4c ATM multimode
(5)15
Yes
Yes
Yes
4-port7 OC-12 ATM
4OC12/ATM-IR-SC
2
4-port OC-12c/STM-4c ATM single mode
(13)
Yes
Yes
Yes
4OC12/ATM-MM-SC
2
4-port OC-12c/STM-4c ATM multimode
(13)
Yes
Yes
Yes
4-port7 OC-12 ATM ISE
4OC12X/ATM-IR-SC
3
4-port OC-12c/STM-4c ATM ISE single mode
(25)
Yes
Yes
Yes
4OC12X/ATM-MM-SC
3
4-port OC-12c/STM-4c ATM ISE multimode
(25)
Yes
Yes
Yes
1-port GE
GE-GBIC-SC-B
1
1-port Gigabit Ethernet with ECC
(5)
Yes
Yes
Yes
10-port GE
10x1GE-SFP-LC-B
4
10-port Gigabit Ethernet
(19)
Yes
Yes
Yes
8-port FE12
8FE-FX-SC-B
1
8-port Fast Ethernet, 100BASE-FX, with ECC memory
(10)
Yes
Yes
Yes
8FE-TX-RJ45-B
1
8-port Fast Ethernet, 100BASE-TX, with ECC memory
(10)
Yes
Yes
Yes
3-port GE
3GE-GBIC-SC
2
3-port Gigabit Ethernet
(11)
Yes
Yes
Yes
4-port7 GE ISE
4GE-SFP-LC
3
4-port Gigabit Ethernet ISE
(25)
Yes
Yes
Yes
1-port 10-GbE
1X10GE-LR-SC
4+
1-port 10-Gigabit Ethernet
long reach(23)
No
Yes
Yes
1X10GE-ER-SC
4+
1-port 10-Gigabit Ethernet extended reach
(23)
No
Yes
Yes
Modular GbE
EPA-GE/FE-BBRD and
EPA-3GE-SX/LH-LC4+
Modular Gigabit Ethernet:
Gigabit Ethernet modular baseboard and 3-port Gigabit Ethernet port adapter(23)
No
Yes
Yes
2-port OC-12 DPT12
OC12/SRP-IR-SC-B
1
2-port OC-12c/STM-4c DPT with ECC single mode
intermediate reach(10)
Yes
Yes
Yes
OC12/SRP-LR-SC-B
1
2-port OC-12c/STM-4c DPT with ECC single mode long reach
(10)
Yes
Yes
Yes
OC12/SRP-XR-SC
1
2-port OC-12c/STM-4c DPT with ECC single mode extra long reach
(10)
Yes
Yes
Yes
OC12/SRP-MM-SC-B
1
2-port OC-12c/STM-4c DPT with ECC multimode
(10)
Yes
Yes
Yes
4-port7 OC-12 DPT ISE
4OC12X/SRP-IR-LC
3
4-port OC-12c/STM-4c DPT ISE intermediate reach
(24)
Yes
Yes
Yes
4OC12X/SRP-XR-LC
3
4-port OC-12c/STM-4c DPT ISE extended long reach
(24)
Yes
Yes
Yes
1-port OC-48 DPT6
OC48/SRP-SR-SC-B16
2
1-port OC-48c/STM-16c DPT single mode short reach
(15)
Yes
Yes
Yes
OC48/SRP-LR-SC-B17
2
1-port OC-48c/STM-16c DPT single mode long reach
(15)
Yes
Yes
Yes
4-port7 OC-48 DPT
4OC48/SRP-SFP
4+
4-port OC-48c/STM-16c DPT
(23)
No
Yes
Yes
1-port OC-192 DPT
OC192/SRP-VSR
4+
1-port OC-192c/STM-64c DPT very short reach
(23)
No
Yes
Yes
OC192/SRP-SR-SC
4+
1-port OC-192c/STM-64c DPT short reach
(23)
No
Yes
Yes
OC192/SRP-IR-SC
4+
1-port OC-192c/STM-64c DPT intermediate reach
(23)
No
Yes
Yes
2-port T3/E3 Serial
SPA-2XT3/E3
3
2-port clear channel T3/E3
(31)
Yes
Yes
Yes
4-port T3/E3 Serial
SPA-4XT3/E3
3
4-port clear channel T3/E3
(31)
Yes
Yes
Yes
2-port CT3
SPA-2XCT3/DS0
3
2-port channelized T3 to DS0
(31)
Yes
Yes
Yes
4-port CT3
SPA-4XCT3/DS0
3
4-port channelized T3 to DS0
(31)
Yes
Yes
Yes
1-port CHOC-3
SPA-1XCHSTM1/OC3
5
1-port channelized STM-1/OC-3
(32)
No
Yes
Yes
8-port Ch T1/E1
SPA-8XCHT1/E1
5
8-port channelized T1/E1
(32)
No
Yes
Yes
8-port FE
SPA-8XFE
5
8-port Fast Ethernet
(32)
No
Yes
Yes
1-port 10GE
SPA-1XTENGE-XFP
5
1-port 10-Gigabit Ethernet
(31)
No
Yes
Yes
2-port GE
SPA-2X1GE
5
2-port Gigabit Ethernet SPA
(32)
No
Yes
Yes
5-port GE
SPA-5X1GE
5
5-port Gigabit Ethernet
(31)
No
Yes
Yes
10-port GE
SPA-10X1GE
5
10-port Gigabit Ethernet
(31)
No
Yes
Yes
2-port OC-48 POS
SPA-2XOC48c
5
2-port OC-48 POS/RPR
(31)S2
No
Yes
Yes
1-port OC-192 POS/RPR VSR
SPA-OC192POS-VSR
5
1-port OC-192/STM64 POS/RPR VSR Optics
(32)
No
Yes
Yes
1-port OC-192 POS/RPR
SPA-OC192POS-LR
5
1-port OC-192/STM64 POS/RPR SMLR Optics
(31)
No
Yes
Yes
1-port OC192 POS/RPR XFP
SPA-OC192POS-XFP
5
1-port OC-192/STM64 POS/RPR XFP Optics
(31)
No
Yes
Yes
SIP-400
12000-SIP-400
3
2.5G ISE SPA Interface Processor.
(31)
Yes
Yes
Yes
SIP-600
12000-SIP-600
5
10G Engine 5 SPA Interface Processor.
(31)
No
Yes
Yes
SIP-40118
12000-SIP-401
5
2.5G Multiservice Engine SPA Interface Processor.
(32)
Yes
Yes
Yes
SIP-501
12000-SIP-501
5
5G Multiservice Engine SPA Interface Processor.
(32)
No
Yes
Yes
SIP-601
12000-SIP-601
5
10G Multiservice Engine SPA Interface Processor.
(32)
No
Yes
Yes
1 For a spare product number, append an equal sign (=) to the product number. For End-of-Sale (EOS) and End-of-Life (EOL) information about line cards, refer to the Cisco product bulletins at:
http://www.cisco.com/en/US/partner/products/hw/routers/ps167/prod_eol_notices_list.html2 Engine 3 (E3) is commonly referred to as IP Services Engine (ISE); Engine 4 plus (E4+) is commonly referred to as Enhanced Services (ES) engine.
3 Cisco 12006, Cisco 12008, Cisco 12010, Cisco 12012, and Cisco 12016 routers. SIPs and SPAs are only supported on the Cisco 12006 and Cisco 12010 chassis. None of the SIP cards and SPAs are supported in either the Cisco 12008 or the Cisco 12012 routers (reference note 18 for Cisco 12016 support). The enhanced fabric which supports Single Router APS, BITS and Dual Priority is available in Cisco IOS Release 12.0(32)SY2 and higher for the Cisco 12010 and Cisco 12016 routers. The enhanced fabric without the Single Router APS, BITS and Dual Priority functionalities can also be used on the Cisco 12006 routers with Cisco IOS 12.0(32)SY8 or later releases. For support of these features on Cisco 12006 chassis, reference the Cisco IOS Release 12.0(33)S release notes. The Cisco Part Number for the Cisco 12010 fabric option and fabric kit is 12010E/50 and 12010E/50=. The Cisco Part Number for the Cisco 12016 fabric option and fabric kit is 12016E/80 and 12016E/80=. The Cisco Part Number for the Cisco 12006 fabric option and fabric kit is 12006E/30 and 12006E/30=. The SR APS feature is supported using the Engine3 ATM line cards. BITS feature is supported on Engine3 and Engine5 POS and ATM line cards. DP feature is supported on Engine5 (2.5G mode) line cards.
4 Cisco 12404, Cisco 12406, Cisco 12410, and Cisco 12416. The enhanced fabric which supports Single Router APS, BITS and Dual Priority is available in Cisco IOS Release 12.0(32)SY2 and higher for the Cisco 12410 and Cisco 12416 routers. The enhanced fabric without the Single Router APS, BITS and Dual Priority functionalities can also be used on the Cisco 12406 routers with Cisco IOS 12.0(32)SY8 or later releases. For support of these features on Cisco 12406 chassis, reference the Cisco IOS Release 12.0(33)S Release notes. The Cisco Part Number for the Cisco 12410 fabric option and fabric kit is 12410E/200 and 12410E/200=. The Cisco Part Number for the Cisco 12416 fabric option and fabric kit is 12416E/320 and 12416E/320=. The Cisco Part Number for the Cisco 12406 fabric option and fabric kit is 12406E/120 and 12406E/120=. The SR APS feature is supported using the Engine3 ATM line cards. BITS feature is supported on Engine3 and Engine5 POS and ATM line cards. DP feature is supported on Engine4, Engine4+ and Engine5 line cards.
5 Cisco 12810 and Cisco 12816. The enhanced fabric which supports Single Router APS, BITS and Dual Priority is available in Cisco IOS Release 12.0(31)S and higher for the Cisco 12810 and Cisco 12816 routers. The Cisco Part Number for the Cisco 12810 fabric option and fabric kit is 12810E/800 and 12810E/800=. The Cisco Part Number for the Cisco 12816 fabric option and fabric kit is 12816E/1280 and 12816E/1280=. The SR APS feature is supported using the Engine3 ATM line cards. BITS feature is supported on Engine6 POS line cards in addition to those listed in note 4. DP feature is supported on Engine4, Engine4+, Engine5 and Engine6 line cards.
6 Revision B replaces the initial version.
7 A 4-port line card is also referred to as a "Quad" line card.
8 This Engine 4+ version replaces the initial Engine 4 version.
9 The part number may also be referred to as 4OC-48E/POS-SR-SC.
10 The part number may also be referred to as 4OC-48E/POS-LR-SC.
11 This line card was released in Cisco IOS Release 12.0(27)S1.
12 This version with ECC memory replaces the initial version without ECC memory.
13 The part number may also be referred to as LC-1OC12-POS-SM.
14 The part number may also be referred to as LC-1OC12-POS-MM.
15 Cisco IOS Release 12.0(10)S is recommended.
16 The part number may also be referred to as OC-48/SRP-SR-SC-B.
17 The part number may also be referred to as OC-48/SRP-LR-SC-B.
18 SIP-401 is not supported on the Cisco 12008, Cisco 12012 and Cisco 12016 (with non-enhanced fabric) routers. This line card is supported on a Cisco 12016 router that is configured with the enhanced fabric.
Determining the Software Version
To determine the version of Cisco IOS software that is running on your Cisco router, log in to the router and enter the show version EXEC command:
Router> show versionCisco Internetwork Operating System SoftwareIOS (tm) 10720 Software (c10700-p-mz), Version 12.0(32)SY, EARLY DEPLOYMENT RELEASE SOFTWAREUpgrading to a New Software Release
For information about selecting a new Cisco IOS software release, see How to Choose a Cisco IOS Software Release at:
http://www.cisco.com/warp/public/130/choosing_ios.shtml
For information about upgrading to a new software release, see the appropriate platform-specific document:
•
http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a0080094c07.shtml
•
http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a0080094c07.shtml
For Cisco IOS upgrade ordering instructions, see the document at:
http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/957_pp.htm
To choose a new Cisco IOS software release by comparing feature support or memory requirements, use Cisco Feature Navigator. Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS and Catalyst OS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or by feature set (software image). Under the release section, you can compare Cisco IOS software releases side by side to display both the features unique to each software release and the features that the releases have in common.
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at:
To choose a new Cisco IOS software release based on information about defects that affect that software, use Bug Toolkit at:
http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl
Microcode Software
This section consists of the following subsections:
•
Shared Port Adapter FPD Image Packages for the Cisco 12000 Series
Field-Programmable Device (FPD) image packages are used to update Shared Port Adapter (SPA) FPD images. If a discrepancy exists between an SPA FPD image and the Cisco IOS image that is running on the router, the SPA is deactivated until this discrepancy is resolved. For additional information on FPDs, including the upgrade process, see the "Upgrading Field-Programmable Devices" section of the Cisco 12000 Series Router SIP and SPA Software Configuration Guide:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_swcs/index.htm
Note
Shared Port Adapter FPD Image Package for Cisco IOS Release 12.0(32)SY
The FPD image package that is used to upgrade SPAs on a router that runs Cisco IOS Release 12.0(32)SY is the c12k-fpd-pkg.120-32.S.pkg file. This SPA FPD image package file is accessible from the page from which you download your specific Cisco IOS image in the Software Center on Cisco.com and contains the components that are listed in Table 3.
Feature Support
Cisco IOS software is packaged in feature sets that consist of software images that support specific platforms. The feature sets available for a specific platform depend on which Cisco IOS software images are included in a release. Each feature set contains a specific set of Cisco IOS features.
Caution
Note
Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS and Catalyst OS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or by feature set (software image). Under the release section, you can compare Cisco IOS software releases side by side to display both the features unique to each software release and the features that the releases have in common.
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at:
For frequently asked questions about Cisco Feature Navigator, see the FAQs at:
http://www.cisco.com/support/FeatureNav/FNFAQ.html
Determining Which Software Images Support a Specific Feature
To determine which software images (feature sets) in Cisco IOS Release 12.0(32)SY support a specific feature, go to the Cisco Feature Navigator home page and perform the following steps.
Step 1
Step 2
Step 3
Note
Repeat this step to add additional features. A maximum of 20 features can be chosen for a one search.
Step 4
Step 5
Step 6
Step 7
Determining Supported Features in a Specific Software Image
To determine which features are supported in a specific software image (feature set) in Cisco IOS Release 12.0(32)SY, go to the Cisco Feature Navigator home page and perform the following steps.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
New and Changed Information
This section lists the new hardware and software features supported by Cisco IOS Release 12.0(32)SY and contains the following subsections:
•
•
•
•
•
•
•
•
•
Note
New Hardware Features in Cisco IOS Release 12.0(32)SY8
There are no new hardware features in Cisco IOS Release 12.0(32)SY8.
New Software Features in Cisco IOS Release 12.0(32)SY8
This section describes new and changed features in Cisco IOS Release 12.0(32)SY8. Some features may be new to Cisco IOS Release 12.0(32)SY but were released in earlier Cisco IOS software releases. Some features may have been released in earlier Cisco IOS software releases and have been changed in Cisco IOS Release 12.0(32)SY8. To determine if a feature is new or changed, see the feature history table at the beginning of the feature module for that feature. Links to feature modules are included below. If a feature listed below does not have a link to a feature module, that feature is documented only in the release notes, and information about whether the feature is new or changed will be available in the feature description provided below.
BGP Support for 4-Byte ASN
Platform: Cisco 12000-GRP, Cisco 12000-PRP
The BGP Support for 4-Byte ASN feature introduces support for 4-byte autonomous system numbers. Because of increased demand for autonomous system numbers, in January 2009 the IANA will start to allocate 4-byte autonomous system numbers in the range from 65536 to 4294967295. The Cisco implementation of 4-byte autonomous system numbers uses asplain as the default output display format for autonomous system numbers, but you can configure 4-byte autonomous system numbers in both the asplain format and the asdot format as described in RFC 5396. In addition, the default format for matching 4-byte autonomous system numbers in regular expressions is asplain, so you must ensure that any regular expressions to match 4-byte autonomous system numbers are written in the asplain format. If you want to change the default show command output to display autonomous system numbers in the asdot format, use the bgp asnotation dot command under router configuration mode. When the asdot format is enabled as the default, any regular expressions to match 4-byte autonomous system numbers must be written using the asdot format, or else the regular expression match will fail. Cisco also supports RFC 4893, which was developed to allow BGP to support a gradual transition from 2-byte autonomous system numbers to 4-byte autonomous system numbers.
For detailed information about this feature, see the "Cisco BGP Overview" and "Configuring a Basic BGP Network" modules of the Cisco IOS IP Routing Protocols Configuration Guide and the Cisco IOS IP Routing Protocols Command Reference at the following URLs:
http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_bgp_overview.html
http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_bgp_basic_net.html
http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_book.html
QinQ and QinAny over L2TPv3
The purpose of the IEEE 802.1 QinQ VLAN tag is to expand the VLAN space by tagging the tagged packets to produce a double-tagged frame. In the QinAny tag, the incoming packet is also doubled-tagged, where the user specifies only the outer tag explicitly and the inner tag can be any number (1 to 4095).
•
•
The Stacked VLAN Processing feature supports the encapsulation of IEEE 802.1Q VLAN tags within a second layer of 802.1Q tag on provider edge (PE) routers to allow service providers to use a single VLAN to support customers who have multiple VLANs. The core service-provider network carries traffic with double-tagged, stacked VLAN (802.1 QinQ) headers of multiple customers while maintaining the VLAN and Layer 2 protocol configurations of each customer and without impacting the traffic of other customers. The Stacked VLAN Processing feature preserves VLAN IDs and keeps traffic in different customer VLANs segregated.
For more information, see the Layer 2 Tunnel Protocol Version 3 document at the following URL:
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/l2tpv30s.html
New Hardware Features in Cisco IOS Release 12.0(32)SY4
This section describes new and changed features in Cisco IOS Release 12.0(32)SY. Some features may be new to Cisco IOS Release 12.0(32)SY but were released in earlier Cisco IOS software releases. Some features may have been released in earlier Cisco IOS software releases and have been changed in Cisco IOS Release 12.0(32)SY. To determine if a feature is new or changed, see the feature history table at the beginning of the feature module for that feature. Links to feature modules are included below. If a feature listed below does not have a link to a feature module, that feature is documented only in the release notes, and information about whether the feature is new or changed is available in the feature description provided below.
SPA-2X1GE-V2
This release introduces the SPA-2X1GE-V2. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_hw/32sy/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_swcs/1232sy/index.htm
New Software Features in Cisco IOS Release 12.0(32)SY4
This section describes new and changed features in Cisco IOS Release 12.0(32)SY4. Some features may be new to Cisco IOS Release 12.0(32)SY but were released in earlier Cisco IOS software releases. Some features may have been released in earlier Cisco IOS software releases and have been changed in Cisco IOS Release 12.0(32)SY4. To determine if a feature is new or changed, see the feature history table at the beginning of the feature module for that feature. Links to feature modules are included below. If a feature listed below does not have a link to a feature module, that feature is documented only in the release notes, and information about whether the feature is new or changed will be available in the feature description provided below.
•
Cisco 12000 Series Router SIP and SPA Software Configuration Guide
This release introduces support for the following SPAs:
•
For details about software configuration support for these SPAs, see the Cisco 12000 Series Router SIP and SPA Software Configuration Guide at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_swcs/1232sy/index.htm
New Hardware Features in Cisco IOS Release 12.0(32)SY3
There are no new hardware features in Cisco IOS Release 12.0(32)SY3.
New Software Features in Cisco IOS Release 12.0(32)SY3
This section describes new and changed features in Cisco IOS Release 12.0(32)SY3. Some features may be new to Cisco IOS Release 12.0(32)SY but were released in earlier Cisco IOS software releases. Some features may have been released in earlier Cisco IOS software releases and have been changed in Cisco IOS Release 12.0(32)SY3. To determine if a feature is new or changed, see the feature history table at the beginning of the feature module for that feature. Links to feature modules are included below. If a feature listed below does not have a link to a feature module, that feature is documented only in the release notes, and information about whether the feature is new or changed will be available in the feature description provided below.
•
Enhanced Ingress Hierarchical Policing on Engine 5
This release introduces an enhancement to Ingress Hierarchical Policing. The policer does not discard the conforming traffic on the child policy. Excess credits of the parent policer are shared.
New Hardware and Software Features in Cisco IOS Release 12.0(32)SY1 to Cisco IOS Release 12.0(32)SY2
There are no new hardware or software features in Cisco IOS Release 12.0(32)SY1 to Cisco IOS Release 12.0(32)SY2.
New Hardware Features in Cisco IOS Release 12.0(32)SY
This section describes new and changed features in Cisco IOS Release 12.0(32)SY. Some features may be new to Cisco IOS Release 12.0(32)SY but were released in earlier Cisco IOS software releases. Some features may have been released in earlier Cisco IOS software releases and have been changed in Cisco IOS Release 12.0(32)SY. To determine if a feature is new or changed, see the feature history table at the beginning of the feature module for that feature. Links to feature modules are included below. If a feature listed below does not have a link to a feature module, that feature is documented only in the release notes, and information about whether the feature is new or changed is available in the feature description provided below.
•
•
•
•
•
SPA-8X1FE-TX-V2
This release introduces the SPA-8X1FE-TX-V2. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_hw/32sy/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_swcs/1232sy/index.htm
SPA-1X10GE-L-V2
This release introduces the SPA-1X10GE-L-V2. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_hw/32sy/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_swcs/1232sy/index.htm
SPA-5X1GE-V2
This release introduces the SPA-5X1GE-V2. For details about this feature, see the Cisco documents at the following locations:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_hw/32sy/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_swcs/1232sy/index.htm
SPA-10X1GE-V2
This release introduces the SPA-10X1GE-V2. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_hw/32sy/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_swcs/1232sy/index.htm
SPA-2XOC12-POS SPA Support on Cisco 12000
This release introduces the SPA-2XOC12-POS SPA support on the Cisco12000 router. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_hw/32sy/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_swcs/1232sy/index.htm
SPA-4XOC12-POS SPA Support on Cisco 12000
This release introduces the SPA-4XOC12-POS SPA support on the Cisco12000 router. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_hw/32sy/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_swcs/1232sy/index.htm
SPA-8XOC12-POS SPA Support on Cisco 12000
This release introduces the SPA-8XOC12-POS SPA support on the Cisco12000 router. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_hw/32sy/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_swcs/1232sy/index.htm
SPA-4XOC3-POS-V2 SPA Support on Cisco 12000
This release introduces the SPA-4XOC3-POS-V2 SPA support on the Cisco12000 router. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_hw/32sy/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_swcs/1232sy/index.htm
SPA-8XOC3-POS SPA Support on Cisco 12000
This release introduces the SPA-8XOC3-POS SPA support on the Cisco12000 router. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_hw/32sy/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_swcs/1232sy/index.htm
New Software Features in Cisco IOS Release 12.0(32)SY
This section describes new and changed features in Cisco IOS Release 12.0(32)SY. Some features may be new to Cisco IOS Release 12.0(32)SY but were released in earlier Cisco IOS software releases. Some features may have been released in earlier Cisco IOS software releases and have been changed in Cisco IOS Release 12.0(32)SY. To determine if a feature is new or changed, see the feature history table at the beginning of the feature module for that feature. Links to feature modules are included below. If a feature listed below does not have a link to a feature module, that feature is documented only in the release notes, and information about whether the feature is new or changed appears in the feature description below.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
BGP Multipath Load Sharing for MPLS VPN over IP Tunnels for Cisco 12000 Engine 5 Line Cards
This release introduces BGP Multipath Load Sharing for MPLS VPN over IP Tunnels support on Engine 5 shared port adapters (SPAs) and SPA Interface Processors (SIPs) on Cisco 12000 series router. For details about this feature, see the Cisco documents at the following location:
MPLS VPNs over IP Tunnels:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s30/csgl3vpn.htm
BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS-VPN:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122sx/12218sxe/fsxeibmp.htm
Cisco 12000 Series Router SIP and SPA Software Configuration Guide
This release introduces support for the following SPAs:
•
•
•
•
•
•
•
•
•
For details about software configuration support for these SPAs, see the Cisco 12000 Series Router SIP and SPA Software Configuration Guide at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis12000/linecard/lc_spa/spa_swcs/1232sy/index.htm
Configuring RTP Header Compression for Cisco 12000 Series Routers
This release introduces Configuring RTP Header Compression for Cisco 12000 series routers. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120sy/120sy32/iphdcmp.htm
Cos-Based Tunnel Selection on Engine 5 Line Cards
This release introduces Cos-based Tunnel Selection (CBTS) on Engine 5 line cards. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s29/gscbts.htm
DPT (SRP) Support for the 1-port OC-192 SPA on 12000-SIP-600/601
This release introduces DPT (SRP) Support for 1-port OC-192 SPA on 12000-SIP-600/601. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s27/srpapsgs.htm
DPT (SRP) Support for the 2-port OC-48 SPA on 12000-SIP-600/601
This release introduces DPT (SRP) Support for the 2-port OC-48 SPA on 12000-SIP-600/601. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s27/srpapsgs.htm
Hierarchical QoS for MPLS VPN over IP Tunnels for Cisco 12000 Engine 5 and Engine 3 Line Cards
This release introduces Hierarchical QoS for MPLS VPN over IP Tunnels for IP Services Engine (ISE) for Engine 5 and Engine 3 line cards on the Cisco 12000 series router. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120sy/120sy32/hiershap.htm
Hierarchical Shaping for MPLS VPNs over IP Tunnels on the Cisco 12000 Series Internet Router
This release introduces Hierarchical Shaping for MPLS VPNs over IP Tunnels on the Cisco 12000 Series Internet Router. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120sy/120sy32/hiershap.htm
Inter-AS Hybrid for MPLS VPN over IP Tunnels
This release introduces Inter-AS Hybrid for MPLS VPN over IP Tunnels support on Engine 5 shared port adapters (SPAs) and SPA Interface Processors (SIPs) on the Cisco 12000 series router. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s31/hybrd10b.htm
IP Header Compression
This release introduces IP Header Compression. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120sy/120sy32/iphdcmp.htm
IP SLAs—LSP Health Monitor
For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t6/ht_hmon.htm
L2TPv3 Layer 2 Packet Fragmentation
For details about this feature, see the Cisco documents at the following locations:
Cisco IOS Software Configuration for the Cisco 10720 Internet Router:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s24/10720.htm
Layer 2 Tunnel Protocol Version 3:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s31/l2tpv31s.htm
L2TPv3 Like-to-Like Native for Cisco 12000 Engine 5 Line Cards
This release introduces support for customer-facing interfaces on Engine 5 shared port adapters (SPAs) and SPA Interface Processors (SIPs) on the Cisco 12000 series router. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s27/fslocal.htm
Layer 2 Local Switching
On the Cisco 12000 series Internet router, support was added for like-to-like local switching on customer-facing interfaces on Engine 5 shared port adapters (SPAs) and SPA Interface Processors (SIPs). For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s27/fslocal.htm
Layer 2 Tunnel Protocol Version 3:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s31/l2tpv31s.htm
Layer 2 Tunnel Protocol Version 3 on Cisco 12000 Engine 5 Line Cards
On the Cisco 12000 series Internet router, support was added for Engine 5 line cards, including shared port adapters (SPAs) and SPA interface processors (SIPs). For detailed information about this feature, see the Cisco document at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s31/l2tpv31s.htm
Layer 2 Virtual Private Network Interworking on Cisco 12000 IP Services Engine and Engine 5 Line Cards
This release introduces L2TPv3 Interworking for IP Services Engine (ISE) and Engine 5 line cards on the Cisco 12000 series router. For details about this feature, see the Cisco documents at the following locations:
Layer 2 Tunnel Protocol Version 3 on Cisco 12000 Engine 5 Line Cards:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s31/l2tpv31s.htm
Layer 2 Virtual Private Network Interworking
On the Cisco 12000 series router, support was added for IP Services Engine (ISE) and Engine 5 line cards that are configured for L2TPv3 tunneling. For details about this feature, see the Cisco documents at the following location:
Layer 2 Virtual Private Network Interworking:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s26/fsinterw.htm
Layer 2 Tunnel Protocol Version 3:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s31/l2tpv31s.htm
Microcode Manager for Multiservice Engine Line Cards on Cisco 12000 Series Routers
This release introduces Microcode Manager for Multiservice Engine Line Cards on Cisco 12000 Series Routers. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120sy/120sy32/microbun.htm
MPLS Embedded Management—LSP Ping/Traceroute for LDP
This release introduces MPLS Embedded Management—LSP Pin/Traceroute for LDP. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t6/ht_lspng.htm
MPLS LDP Autoconfiguration
This release introduces MPLS LDP Autoconfiguration. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s30/fsldpaut.htm
MPLS LDP—IGP Synchronization
This release introduces MPLS LDP—IGP Synchronization. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s30/fsldpsyn.htm
MPLS—LDP MD5 Global Configuration
This release introduces MPLS—LDP MD5 Global Configuration. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122sb/newft/122sb28/sb_md5.htm
MPLS VPN—Show Running VRF
This release introduces MPLS VPN—Show Running VRF. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122sb/newft/122sb28/sb_svrf.htm
MPLS VPN Carrier Supporting Carrier Support on the Cisco 10720 Router
Starting in Cisco IOS Release 12.0(32)SY, the Carrier Supporting Carrier feature is supported in an MPLS VPNs over IP Tunnels configuration on the Cisco 10720 router. For details about this feature, see the Cisco documents at:
Cisco IOS Software Configuration for the Cisco 10720 Internet Router:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s24/10720.htm
MPLS VPNs over IP Tunnels:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s30/csgl3vpn.htm
MPLS VPN Carrier Supporting Carrier over IP Tunnels for Cisco 12000 Engine 5 Line Cards
This release introduces support for the MPLS VPN Carrier Supporting Carrier over IP Tunnels feature on Engine 5 line cards, including shared port adapters (SPAs) and SPA Interface Processors (SIPs), on the Cisco 12000 series router. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s//120s31/hybrd10b.htm
MPLS VPNs over IP Tunnels
This release introduces MPLS VPNs over IP Tunnels support for Engine 5 shared port adapters (SPAs) and SPA Interface Processors (SIPs) on the Cisco 12000 series router. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s30/csgl3vpn.htm
Multicast-VPN—IP Multicast Support for MPLS VPNs
This release introduces the Multicast-VPN—IP Multicast Support for MPLS VPNs feature on Engine 5 shared port adapters (SPAs) and SPA Interface Processors (SIPs) on the Cisco 12000 series router. This feature allows a service provider to configure and support multicast traffic in a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) environment. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/122snwft/release/122s14/fs_mvpn.htm
PXF Accelerated IPv6 Multicast for 802.17 RPR
This release introduces support for PXF Accelerated IPv6 Multicast on the Dual Mode IEEE 802.17 RPR/SRP uplink card in SRP and RPR-IEEE mode on the Cisco 10720 internet router. For details about this feature, see the Cisco documents at:
Cisco IOS Software Configuration for the Cisco 10720 Internet Router:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s24/10720.htm
QoS: Enhanced show Commands for Active Policies
This release introduces support for the QoS: Enhanced Show Commands for Active Policies feature on Engine 5 shared port adapters (SPAs) and SPA Interface Processors (SIPs) on the Cisco 12000 series router. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122sb/newft/122sb28/sb_acpm.htm
Virtual Private LAN Service over MPLS on Cisco 12000 Series Router Line Cards
This release introduces Virtual Private LAN Service (VPLS) over MPLS on edge facing Engine 5 shared port adapters (SPAs) and SPA Interface Processors (SIPs) on the Cisco 12000 series router. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s32/vpls_qos.htm
VPLS Fast Reroute
This release introduces the VPLS Fast Reroute feature. For details about this feature, see the Cisco documents at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s32/vpls_qos.htm
VPLS QinQ
This release introduces support for 802.1ad (QinQ) on VPLS for version 2 Engine 5 shared port adapters (SPAs) and SPA Interface Processors (SIPs) on the Cisco 12000 series router. For details about this feature, see the Cisco documents at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s32/vpls_qos.htm
VRF-aware PBR
This release introduces the VRF-aware PBR (Policy-Based Routing) feature on IP Services Engine (ISE) and Engine 5 line cards. A VRF is an IOS route table instance for connecting a set of sites to a VPN service. This feature adds the ability to configure Policy-Based Routing on a VPN routing/forwarding instance.
For a detailed description of Policy-Based Routing, see the Cisco documents at:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800c60da.html#xtocid37534
For a details on configuring Policy-Based Routing, see the Cisco documents at:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800c60d2.html#23550
MIBs
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at:
http://tools.cisco.com/RPF/register/register.do
Limitations and Restrictions
The following sections contain information about limitations and restriction in Cisco IOS Release 12.0(32)SY that can apply to the Cisco 10720 series routers and Cisco 12000 platform.
Important Notes
The following sections contain important notes about Cisco IOS Release 12.0S that can apply to the Cisco 10720 series routers and Cisco 12000 platform.
Deferrals
Cisco IOS software images are subject to deferral. We recommend that you view the deferral notices at the following location to determine if your software release is affected:
http://www.cisco.com/public/sw-center/sw-ios-advisories.shtml
Field Notices and Bulletins
For general information about the types of documents listed in this section, see the following document:
http://www.cisco.com/warp/public/cc/general/bulletin/software/general/1654_pp.htm
•
•
•
•
Important Notes for Cisco IOS Release 12.0(32)SY9
This section describes important issues that you should be aware of for Cisco IOS Release 12.0(32)SY9.
The bgp default ipv6-nexthop Command
The bgp default ipv6-nexthop command has been introduced in Cisco IOS Release 12.0(32)SY9. This command enables BGP to choose the IPv6 next hop automatically for IPv6 address family prefixes. This command is enabled by default and is not shown in the running configuration. Use the no bgp default ipv6-nexthop command to disable automatic next-hop selection in situations when IPv6 next-hop selection is configured to propagate over IPv4 sessions. For more information about this new command, see the Cisco IOS IPv6 Command Reference at:
http://www.cisco.com/en/US/docs/ios/ipv6/command/reference/ipv6_01.html
Caveats
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in this section.
Because Cisco IOS Release 12.0(32)SY is based on Cisco IOS Release 12.0S, many caveats that apply to Cisco IOS Release 12.0S also apply to Cisco IOS Release 12.0(32)SY. For information on severity 1 and 2 caveats in Cisco IOS Release 12.0(32)SY, see the caveat parts of the Cross-Platform Release Notes for Cisco IOS Release 12.0S document located on Cisco.com.
In this section, the following information is provided for each caveat:
•
•
•
Note
This section consists of the following subsections:
Release 12.0(32)SY and Its Rebuilds
•
•
•
•
•
•
•
•
•
•
•
•
Resolved Caveats—Cisco IOS Release 12.0(32)SY10
Cisco IOS Release 12.0(32)SY10 is a rebuild release for Cisco IOS Release 12.0(32)SY. The caveats in this section are resolved in Cisco IOS Release 12.0(32)SY10 but may be open in previous Cisco IOS releases.
•
Symptoms: All packets toward a specific adjacency get black-holed. The output of show controllers rewrites command on the output E4 linecard indicates that a bad destination MAC is being used for the rewrite.
For example:
LC-Slot1# show controllers rewrites | b 192.168.2.1
Port-channel2 192.168.2.1 0x0E0307CC GigabitEthernet1/2/1 00E0812B28E5000E393CF5010800 ------------ incorrect
Conditions: This symptom is observed on a Cisco 12000 series Internet router that is running Cisco IOS Release 12.0(30)S and that is connected via a link-bundling interface (E4 LC) through a switch to numerous BGP peers, after one of the peers went down because of a long maintenance window.
Workaround: Clearing the adjacencies does not help; the only workaround possible is to remove link-bundling.
•
Symptoms: In certain configurations, when the neighbor router restarts, the following message and some tracebacks may appear:
%CLNS-3-LSPLISTERR: ISIS: LSP list traversal incomplete (ISIS)
Conditions: This symptom is observed when an ION image is running and ISIS is enabled.
Workaround: Configure "no isis optimize lspdb-walk" under "router isis."
•
Symptoms: An OSPFv3 neighbor may go down because of missing OSPFv3 hellos.
Conditions: This symptom is observed after upgrading to Cisco IOS Release 12.0(32)S.
Workaround: There is no workaround.
•
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
•
Symptoms: On a Cisco 12000 series router that is running Cisco IOS Release 12.0(31)S6, a Malloc failure is seen on "L3 Engine: 6 - Backbone 2P OC192/ 8P OC48 (20 Gbps)":
SLOT 10:Mar 29 12:41:01: %SYS-2-MALLOCFAIL: Memory allocation of 65556 bytes failed from 0x400DD7C8, alignment 32 Pool: Processor Free: 152456 Cause: Memory fragmentation Alternate Pool: None Free: 0 Cause: No Alternate pool
Conditions: Multicast should be enabled because the memory leak happens from "MDFS LC Process."
Workaround: Reload the linecard.
•
Symptoms: A static address may have an aggregate out label in the BGP and MPLS forwarding entry.
Conditions: This symptom is observed when there is a static route in a VRF, a directly connected network is added, and both the static and connected routes are redistributed to BGP. The BGP table will then have the connected prefix, and both the BGP and forwarding entries will match and have the aggregate out label. But when the connected network is shut down, BGP gets the static route, but the out label remains "aggregate."
Workaround: There is no workaround.
•
Symptoms: Multicast data loss may be observed while changing the PIM mode of MDT-data groups in all core routers.
Conditions: The symptom is observed while changing the PIM mode of MDT-data groups from "Sparse" to "SSM" or from "SSM" to "Sparse" in all core routers in a Multicast Virtual Private Network (MVPN).
Workaround: Use the clear ip mroute MDT-data group command to resolve the issue.
•
Symptoms: There were two symptoms reported for this problem:
1. Continuous increment in the mdfs reload count for some linecards.
2. Clearing of all entries in the global multicast routing table.
This leads to the loss of PIM neighborship with some peer routers.
Conditions: This problem is seen when the number of swidb or hwidb interfaces is at least 1638 in number, and the traffic is active.
Workaround: Configure additional interfaces, like a loopback interface, to resolve the reported issue. But there could still be wrong statistic updates and wrong show interface output.
•
Symptoms: Traffic engineering (TE) tunnel reoptimization fails and tunnel stuck in "RSVP signaling proceeding."
Conditions: Occurs when explicit path with loose next hops and one of the next hops is still reachable and that next hops is a dead-end.
Workaround: Use strict next hop addresses.
•
Symptoms: BGP router filters outbound routes to the peers when doing soft reset with specifying peer address using the clear ip bgp ip-address soft out command. However, the routes to be filtered are not deleted from the routing table on the BGP peer router.
Conditions: The symptom happens when removing and then reapplying an outbound route-map. When issuing the clear ip bgp neighbor-address soft out command for each peer in an update-group after applying the outbound route-map filtering policy. The withdraw for filtered prefixes is sent to the first peer specified in soft reset, but the next peers in the same update-group do not withdraw the routes.
Workaround: Perform a hard BGP reset using the clear ip bgp ip-address command.
•
Symptoms: A CHOC12 T1 continuously flaps when the T1 link that is connected to a third-party CE router flaps. With the Cisco router, the same issue is not observed.
Conditions: This symptom is observed under the following conditions:
–
–
Workaround: Disable "yellow detection" on the CHOC12 T1 link. For example, serial interface 12/0.7/6:0:
controller sonet 12/0
sts-1 7
no t1 6 yellow detection
! Wait for the T1 to stabilize.
t1 6 yellow detection
!•
Symptoms: The source MAC address is not learned properly for the bridge domain associated with a VFI instance.
Conditions: Traffic is from CE2------PE1------CE1 (locally switched). Source MAC addresses of packets from CE2 are not learned correctly. NetFlow is enabled on the interfaces of the PE.
Workaround: Disable NetFlow on the main interface.
•
Symptoms: A PVC flaps with the following error message:
ATM(ATM3/0/0.504): VC(17) Bad SAP received 00AD
Conditions: This symptom is observed on a Cisco 7600 with a FlexWAN and PAA3 when connected to a Cisco 12000 ATM interface and when the PVC is configured for bridging.
Workaround: There is no workaround.
•
Symptoms: The following traceback is seen on the console, and all the channelized serial links on the E3 LC flap.
SLOT 5:1d00h: %EE48-3-INVALID_CFG_DATA: Channel 4: Invalid configuration data. Channel type= 5 -Traceback= 40030F00 40417F44 40418208 40418444 404184B4 40418588 SLOT 5:1d00h: %EE48-3-INVALID_CFG_DATA: Channel 5: Invalid configuration data. Channel type= 5 -Traceback= 40030F00 40417F44 40418208 40418444 404184B4 40418588
Conditions: This symptom occurs with all the serial links configured on a Channelized OC48-DS3/Engine 3 card. Serial interfaces flap, bringing down BGP/OSPF for no apparent reason. No configs were done.
Workaround: There is no workaround.
•
Symptoms: A Cisco 12000 series Internet router that is running Cisco IOS Release 12.0(32)SY7 crashes by Unexpected exception to CPUvector 300.
Conditions: This crash occurs after deleting a couple of subinterfaces that belong to different VRFs. There are many different VRFs and different subinterfaces configured on the router that runs Cisco IOS Release 12.0(32) SY7.
Workaround: Make sure to always shut down the subinterfaces before deleting them.
•
Symptoms: Traffic is not flowing for some VCs through an SR-APS interface.
Conditions: This symptom is observed after a linecard reload and router reload.
Workaround: Shut/no shut the SR-APS interface.
•
Symptoms: Given the following topology:
CE1 <-->PE1 <---->P<---->PE2<------>CE2
xconnect is configured on the serial link, and after the following steps are performed, a ping fails for the xconnect interface.
1) Configure xconnect with HDLC encapsulation.
2) Remove the encapsulation and add PPP encapsulation.
Conditions: All interfaces should be up and running.
Workaround: Remove and add the xconnect configuration.
•
Symptoms: "no int loopback" with "advertise passive-only" causes a stuck prefix.
Conditions: This symptom is observed on a Cisco 7600 series router that is using an RSP720 with Cisco IOS Release 12.2(33)SRD.
Workaround:
–
Or with "advertise passive-only":
–
–
•
Symptoms: A session may go down one or more times before stabilizing in the up state.
Conditions: This symptom is observed when a BFD session is first coming up and the network is suffering from congestion.
Workaround: There is no workaround.
•
Symptoms: A SIP-601 is reset after local switching is configured. After the linecard comes up, traffic does not flow end to end on the local switching attachment circuit.
The issue is seen only when the Frame Relay frame size is less than 12 bytes (4 bytes FR header + 4 bytes FCS + 0-4 bytes payload) and when the NLPID value is 0x00 (that is, an invalid Frame Relay encapsulation). From RFC 2427:
An NLPID value of 0x00 is defined within ISO/IEC TR 9577 as the Null Network Layer or Inactive Set. Because it cannot be distinguished from a pad field, and because it has no significance within the context of this encapsulation scheme, an NLPID value of 0x00 is invalid under the Frame Relay encapsulation.
Conditions: Traffic should be enabled while doing local switching configurations.
Workaround: There is no easy workaround. Shut down the interface before the hw-module reload of the linecard.
•
Symptoms: 8-port OC48 E6 linecards crash when trying to bring up back-to-back connected or looped back (between two OC48 interfaces on the same E6 linecard) interfaces. This can also be seen when the optic cable/SFP is removed and inserted continuously between the back-to-back or loopback OC48 interfaces on the E6 linecard.
Conditions: On back-to-back connected or loopback (through two ports on the same linecard) connected E6 OC48 ports, performing a shut/no shut crashes the E6 linecards. Also, removing and inserting the optic cable/SFP repeatedly in the back-to-back or loopback connection (which is in the "no shut" state) between two OC48 ports on E6 cards crashes the E6 linecard.
Workaround: Configure clock source internal before configuring no shut.
•
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
•
Symptoms: An Engine 5 line card (SIP-x01) crashes when a QoS configuration is applied to a serial interface.
Conditions: This symptom is observed when applying a service policy to a serial interface with several classes with a Police + WRED configuration, with more than two of the following:
1. Class-default with WRED+Police action.
2. One or more classes matching on prec/dscp with WRED+Police action.
3. One or more classes matching on Access-group with WRED+Police action.
4. Any class with a "Match Any" condition with WRED+Police.
Workaround: There is no workaround. Such a policy is not supported.
•
Symptoms: A SIP 601 crashes in a PE router mvpn scenario.
Conditions: This symptom is observed while flapping core-facing or edge- facing interface.
Workaround: There is no workaround.
•
Symptoms: While redistributing OSPFv3 into BGP, the redistributed route flaps when the OSPFv3 topology changes.
Conditions: This symptom is observed when the cost of the redistributed route becomes better.
Workaround: There is no workaround.
Further Problem Description: As seen from the BGP debugs, RIB sends a DEL and ADD instead of a MODIFY.
•
Symptoms: Ping and traffic drops occur on LB local switching circuits.
Conditions: This symptom is observed when an RPR+ switchover is performed.
Workaround: There is no workaround.
•
Symptoms: The CEF process is hogging the CPU because of many incomplete fibidbs, because CEF was disabled and re-enabled.
Conditions: This symptom is observed in a scale testbed when an RPR+ switchover is performed.
Workaround: There is no workaround.
•
Symptoms: Entries for ABRs and ASBRs are missing from the OSPF route table. This results in inter-area and external routes being omitted from the Routing Information Base (RIB).
Conditions: The bug will only be seen when MPLS-TE tunnels are being used. Also, specifying non-default SPF timer values with timers throttle spf will increase the risk of hitting this bug.
Workaround: There is no workaround.
•
Symptoms: An E5 crashes when the show contr rewrite command is executed.
Conditions: This symptom is observed on a Cisco 12000 series Internet router that is configured with LB.
Workaround: There is no workaround.
•
Symptoms: The serial interface on a channelized OC48 linecard stays in the UP/DOWN state after encountering Layer 1 alarms (PRID or PAIS). The interface continues to be in the UP/DOWN state even after the Layer 1 alarms are cleared.
The interface is configured for PPP encapsulation, and path level delay triggers are enabled on this interface. The link shows UP, but the PPP negotiation will be stuck in Echo Request Sent.
Conditions: This symptom is observed with a 12.0(32)S11o-based image for channelized DS3 Engine 3 linecards with alarm delay triggers configured. The problem will be seen only with momentary path level alarms.
Workaround:
1. Perform a shut/no shut on the serial interface that is in the UP/DOWN state. However, this needs manual intervention every time.
2. Remove the alarm-delay triggers path 2500 command from the serial interface configuration. However, the side effect of this would cause the serial interface to flap.
•
Symptoms: A Cisco 12000 series Internet router may have missing lfib entries on linecards.
Conditions: This symptom is observed in Cisco IOS Release 12.0(32)s11o.
Workaround: Reload the linecard.
•
Symptoms: A customer experienced a single T1 flapping on controller 0/3/0. It would take between 2,500 and 3,000 path code violations and then drop and come back. It would do this about once every 15 minutes. Problems with our phones losing connectivity to a central call manager when a WAN circuit experiences a problem.
We use Multilink PPP to bundle three T1s for a 4.5-Mb circuit. If any one of the three T1s experiences even a minor issue, phones are resetting. However, we never lose Layer 3 connectivity. The edge router maintains its BGP peering across the Multilink PPP bundle, and none of our management applications ever sees a loss in connectivity.
We recently switched over to Multilink PPP from Multilink Frame due to a requirement by our MPLS provider. We did not have an issue using Multilink Frame; hence, we believe it is an issue with our configuration for Multilink PPP.
Conditions: This issue was first noticed in a 32S6r image, and some nodes running 32s11 showed similar symptoms.
Workaround: Perform a shut/no shut on the serial interface on the Cisco 12000 series side.
Further Problem Description: The root cause of this issue is that the customer was getting exposed to an inherent limitation of a timer that was being used in the T1/E1 line-state processing routine at the PLIM level. The malfunctioning of the timer would result in the PLIM not sending a line-state update message to the linecard and the route processor when a link flapped, and therefore the route processor would not bring the link down even when an alarm was present on the line. This would cause blackholing of traffic for some time until the L2 times out and the protocol comes down.
•
Symptom: A linecard crashes continuously when a microcode reload is performed.
Conditions: The interfaces of the crashing linecard are part of port-channel, and traffic is flowing via that linecard.
Workaround: There is no workaround.
•
Symptoms: Some packet loss is observed when traffic is fragmented on a Cisco 12000 series linecard. The issue has been reported using ping packets with a packet size larger than the egress interface MTU size.
Conditions: This symptom is observed on:
–
–
Workaround: Change the MTU size to prevent fragmentation from happening on the linecard.
•
Symptoms: IP-to-MPLS packets that need to be fragmented might be dropped.
Conditions: This symptom is observed when an E4+ line card is used as ingress and an E4+, E5, or E3 line card is used as egress.
Workaround: There is no workaround.
•
Symptoms: Tag rewrites are missing on linecards for one of the load-shareable interfaces.
Conditions: This symptom is observed on a Cisco 12000 series router that is running Cisco IOS Release 12.0(32)S11o.
Workaround: Shut/no-shut the interface.
•
Symptoms: A router crashes when NetFlow export configurations are applied and removed.
Conditions: This symptom is observed only when NetFlow export version 9 configurations are toggled.
Workaround: Use NetFlow export version 5 to export the flows.
•
Symptoms: For some VCs, traffic is not flowing through the SR-APS interface.
Conditions: This symptom is observed after a linecard reload and router reload.
Workaround: Perform a shut/no shut of the SR-APS interface.
•
Symptoms: Traffic stops flowing.
Conditions: This symptom is observed after the following procedure is performed:
1) First try ETH(vlan) to FR over MPLS (traffic is fine).
2) Change the dot1q interface to a QINQ interface on both the PE and the CE.
3) Then change back to dot1q on both the PE and the CE (traffic fails).
Workaround: Reload the linecard.
•
Symptoms: MVPN traffic is punted to the line-card CPU.
Conditions: This symptom is observed on the decap side of data mdt traffic.
Workaround: There is no workaround.
•
Symptoms: On the "P" router with four POS links, where two links are working as the primary and two links are working for redundancy; after a telco issue, both POS links go down due to transmission problems. The trigger for this issue is both links going down.
The P router sets LIB local binding changes to implicit null for several prefixes. After that, the PE routers have connectivity issues in some VRFs and do not go through a backup path using POS interface.
Looking into the PE routers that are connected to this P router, the following deviation was observed in their LFIB tables:
Router_PE# show mpls for 10.38.193.192 deLocal Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface 37 Pop tag 10.38.193.192/32 0 Gi3/0 10.125.93.222 MAC/Encaps=30/30, MRU=1530, Tag Stack{} 0000000000000000000000010100000000055FFF99FE000197D0ED808847 No output feature configuredRouter_PE# show ip cef 10.38.193.192 de10.38.193.192/32, version 72378, epoch 0, cached adjacency 10.125.93.222 0 packets, 0 bytes tag information set, shared, all rewrites owned local tag: 37 via 10.125.93.222, GigabitEthernet3/0, 3 dependencies next hop 10.125.93.222, GigabitEthernet3/0 valid cached adjacency tag rewrite with Gi3/0, 10.125.93.222, tags imposed {}It looks as though the P router sends a pop to the PE routers.
Conditions: This symptom is observed under the following conditions:
–
–
Workaround:
–
–
–
•
Symptoms: When the PE routes traffic with a default network, it suddenly stops forwarding the packets from the CE. The PE is still able to reach the Internet.
Conditions: The PE is configured with the ip default network command and has an Engine 5.
Workaround: Remove and re-add the ip default network command.
Further Problem Description: The issue was already reproduced on the CALO case.
•
Symptoms: The ISIS redistribution RIB has a stale route that is not removed after the original ISIS route is deleted when an interface is shut down. This can cause wrong ISIS database information and wrong routing information in the routing table.
Conditions: This symptom is observed when the router is an L1L2 router and the old ISIS route to be deleted after interface shutdown has a backup route from other routing protocols. If the ip routing protocol purge interface command is configured, the issue will not happen.
Workaround: Either configure the ip routing protocol purge interface command or enter the clear isis * command, which may resolve the problem temporarily.
•
Symptoms: When the delay triggers line command is executed under a controller, the configured values are not reflected in the running configuration.
Conditions: This symptom is observed in Cisco IOS Release 12.0(33)S and 12.0 (32)SY9 images.
Workaround: There is no workaround.
•
Symptoms: CPU utilization is high when there is a scaled configuration of more than 1000 interfaces and 100-pps traffic is being sent on UUT along with BGP and multicast traffic.
Conditions: This symptom is observed when several sessions are active and generating traffic.
Workaround: There is no workaround.
•
Symptoms: Upon an RPR+ switchover, a few MLPPP interfaces that are configured on an E3 1xChOC12 may start having ping failures.
Conditions: This symptom is observed with a Cisco IOS 12.0(32)S11p fc1 image.
Workaround: Perform a shut/no-shut on the ML interface.
•
Symptoms: PIM checksum errors are causing the joins to be dropped in the MVPN.
Conditions:
Topology:
ce3------BR(Pe)(IOS-XR)---------Pe1(IOS)---------source
Initially, we observed a null olist in the VRF mroutes on the Cisco IOS router. Ideally, in this case, a tunnel should have been there in the olist.
Then we checked if the tunnel joins are sent and received by the Cisco IOX and IOS routers, respectively, by enabling the PIM debugs on both routers.
The XR debugs confirmed that joins are sent out by the XR node. Then we checked the debugs on the Cisco IOS router.
Initially, we suspected that the problem is due to "not to us" messages. Then we checked the IP traffic statistics.
PE1# show ip trafficIP statistics: >>>>> PIMv2 statistics: Sent/Received Total: 2087399/4842053, 245046 checksum errors, 0 format errors Registers: 0/0, Register Stops: 0/0, Hellos: 571945/560676 Join/Prunes: 1515499/4036576, Asserts: 0/0, grafts: 0/0 Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0 Queue drops: 0PIMv2 statistics: Sent/Received Total: 2092509/4848529, 245374 checksum errors, 0 format errors Registers: 0/0, Register Stops: 0/0, Hellos: 573425/561965 Join/Prunes: 1519100/4041190, Asserts: 0/0, grafts: 0/0 Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0 Queue drops: 0PIMv2 statistics: Sent/Received Total: 2092834/4848711, 245396 checksum errors, 0 format errors Registers: 0/0, Register Stops: 0/0, Hellos: 573515/562041 Join/Prunes: 1519335/4041274, Asserts: 0/0, grafts: 0/0 Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0 Queue drops: 0 >>>>>We observed checksum errors.
Workaround: After seeing checksum errors in the IP traffic statistics, we tried shutting the core-facing interface in the olist. After that, the problem disappeared. When we added that interface back, the problem was reproduced again. We suspect the following to cause this issue.
When we have core and VRF interfaces on the egress LC (E5), the PIM packet has to be forwarded on the core-facing interface and also has to be punted to the RP. In the E5, this is done by recycling the packet. In the first cycle, the packet will be sent to the core interface; in the second cycle, the packet will be decapsulated and punted to the LC CPU.
Only the head gets recycled for different passes. The tail will be stored in the stingray. When the packet is punted to the LC CPU, the LC CPU will copy the tail from the stingray, attach it to the head, and send it to the RP. We suspect that this copy is not happening properly and the RP is seeing PIM checksum errors.
•
Symptoms: In an MVPN setup with a CE connected via an MLPPP interface, auto- RP packets are not being punted to the RP and the RP entry times out after 180 seconds.
Conditions: This symptom is observed either when a link flaps on a member of the MLPPP interface or when output QoS is applied on the MLPPP interface.
Workaround:
1) RP# clear ip mroute vrf <vpn> 224.0.1.40
2) LC# clear ip mds all
3) Configure static RP.
4) Remove the output policy on the outgoing Multilink.
•
Symptoms: A Cisco 7200 PE is dropping *small* frames on an AToM FRoMPLS tunnel.
Conditions: This symptom is observed in an FR IP IW case when frames that are less than 60 bytes are sent from a Cisco 12000 series router (PE on the other side).
Workaround: There is no workaround.
•
Symptoms: On a Cisco 12000 series router with ISE line cards and an IPv6 ACL, after a reload or RP switchover, the ACL does not match traffic correctly.
Conditions: This applies to IPv6 ACL.
Workaround: Delete and recreate the ACL.
•
Symptoms: IPv6 multicast traffic drops are observed when IPv6 multicast traffic is sent at a high rate. These multicast packets are punted to the RP; this can be seen through the show ipv6 mflib <multicast address> CLI.
Conditions: This symptom is observed upon router reload.
Workaround: There is no workaround.
•
Symptoms: An IPv6 ACL is not working on the ingress of an E3 engine.
Conditions: Apply the IPv6 ACL on the ingress of the E3 engine, remove the ACL, and then reapply the same ACL on the same interface.
Workaround: Reload the linecard.
Resolved Caveats—Cisco IOS Release 12.0(32)SY9a
Cisco IOS Release 12.0(32)SY9a is a rebuild release for Cisco IOS Release 12.0(32)SY9. The caveats in this section are resolved in Cisco IOS Release 12.0(32)SY9a but may be open in previous Cisco IOS releases.
•
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
•
Symptoms: When a large number of AS numbers (both 2-byte AS numbers and 4- byte AS numbers) are included in the update message from a new neighbor to an old neighbor, the update message, although sent from the new neighbor, is not accepted on the old neighbor. Hence the path is not propagated further.
Conditions: This issue occurs only with an update message from a new neighbor to an old neighbor and only if the update message contains a large number of 2-byte and 4-byte AS numbers. This issue is applicable to all trains where the 4-byte AS feature is implemented.
Workaround: This issue is seen only when the neighbor that supports 4-byte AS sends an update to neighbors that do not support the 4-byte AS and when the path has a large number of AS numbers. This would not occur if both neighbors are 4-byte AS compliant.
Normally in the Internet, the number of AS values on a normal path or prefix is somewhere between 2 and 20, and for VPN prefixes it would be even fewer with a range of around 2 to 7. So if some erroneous upstream peer sends prefixes with a large number of AS numbers, it should be stopped from propagating further. The current issue will not be seen if the AS numbers are limited. This can be done by using the bgp maxas-limit command under router bgp. As a conservative approach, it would be safe to configure the bgp maxas-limit command to a value of 40 because this is a pretty decent value of the number of AS numbers that a prefix should have and is quite higher than the normal Internet values mentioned earlier. This would enable all the prefixes to be exchanged properly without encountering the current problem and would also stop the prefixes with a large number of AS values from being propagated further.
Further Problem Description: When a new neighbor sends an update message to an old neighbor, it must include both 4-byte AS numbers and 2-byte AS numbers (23456) corresponding to each 4-byte AS. While allocating size for the update message, only the total AS path length is considered; the extra space 2-byte AS inclusion for each 4-byte is not considered. This leads to the update message skipping inclusion of nlri and nexthop, which are appended after the AS path, due to a size constraint; hence the problem.
•
Symptoms: IP-to-MPLS packets that need to be fragmented might be dropped.
Conditions: This symptom is observed when an E4+ line card is used as ingress and an E4+, E5, or E3 line card is used as egress.
Workaround: There is no workaround.
•
Symptoms: MVPN traffic is punted to the line-card CPU.
Conditions: This symptom is observed on the decap side of data mdt traffic.
Workaround: There is no workaround.
•
Recent versions of Cisco IOS Software support RFC4893 ("BGP Support for Four-octet AS Number Space") and contain two remote denial of service (DoS) vulnerabilities when handling specific Border Gateway Protocol (BGP) updates.
These vulnerabilities affect only devices running Cisco IOS Software with support for four-octet AS number space (here after referred to as 4-byte AS number) and BGP routing configured.
The first vulnerability could cause an affected device to reload when processing a BGP update that contains autonomous system (AS) path segments made up of more than one thousand autonomous systems.
The second vulnerability could cause an affected device to reload when the affected device processes a malformed BGP update that has been crafted to trigger the issue.
Cisco has released free software updates to address these vulnerabilities.
No workarounds are available for the first vulnerability.
A workaround is available for the second vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
•
Symptoms: In an MVPN setup with a CE connected via an MLPPP interface, auto- RP packets are not being punted to the RP and the RP entry times out after 180 seconds.
Conditions: This symptom is observed either when a link flaps on a member of the MLPPP interface or when output QoS is applied on the MLPPP interface.
Workaround:
1) RP# clear ip mroute vrf vpn 224.0.1.40
2) LC# clear ip mds all
3) Configure static RP.
4) Remove the output policy on the outgoing Multilink.
Resolved Caveats—Cisco IOS Release 12.0(32)SY9
Cisco IOS Release 12.0(32)SY9 is a rebuild release for Cisco IOS Release 12.0(32)SY. The caveats in this section are resolved in Cisco IOS Release 12.0(32)SY9 but may be open in previous Cisco IOS releases.
Basic System Services
•
Symptoms: Multicast traffic is getting dropped due to "Runt Packets."
Conditions: On the Engine 5 line card when multicast traffic is going out of two interfaces, of which one is a QinQ, then the other interface might detect runt or corrupt packets.
Workaround: There is no workaround.
•
Symptoms: When "no aaa new-model" is configured, authentication happens through the local even when tacacs is configured. This happens for the exec users under vty configuration.
Conditions: Configure "no aaa new-model," configure login local under line vty 0 4, and configure login tacacs under line vty 0 4.
Workaround: There is no workaround.
•
Symptoms: All L2VPN traffic is dropped for more than 1 minute around 20 to 30 seconds after another linecard is reinserted.
Conditions: This symptom is observed under the following conditions:
–
–
–
–
Workaround: Remove the rx-slot-cos part of the configuration.
•
Symptoms: In a Carriers Carrier, the CSC-PE router advertises wrong out-label. This causes the end-to-end LSP to be broken in the CSC network, and all traffic is dropped.
This problem is observed by enabling the show ip bgp label command on CSC-CE. See "Out Label" of the route is "imp-null."
Conditions: This condition is observed in routers that are running Cisco IOS Release 12.0(32)SY6.
Workaround: Configure neighbor {ip-address | peer-group-name} next-hop-self on CSC-PE.
•
Symptoms: A SIP 601 crashes in a PE router MVPN scenario.
Conditions: This symptom is observed while flapping core-facing or edge-facing interface.
Workaround: There is no workaround.
•
Symptoms: "oam-ac emulation" gets disabled.
Conditions: This symptom is observed when we configure "oam-ac emulation" or when the router is reloaded or the RP gets switched over "twice."
Workaround: Re-apply the commands to all L2 VCs after a switchover or after the router reloads.
•
Symptoms: In reloading the E5 with CT3, it resets three to four times, and also the core-facing E5 with 10x1GE crashes a couple of times before stabilizing.
Conditions: This symptom is observed in a scale testbed that is running an MVPN profile.
Workaround: Stop the traffic until the linecard comes up and then start the traffic.
•
Symptoms: QoS class of service queues are in an unallocated state on the standby RP on a router configured in SSO mode upon router reload.
Conditions: The following conditions should exist to hit this DDTS:
–
–
–
Workaround: There are two workarounds:
–
–
•
Symptoms: Entries for ABRs and ASBRs are missing from the OSPF route table. This results in inter-area and external routes being omitted from the Routing Information Base (RIB).
Conditions: The bug will only be seen when MPLS-TE tunnels are being used. Also, specifying non-default SPF timer values with timers throttle spf will increase the risk of hitting this bug.
Workaround: There is no workaround.
•
Symptoms: The standby PRP2 crashes many times during a reload.
Conditions: The problem occurs only during the boot-up process. The router:
–
–
–
–
Workaround: There is no workaround.
Further Problem Description: The standby processor crashes many times during boot-up when the router has a high scale (a large configuration) and many MLPPP interfaces.
The problem happens on a Cisco 12000 series Internet router with two PRP2s that are working in SSO mode and that are running Cisco IOS Release 12.0(32) SY6e.
After the reload, exactly when MLPPP is coming up (establishing), the Cisco 12000 series Internet router suffers high CPU utilization and it loses communication with the standby router for some seconds. When the timeout occurs (when the time expires), the router requests the standby PRP to reset.
•
Symptoms: ISIS adjacency is not established with an E4 SRP linecard.
Conditions: This symptom is observed when ISIS is configured between SRP interfaces with at least one end having an E4 SRP linecard.
Workaround: There is no workaround.
•
Symptoms: A remote third-party device is resetting the IPv6 BGP session with a Cisco 12000 router.
Conditions: BGP is exchanging only IPv6 capability with the remote EBGP peer, but IPv4 capability will be enabled by default. The remote EBGP peer is sending only IPv6 capability, and we should advertise only IPv6 prefixes because that is the capability negotiated. We are wrongly marking IPv4 capability as negotiated and advertising IPv4 prefixes, and the remote neighbor is resetting the session because IPv4 capability is not negotiated at the peer end.
Workaround: Configure a route map to deny all IPv4 prefixes, and apply it as follows:
Route-map deny-ipv4 deny 10
Router bgp <asnum>
address-family ipv4
Neighbor <IPv6Address> activate
Neighbor <IPv6Address> route-map <deny-ipv4> outResolved Caveats—Cisco IOS Release 12.0(32)SY8
Cisco IOS Release 12.0(32)SY8 is a rebuild release for Cisco IOS Release 12.0(32)SY. The caveats in this section are resolved in Cisco IOS Release 12.0(32)SY8 but may be open in previous Cisco IOS releases.
•
Symptoms: After a Stateful Switchover (SSO) occurs on a Cisco 7500 series, the traffic interruption may last longer than you would expect.
Conditions: This symptom is observed on Cisco 7500 series that runs Cisco IOS Release 12.2(22)S and that is configured with a Route Switch Processor 4 or 8 (RSP4 or RSP8) when the router is configured with a large number (100,000) of Border Gateway Protocol (BGP) routes and Ethernet interfaces that process traffic.
Workaround: There is no workaround. One way to help reduce the length of the traffic interruption is to add static ARP entries.
•
Symptoms: Upon an SSO switchover, on the new active RP, the MFR interface shows the default bandwidth value instead of the actual bandwidth, which is based on the available bundle links.
Conditions: This symptom is observed on a Cisco 7600 router that is running 12.2SR software and on a Cisco 12000 series Internet router that is running 12.0SY software.
Workaround: Recycle the MFR interface to reset the bandwidth to the correct value.
•
Symptoms: IS-IS protocol packets may not be classified as high-priority. When this situation occurs during stress conditions and when the IS-IS protocol packets are mixed with other packets, the IS-IS protocol packets may be dropped because of their low-priority.
Conditions: This symptom is observed on a Cisco platform that is configured for Selective Packet Discard (SPD).
Workaround: Ensure that DSCP rewrite is enabled and then enter the following command:
mls qos protocol isis precedence 6
•
Symptoms: SSLVPN service stops accepting any new SSLVPN connections.
Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections, due to a vulnerability in the processing of new TCP connections for SSLVPN services. If "debug ip tcp transactions" is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed. This vulnerability is documented in two separate Cisco bug IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.
•
Symptoms: An ATM local switching connection is up on a Cisco 7600. If the ATM interfaces are removed via the SONET controller (these are channelized ATM interfaces; hence they are dynamically created from "controller SONET..." configuration), the Cisco 7600 will reload when a "show running-config" command is issued.
Conditions: This symptom always occurs for SONET controller ATM interfaces doing local switching if the above sequence of steps is done.
Workaround: Unconfigure all ATM local switching connections (configured via the "connect ..." command) before removing the ATM interfaces via the SONET controller.
•
Symptoms: On a pseudowire that is configured on an OC-12 ATM interface, when you delete the oam-ac emulation-enable command, enter the write memory command, and then initiate an SSO switchover, the new standby PRE continues to reboot because of a configuration mismatch with the new active PRE.
Conditions: This symptom is observed on a Cisco 10000 series when the new active PRE has the oam-ac emulation-enable command in its configuration but the new standby PRE does not, causing a configuration mismatch. The symptom may not be platform-specific.
Workaround: Reload the new active PRE, then remove the oam-pvc manage 0 command from its configuration.
•
Symptoms: A PE that is part of a confederation and that has received a VPNv4 prefix from an internal and an external confederation peer, may assign a local label to the prefix despite the fact that the prefix is not local to this PE and that the PE is not changing the BGP next-hop.
Conditions: The symptoms are observed when receiving the prefix via two paths from confederation peers.
Workaround: There is no workaround.
Further Problem Description: Whether or not the PE will chose to allocate a local label depends on the order that the multiple paths for this VPNv4 prefix are learned. The immediate impact is that the local label allocated takes up memory in the router as the router will populate the LFIB with the labels.
•
Symptoms: Netflow cache runs out of space for new flow entry when customer uses heavy traffic.
Conditions: Large amount of traffic which could exhaust netflow cache.
Workaround: There is no workaround.
•
Symptoms: When you remove the neighbor peer-group-name fall-over bfd command for a peer group, the configuration is not removed from the members of the peer group, and the members may still register with through Bidirectional Forwarding Detection (BFD).
Conditions: This symptom is observed on a Cisco router that has the following configuration:
router bgp as-number
neighbor peer-group-name peer-group
neighbor peer-group-name remote-as as-number
neighbor peer-group-name fall-over bfd
neighbor ip-address peer-group peer-group-nameWhen you enter the neighbor peer-group-name fall-over bfd command, the IP address that is associated with this command is not removed.
Workaround: Remove and reconfigure the neighbor.
•
Symptoms: MPLS LDP autoconfig functionality is broken in OSPF.
Conditions: This symptom is observed in the following two scenarios:
–
–
Workaround: Enable the specific area with the following command:
mpls ldp autoconfig area X
•
Symptoms: Several features within Cisco IOS software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked, transit traffic will not block the interface.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory. This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
•
Symptoms: The v6-vrf-lite configuration does not synch properly with the standby; hence 100 percent of the traffic is lost after an SSO switchover.
Conditions: The conditions under which this symptom is observed are unknown.
Workaround: There is no workaround.
•
Symptoms: Router may crash @ipflow_fill_data_in_flowset when changing flow version.
Conditions: Occurs when netflow is running with data export occurring while manually changing the flow-export version configuration from version 9 to version 5 and back to version 9 again.
Workaround: Do not change the netflow flow version while the router is exporting data and routing traffic.
•
A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:
–
–
–
–
Workarounds that mitigate this vulnerability are available in the "workarounds" section of the advisory. The advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
•
Problem Description: When eBGP sessions that carry a full routing table (200,000+ routes) are brought up, a prolonged period of 100-percent CPU utilization (5 to 7 minutes) is experienced.
During this time, the router is unresponsive in the CLI, and it stops responding to icmp/snmp polls.
The router is a Cisco 12406/PRP and is running Cisco IOS Release 12.0(32)S5 (c12kprp-k4p-mz.120-32.S5).
When bringing up a BGP session with a full routing table, the router seems to load the first several thousand prefixes quickly and then stops dead for several minutes before loading the rest.
Workaround: After changing the outbound prefix list on the eBGP session to a deny all (ip prefix-list test-nothing-out seq 1 deny 0.0.0.0/0 le 32), clearing the BGP session does not produce the problem anymore.
•
Symptoms: The line protocol of the serial interface keeps flapping.
Conditions: This symptom is observed after the Atlas BERT pattern is run on a fractional T1 (1 or 2 timeslots).
Workaround: Add/Remove the T1.
•
Symptoms: SSLVPN service stops accepting any new SSLVPN connections.
Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections, due to a vulnerability in the processing of new TCP connections for SSLVPN services. If "debug ip tcp transactions" is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed. This vulnerability is documented in two separate Cisco bug IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.
•
Symptoms: BGP peers are stuck with table versions of 0. BGP peers do not announce any routes to neighbors.
Conditions: Whenever the interfaces flap with online insertion and removal (OIR) multiple times, all of the BGP peers using such interfaces for peering connections encounter this issue.
Workaround: Delete and reconfigure the neighbor.
•
Symptoms: A Catalyst 6500 or a Cisco 7600 may reload unexpectedly.
Conditions: Occurs when NetFlow is configured on one of the following:
–
–
Workaround: Disable NetFlow. This is done with the following commands:
no ip flow ingress
no ip flow egress
no ip route-cache flowEnter the appropriate command for each subinterface for which NetFlow is currently configured.
Other Notes:
Only the 12.2SRC and 12.2SXH code trains are affected. The specific versions affected are 12.2(33)SXH, 12.2(33)SXH1, 12.2(33)SXH2, 12.2(33)SXH2a, 12.2(33)SRC, and 12.2(33)SRC1.
The issue is fixed in the two affected code trains from the 12.2SXH3 and 12.2SRC2 releases onwards. However, for the SXH train, Cisco would recommend the use of SXH4 due to ddts CSCso71955.
The following release trains do not have this issue: 12.2(18)SXF, 12.2(33)SRA, 12.2(33)SRB, 12.2(33)SXI, and all other release trains after those affected.
•
Symptoms: A traceback is seen on the E3 and E5 line cards.
Conditions: This symptom is observed under normal traffic conditions after a clear ip route * command is issued.
Workaround: There is no workaround.
•
Symptoms: The following error messages are received on a 1xoc12 eng3 line card:
SEC 8:May 16 06:41:09.216: %IDBINDEX_SYNC-3-IDBINDEX_ENTRY_SET: Cannot set
entry to interface index table: "", 73
-Process= "RP Standby", ipl= 0, pid= 63
-Traceback= 20A640 20A748 11D29D8 27F7A8 281F80 439B64 436AC4 5187B8 4FF360
5006FC 523434 240B7C 5C0514 5C0A14 34BC74 350B0C
SEC 8:May 16 06:41:09.216: %FIB-2-HW_IF_INDEX_ILLEGAL: Attempt to create CEF
interface for Serial4/0.1/1:1 with illegal index: -1
-Traceback= 20A640 20A748 178438 17A198 17A7E8 17A980 439C1C 436ACC 5187B8
4FF360 5006FC 523434 240B7C 5C0514 5C0A14 34BC74
SEC 8:May 16 06:41:09.216: %EERP-2-UIDB_ERR: Unable to allocate resources.
Null fibhwidb for free 0Conditions: This symptom is observed when either of the two tasks mentioned below is performed in the specific order and HA is configured in SSO mode.
A. Configure/Unconfigure channels:
1. Under sonet framing, configure some T1 lines.
2. Unconfigure these T1 lines.
3. Change the framing to sdh and configure some E1 lines.
4. Unconfigure these E1 lines.
5. Change the framing to sonet and configure some T1 lines.
B. Change framing:
1. Change the framing without deleting all the channels; a warning message to delete all channels before changing the framing will be issued.
2. Delete all the channels.
3. Change the framing multiple times from sonet to sdh, from sdh to sonet, and then from sonet to sdh again.
Workaround: There is no workaround.
•
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
•
Symptom: Serials that are part of MLPPP/MFR remain in a down state. This issue can also happen for serial interfaces with PPP, FR, and HDLC encapsulation.
Conditions: This symptom is observed when T1/E1 controllers remain down. Trigger for this issue is not clear.
Workaround: There is no workaround.
•
Symptoms: Line cards get stuck in the WAITRTRY state after an RP switchover and a router reload.
Conditions: This symptom is observed on a Cisco 12810 and 12816 Internet series router that is booted with Cisco IOS Release 12.0(32)S11. The symptom is seen on both E4+ and E6 line cards and also during reload.
Workaround: There is no workaround.
•
A series of TCP packets may cause a denial of service (DoS) condition on Cisco IOS devices that are configured as Easy VPN servers with the Cisco Tunneling Control Protocol (cTCP) encapsulation feature. Cisco has released free software updates that address this vulnerability. No workarounds are available; however, the IPSec NAT traversal (NAT-T) feature can be used as an alternative.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml.
Note: The March 25, 2009, Cisco IOS Security Advisory bundled publication includes eight Security Advisories. All of the advisories address vulnerabilities in Cisco IOS Software. Each advisory lists the releases that correct the vulnerability or vulnerabilities in the advisory. The following table lists releases that correct all Cisco IOS Software vulnerabilities that have been published in Cisco Security Advisories on March 25, 2009, or earlier.
http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml
•
Symptoms: A controller goes into an admin down state.
Conditions: This symptom is observed when an STS path under the SONET controller is shut down.
Workaround: Perform a no shutdown on the controller.
•
Symptoms: A TE tunnel from a mesh group disappears after the tailend router is reloaded.
Conditions: The IGP is OSPF, and OSPF is used to advertise the mesh-group membership. The problem appears only if the OSPF network type is point-to- point.
Workaround: Enter the clear mpls traffic-eng auto-tunnel mesh command after the TE tunnel disappears from the mesh group.
•
Symptoms: A router crashes because of a block overrun (overwriting the memory block).
Conditions: This symptom is observed only when NetFlow version 5 is used.
Workaround: NetFlow version 9 could be used for exporting.
•
Symptoms: Low BGP keepalive timer sessions flap too often during periods of high CPU utilization.
Conditions: This symptom is observed when low BGP keepalive timers are set (for example, 20/60, 10/30, 1/3). This symptom is specific to Cisco IOS Release 12.0S and 12.4T.
Workaround: Do not configure very aggressive BGP keepalive timers. Also, try not to overload the CPU.
•
Symptoms: An Engine 3 (E3) Channelized OC12 (CHOC12) line card can reload after a switchover in Route Processor Redundancy Plus (RPR+) mode.
Conditions: This symptom is observed on a Cisco 12416 Internet series router:
The router is booted with Cisco IOS Release 12.0(32)S11n and contains the following:
–
–
–
Workaround: There is no workaround.
•
Symptoms: When there is heavy traffic on the 10-GE SPA (that is, 80 percent or more of line rate), and the interface is shut/no shut, there is a low probability that the interface may become stuck and incorrectly send pause frames on the connected link, interrupting traffic flow.
Conditions: This symptom is observed when the link is shut/no shut while there is a high level of traffic on the link.
Workaround: Add and remove auto-negotiation on the interface configuration to recover the link.
•
Symptoms: The following messages are displayed in the syslog:
%QM-4-SW_SWITCH: Interface GigabitEthernet7/0/1.558 routed traffic will be software switched in egress direction(s)
Another symptom is that the "show policy-map interface" command for the affected interface displays "Class of service queue: 0" for all queues.
Conditions: These symptoms are observed on Engine 5 line cards when attaching to an interface a policy map that requires more WRED resources than what is available in the line card.
Workaround: Verify whether the line card has enough WRED resources available before attaching a new policy map to one of its interfaces.
Further Problem Description: On Engine 5 line cards, when attaching to an interface a policy map that requires more WRED resources than what is available in the line card, no verification for available WRED resources is performed and the command is accepted. This is because Engine 5 line cards, as opposed to Engine 3 line cards, have Line Card Based QoS Manager. Because the policy cannot be programmed in hardware (there are not enough RED resources), the traffic is punted to the line card CPU (that is, it is software-switched). This fix makes the error message more prominent.
•
Symptoms: The member link of a multilink bundle goes into an up/down state.
Conditions: This symptom is observed when multilink is swapped from one multilink bundle to another multilink bundle through a script.
Workaround: Enter the hw-module subslot slot/subslot reload command.
•
Symptoms: On removal of an xconnect from the L2 transport PVC (ATM portmode), the policy map is not removed and entries still exist.
Conditions: This symptom is observed when an xconnect is removed from the L2 transport PVC (ATM portmode).
Workaround: Remove the policy map first and then remove the xconnect configuration.
•
Symptoms: Redistributed routes are not being advertised after a neighbor flap.
Conditions: This symptom is observed if BGP is redistributing local routes and if there are multiple neighbors in the same update-group and then a neighbor flaps. For the flapped neighbor, some redistributed routes are not being advertised.
Workaround: Undo and redo the redistribution.
•
Symptoms: An engine 5 line card is queueing on egress the GRE precedence rather than the original IP packet precedence.
Conditions: This symptom is observed under the following conditions:
1. Send MVPN traffic.
2. Configure an egress QoS policy on the decap side.
3. Configure a QoS policy in the core to set the GRE IP precedence.
Workaround: There is no workaround.
•
Symptoms: A SIP-601 crashes while changing the CRC/encap/MTU on MLPPP and MFR.
Conditions: This symptom is observed under the following conditions:
1. Change the CRC of the members of the bundle (from crc 16 to 32 and then back again to crc 16).
2. Remove the members from the bundle.
3. Add serials back to MFR and MLPPP.
4. Change the MTU.
5. Flap the links (serials and bundle).
Workaround: There is no workaround.
•
Symptoms: On a Cisco 12404 that is running Cisco IOS Release 12.0(32)SY5, a SIP-401 reloads when lawful intercept (LI) is used on it.
Conditions: This symptom is observed when LI is activated.
Workaround: Deactivate LI.
•
Symptoms: IPv6 PIM RP embedded functionality is not working properly in Cisco IOS Release 12.0(32)S or Release 12.0(32)SY even after the fix for CSCsf28907.
Conditions: If a first-hop router (that is connected to the IPv6 multicast source) is configured for a PIM RP embedded operation, the register packets will not be sent to the RP and the mroute table will remain in the Registering state. No IPv6 multicast traffic will flow.
Workaround: Configure an IPv6 PIM static RP.
•
Symptoms: A router cannot be reloaded after the RP switches over three times.
Conditions: The router restarts three times, and each time due to watchdog timeout due to failure to allocate memory. This symptom is related to a flood of multicast messages. Once this symptom occurs, attempts to manually reload the router are unsuccessful as the NVRAM is locked, indicating that it is being updated.
Workaround: There really is no workaround except to manually remove and re- insert the RP or power-cycle the chassis.
•
Symptoms: Set cos is not being applied for VPLS packets in E5 Gig. The source MAC address of the VPLS packet from the disposition PE is getting corrupted.
Conditions: This symptom is observed only for VPLS packets in E5 cards when a service policy with set cos is applied to the egress interface of the disposition PE.
Workaround: There is no workaround.
•
Symptoms: An RP becomes stuck.
Conditions: This symptom is observed after an SSO mode redundancy force switchover is executed.
Workaround: Reload the secondary RP.
•
Symptoms: The following message is continuously seen on SSO switchover even if the maximum scale numbers are not configured.
%RP-3-ENCAP: Failure to allocate encap table entry, exceeded max number of entries, slot 3 (info 0xC0000
Conditions: This symptom is observed upon SSO switchover.
Workaround: Reload the RP.
•
Symptoms: The prefix of a serial interface that is configured for PPP or HDLC and that functions as a passive interface for IS-IS may not be installed in the local IS-IS database.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(18)SXF6 but is not release-specific.
Workaround: Remove and reconfigure the passive-interface command.
First Alternate Workaround: Enter the clear isis * command.
Second Alternate Workaround: Enter any command that triggers the generation of the local IS-IS database.
•
Symptoms: The delay triggers path delay command does not function as it is provisioned on an E3 CHOC12 controller.
Conditions: This symptom is observed on a Cisco 12000 Internet series router booted with c12kprp-p-mz.120-32.S11n. This router contains an E3 CHOC12 line card.
Workaround: There is no workaround.
•
Symptoms: If "set exp" is configured on the ingress AC, local switching (AC - AC) traffic does not copy the exp value to the cos bits in the egress direction.
Conditions: This symptom is observed with E3 as ingress and "set exp" configured on VPLS interface.
Workaround: There is no workaround.
•
Symptoms: In the case of E5 AToM QinQ, set cos is being set on the inner vlan_id.
Conditions: This symptom is observed in an E5 AToM with QinQ configuration that has set cos in the policy map.
Workaround: There is no workaround.
•
Symptoms: In E5 L2TPv3 dot1q set cos is not setting on the vlan-id.
Conditions: This symptom is observed in a configuration that has set cos in the policy.
Workaround: There is no workaround.
•
Symptoms: Before this BGP aspath memory optimization, the memory consumption for aspath has increased. With this memory optimization, the memory consumption for aspath has reduced.
Workaround: There is no workaround.
•
Symptoms: The show mac address-table bridge-domain domain command may display unexpected MAC addresses.
Conditions: This symptom has been reported on a Cisco 12000 series Internet router that is configured with VPLS. When a service policy with input policing is applied on an interface that also has bridge-domain configured and when police drops happen, ghost MAC addresses are present in the MAC address table for that bridge-domain ID.
Workaround: There is no workaround. But no immediate impact on system behavior has been observed.
Further Problem Description: This issue can occur with either ACL drops or policer drops on a VPLS-enabled interface. If there are no ACL or CAR drops, this issue will not occur.
This unexpected MAC address might conflict with another real MAC address and may lead to some other issues such as traffic being sent over the wrong interface for the same customer.
Let us assume that the customer is having two ACs on the same PE and that AC1 learned the proper MAC address and the unexpected MAC address. If this unexpected MAC address is a valid MAC address on AC2, then the traffic for this MAC address may be sent to AC1 instead of to AC2.
•
Symptoms: A line card on a Cisco 12000 series Internet router generates tracebacks during LI provisioning while installing a 50th tap request. After the appearance of the first traceback, LI functionality stops working for newly requested taps.
Conditions: This symptom is observed when there are 48 active taps and 2 new taps arrive.
Workaround: Reload the line card or the whole router.
•
Symptoms: When PEM PS is inserted, there is an increase in CPU utilization by the PowerMgr Main process. The utilization is from 10 percent to 99 percent; the difference is caused by inserting timing.
Conditions: This issue is observed under the following conditions:
–
–
–
–
Workaround: There is no workaround.
•
Symptoms: Pings fail on an MLPPP interface.
Conditions: There is an MFR interface used for L2 services such as xconnect and an MLPPP interface on the same SPA. When the member links are removed/added from these bundles back-to-back, the ping on the MLPPP interface may fail. This symptom is observed so far only on E5 cards.
Workaround: Reload the line card.
•
Symptoms: Whenever a service policy that has an action as bandwidth or shaping is applied as output to the core-facing interface in an imposition PE in a VPLS setup, the egress multicast packets that are passing through the core-facing interface are being dropped.
Conditions: This symptom is observed when:
–
–
Workaround:
1) Remove and re-add the bridge-domain.
2) Reload the ingress line card that has bridge-domain configured on it.
•
Symptoms: A customer observed the following messages in the log:
SLOT 0:Sep 26 13:30:48.693: %TX192-3-PAM_MODULE: status = 0x2, mask= 0x3F - MODULE: Error signal from PIM module. SLOT 0:Sep 26 13:30:48.697: %TX192-3-PAM_PIM: status = 0x2D6, mask= 0x181 - PIM: header start offset >= 16kB. SLOT 0:Sep 26 13:30:58.313: %TX192-3-PAM_MODULE: status = 0x2, mask= 0x3F - MODULE: Error signal from PIM module. SLOT 0:Sep 26 13:30:58.317: %TX192-3-PAM_PIM: status = 0x356, mask= 0x181 - PIM: header pkt length >= 16kB. SLOT 15:Sep 26 13:33:37.718: %TX192-3-PAM_MODULE: status = 0x2, mask= 0x3F - MODULE: Error signal from PIM module.
The PAM_PIM created confusion as it was being referred to Protocol Independent Multicast and not to the Packet Assembly Module/Packet Interface Module.
Conditions: This symptom occurs because of a corrupted packet.
Workaround: There is no workaround.
•
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.
In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.
Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.
•
Symptoms: A router may crash due to a bus error due to an illegal access to a low address because IPC is processing a message that is already returned back to the pool, but still the message's reference is present in IPC's retry table.
Conditions: The conditions under which this symptom occurs are not known.
Workaround: There is no workaround.
•
Symptoms: E4+ on a Cisco 12000 series Internet router stops exporting netflow. Show commands display that packets are correctly captured and exported.
Conditions: Traffic should flow through an E4+ and go out through an E5, which has to be MPLS enabled.
Workaround:
1) Change the outbound interface configuration to IP.
2) Add a static route for the NFC using the non-recursive next hop.
•
Symptoms: Default Q-limit is not getting doubled for low-speed interfaces.
1) Non-channelized SPA
2) For policy without queueing action on non-channelized SPA
Conditions: Default Q-limit for low-speed interfaces should be doubled as required.
This should be done only for low-speed interfaces. Rates that will get 64K queue-limit and above. i.e starting from 32K, the queue-limits will not get doubled.
For example, 64K in will be trimmed to 32K from this release onward and likewise for further queue-limits. Also, it is taken care that the class rate ranges 2097152 - above will get max_queue_depth of 256K as they always got.
For more info, please also refer to DDTS CSCsu60240.
Workaround: Reload the SPA.
•
Symptoms: An Engine 3 CHOC12 fails to bring the T1 controller link down when the delay triggers path command is configured.
Conditions: Shutting down the remote end T1 controller or CHOC12 T1 controller receive AIS will not cause the T1 link to go to down state.
Workaround: Do not configure the delay triggers path command on the CHOC12 SONET controller.
•
Symptoms: A router is not learning MAC addresses when unknown multicast traffic (packet size greater than min_mtu for that VFI towards core) is sent.
Conditions: This symptom is observed when the MTU of the core-facing interface is changed to some value less than the default value and then is increased back to the default. The min_mtu is stuck on the lesser value.
Workaround: There is no workaround.
•
Symptom: If a linecard is reset (either due to error or a command such as hw-module slot reload) at the precise time an SNMP query is trying to communicate with that LC, the RP could reset due to a CPU vector 400 error.
Conditions: In order to experience these symptoms the linecard is reset (either due to error or a command such as hw-module slot reload) at the precise time an SNMP query is received.
Workaround: There is no workaround.
•
Symptoms: On a Cisco 12000 series Internet router E5/SPA POS interface, FRR reroute may take up to 700 msec.
Conditions: This symptom is observed when the far-end RX fiber of the POS link is removed.
Workaround: Configure the pos delay triggers command on the interface to reduce delay in FRR.
Further Problem Description: When the RX fiber is removed on the far-end of the POS interface, the far-end router is supposed to send LRDI to the Cisco 12000 series Internet router, and the LRDI will trigger the FRR reroute. The E5/SPA current implementation is that remote end SONET alarm does not trigger FRR in interrupt mode; it triggers FRR only in process context, which may take up to 700 msec to converge.
•
Symptoms: A SIP-400 and SIP-601 crash continuously after the image is loaded.
Conditions: After the 32SY 11_23-date-coded image is loaded, SIP crashes when channelized SPAs come up.
Workaround: There is no workaround.
•
Symptoms: A SPA_PLIM-3-HEARTBEAT failure and tracebacks are seen for channelized SPAs. All the traffic in the ingress direction is dropped.
Conditions: With traffic present, configure aggregate NF scheme on 4XT3/E3 SPA; channelized SPAs get stuck in the booting state. (SIP comes up fine to IOS RUN state.)
Workaround: Perform a microcode reload to make the SPAs come up.
•
Cisco IOS software contains two vulnerabilities within the Cisco IOS WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely exploited without authentication to cause a denial of service condition. Both vulnerabilities affect both Cisco IOS WebVPN and Cisco IOS SSLVPN features:
1.
2.
Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
•
Symptoms: CEF Scanner takes high CPU for sustained periods of time around 10 minutes.
Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.0(32)S11n. It is seen under the following conditions:
–
–
–
Workaround: Configure a static route.
•
Symptoms: After a reboot, GEs remain down/down on a SPA-10X1GE-V2.
Conditions: This symptom is observed on a Cisco 12000 series Internet router that is using a 12000-SIP-601 with a SPA-10X1GE-V2 and Cisco IOS Release 12.0 (32)SY6.
Workaround: Shut and unshut the port that is down/down.
•
Symptoms: When a Cisco router is the Merge Point (MP) for a protected TE tunnel, and FRR is triggered, two things happen:
–
–
Conditions: When a competitor's router is a point of local repair (PLR) and a Cisco router is a merge point, then when FRR is triggered, the Cisco router drops the backup tunnel (in some cases immediately and in other cases after 3 minutes). This causes the primary tunnel that is protected by this backup to go down. The issue has been identified as related to the fact that session attribute flags (link/node protection desired) are being cleared by the competitor PLR when the Path is sent over the backup tunnel.
Workaround: There is no workaround.
•
Symptoms: An IPv6 ping fails on an E3 Gigabit line card because of a PRECAM 1 Exception.
Conditions: This issue pertains to the dropping of IPv6 packets because of a precam exception on the egress side. It looked as if the profile for IPv6 was wrong when IPv4 QoS was already applied even on different subinterfaces on the same port.
Workaround:
1) Add/Remove an ACL.
2) Add/Remove the subinterface.
•
Symptoms: In the case of egress MVPN QoS, some packets are going to the wrong queue.
Conditions: This symptom is observed with an egress MVPN QoS configuration.
Workaround: There is no workaround.
•
Symptoms: The no ppp lcp fast-start command is added to all PPP-encapsulation interfaces.
Conditions: This symptom is observed after a router is upgraded from Cisco IOS Release 12.0(32)SY7 to the latest 32sy throttle image.
Workaround: There is no workaround.
•
Symptoms: Given the following topology:
PE1 (CT32/2/1) <------- > (CT34/0/1) CE1
Configuring t1 <1-28> loopback remote line feac at PE1 and then removing the loopback causes the serial interface at CE1 to start flapping continuously.
Conditions: All the interfaces should be up and running.
Workaround: There is no workaround.
•
Symptoms: Policy is not applied, and CEF gets disabled.
Conditions: Load the latest 32sy8 with a large QoS policy on the E3 Gigabit line card.
Workaround: There is no workaround.
•
Symptoms: RTP timestamp is getting corrupted with a sequence of RTP packets.
Conditions: Conditions are FH/cRTP/cUDP/cRTP. cUDP is sent if there is some change in RTP header like the Marker bit is set, the payload type changes, the CSRC list is there. This symptom is seen only with the IPHC compression format.
Workaround: Configure the IETF compression format.
•
Symptoms: A router crashes.
Conditions: This symptom is observed when the copy scp: disk0: command is issued to transfer the file to disk0: of the router.
Workaround: There is no workaround.
•
Symptoms: A SIP-601 crashes continuously. The line card (LC) stops crashing when the SPA-1XCHSTM1/OC3 SPA is shut. The LC does not stop crashing with any other exercise like LC OIR, SPA OIR, or router reload.
Conditions: This symptom was observed while the router was being brought up. The router was initially shut and was later powered up.
Workaround: Shut the SPA to cause the LC to stop crashing.
•
Symptoms: In a scaled mVPN setup, expect PIM with other PEs over tunnel to flap when the master line card is reloaded.
Conditions: This defect can be observed with the latest 12.0(32)S- and 12.0(32)SY-based Cisco IOS images on the Cisco 12000 series Internet router.
Workaround: There is no workaround.
•
Symptoms: The following message is received from the standby RP:
SEC 8:Jan 13 23:11:09.991: SPA CHOCX ALARM MSG:
spa_chocx_update_sonet_ctrlr_alarm_status : mib is NULL plugin = 0xA7357E4
line_id = 0
SEC 8:Jan 13 23:11:09.991: -Traceback= 20E8FC 929F50 929E1C 929D64 928B58
928A98 9335D8 4FAA38 4C09E0 362A84 35EED8 35EF30 2F92DC
Jan 13 23:11:10.987 UTC: %SONET-4-ALARM: SONET 14/2/0: SLOS
Jan 13 23:11:10.987 UTC: %CONTROLLER-5-UPDOWN: Controller SONET 14/2/0,
changed state to down
SEC 8:Jan 13 23:11:10.991: spa_chocx_update_sonet_ctrlr_alarm_status :
mib is NULL plugin = 0xA7357E4 line_id = 0
SEC 8:Jan 13 23:11:10.991: -Traceback= 20E8FC 929F50 929E1C 929D64 928B58
928A98 9335D8 4FAA38 4C09E0 362A84 35EED8 35EF30 2F92DCConditions: This symptom is observed after the framing on the chstm1 spa card is changed.
Workaround: There is no workaround.
•
Recent research (1) has shown that it is possible to cause BGP sessions to remotely reset by injecting invalid data, specifically AS_CONFED_SEQUENCE data, into the AS4_PATH attribute provided to store 4-byte ASN paths. Since AS4_PATH is an optional transitive attribute, the invalid data will be transited through many intermediate ASes which will not examine the content. For this bug to be triggered, an operator does not have to be actively using 4-byte AS support.
The root cause of this problem is the Cisco implementation of RFC 4893 (4-byte ASN support) - this RFC states that AS_CONFED_SEQUENCE data in the AS4_PATH attribute is invalid. However, it does not explicitly state what to do if such invalid data is received, so the Cisco implementation of this RFC sends a BGP NOTIFICATION message to the peer and the BGP session is terminated.
RFC 4893 is in the process of getting updated to avoid this problem, and the fix for this bug implements the proposed change. The proposed change is as follows:
"To prevent the possible propagation of confederation path segments outside of a confederation, the path segment types AS_CONFED_SEQUENCE and AS_CONFED_SET [RFC5065] are declared invalid for the AS4_PATH attribute. A NEW BGP speaker MUST NOT send these path segment types in the AS4_PATH attribute of an UPDATE message. A NEW BGP speaker that receives these path segment types in the AS4_PATH attribute of an UPDATE message MUST discard these path segments, adjust the relevant attribute fields accordingly, and continue processing the UPDATE message."
The only affected version of Cisco IOS that supports RFC 4893 is 12.0(32)S12, released in December 2008.
For more information, please visit:
http://www.merit.edu/mail.archives/nanog/msg14345.html
•
Symptoms: With a nested policy map, when EF traffic is sent at police rate or above police rate, BFD flaps. The BFD timer is set to 999 ms*3, while the EF traffic average latency is only 50 to 70 microseconds.
Conditions: This symptom is observed when a nested policy is applied to ocpos3 and cht3 SPA with FR encapsulation.
Workaround: There is no workaround.
•
Symptoms: With a Cisco IOS Release 12.0(32)SY image, BGP I/O spikes CPU up to 9 percent because of a BGP neighbor flap with a single BGP neighbor. When multiple eBGP neighbors flap at the same time, the BGP I/O can sometimes spike up to approximately 20 percent.
Conditions:
bgp neighbor reset
Workaround: There is no workaround.
•
Symptoms: Packets get corrupted along the path. Extra padding is added to the packets, and the packets become unusable by the receiver application.
Conditions: Frame Relay VPWS between Cisco 12000 series Internet router's with small 25-byte non-IP packets.
Workaround: There is no workaround.
•
Symptoms: In MPLS VPN each tunnel is associated with one or more virtual routing and forwarding (VRF) instances. A VRF defines the VPN membership of a customer site attached to a PE router. Traffic entering a network on a non-VRF interface may be incorrectly forwarded to a VRF.
Note: Traffic from a VRF to another private or a public network is not incorrectly routed.
Conditions: This issue is only experienced in Cisco 12000 Series Internet Routers running Cisco IOS versions 12.0(32)S and 12.0(32)SY. Additionally, the affected device must have Netflow enabled and configured with an Engine 3 Line Card (LC).
This issue is only experienced in very rare conditions where routing table fluctuations take place as the result of route flapping.
Workarounds: As a workaround, create a default IP route destined to null 0 in the global routing table, as demonstrated in the following example:
ip route 0.0.0.0 0.0.0.0 null 0
•
Symptoms: In case of E5 FRoMPLS, small-sized frames that are less than 34 bytes are getting corrupted because of the padding that is being added. Traffic is not getting dropped as the L2 header (DLCI) is intact; only the extra padding that gets added to the payload is being dropped.
Conditions: This symptom is observed when E5 is acting as edge for FRoMPLS.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.0(32)SY7
Cisco IOS Release 12.0(32)SY7 is a rebuild release for Cisco IOS Release 12.0(32)SY. The caveats in this section are resolved in Cisco IOS Release 12.0(32)SY7 but may be open in previous Cisco IOS releases.
•
Symptoms: Adding a /31 netmask route on a Cisco router may not overwrite an existing /32 CEF entry.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.1(13)E4, Release 12.2, other 12.1 E releases, or Release 12.3. Any 12.2S release past 12.2(20)S is not affected.
Workaround: There is no workaround.
Further Problem Description: The fix for this caveat enables prefixes that are derived from adjacencies in the FIB to be periodically validated against covering prefixes that originate from the RIB. Validation ensures that an adjacency prefix is only active when it points out of the same interface as a covering attached prefix. To enable this validation, enter the ip cef table adjacency-prefix validate global configuration command.
Note that because validation is periodic, there could be a time lag between RIB changes and subsequent validation or withdrawal of covered adjacencies in the FIB.
•
Symptoms: A Data-link switching plus (DLSw+) circuit may not function when a TCP connection gets stuck. After about 90 seconds, the TCP connection is closed by DLSw+, and a new TCP connection is built for DLSw+. Once the new TCP connection is up, the DLSw+ circuit starts functioning again.
Conditions: This symptom is observed on a Cisco router that is configured with both a DLSw+ interface and an ATM interface.
Workaround: This is a possible workaround. Remove the ATM interface from the router. When you configure the DLSw+ interface and the ATM interface on different routers, the symptom does not occur.
•
Symptoms: The following message is observed in syslog/console.
%UTIL-3-IDTREE_TRACE: SSM SEG freelist DB:Duplicate ID free
Conditions: This symptom was observed during scalability testing of a large number (over 2000) of PPP sessions being brought up and torn down continuously.
Workaround: There is no workaround.
•
Symptoms: Memory corruption, possibly leading to a crash or other undesired behavior, can occur when the no default-information originate command is entered in router RIP configuration mode.
Conditions: This symptom occurs only if both the RIP routing protocol and the OSPF routing protocol are configured on a router.
Workaround: There is no workaround.
•
Symptoms: BGP convergence is very slow, and CPU utilization at the BGP Router process is always near 100 percent during the convergence at the aggregation router. This issue obviously shows the following tendencies:
1) The greater the number of component prefixes that belong to the aggregate- address entry, significantly slower convergence is seen at the aggregation router.
2) The greater the number of duplicate aggregation component prefixes for the aggregate-address entry, seriously slower convergence is seen at the aggregation router.
Conditions: Any release would be affected if "aggregate-address" is configured and routing updates are received every few seconds.
Workaround: Remove the "aggregate-address."
Further Problem Description: If you configure "aggregate-address" lines after BGP convergence has been achieved, the BGP process only holds about 60 or 80 percent of the CPU for about 1 minute. However, if you do peer reset after "aggregate-address" entries have been configured, the convergence time is about 32 minutes (it is about 6 minutes if "aggregate-address" entries are removed).
•
Symptoms: A static map configuration for an ATM PVC that uses the protocol ip ip-address command is rejected, giving an ambiguous command error.
Conditions: This symptom is observed when you configure a static map on an ATM PVC using the protocol ip ip-address command.
Workaround: Explicitly configure the [broadcast | no broadcast] option:
Router(config-if-atm-vc)# protocol ip 10.10.100.2 broadcast Router(config-if-atm-vc)# protocol ip 10.10.100.2 ? <cr> broadcast Pseudo-broadcast no Prevent Pseudo-broadcast on this connection <cr>Router(config-if-atm-vc)# protocol ip 10.10.100.2 no broadcast Router(config-if-atm-vc)#•
Symptoms: After executing the no ipv6 multicast-routing command on a dual-RP router, IPC communication to the standby RP may be broken, and the following messages may be seen every minute:
%IPCGRP-3-ERROR: standby set time: timeout seen
Conditions: This symptom is observed on a Cisco 12000 series router that is running the c12kprp-p-mz image of Cisco IOS Release 12.0(32)SY.
Workaround: Reload the router.
Further Problem Description: This bug is seen only while operating in SSO mode (not in RPR mode).
•
Symptoms: Bundle links are added or removed when an MFR bundle is in the Administrative Down state; when the bundle is brought back to the Up state, its interface bandwidth value is not properly reflected.
Conditions: This symptom is observed with Cisco IOS Release 12.2SRB software.
Workaround: Shutting a bundle link interface down and bringing it back up can refresh the bundle interface bandwidth value.
•
Symptoms: When many MLP sessions come up at once, the router may leak packet memory. In some cases, this may cause the router to reload.
Conditions: This symptom has been observed on Cisco 7600 and Cisco 12000 series routers. It may also occur on other models.
Workaround: There is no workaround.
•
Symptoms: The standby RP may reload unexpectedly because of a Redundancy Facility (RF) synchronization error.
Conditions: This symptom is observed on a Cisco router that is configured for SNMP, dMLP, and SSO.
Workaround: Do not configure SSO. Rather, configure RPR+.
•
Symptoms: A router may crash and return to ROMmon when it is configured with BGP and VPNs.
Conditions: This symptom is observed on a Cisco router when with BGP VPN import, a locally sourced path from VRF A is imported into VRF B and the bestpath of the exporting net is lost. The loss of the bestpath will trigger the crash if RIB installation takes place before import manages to clean up the imported path.
Workaround: There is no workaround.
•
Symptoms: CEF-switching does not function, and the output of the show adjacency interface interface-number detail command does not show any packets.
Conditions: This symptom is observed on a Cisco router when packets are switched to a multilink interface via CEF and when you enter the show adjacency interface interface-number detail command or a multilink interface.
Workaround: There is no workaround.
•
Symptoms: The standby router may crash in SSO mode.
Conditions: This symptom is observed when a multilink interface is removed and the partner router is reloaded.
Workaround: Use RPR-PLUS mode.
•
Symptoms: ARP may be refreshed excessively on the default interface, causing high CPU usage in the "Collection Process."
Conditions: This symptom is observed on a Cisco router that has point-to-point interfaces that have non-/32 interface addresses or secondary addresses and that constantly come up or go down.
Workaround: There is no workaround.
•
Symptoms: A ping does not yield a 100-percent result after you have entered the no set-overload-bit command for an IS-IS configuration.
Conditions: This symptom is observed on a Cisco 7200 series but is not platform-specific.
Workaround: There is no workaround.
•
Symptoms: A device crashes with a bus error when the show ip bgp dampening dampened-paths command is used.
Conditions: This symptom is observed when the show ip bgp dampening dampened-paths command is used and the device is at the "More" prompt to continue with remaining output, if the BGP session goes down at that time (for example, receiving a notification) or because of a clear ip bgp command from another vty.
Workaround: There is no workaround.
If dampening is configured, do not run:
sh ip bgp neighbors <x.x.x.x> dampened-routes
sh ip bgp dampening dampened-pathsWhich can cause this problem.
•
Symptoms: A VIP crashes when a multilink interface flaps.
Conditions: LFI on a multilink interface and QoS is configured on a port adapter installed in the VIP. When either the multicast interface, through which traffic is flowing, is cleared or the shut and no shut commands are entered.
Trigger: Multilink interface flap noticed.
Impact: Impacts normal functioning of the router.
Workaround: There is no workaround.
•
Symptom: After a reload, the following error message may be displayed if an OSPFv3 router redistributes large numbers of the external routes:
%OSPFv3-3-DBEXIST: DB already exist
No impact to the operation of the router has been observed.
Conditions: Redistribution is configured, and then router is reloaded.
Workaround: There is no workaround.
•
Symptoms: A few seconds after OSPF adjacencies come up, a router crashes because of a bus error.
Conditions: This symptom is observed on a Cisco router that functions as an ISR that is configured for OSPF.
Workaround: Add area 0 in the OSPF VRF processes.
Alternate Workaround: Enter the no capability transit command in the OSPF VRF processes.
•
Symptoms: OSPFv3 installs a reachability path without checking that the discard route is already there. As a result, the RIB has a route that load- balances between reachability and drop paths.
Conditions: This symptom may be observed if the summary- address command is configured with exactly the same address as one of the external routes received from a different router.
Workaround: There is no workaround.
•
Symptoms: Using the show isis timers command causes the router to crash.
Conditions: This symptom is observed on a router that is running Cisco IOS Release 12.0(31)S2y.
Workaround: There is no workaround.
•
Symptoms: Changing the encapsulation on a member of a multilink bundle while the bundle is up may cause the router to reload.
Conditions: This symptom has been observed when changing an interface that is an active member of a multilink bundle from PPP to Frame Relay encapsulation.
Workaround: Shut down the interface before changing the encapsulation.
•
Symptoms: In Eng3 ATM, when a subinterface flaps, traffic to certain destinations is forwarded to the wrong subinterface.
Conditions: This symptom is observed in Cisco IOS Release 12.0(32)S05 and 12.0 (32)S06. The symptom is not found in Cisco IOS Release 12.0(31)S2.
Workaround: There is no workaround; however, reloading the line card solves the problem.
•
Symptom: Using CLI to delete a child policy on a Cisco 7500 Series Router causes the VIP to crash.
Conditions: The router has a hierarchical QoS policy attached to an interface. Traffic is flowing through the QoS policy. There are BGP updates happening on the router. The no policy- map command is executed to delete the child policy. The router is running Cisco IOS Release 12.0(32)S6.
Workaround: There is no workaround.
•
Symptoms: Egress E0 - Two ports OC3 channelized to DS1/E1 are crashing continuously just as traffic starts.
Conditions: E0 - In an IP->Tag fragmentation case with E4/E4P/E6 POS cards as the ingress and E0 as the egress card, for certain frame sizes larger than the egress MTU, the E0 egress card crashes. This happens only with the E0 card as egress.
Workaround: Make sure that the packets sent are less than the egress MTU of the E0 linecard to avoid any fragmentation.
•
Symptoms: A policy gets detached from an mLPPP interface.
Conditions: This symptom is observed under the following conditions:
1. Configure a policy-map with strict priority and Police.
2. Apply this service-policy on an mLPPP interface.
3. Unconfigure and reconfigure the priority.
4. Perform a shut/no shut on one of the member links of the multilink bundle.
Workaround: Always configure strict priority before configuring the police command.
•
Symptoms: The system crashes when the show ipv6 ospf lsdb-radix hidden command is entered.
Conditions: This symptom is observed when the show ipv6 ospf lsdb-radix hidden command is entered.
Workaround: Do not enter the show ipv6 ospf lsdb-radix command.
•
Symptoms: The error message "eelc_add_a_port_to_root: port number not contiguous" is displayed, and SPAs may eventually go out of service.
Conditions: This symptom is observed under a race condition due to a back-to-back removal and addition of a member from the bundle.
Workaround: Shut down the member before removing it from the bundle.
•
Symptoms: A CE-CE ping is failing in an AAL5oMPLS scenario.
Conditions: This symptom is observed when an E3 POS card is being used as disposition.
Workaround: There is no workaround.
•
Symptoms: The show ip mds stats linecard command shows MDFS reloads on all line cards.
Conditions: This symptom is observed when multicast distributed routing is added on a VRF through the configuration of the ip multicast-routing vrf vpn distributed command.
Workaround: There is no workaround.
Further Problem Description: Note that while the MDFS reload is a real reload, it is without a preceding clear, so it will not generally cause traffic interruption because it merely causes the same information to be downloaded to the line cards again. However, in a highly scaled system that is running close to the limit, the additional load introduced by a full MDFS reload of every line card may cause additional failures owing to maxing out of the CPUs.
•
Symptoms: MQC input poling on Eng5 will stop working.
Conditions: This symptom is observed after an L2 link flaps.
Workaround: Performing an administrative shutdown/no shutdown on the interface could be useful to recover. Detaching/attaching the service policy would also be useful to recover.
•
Symptoms: OSPF routes are not populated in the Routing Information Base (RIB) with the next hop as traffic engineering (TE) tunnels.
Conditions: Occurs when multiple TE tunnels are configured and the tunnels come up or are shut/no shut simultaneously.
Workaround: Shut/no shut tunnels one at a time.
•
Symptoms:
–
–
Conditions: This symptom is observed when running RPR+.
Workaround: Reapply the original configuration.
Further Problem Description: Deletion of a multilink interface and subsequent creation using the same name may cause portions of the original configuration to return even if not explicitly configured. The hold- queue command is not being synchronized to the standby RP.
•
Symptoms: Perm one-way traffic.
Conditions: Setting Scorpion int MTU < packets injected.
Workaround: Reload the card/sublsot.
Further Problem Description: Setting Scorpion interface MTU to a value momentarily less than inject traffic packet size results in one-way traffic after the MTU is returned to the default value. This issue is specific to 1x10G only.
•
Symptoms: A Cisco 12000 series router with an Engine 0 ATM OC12 line card may experience a problem in which a Layer 2 adjacency rewrite string for an ATM PVC becomes invalid. The invalid rewrite results in packets being forwarded out the interface with the wrong Layer 2 details prepended.
Conditions: This symptoms is observed on a Cisco 12000 series router with an Engine 0 ATM OC12 line card.
Workaround: Use the following command for the affected IP address:
clear ip arp x.x.x.x
Further Problem Description: This problem can be identified using the execute-on [slot#] show controller rewrite Cisco IOS command, compared to the rewrite string in the show adjacency internal command:
Router# execute-on 1 show controller rewrite========= Line Card (Slot 1) =========Local MAC rewrite table Interface Address Output_Info -------------------------------------------------------- ... ATM1/0.1 192.168.1.1 0x1C062340 4BA72000AABA031180C2000700000004 757122D600081008B0560800 <-- incorrect ...Router# execute-on all show adjacency internal========= Line Card (Slot 1) =========Protocol Interface Address ... IP ATM1/0.1 192.168.1.1(9) 131229862 packets, 74135640171 bytes 02710100AABA031180C2000700000017 E0DC040200072009B0450800 <-- correct ...Router# clear ip arp 192.168.1.1Router# execute-on 1 show controller rewrite========= Line Card (Slot 1) =========Local MAC rewrite table Interface Address Output_Info -------------------------------------------------------- ... ATM1/0.1 192.168.1.1 0x1C025340 6EA82000AABA031180C2000700000017 E0DC040200072009B0450800 <-- correct ...•
Symptoms: An E3 linecard may drop packets larger than a certain size because of a buffer carving problem when the mtu command is used for multilink interfaces.
Conditions: This symptom is observed with images based on Cisco IOS Release 12.0(32)S10.
Workaround: Changing the MTU or reloading the linecard may clear the problem.
•
Symptoms: When multicast VPN routing/forwarding instance (mVRF) is un-configured, memory leak may occur in line cards.
Conditions: This symptom is observed in Cisco 12000 Series Routers and Cisco 7500 series routers when multicast distributed routing is enabled on VPN routing/forwarding instance.
Workaround: There is no workaround.
•
Symptoms: When removing a subinterface from the configuration that contains an IP address that falls into the major net of the static route, the static route is no longer injected into the BGP table. Since the route is not in the BGP table, it is not advertised to any peers.
Conditions: This symptom is observed with auto-summary enabled in BGP. A static summary route is configured to null0 and is injected into the BGP table with a network statement.
Workaround: There are four possible workarounds:
1) Use an "aggregate-address" configuration instead of the static route to generate the summary.
2) Remove auto-summary from the BGP process.
3) Enter the clear ip bgp * command.
4) Remove and reconfigure the BGP network statement for the summary route.
•
Symptoms: Line cards on a Cisco 12000 series router or a Cisco 7500 router might crash.
Conditions: This symptom is observed when the no ip multicast- routing distributed command for a VRF is issued when multicast tunnels are up. This symptom is also observed when MVRFs are deleted.
Workaround: Stop multicast traffic before deleting VRFs or issuing the no ip multicast-routing distributed command.
•
Symptoms: E5 BF/CFI on same line card, PIM-DM traffic may not flow for CFI or Auto-RP information may also not flow. So far the problem is identified to be in E5 BFI/CFI card which drops the DM data packets instead of punting them which is needed for the (*,G)/(S,G) state creation and packet flooding for DM to work.
Conditions: This defect is observed with Cisco IOS Release 12.0(32)SY5.
Workaround: Use the clear ip mds line command on the E5 and core line cards to solve the problem.
•
Symptoms: The "set metric" clause in the continue route-map sequence is not setting metric correctly in some particular conditions. This is also applicable in case where the nexthop setting is done via route-map with a continue clause.
Conditions: The symptom is observed on a Cisco 12000 series router that is running Cisco IOS Release 12.0(32)SY4. This is platform independent. This symptom occurs if the route-map has a continue clause and the match condition does not allow the continue clause to be executed. The following route-map sequence which has to be executed will not execute properly if the metric or nexthop of the prefix are to be modified via the route-map.
Workaround: Avoid using "continue" in a route-map and modifying metric or nexthop via the following route-map sequence.
•
Symptoms: An unexpected reboot occurs because of a software-forced crash.
Conditions: This symptom is observed when changes are made in the policy map.
Workaround: There is no workaround.
•
Symptoms: A device may crash when the show clns interface command is issued on the wrong interface.
Conditions: The symptom is observed when there are a number (around 100 or more) CLNS interfaces on the device.
Workaround: There is no workaround.
•
Symptoms: A customer upgraded to Cisco IOS Release 12.0(32)Sy4, and now the customer is seeing a memory leak in the BGP process. The memory leak is happening with the BGP router process at the rcache chunk memory when the route map has a "continue" clause in the configuration.
Conditions: The leak is seen when a "continue" statement is configured in an outbound route map.
Workaround: There is no workaround.
•
Symptoms: The local PE is sending graft messages even after receiving data from the remote PE on an MVPN network.
Conditions: This symptom is observed when the graft-ack messages are lost in transit (could be due to misconfiguration/ACL, etc.).
Workaround: Fix the misconfiguration so that graft-ack messages are forwarded as expected.
•
Symptoms: Line card crashes when packet over SONET (POS) shared port adapter (SPA) is present.
Conditions: Occurs the first time router is reloaded.
Workaround: There is no workaround.
•
Symptoms: Configuring a PBR at the E5 GE subinterface may cause buffer depletion. The buffer cannot be released except by reloading the linecard.
Conditions: This symptom is observed when a PBR is configured at the subinterface.
Workaround: There is no workaround.
•
Symptoms: IPv6 multicast unnecessarily copied when join -> prune is repeated multiple times.
Conditions: Occurs when IPv6 multicast routing is enabled on a Cisco 12000 series router.
Workaround: Reload the router.
•
Symptoms: New T1s cannot be provisioned on a CT3 SPA.
Conditions: When a customer tries to create a new T1 on one of the controllers of a CT3-SPA that is inserted into a SIP-401, the following errors are displayed:
Router(config-controller)# t1 15 channel-group 7 timeslots 1-24 %Failed to configure channel group Router(config-controller)#Apr 24 22:51:05.283 UTC: %GRPSPA-3-VC_PROV_ERROR: Provision T1 15 channel group 7 of T3 4/0/1 unsuccessful (error code 44) -Traceback= 20A640 20A748 954AA4 94DB80 94DC90 9582D0 4FF4E0 5006FC 240B7C 2563B0 13D7410 13C6F3C 2F517C SLOT 4:Apr 24 22:51:05.271 UTC: %SPA_CHOC_DSX-3-SPA_SW_ERR: SPA on Subslot 0: HDLC controller device driver failure: Failed to start operation Software error was encountered.-Traceback= 40031128 408B4020 408BCE40 408BD374 408BF114 408C004C 408C0ED8 408D24E0 408D25F8Workaround: There is no workaround.
•
Symptoms: Newer SDRAM devices on the 2- and 4-port OC48 POS/RPR SPA require an additional initialization sequence as recommended by the vendor. Without this new initialization sequence, packets that go through the transit buffer in RPR/SRP mode or in subscription mode may get corrupted, or packet loss may occur.
Conditions: Card initialization after inserting the SPA or removing an unpowered shutdown.
Workaround: Perform an OIR on the SPA.
Customers are advised to upgrade to the newer image with this new initialization sequence. Newer software will be backward compatible with older SPA boards.
•
Symptoms: The MDFS state of the line card stays in a "disabled" state, which may lead to multicast traffic being punted to the RP.
Conditions: This symptom may be observed with the following sequence of operation:
1. The router is booted without configuring the ip multicast-routing distributed command.
2. The ip multicast-routing distributed command is configured.
The issue will not be seen if the ip multicast-routing distributed command is present in the startup configuration when the router is reloaded.
Workaround: Enter the clear ip mds linecard slot-number command.
•
Symptoms: An input service policy with only the class-default class shows no matches.
Conditions: This symptom is observed after a reload of Cisco 12000 series routers, Linecard Engine 3, with an ATM interface configured for AToM, Port Mode.
Workaround: Move traffic and the configuration to another interface.
•
Symptoms: Performance Route Processor (PRP) crashes after loading image from disk0.
Condition: Occurs when multiservice edge (MSE) router reloads with the image in the disk0. The RP crashes, and tracebacks are displayed. Both the active and standby RPs toggle each time.
Workaround: There is no workaround.
•
Symptoms: Ping packets of 8180 or larger cause sourcing POS linecard/SIP to reload and remain in a boot state waiting for IPC connection.
Conditions: This symptom is observed with ping packets that are sourced from PRP2 with part number 800-27058-03.
Workaround: Reload the router.
Further Problem Description: This symptom is observed only on PRP2 with part number 800-27058-03.
•
Symptoms: Low CPS may be observed.
Conditions: The symptoms are seen with PPPoA and PPPoE sessions.
Workaround: There is no workaround.
•
Symptoms: This is not a bug but rather a build breakage.
Conditions: Build breakage.
Workaround: There is no workaround.
•
Symptoms: A copy tftp operation failed with a Socket error when the FPD of an SPA was updated or when the SPA was reloaded, OIRed.
Conditions: This symptom is related to the number of (nnets) non-virtual interfaces on the box. Depending on that, a number of SPA reloads must be done.
Workaround:
1. Reload the SPA or the router.
2. Configure one loopback interface.
•
Symptoms: CPU hogs are seen in a 1-port E3 channelized OC48.
Conditions: This symptom is observed when any of the following is done:
–
–
–
Workaround: There is no workaround.
•
Symptoms: The following error messages appear:
SLOT 5:*May 9 21:43:48.547: %LC_SPA_DMLP-1-SPAHWBUNDLEERROR: Could not perform required operation in SPA H/w for bundle Multilink2 in bflc_cx3_dmlp_frag_on_off SLOT 5:*May 9 21:44:10.727: %SPA_CHOC_DSX-3-ERROR: Multilink2 (cmd 203) Serial5/0/1/8:0: response parsing failed. chnl 36, bid 1 -Traceback= 40031008 408924C0 4072B1BC 40899F64 4033DB90 4033E190 4033E5C0 4033E930 4033F448 4033F600 4015B53C 4015C020 SLOT 5:*May 9 21:44:10.735: %LC_SPA_DMLP-3-CFG_FAIL: bundle Multilink2 (id 1): bay 0 err 7 (del rx link)
Conditions: When we remove/add/remove all members from all the configured MLP bundles once or several times, these tracebacks are seen.
Workaround: There is no workaround.
Further Problem Description: spabrg EFC mapping goes to a mismatch state, and the following is seen:
SLOT 5:*May 9 21:59:26.771: %SPA_CHOC_DSX-3-HDLC_CTRL_ERR: SPA 5/0: 20 TX Chnl Queue Overflow events on HDLC Controller were encountered.
•
Symptoms: The hw-module slot x qos account layer2 encapsulation command does not take effect for an AToM connection.
Conditions: This symptom is observed when xconnect is configured under a VLAN.
Workaround: There is no workaround.
•
Symptoms: MDFS may get disabled in a scaled mVPN environment that has many global mroutes. Once disabled, it may keep on changing between the "active" and "disabled" states. Linecard CPU utilization may also go high.
Conditions: This symptom is observed with a Cisco IOS Release 12.0(32)S10 image.
Workaround: There is no workaround.
•
Symptoms: After a router reloads, sometimes the configuration for the gigE and POS OC12 SPA is lost from the running configuration.
Conditions: This symptom is observed when the router is reloaded.
Workaround: There is no workaround.
•
Symptoms: If both L2 and L3 services co-exist on the same interface, you can no longer configure urpf on the L3 subinterface after the fix for CSCsl09772. After the router reloads, the urpf command will be erased from the L3 subinterface. You have to use the workaround to reapply the urpf command.
Conditions: This symptom is observed when both L2 and L3 services are configured on the same interface.
Workaround: Do the following:
1. Remove the L2 connection.
2. Add urpf on the L3 subinterface.
3. Re-add the L2 connection.
•
A heartbeat error is showing up only on subslot 9/1, and there are no traceback errors. Based on the observation that "all spa's experienced the HB in the same LC at the same time," it seems that the Qs are stuck and that is the reason for IPC failures that are resulting in HBs.
•
Symptoms: CPU Hog and related tracebacks are seen from the E3 Gig linecard.
Conditions: Attach a scaled policy/LC reload/router reload.
Workaround: There is no workaround.
•
Symptoms: The pos delay triggers line command is configurable at the interface level of E3 channelized POS interfaces.
Conditions: This symptom is observed on a Cisco 12416 Internet series router that is booted with the Cisco IOS Release 12.0(32)S nightly build of 05/19/08. The router contains an E3 CHOC48 linecard.
Workaround: There is no workaround.
•
Symptoms: ACLs are not programmed in hardware (TCAM) for the E4+ Gig (10GE E4+) line card after an RPR+ switchover.
Conditions: This symptom is observed when an RPR+ switchover is executed with ACLs applied on E4+ Gig interfaces. This issue is specific to 10GE Engine4+ line cards. This issue does not apply to E4+ POS or any other line cards.
Workarounds: Remove and reapply the ACLs.
•
Symptoms: FRF12 packets are dropped by a PE router.
Conditions: This symptom is observed on a Cisco 12000 series Internet router that has a SPA-1XCHSTM1/OC3, SPA-2XCT3/DS0, or SPA-8XCHT1/E1.
Workaround: There is no workaround.
•
Symptoms: A router crashes because of a block overrun (overwriting the memory block).
Conditions: This symptom is observed only when templates are exported in the export packet, which is used in only version 9 of exporting.
Workaround: Version 5 could be used for exporting.
•
Symptoms: EFC clock interrupts are causing a line card to crash.
Conditions: The conditions under which this symptom occurs are unknown.
Workaround: There is no workaround.
•
Symptoms: Slow-path multicast fragmentation is not happening correctly. One of the output interfaces is not receiving the packets in case of MVPN traffic.
Conditions: This symptom is observed with MVPN traffic with fragmentation on one of the interfaces on E5.
Workaround: There is no workaround.
•
Symptoms: A Cisco 12000 works as a PE, and an Eng5 SIP line card is used to face the CE. In the VRF, the default route 0.0.0.0 is learned from the remote PE. When the problem occurs, all traffic from the CE that is forwarded via the VRF default route is dropped.
Conditions: This symptom is observed on a Cisco 12000 Eng5 SIP line card that is running Cisco IOS Release 12.0(32)SY04, 12.0(32)SY05, or 12.0(32)SY06. When VRFs are created and deleted, new VRFs that are created will have a problem if they are allocated with a table ID allocated for older deleted VRFs.
Workaround:
1. Reload the ingress Eng5 line card that is facing the CE.
or
2. If the customer does not want to reload the line card, a second workaround can be attempted, but it is not a reliable workaround and may not always be successful. Create a new VRF without removing any VRFs, which gets a new table ID, and apply the VRF configuration completely wherever the old VRF configuration is applied.
Further Problem Description: This problem cannot be cleared by using the clear cef linecard x or clear ip route vrf xxx 0.0.0.0 commands.
•
Symptoms: Performance Route Processor (PRP) crashes after loading image from disk0.
Condition: Occurs when multiservice edge (MSE) router reloads with the image in the disk0. The RP crashes, and tracebacks are displayed. Both the active and standby RPs toggle each time.
Workaround: There is no workaround.
•
Symptoms: There is a heartbeat failure, and an SPA goes out of service.
Conditions: This symptom is observed when a link is swapped from MLPPP to MLFR.
Workaround: Reload the line card.
•
Symptoms: Removal of a subinterface may cause memory corruption or a crash. The symptoms are unpredictable.
Conditions: The symptoms are rare and will only be observed if a sub- interface is configured for mpls traffic-eng auto-tunnel primary use, and the sub-interface is later removed from the configuration.
Workaround: Do not remove sub-interfaces.
•
Symptoms: MVPN inner packet with IP option causes depletion of FrFab buffers of Cisco 12000-SIP-401.
Conditions: This symptom occurs on Cisco 12000 routers that are running the c12kprp-k4p-mz.120-32.SY2g image and with Cisco 12000-SIP-401. This is triggered by multicast traffic.
Workaround: Only a reload of the card solves the problem.
•
Symptoms: After a router reloads, the SPAs on the SIP601 may take twice as long to come up in OK mode. When this occurs, the problem documented in CSCsq55258 is also experienced.
Conditions: This symptom is observed after the router reloads.
Workaround: There is no workaround.
•
Symptoms: In rare situations, the show controller SONET port command might crash the RP.
Conditions: This symptom has been observed on a 4CHOC12/DS3-I-SCB= line card, but it can be seen on other similar channelized line cards. It may be reproducible by executing the show controller SONET port command on a nonexistent port like sonet 3/4 (that is, only sonet 0/0, 0/1, 0/2, and 0/3 are valid on a 4CHOC line card). When the problem can be seen, the CLI help indicates an incorrect unit number:
Router# show controller sonet 12/?<0-48> Controller unit numberIf the controller unit number is shown fine (for example, <0-3>), then the crash will not occur.
Workaround: There is no workaround.
•
Symptoms: The pos delay triggers line command is configurable on APS-enabled interfaces of E3 clear channel POS line cards. After the commit of CSCsq45452, the pos delay triggers path command is not configurable on APS-enabled interfaces of E3 channelized POS line cards.
Conditions: This issue is seen on a Cisco 12000 series Internet router that is booted with Cisco IOS Release 12.0(32)S. The router contains ISE OC48 POS and ISE CHOC48 POS line cards.
Workaround: There is no workaround.
•
Due to eng3 HW limitation, there is more overhead added to like to like ethernet PW or ethernet interworking PW if hw-module slot <> qos account layer2 encapsulation length <> is configured. "Without" the fix of CSCsq42803, the overhead impact is less. Request to return the behavior of 12.0(32)SY back to pre-CSCsq42803.
•
Symptoms: On router reload, many SPA-related tracebacks may pop up for 1xChOC3/STM1 SPA.
Conditions: This defect is observed with a Cisco IOS 12.0(32)SY datecode 20080713 image.
Workaround: There is no workaround.
•
Symptoms: All line cards may crash after a switchover in Route Processor Redundancy Plus mode.
Conditions: This issue is seen on Cisco Gigabit Switch Routers with PRP2 processors. This issue usually requires multiple line card reloads prior to the switchover. This is seen under conditions of high utilization on line cards.
Workaround: There is no workaround.
•
Symptoms: After a router reload, sometimes there may be mbus message gets timed out on the SIP601 located in the lower cage of a Cisco 12816.
Conditions: This symptom is observed when the router reloads.
Workaround: There is no workaround.
•
Symptoms: Running Cisco IOS 120-(32)SY4 or SY6 on Eng3. After flapping interfaces the FIB converge pointing the correct outgoing interface while the FIB in hardware point to other interface, ex: GE 6/0/0 as outgoing interface.
The trigger is when the interface is flapping cause the default route is updated. The BGP session always is stable, never went down.
Topology: ======== End customer------(eng3)slot4 c12k_Lab_router-42 slot5 and slot6(Eng5) ------ router_B------ Internet The router Lab-router-42 receive a default route coming from neighbors router_B
snapshots from Eng3 Linecard on slot4.
Lab-router-42 #exec slot 4 sh ip hardware-cef 10.1.1.1 detail ========= Line Card (Slot 4) =========
Root: 0x240CE000 Location: 0x240CE404 Data: 0x81819380 Offset: 0x93D96404 Leaf pointer: 0x300C9C00
Leaf FCR 2 Addr 0x300C9C00 : 0xE0000100 0x0285C008 found 2 deep SRAM Loadbalance addr 0x28170020 default alpha ip loadbalance: 0x28170020 (0 paths, hw maxpath 0) Hash 1: alpha adjacency: 0x2001FA60 (cef adj NULL or alpha_default_lb) [0] oi 0x200006 oq 4080 in A ab 50 hl 20 gp 19 tl 4 loq 9800 6/0/0 mtu 1520 Output interface is GigabitEthernet6/0/0 <== Here ^^^^^^ Here
1 tag: 23 current counters 95059, 5157246 last reported 93252, 5059668
Output Queue / Local Output Queue Bundle: [0-7] output queue 0x4080 local output queue 0x9800 PLU leaf data: 0xE0000100 0x0285C008 0xA1020304 0xA5080000 Mask bits: 1 Origin AS: 0 Source lookup drop: yes QOS group: 0 Traffic index: 0 Precedence not set Default Route: yes PBR enabled: no
While the FIB was updated to properly interface outgoing
LAB_router_42#exec slot 4 sh ip cef 10.1.1.1 ========= Line Card (Slot 4) =========
0.0.0.0/0, version 38, epoch 0, cached adjacency 10.125.72.74 0 packets, 0 bytes Flow: AS 0, mask 0 tag information from 10.38.192.6/32, shared, all rewrites owned local tag: 34 via 192.168.225.0, 0 dependencies, recursive next hop 10.125.72.74, GigabitEthernet5/0/0 via 192.168.225.0/24 (Default) <=== HERE valid cached adjacency tag rewrite with Gi5/0/0, 10.125.72.74, tags imposed {} <=== HERE LAB_router_42#
Conditions: When there is a default route configured.
Workaround: Clear ip route 0.0.0.0 or <default-network>.
•
Symptoms: Only one interface in the POS-channel bundle is used for traffic forwarding.
Conditions: This symptom is observed on Cisco 12000 series routers running Cisco IOS Release 12.0(32)SY5 or later, on Engine 3 linecards, on ip2tag path.
Workaround: There is no workaround.
Further Problem Description: ip2tag path means that a plain IP packet is received by the router and an MPLS label has to be imposed before the packet is sent out of the router.
•
Symptoms: MVPN Traffic is being punted to slowpath for packets of size ranging from 1476 to 1500 (min ip mtu of the out going interfaces is 1500).
Packets of size ranging from 1476 to 1500 are being punted to slowpath which is not required. During fragmentation check, we should check the packet size with minimum of 1) min ip mtu of customer facing interfaces 2) min ip mtu of core facing interfaces - gre header (24).
If it is greater than the above value, then only the packet should be punted Slowpath for fragmentation.
Conditions: This issue applies to the MVPN on the GSR with E5 line card as the Egress LC (line card). The issue is not seen with E3 LC.
Workaround: There is no workaround.
•
LC crashed after swapping members of the MLPPP from one bay to another bay and vice-versa on the same LC.
•
Symptoms: A Cisco router crashes following multiple accesses to NVRAM.
Conditions: This symptom has been observed on a Cisco 12000 series Internet router that is running Cisco IOS Release 12.0(32)SY5. May not be platform specific. When the dir tar: command is executed parallel with the write mem command, the issue is seen.
Workaround: Avoid using the dir tar: command.
•
Symptoms: Unable to send any cmd to the SPA.
Conditions: Swapping the members of MLPPP and MLFR.
Workaround: Reload the LC.
•
Symptoms: Line card in slot 0 does not boot up completely. It does not go pass the UP IOS state.
Conditions: After upgrading the router to sy5 and having ATM LC in slot 6 send LAIS alarm.
Workaround: Move the ATM card to another slot or shut down the ATM line card in slot 6.
•
Symptoms: The Gigabit Ethernet link does not come up.
Conditions: When the interfaces that make the link are of 2x1GE V2 gig interface.
Workaround: There is no workaround.
•
Symptoms: bgp as-override doesn't work properly on a PE to overwrite the AS in the AS4_PATH.
Conditions: When a 4-byte CE is peered to a 2 byte capable PE using AS 23456 and the command as-override is configured on the neighbor, the PE router does not override the AS in the AS4_PATH with its own AS number, mapped to 4 bytes.
Workaround: Use "allowas-in" on the CE.
•
Symptom: BGP neighbors configured with as-override and send-label (CsC) together may not work after interface flap or service reset.
Conditions: neighbor xxx as-override neighbor xxx send-label.
Workaround: clear ip bgp * soft in
Further Problem Description: Peers (neighbors) with CsC (IPv4+label) BGP configuration with as-override option should be separated into different dynamic update groups during BGP update generation process. After CSCef70161 fix in 12.0(32)SY4 it is no longer the case, this fix CSCsu12040 enhance the CSCef70161 fix to handle the CsC (IPv4+label) case separately.
•
Symptoms: Customer is using carve-level 0 in their SY5 nodes (SIP-601) to avoid unnecessary buffer recarving and subsequent traffic disruption.
Conditions: carve-level 0
Workaround: There is no workaround.
•
Symptoms: Ping fails across FR subinterfaces over non channelized SPA.
Conditions: When channelized SPA is used on a bay and there are around more than 30 interfaces are created and used, later that SPA is removed and moved to some other bay or some other slot and this current empty bay is used for non channelized SPA and used for frame relay subinterface circuits, ping fails across FR sub interfaces.
Workaround: There is no workaround.
•
Symptom: When a second multilink is enabled between a PE to a connected CPE, the route may not be propagated to the remote PE. Ping from the local PE to the CPE always works fine over both multilinks; however ping from the remote PE to the CPE does not work when both links are enabled.
Conditions:
1. Routing protocol between the PE and the CE is BGP.
2. Two static route are defined on the PE toward the CE.
3. MLPPP is used on both links.
4. The PE is a Cisco 12000 series Internet router.
5. Both links are enabled.
These conditions do not guarantee that the problem will happen, but it may happen under certain circumstances.
Workaround: Either:
1. Redefine the static routes or shut/no shut both multilinks.
Or
2. Enable only one multilink.
Further Problem Description: The MPLS label shows as "aggregate" instead of "untagged" during the problem.
Resolved Caveats—Cisco IOS Release 12.0(32)SY6
Cisco IOS Release 12.0(32)SY6 is a rebuild release for Cisco IOS Release 12.0(32)SY. The caveats in this section are resolved in Cisco IOS Release 12.0(32)SY6 but may be open in previous Cisco IOS releases.
•
Symptoms: A router crashes with an L2VPN error with L2VPN and L3VPN traffic on the node.
Conditions: This symptom is observed with L2VPN and L3VPN traffic on the node.
Workaround: There is no workaround.
•
A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability an offending IPv6 packet must be targeted to the device. Packets that are routed throughout the router can not trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is Resource Reservation Protocol (RSVP) service, which if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.
Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml.
•
Symptoms: An engine 3 linecard in an mVPN PE router with multicast egress QoS configured may report the following error message and may also reload after this message:
SLOT 10:Sep 5 15:12:43.879 UTC: %EE48-3-CONGA_MCAST: Table indices not linked: (tbl1=262129, tbl2=262136, prev=0, oiq_id=0, oi=0, oq=0)
Conditions: This symptom is observed when an engine 3 linecard in an mVPN PE router has both core interfaces and VRF interfaces configured and an output service policy applied to one or more of these interfaces.
Workaround: Limit engine 3 linecards with service policies to either core interfaces or VRF interfaces, and do not combine both interface types on a single linecard. Note that Cisco recommends that core and VRF interfaces not be configured on the same linecard anyway because any multicast packet that needs to egress on both interfaces will be software-forwarded and not hardware-forwarded. Alternatively, replace the engine 3 linecard with an engine 5 linecard.
•
Symptoms: A device that is running Cisco IOS software may crash during processing of an Internet Key Exchange (IKE) message.
Conditions: The device must have a valid and complete configuration for IPsec. IPsec VPN features in Cisco IOS software that use IKE include Site-to-Site VPN tunnels, EzVPN (server and remote), DMVPN, IPsec over GRE, and GET VPN.
Workaround: Customers that do not require IPsec functionality on their devices can use the no crypto isakmp enable command in global configuration mode to disable the processing of IKE messages and eliminate device exposure.
If IPsec is configured, this bug may be mitigated by applying access control lists that limit the hosts or IP networks that are allowed to establish IPsec sessions with affected devices. This assumes that IPsec peers are known. This workaround may not be feasible for remote access VPN gateways where the source IP addresses of VPN clients are not known in advance. ISAKMP uses port UDP/500 and can also use UDP/848 (the GDOI port) when GDOI is in use.
Further Problem Description: This bug is triggered deep into the IKE negotiation, and an exchange of message between IKE peers is necessary.
If IPsec is not configured, it is not possible to reach the point in the IKE negotiation where the bug exists.
•
Symptoms: In an MVPN topology, sparse mode, Auto RP, if the PE router has the same line card as the core and customer-facing router, and if there are two RP announcers, the RP point may not be selected correctly, and traffic will not go through.
Conditions: This symptom is observed on a Cisco 12000 series that runs Cisco IOS Release 12.0(33)S.
Workaround: Select values for offset using the hw-module slot x ip multicast hw-accelerate source-table size a offset b command, which will prevent collision from happening.
•
Symptoms: Engine 2 line cards stop forwarding multicast traffic when the hw-module slot 2 ip multicast hw-accelerate command is issued.
Conditions: This symptom is observed when a higher priority bundle such as uRPF is already running.
Workaround: Unconfigure all the features to revert back to the vanilla bundle, and then reconfigure only the features that do not collide.
•
Symptoms: A CPUHOG message at the check heaps process is displayed when a large number of VRFs are configured. This may lead to BGP flapping.
Conditions: This symptom is observed when a large number of VRFs are configured on the box.
Workaround: Reduce the number of VRFs configured, if possible.
•
Symptoms: If you add the ip flow ingress command, it shows up in the running configuration. Once you add the no ip route-cache command, the ip flow ingress command disappears from the running configuration. If you add the ip route-cache command, it does not show the ip flow ingress command. You have to re-apply the ip flow ingress command to make it show up.
Conditions: This symptom is observed when the ip flow ingress and no ip route-cache commands are added.
Workaround: Re-apply the ip flow ingress command after adding the ip route-cache command.
•
Symptoms: A Traffic Engineering (TE) tunnel does not re-optimize to explicit path after an MTU change.
Conditions: The TE tunnel is operating via explicit path. The MTU on outgoing interface is changed. OSPF is flapped, and it does not come up as there is MTU mismatch (MTU is not changed on peer router). Meanwhile the TE re- optimizes to a dynamic path-option as expected. Now the MTU is reverted back to the previous value, and the OSPF adjacency comes up. The TE tunnel does not re-optimize to explicit path. Manual re-optimization of the TE tunnel fails as well, and the TE tunnel sticks to the dynamic path.
Workaround: Enter the shutdown command followed by the no shutdown command on the particular interface.
•
Symptoms: When an IXIA-simulated BGP neighbor is not up, BGP is forced to delete the ARP entry for the IXIA host for a while. During that period, the router has to send ARP, and traffic is lost for a while.
Conditions: While observed with other protocols, this symptom was noticed with a typical BGP configuration in which the peers are nonexistent. This would cause the SYN to be retransmitted multiple times, and after some threshold, the ARP entry would be purged.
The ARP entries gets flushed out when the TCP retransmission timer expires. This causes the CEF adjacency to be lost, and performance can drop for packets going to that destination until the ARP is resolved again. This problem is not specific to BGP and is applicable to anything that rides over TCP.
Workaround: There is no workaround.
•
Symptoms: Matching IP precedence does not match labelled packets, and matching experimental bits does not match pure IP packets.
Conditions: Occurs when E4P is egress and policing is configured in the policy.
Workaround: Match experimental bits for labelled packets and IP precedence for pure IP packets.
•
Symptoms: MPLS-TE tunnels do not come up after a core interface is brought down and then up again by entering the shutdown command followed by the no shutdown command.
Conditions: This symptom is observed when there are 200 MPLS-TE tunnels and 1000 VRFs configured on an NES-150 and when entering the shutdown command followed by the no shutdown command for the core interface when the traffic is on for all 1000 VRFs end to end.
Workaround: Enter the no mpls traffic-eng tunnels command followed by the mpls traffic-eng tunnels command, and all tunnels come up.
•
Symptoms: Tx traffic may get dropped due to a "precam 1 exception."
Conditions: This symptom is observed when vrf vlite and strict urpf are configured on the interfaces. This happens in all releases when adjacency indexes between 65528 to 65531 are used in TX SRAM Adjacency programming on line cards. This happens only on port 0.
Workaround: To recover from the situation, remove and re-apply the configuration on the interface when the problem is seen.
Alternate Workaround: Do not use port 0 on the line card. Using a subinterface will mitigate the issue.
•
Symptoms: A sync issue is observed with the standby and active configuration.
Conditions: This symptom is observed on a Cisco 12000 series router that is configured for MLPP/MFR. When an attempt is made to remove and add the members before the unprovisioning is completed, the member is added in standby but not in active; hence the configuration sync issue.
Workaround: Add the member after the unprovisioning is completed.
•
Symptoms: Bidirectional Forwarding Detection (BFD) sessions do not scale. This symptom is especially visible with OSPF client when one of the peers is rebooted after configuring the maximum number of BFD sessions.
Conditions: Occurs when configuring the maximum BFD sessions or total number of BFD sessions too close to maximum limit.
Workaround: Configure 90 percent of the maximum allowed BFD sessions.
•
Symptoms: When the MTU is changed on the core-facing E0 LC, all the E0 cards in the router crash.
Conditions: This symptom is observed with bidirectional traffic with an L3VPN, L2VPN configuration. There are also MPLS TE tunnels.
Workaround: There is no workaround.
•
Symptoms: A SIP600 crashes.
Conditions: When the primary CSC is shut, the SIP600 crashes.
Workaround: There is no workaround.
•
Symptoms: The ifStackStatus results for SPA-4XCT3/DS0 on GSR intermittently do not show relationship between Serial interface and T1, nor T1 to CT3.
Conditions: Occurs when running Cisco IOS Release 12.0(32)S6d with SPA-4XCT3/DS0. Polling ifStackStatus results do show layered relationship with Serial interface, T1 to CT3.
Workaround: Remove and add again the T1 link channel-group if possible.
•
Symptoms: A Cisco 12000 router with SIP-601 linecards may experience high CPU in the Tag Input process because of many packets being punted by the linecards to the PRP CPU. The packets are MPLS TTL expired packets that require an unreachable to be sent back. These packets should be processed on the linecard, but they are not.
Conditions: This symptom is observed only on SIP-601 10G linecards.
Workaround: There is no workaround.
•
Symptoms: A configuration of L2VPN interworking between SIP-601/GE SPA to SIP- 401/CT3/FR DLCI switching and with a QoS egress policy applied on the SIP-601 GE SPA interface, traffic may propagate egress on the GE port.
Conditions: When the policy is not applied, traffic flows egress on the GE SPA based interface. When the policy is applied, no traffic is seen egress on the GE interfaces.
Workaround: There is no workaround.
•
Symptoms: A BGP VPNv4 route is not imported and available immediately after an update is received. After approximately 3 to 20 minutes elapse since the router receives the update, the VPNv4 route becomes available.
Conditions:
–
–
BGP(4): no valid path for NNNNN:NNNNN:XX.XX.XX.XX/XX
–
–
Workaround: There is no workaround.
•
Symptoms: Class Based Tunnel Selection (CBTS) stops working. Packets are sent through the wrong tunnel.
Conditions: This symptom is observed when the tunnel flaps.
Workaround: There is no workaround. Once CBTS is broken, only a reload of the Line card clears the problem.
•
Symptoms: On switchover, we see the overhead message appearing in config if we have not configured.
Conditions: This symptom is observed only if there is a switchover in RPR+ or SSO mode.
Workaround: Manually change the config to restore the previous config.
•
Symptoms: A soft OIR over E3:POS impacts complete traffic with a biscuit tunnel.
Condition: A soft OIR over E3:POS impacts complete traffic with a biscuit tunnel configured. In OIR "test mbus power 6 off" and "test mbus power 6 on" are performed followed by a microcode reload on slot 6.
Workaround: There is no workaround.
•
Symptoms: After an RP switchover (SSO), or performing the following procedure, the VPWS DLCI output queues become unallocated.
1. Add VPWS DLCI with service-policy to the FR main interface.
2. Add an FR subinterface but with LFI enabled.
3. Bounce the service policy class on the DLCI under the main interface.
Conditions: When a VPWS circuit is configured on the FR main interface and L3 subinterface has LFI enabled. QoS is applied to both L2VPN and L3VPN services.
Workaround:
1. Delete the LFI FR service-policy.
2. Bounce QoS again on the VPWS DLCI.
•
Symptoms: An 80-byte buffer depletion occurs on E5, leading to an outage of all serial links.
Conditions: The conditions under which this symptom is observed are unknown.
Workaround: There is no workaround.
•
Symptoms: An output policy on an MFR interface disappears when the SIP 601 card is reset.
Conditions: Configure the service policy and apply it to the output of the MFR interface. Reset the SIP 601 card, and the service policy will disappear from configuration.
Workaround: There is no workaround.
•
Symptoms: Prefixes learned via IGP (ISIS) get assigned "imp-null" as the local label for them.
Conditions: The router has ECMP paths to uplink routers via POS interfaces. It runs ISIS as an IGP. There could be TE tunnel configured on the POS interface. And frequent interface flaps.
Workaround: There is no workaround. Clear the route or flap the interface to bring back the correct local label.
•
Symptoms: With an ingress E2 GigE line card and an egress E5 line card, packets are dropped in the egress line card with TX bad BMA buffer counts increasing.
Conditions: This symptom is observed when the ingress is E2 and the egress is E5.
Workaround: There is no workaround.
Further Problem Description: This issue is not seen with an E3/E5 combination or an E2/E6 combination.
•
Symptoms: CEF and hardware CEF for global default route are inconsistent. This may cause the default traffic to be sent through the wrong interface.
Conditions: This issue occurs under the following conditions:
1. Global default should point toward the core.
2. VRF default should be learned from the remote PE.
Workaround: Enter the clear ip route 0.0.0.0 0.0.0.0 command:
•
Symptoms: L2VPN traffic on an MFR interface is unable to pass through FR/IETF encapsulation MPLS trunk. Furthermore, if this MFR interface is deleted and re-added, the following error messages are received.
SLOT 4:Mar 20 11:51:05.459 UTC: %SPA_CHOC_DSX-3-ERROR: Serial4/0/0/1:0: response parsing failed for DLCI (601) provisioning -Traceback= 40031238 408CA0D0 408D15B4 412C0438 412BF87C 412BFEF0 413BC9F0 413BCD3C 413BDC50 SLOT 4:Mar 20 11:51:05.471 UTC: %SPA_CHOC_DSX-3-ERROR: Serial4/0/0/1:0: response parsing failed for DLCI (602) provisioning -Traceback= 40031238 408CA0D0 408D15B4 412C0438 412BF87C 412BFEF0 413BC9F0 413BCD3C 413BDC50
Conditions: This symptom is observed after an MFR interface is deleted and re-added.
Workaround: There is no workaround.
•
Symptoms: A router crashes with an unexpected exception to CPUvector 300.
Conditions: This symptom is observed when you configure MPLS trunks on an 4xT3E3 SPA with FR IETF encapsulation.
Workaround: There is no workaround.
•
Symptoms: The E4+ line card crashes continuously with the following output:
SLOT 1:Jan 19 02:06:09.559 UTC: %TX192-3-CPUIF: Error=0x40
rd 0x15 base 0x12 hdr 0x14 last 0x14 wr 0x14 insert 0x0 back 0x1 len 0x2474 cnt 0x0
Conditions: There is no exact trigger. But this symptom is observed when there are corrupt packets being sent from the ingress card under unknown circumstances.
Workaround: There is no workaround.
•
Symptoms: A router acting as an OSPF ABR for an NSSA area, when announcing a default route into the NSSA area, sets the LSA forwarding address to one of its interfaces instead of to 0.0.0.0. When there is more than one interface from that router into the NSSA area (load balancing), only one interface will be used by NSSA routers to forward traffic toward destinations reachable via the default route. If there is no default route present in the RIB, the forwarding address is set to 0.0.0.0, which will enable load balancing.
Conditions: This behavior is not present in Cisco IOS Release 12.0(32)SY4.
Workaround: To have load balancing, you may want to define a loopback inside the NSSA to be elected as the FA and have the FA visible from the interfaces into the NSSA.
•
Symptoms: High CPU utilization is seen on a Cisco 12000 series Internet router caused by the IPC seat manager.
Conditions: This symptom is observed in production.
Workaround: There is no workaround.
•
Symptoms: A SIP601 sometimes crashes or gets an alignment error.
SLOT 4:Mar 17 17:59:03.877 UTC: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x408C1E14 reading 0xF SLOT 4:Mar 17 17:59:03.877 UTC: %ALIGN-3- TRACE: -Traceback= 408C1E14 408C03D4 00000000 00000000 00000000 00000000 00000000 00000000
Conditions: The conditions under which this symptom occurs are unknown.
Workaround: There is no workaround.
•
Symptoms: In MVPN, on the source PE, multicast packets are punted to the RP CPU, and some packets are also dropped.
Conditions: Ingress E3 and egress E5, and the TUNSEQ error message appears.
Workaround: There is no workaround.
•
Symptoms: The l2fwd traffic will stop forwarding, and we see a mismatch of the connection identifier (CI) of the channelized SPA and the CI value in the shim header of the l2 rewrite.
<snip>
Router1# execute-on slot 4 test hw sub 1 pm sho linkrec 4
========= Line Card (Slot 4) =========Engineering internal use only
tag 0, id 4, anyphy 4, anyphy_flags 15, state 0
crc 0, idle 0, subrate 0, invert 0, priority 0
encap fr
ml_parent_id 1, corrupt_ci 65535, control_ci 2
dlci(0) = seq_ci(10)
dlci(20) = seq_ci(15) <<<< initially CI is 15
dlci(1023) = seq_ci(11)Router1#
# spa_ct3_test freedm show glob
..
Number of Auto Do Not Resequence events : 1
Number of USN Do Not Resequence events : 1
CI that last experienced a lost sequenced datagram : 13
Number of datagrams detected with an unexpected SN : 6
CI that last experienced a unexpected SN : 15Router1# execute-on slot 4 test hw sub 1 pm sho linkrec 4
========= Line Card (Slot 4) =========Engineering internal use only tag 0, id 4, anyphy 4, anyphy_flags 15, state 0
crc 0, idle 0, subrate 0, invert 0, priority 0
encap fr
ml_parent_id 1, corrupt_ci 65535, control_ci 2
dlci(0) = seq_ci(10)
dlci(20) = seq_ci(13) <<< CI changed to 13 due to auto DNR
dlci(1023) = seq_ci(11)Router2# ping X.X.X.X
Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to X.X.X.X, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)Router1# execute-on slot 4 sho l2 hw l2tp 4425 tx de
========= Line Card (Slot 4) =========Number of rewrites : 3, leaves : 3
Default PLU leaf : 0x14700003 (0 refs)
Default TLU rewrite: 0x1C008BA0 (0 refs)Circuit ID VMR ID PLU Leaf
20 0x14600041 0x0000000000000000800000001C0004FD
FCR Leaf Value TLU Addess (TLU/CPU)
L2TP-D-TX 0x800000001C0004FD 0x000004FD/0x1C009FA0mac_len: 4, mac_string: 000F8004 04400000 <<<< bad shim header with old CI 15
Conditions: This problem will occur for l2vpns only on E5 channelized based SPAs.
Workaround: Enter into interface configuration mode.
Alternate Workaround: Remove and re-add the xconnect.
•
Symptoms: A 12000-SIP-401/501/601 has 8 MB of FSRAM with the fix CSCsm13564. But PLU and TLU adjacencies in the 12000-SIP-401/501/601 support up to 4 MB. This is causing a crash on the DT t
