Guest

Cisco IOS Software Releases 12.3 Special and Early Deployments

Release Notes for the Cisco 830 Series and SOHO 90 Series Routers for Cisco IOS Release 12.3(11)YS1

 Feedback

Table Of Contents

Release Notes for the Cisco 830 Series and Cisco SOHO 90 Series Routers for Cisco IOS Release 12.3(11)YS

Contents

System Requirements

Memory Requirements

Hardware Supported

Determining the Software Version

Upgrading to a New Software Release

Feature Set Tables

New and Changed Information

New Hardware Features in Cisco IOS Release 12.3(11)YS1

New Hardware Features in Cisco IOS Release 12.3(11)YS

New Software Features in Cisco IOS Release 12.3(11)YS1

New Software Features in Cisco IOS Release 12.3(11)YS

PPP Random Reconnect Timer

X.25 over ISDN Layer 2 Reconnect Function for SAPI 16

Inside to Inside NAT - NAT Virtual Interface Support

AZR Enhancements

Caveats

Resolved Caveats - Cisco IOS Release 12.3(11)YS2

Resolved Caveats - Cisco IOS Release 12.3(11)YS1

Open Caveats - Cisco IOS Release 12.3(11)YS

Resolved Caveats - Cisco IOS Release 12.3(11)YS

Additional References

Release-Specific Documents

Platform-Specific Documents

Feature Modules

Cisco Feature Navigator

Cisco IOS Software Documentation Set

Documentation Modules

Obtaining Documentation, Obtaining Support, and Security Guidelines


Release Notes for the Cisco 830 Series and Cisco SOHO 90 Series Routers for Cisco IOS Release 12.3(11)YS


September 24, 2008
Cisco IOS Release 12.3(11)YS4
OL-7686-04

These release notes describe new features and significant software components for the Cisco 828 router that support Cisco IOS Release 12.3 T, up to and including Cisco IOS Release 12.3(11)YS4. These release notes are updated as needed to describe new memory requirements, new features, new hardware support, software platform deferrals, microcode or modem code changes, related document changes, and any other important changes. Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.3(11)T located on Cisco.com.

For a list of the software caveats that apply to Cisco IOS Release 12.3(11)YS4, see the "Caveats" section, and refer to the online Caveats for Cisco IOS Release 12.3(11)T document. The caveats document is updated for every 12.3 T maintenance release and is located on Cisco.com.

Contents

System Requirements

New and Changed Information

Caveats

Additional References

Obtaining Documentation, Obtaining Support, and Security Guidelines

System Requirements

This section describes the system requirements for Cisco IOS Release 12.3(11)YS1.

Memory Requirements

Table 1 lists the memory requirements for Cisco IOS Release 12.3(11)YS1.


Note Recommended memory is the memory required for potential future expansions.


Table 1 Memory Requirements for the Cisco 800 Series and SOHO Series Routers

Platform
Image Name
Feature Set
Image
Flash Memory
DRAM Memory
Min.
Recom.
Min.
Recom.

Cisco 831

Cisco 831 Series IOS IP/FW2 IPSec 3DES

IP/FW2/IPSec 3DES

c831-k9o3y6-mz

12 MB

12 MB

64 MB

64 MB

Cisco 831 Series IOS IP/FW2 Plus IPSec 3DES

IP Plus/FW2/IPSec 3DES

c831-k9o3sy6-mz

12 MB

12 MB

64 MB

64 MB

Cisco 836

Cisco 836 Series IOS IP/FW2 IPSec 3DES

IP/FW2/IPSec 3DES

c836-k9o3y6-mz

12 MB

12 MB

64 MB

64 MB

Cisco 836 Series IOS IP/FW2 Plus IPSec 3DES

IP Plus/FW2/IPSec 3DES

c836-k9o3sy6-mz

12 MB

12 MB

64 MB

64 MB

Cisco 836 Series IOS IP/FW2/Dial Backup Plus IPSec 3DES

IP Plus/FW2/Dial Backup IPSec 3DES

c836-k9o3s8y6-mz

12 MB

12 MB

64 MB

64 MB

Cisco 837

Cisco 837 Series IOS IP/FW2 IPSec 3DES

IP/FW2/IPSec 3DES

c837-k9o3y6-mz

12 MB

12 MB

64 MB

64 MB

Cisco 837 Series IOS IP/FW2 Plus IPSec 3DES

IP Plus/FW2/IPSec 3DES

c837-k9o3sy6-mz

12 MB

12 MB

64 MB

64 MB

Cisco SOHO 91

Cisco SOHO 91 IP/FW 3DES

IP/FW 3DES

soho91-k9oy6-mz

8 MB

8 MB

64 MB

64 MB

Cisco SOHO 96

Cisco SOHO 96 Series IOS IP/FW/3DES

IP/FW 3DES

soho96-k9oy1-mz

8 MB

8 MB

64 MB

64 MB

Cisco SOHO 97

Cisco SOHO 97 Series IOS IP/FW

IP/FW

soho97-oy1-mz

8 MB

8 MB

64 MB

64 MB

Cisco SOHO 97 Series IOS IP/FW/3DES

IP/FW 3DES

soho97-k9oy1-mz

8 MB

8 MB

64 MB

64 MB


Hardware Supported

Cisco IOS Release 12.3(11)YS1 supports the following routers:

Cisco SOHO 91 router

Cisco SOHO 96 router

Cisco SOHO 97 router

Cisco 831 router

Cisco 836 router

Cisco 837 router

Determining the Software Version

To determine the version of Cisco IOS software running on your Cisco router, log in to the router and enter the show version command:

Router> show version
Cisco IOS Software, C836 Software (c836-k9o3sy6-mz), Version 12.3(11)YS1, RELEASE SOFTWARE 
(fc1)
Synched to technology version 12.4(0.6)

Upgrading to a New Software Release

For general information about upgrading to a new software release, see Cisco IOS Software Releases 12.3 T Installation and Upgrade Procedures located on Cisco.com.

Feature Set Tables

Table 2 to Table 7 list the features and feature sets supported in Cisco IOS Release 12.3(11)YS1.

Feature List by Feature Set for Cisco SOHO Series Routers

Table 2 Feature Set Table for Cisco SOHO 91 Routers

Feature
In
Feature Set
IP/FW 3DES

PPP Random reconnect timer

12.3(11)YS

Yes

X.25 over ISDN layer 2 reconnect function for SAPI 16

12.3(11)YS

No

Inside to inside NAT

12.3(11)YS

Yes

AZR enhancements

12.3(11)YS

No


Table 3 Feature Set Table for Cisco SOHO 96 Routers

Feature
In
Feature Set
IP/FW 3DES

PPP Random reconnect timer

12.3(11)YS

Yes

X.25 over ISDN layer 2 reconnect function for SAPI 16

12.3(11)YS

No

Inside to inside NAT

12.3(11)YS

Yes

AZR enhancements

12.3(11)YS

No


Table 4 Feature Set Table for Cisco SOHO 97 Routers

Feature
In
Feature Set
IP/FW 3DES
IP/FW

PPP Random reconnect timer

12.3(11)YS

Yes

Yes

X.25 over ISDN layer 2 reconnect function for SAPI 16

12.3(11)YS

No

No

Inside to inside NAT

12.3(11)YS

Yes

Yes

AZR enhancements

12.3(11)YS

No

No


Feature List by Feature Set for Cisco 83X Series Routers

Table 5 Feature Set Table for Cisco 831 Routers

Feature
In
Feature Set
IP/FW2 3DES
IP/FW2 Plus 3DES

PPP Random reconnect timer

12.3(11)YS

Yes

Yes

X.25 over ISDN layer 2 reconnect function for SAPI 16

12.3(11)YS

No

No

Inside to inside NAT

12.3(11)YS

Yes

Yes

AZR enhancements

12.3(11)YS

No

Yes


Table 6 Feature Set Table for Cisco 836 Routers

Feature
In
Feature Set
IP/FW2 3DES
IP/FW2 Plus 3DES
IP Plus/FW2/Dial Backup IPSec 3DES

PPP Random reconnect timer

12.3(11)YS

Yes

Yes

Yes

X.25 over ISDN layer 2 reconnect function for SAPI 16

12.3(11)YS

Yes

Yes

Yes

Inside to inside NAT

12.3(11)YS

Yes

Yes

Yes

AZR enhancements

12.3(11)YS

No

Yes

Yes


Table 7 Feature Set Table for Cisco 837 Routers

Feature
In
Feature Set
IP/FW2 3DES
IP/FW2 Plus 3DES

PPP Random reconnect timer

12.3(11)YS

Yes

Yes

X.25 over ISDN layer 2 reconnect function for SAPI 16

12.3(11)YS

No

No

Inside to inside NAT

12.3(11)YS

Yes

Yes

AZR enhancements

12.3(11)YS

No

Yes


New and Changed Information

Cisco IOS Release 12.3(11)YS1 supports the features listed in this section.

New Hardware Features in Cisco IOS Release 12.3(11)YS1

There are no new hardware features in Cisco IOS release 12.3(11)YS1.

New Hardware Features in Cisco IOS Release 12.3(11)YS

There are no new hardware features in Cisco IOS release 12.3(11)YS.

New Software Features in Cisco IOS Release 12.3(11)YS1

There are no new software features in Cisco IOS release 12.3(11)YS1.

New Software Features in Cisco IOS Release 12.3(11)YS

PPP Random Reconnect Timer

When the central aggregation platform disconnects subscribers at the same time, the Cisco CPE attempts to synchronize and retries the connection at the exact same time.

This has the result of overloading the backend infrastructures to handle the authentication of up to and in some cases more than 10000 users at once. The BAS/BRAS and Radius servers usually have a hard time handling these many requests at once, resulting in potentially new down situations that could create continuous issues in the network.

The PPP Random Reconnect Timer has been introduced to avoid this situation. It will try a reconnect at a random time after the underlying protocol is up, to allow the connection to go through. This could be after a local power cycle or after a central failure on the link (DSL/Ethernet) or BAS.

X.25 over ISDN Layer 2 Reconnect Function for SAPI 16

AODI (Always on Dynamic ISDN) is a protocol suite for creating the impression of an always-on environment for ISDN dial up connections, without nailing up the ISDN B channels and with flexible bandwidth-on-demand properties.

With a Cisco router on the client side, testing established that when the X.25 switch/packet handler shut the layer 2 down due to inactivity, the router would never bring up layer-2 on SAPI 16 to trigger AODI calls. This resulted in failure to send traffic over the connection unless the service provider nailed-up the layer 2 on the X.25 switch. This is not desirable for the service providers, due to requirements for switching resource oversubscription. This feature is a fix for this issue and also officially introduces support for AODI on the Cisco 836 platform.

Inside to Inside NAT - NAT Virtual Interface Support

This feature allows NAT to be set up in such a way that both inside and outside users can see and ping an inside server on the same IP address as seen on the outside interface (i.e., static NAT set up to support the use of the inside server from the outside). This implies that a request from an internal host to the internal server would be routed through the router masking IP address of the destination host for the source host and masking the IP address of the source host from the destination host.

The purpose of this feature is to provide customers of the Cisco 830 and SOHO 90 routers, with the ability to allow the use of a single DNS name / DNS server external to the LAN to provide name resolution for internal servers to internal clients even if NAT is applied and the NAT global address is the known address from a DNS perspective.

This approach also has some side benefits, making it possible to share the outside users experience and also enabling immediate corrective action should the translations or applications not work properly over NAT, or should the DNS requests not resolve correctly making the service unavailable for external customers.

This feature has been implemented using the standard Cisco IOS feature called NAT virtual interface.

A sample configuration procedure is given below, followed by an explanation of the NAT commands.


interface Ethernet0
 ip address 192.168.122.1 255.255.255.0 
 ip nat enable
!
interface Ethernet1
 ip address 192.168.122.1 255.255.255.0 
 ip nat enable
 duplex auto
!
interface Ethernet2
 no ip address
 shutdown 
!
ip classless
!
ip http server
no ip http secure-server
!
ip nat pool POOL 192.168.25.20 192.168.25.30 netmask 255.255.255.0
ip nat source list 1 pool POOL overload
ip nat source static tcp 192.168.123.1 interface Ethernet1 1
ip nat source static tcp 192.168.125.10 interface Ethernet1 10
!
access-list 1 permit 192.168.122.0 0.0.0.255
!

Command
Purpose

ip nat enable

Example:

Router(config-if)# ip nat enable

Configures an interface connecting VPNs and the Internet for NAT translation.

ip nat pool name start- ip end- ip netmask netmask add-route

Example:

Router(config)# ip nat pool pool1 200.1.1.1 200.1.1.20 netmask 255.255.255.0 add-route

Configures a NAT pool and associated mappings.

ip nat source list access-list-number pool number vrf name overload

Example:

Router(config)# ip nat source list 1 pool 1 vrf bank overload

Configures a NAT virtual interface without inside or outside specification for VPN customer bank.

ip nat source static local- ip global- ip vrf name

Example:

Router(config)# ip nat source static 192.168.123.1 192.168.125.10 vrf bank

Configures a static NVI.

For the complete command reference, seeCisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3T, on Cisco.com.

AZR Enhancements

ARP auto logoff

This feature ensures more correct billing of customers that are charged by the minute, by linking AZR customer logoff to the ARP timers for customers which is user configurable. This is to ensure that customers who do not explicitly logoff get logged off as the ARP entry times out.

DHCP option 82, subscriber suboption

This feature allows for identification of users based on IP address explicitly in the AZR by linking subscriber identification to the DHCP option 82. This allows for a more secure identification and mapping of subscriber vs. IP address.

Caveats

Caveats describe unexpected behavior or defects in the Cisco IOS software releases. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels. Caveats of all three levels are listed below.

Resolved Caveats - Cisco IOS Release 12.3(11)YS2

Resolved Caveats - Cisco IOS Release 12.3(11)YS1

Open Caveats - Cisco IOS Release 12.3(11)YS

Resolved Caveats - Cisco IOS Release 12.3(11)YS

Resolved Caveats - Cisco IOS Release 12.3(11)YS2

CSCec12299

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.

Workarounds are available to help mitigate this vulnerability.

This issue is triggered by a logic error when processing extended communities on the PE device.

This issue cannot be deterministically exploited by an attacker.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml.

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at http://www.cisco.com/en/US/products/products_security_advisory09186a00809ac83b.shtml

CSCsi01470

Symptom    A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.

Workaround   Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.

CSCdz55178 QoS profile name of more then 32 chars will crash the router

Symptom    System reloads unexpectedly or other serious side-affects such as memory corruption occur.

Conditions   A cable qos profile with a length greater than 32 characters is configured on the system.

For example:

cable qos profile 12 name g711@10ms_for_any_softswitch_Traa^C
                          00000000011111111111222222222333^ 
                          12345678901234567890123456789012|
                                                          |
                                                       PROBLEM (Variable Overflowed).

Workaround   Change the qos profile name to a value less that 32 characters.

Further Problem Description   The variable which holds the value for the string name only allows for 32 characters and the code did not properly truncate names longer than the associated buffer.

This caused other locations in memory to be corrupted.

CSCsj52927 DATACORRUPTION-1-DATAINCONSISTENCY message in show log

Symptom    DATACORRUPTION-1-DATAINCONSISTENCY messages are seen in 'show log'

Conditions   The messages are seen when the router comes up.

Workaround   There is no workaround.

CSCsj66369 Traceback seen at rpmxf_dg_db_init

Symptom    Tracebacks seen while running metal_vpn_cases.itcl script

Conditions   A strcpy in the file 'rpmxf_dg_online.c' copies more bytes than the destination buffer size.Due to this we are getting data corruption tracebacks

Workaround   There is no workaround.

CSCse85200 Inadequate validation of TLVs in cdp

Symptom    Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behavior by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.

Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.

Workaround   The workaround is to disable on interfaces where CDP is not necessary.

CSCsj44099 Router crashes if DSPFARM profile description is 128 characters long.

Symptom    A cisco c3800 router can experience a memory corruption resulting in a crash if the description field under the "dspfarm profile" configuration matches the maximum of 128 characters.

Conditions   During configuration of the dspfarm profile thru the CLI, a description that is 128 characters will cause a memory copy problem. If the user tries to display the results of the configuration using "show dspfarm profile", the router will crash trying to display the output.

Workaround   To prevent this problem configure the dspfarm profile description with 127 characters or less.

CSCed94829 IOS reloads due to malformed IKE messages

Multiple Cisco products contain vulnerabilities in the processing of IPSec IKE (Internet Key Exchange) messages. These vulnerabilities were identified by the University of Oulu Secure Programming Group (OUSPG) "PROTOS" Test Suite for IPSec and can be repeatedly exploited to produce a denial of service.

Cisco has made free software available to address this vulnerability for

affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051114-ipsec.shtml.

CSCsg03449 Etherswitch module VLAN Trunking Protocol Vulnerabilities

VTP Version field DoS

Integer Wrap in VTP revision

Buffer Overflow in VTP VLAN name

Conditions   The packets must be received on a trunk enabled port.

Further Information   On the 13th September 2006, Phenoelit Group posted an advisory containing

three vulnerabilities:

These vulnerabilities are addressed by Cisco IDs:

CSCsd52629/CSCsd34759 -- VTP version field DoS

CSCse40078/CSCse47765 -- Integer Wrap in VTP revision

CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name

CSCsg03449 -- Etherswitch module VLAN Trunking Protocol Vulnerabilities

Cisco's statement and further information are available on the Cisco public website at

http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

CSCsb33172 short-circuit crypto engine operations when faking AM2

Symptom    A vulnerability exists in the way some Cisco products handle IKE phase I messages which allows an attacker to discover which group names are configured and valid on the device.

A Cisco Security Notice has been published on this issue and can be found at the following URL:

http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml

CSCsa62111 7200 input queue stuck

Symptom    Packets may be stuck in the input queue of a Cisco 7200 series.

Conditions   This symptom is observed on a Cisco 7200 series that is running Cisco IOS interim Release 12.3(12.10) and that is configured with an NPE-G1.

Workaround   : Reload the router to clear the input queue or increase the input queue beyond the default limit of 75 via the hold-queue length command.

CSCek37177 malformed tcp packets deplete processor memory.

The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.

This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers.

This issue is documented as Cisco bug ID CSCek37177

There are workarounds available to mitigate the effects of the vulnerability. This advisory is posted at

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

CSCeh73049 tclsh mode bypasses aaa command authorization check

Symptom    A vulnerability exists within the Cisco IOS Authentication, Authorization, and Accounting (AAA) command authorization feature, where command authorization checks are not performed on commands executed from the Tool Command Language (Tcl) exec shell. This may allow authenticated users to bypass command authorization checks in some configurations resulting in unauthorized privilege escalation.

Conditions   Devices that are not running AAA command authorization feature, or do not support Tcl functionality are not affected by this vulnerability. This vulnerability is present in all versions of Cisco IOS that support the tclsh command.

Workaround   This advisory with appropriate workarounds is posted at http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml

CSCsd92405 router crashed by repeated SSL connection with malformed finished 
message

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml


Note Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml


A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsb12598 Router forced crash on receiving fragmented TLS ClientHello

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

* Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

* Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

* Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml


A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsb40304 Router crash on sending repetitive SSL ChangeCipherSpec

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, A malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml


A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsb06658 mwr1900 incorrectly identified as a DOCSIS devices.

A vulnerability exists in certain Cisco Internetwork Operating System (IOS) Software release trains running on the Cisco IAD2400 series, 1900 Series Mobile Wireless Edge Routers and Cisco VG224 Analog Phone Gateways. Vulnerable versions may contain a default hard-coded Simple Network Management Protocol (SNMP) community string when SNMP is enabled on the device. The default community string is a result of inadvertently identifying these devices as supporting Data Over Cable Service Interface Specification (DOCSIS) compliant interfaces. The consequence of this error is that an additional read-write community string may be enabled if the device is configured for SNMP management, allowing a knowledgeable attacker the potential to gain privileged access to the device. Cisco is making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20060920-docsis.shtml .

CSCsb11124 SGBP Crafted Packet Denial of Service

The Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable denial of service condition.

Devices that do not support or have not enabled the SGBP protocol are not affected by this vulnerability. Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability.

Cisco has published a Security Advisory on this issue; it is available at http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml

CSCse05736 A router running RCP can be reloaded with a specific packet

Symptom    A router that is running RCP can be reloaded by a specific packet.

Conditions   This symptom is seen under the following conditions: - The router must have RCP enabled.

The packet must come from the source address of the designated system configured to send RCP packets to the router.

The packet must have a specific data content.

Workaround   Put access lists on the edge of your network blocking RCP packets to prevent spoofed RSH packets. Use another protocol such as SCP. Use VTY ACLs.

CSCsd85587 7200 Router crashes with ISAKMP Codenomicon test suite

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

Cisco IOS, documented as Cisco bug ID CSCsd85587

Cisco IOS XR, documented as Cisco bug ID CSCsg41084

Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999

Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348

Cisco Firewall Service Module (FWSM) CSCsi97695

This vulnerability is also being tracked by CERT/CC as VU#754281.

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml .


Note Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml


CSCsd85587 Input Queue Wedge with syslog

Symptom    The interface input queue may fill up with up to 50 packets

Conditions   A syslog server is configured

Workaround   For each syslog server configured, it may be possible that up to 50 packets can become stuck in the interface input queue. Increasing the size of the input hold-queue to accommodate these packets will allow traffic to pass freely.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

CSCsc72722 CBAC - firewall resets TCP idle timer upon receiving invalid TCP packets

Symptom    TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not timeout.

Conditions   With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.

Workaround   There is no workaround.

CSCsa53334 bus error in single_pkt_regex

The Intrusion Prevention System (IPS) feature set of Cisco IOS® contains several vulnerabilities. These include:

Fragmented IP packets may be used to evade signature inspection.

IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash resulting in a denial of service.

There are mitigations and workarounds for these vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml

CSCsg16908 IOS FTP Server Deprecation

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's file system, including the device's saved configuration, which may include passwords or other sensitive information. The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities. This vulnerability does not apply to the IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

CSCsc64976 HTTP server should scrub embedded HTML tags from cmd output

A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a show buffers command, will be passed to the browser requesting the page. This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected. Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml

CSCsc64976 unnecessary tcp ports opened in default router config

Cisco devices running IOS which support voice and are not configured for Session Initiated Protocol (SIP) are vulnerable to a crash under yet to be determined conditions, but isolated to traffic destined to User Datagram Protocol (UDP) 5060. SIP is enabled by default on all Advanced images which support voice and do not contain the fix for CSCsb25337. Devices which are properly configured for SIP processing are not vulnerable to this issue. Workarounds exist to mitigate the effects of this problem.

This advisory is posted at

http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml

CSCsb93407 H323 port tcp 1720 still listening after call service stop

Symptom    When H323 call service stops, the router still listens on TCP port 1720 and completes connection attempts.

Conditions   This symptom occurs after H323 is disabled using the following configuration commands:


voice service voip 
h323
call service stop

Workaround   Access can be blocked by deploying an interface access list that blocks access to TCP port 1720 for traffic that is destined for any of the IP addresses of the router.

CSCsf28840 Crash due to configured peer type control vector

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device. There are workarounds available for this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml

CSCsf28840 CoPP: Need support for malformed IP options

Symptom    CoPP policy configured to drop packets with IP options will ignore packets with malformed IP options

Conditions   CoPP configured to filter ip packets with IP options

Workaround   Do not use IP option ACL filtering with CoPP. Instead configure CoPP to filter ip packets by source or destination address.

CSCsf28840 Malformed SSH version 2 packets may cause processor memory depletion

Symptom    Malformed SSH version 2 packets may cause a memory leak, causing the platform to operate under a degraded condition. Under rare circumstances, the platform may reload to recover itself.

Conditions   This symptom is observed on a Cisco platform that is configured for SSH version 2 after it has received malformed SSHv2 packets.

Workaround   As an interim solution until the affected platform can be upgraded to a Cisco IOS software image that contains the fix for caveat

CSCse24889, configure SSH version 1 from the global configuration mode, as in

the following example:

config t

ip ssh version 1
end

Alternate Workaround    Permit only known trusted hosts and/or networks to connect to the router by creating a vty access list, as in the following example:

10.1.1.0/24 is a trusted network that
is permitted access to the router, all
other access is denied

access-list 99 permit 10.1.1.0 0.0.0.255
access-list 99 deny any

line vty 0 4
access-class 99 in
end

Further Problem Description    For information about configuring vty access lists, see the Controlling Access to a Virtual Terminal Line document:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cntrl_acc_vtl.html#wp1027129

For information about SSH, see the Configuring Secure Shell on Routers and Switches Running Cisco IOS document:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

CSCsf28840 certificate crashes 12.3.4.JA AP

Symptom    Certain malformed client certificates may cause an Access Point (AP) to crash.

Conditions   This symptom is observed on a Cisco platform that functions as an AP and that runs Cisco IOS Release 12.3(2)JA2 or Release 12.3(4)JA when EAP-TLS is configured. The symptom may also occur in other releases.

Workaround   Issue a new client certificate.

CSCsf28840 SIP: A router may reload due to SIP traffic

Cisco devices running an affected version of Internetwork Operating System (IOS) which supports Session Initiation Protocol (SIP) are affected by a vulnerability that may lead to a reload of the device when receiving a specific series of packets destined to port 5060. This issue is compounded by a related bug which allows traffic to TCP 5060 and UDP port 5060 on devices not configured for SIP. There are no known instances of intentional exploitation of this issue. However, Cisco has observed data streams that appear to be unintentionally triggering the vulnerability. Workarounds exist to mitigate the effects of this problem on devices which do not require SIP. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml.

CSCsf28840 Corruption of ext communities when receiving over ipv4 EBGP session

Symptom    EIGRP-specific Extended Community 0x8800 is corrupted and shown as

0x0:0:0.

Conditions   This symptom is observed when EIGRP-specific Extended Community 0x8800 is received via an IPv4 EBGP session on a CE router. This occurs typically in the following inter-autonomous system scenario:


ASBR/PE-1 <----> VRF-to-VRF <----> ASBR/PE-2

Workaround   Use a configuration such as the following to remove extended communities from the CE router:


router bgp 1
 address-family ipv4 vrf one
 neighbor 1.0.0.1 remote-as 100
 neighbor 1.0.0.1 activate
 neighbor 1.0.0.1 route-map FILTER in
 exit-address-family
!
ip extcommunity-list 100 permit _RT.*_
!         
!         
route-map FILTER permit 10
 set extcomm-list 100 delete
! 
CSCin95836 Buffer overflow in NHRP protocol

Symptom    A Cisco IOS device configured for NHRP may restart.

Workaround   There is no workaround.

CSCei61732 Additional data integrity check in system timer

Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.

Cisco has made free software available that includes the additional integrity checks for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml

CSCek26492 Enhancements to Packet Input Path

Symptom    A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

Conditions   This Bug resolves a symptom of CSCec71950. Cisco IOS with this specific Bug are not at risk of crash if CSCec71950 has been resolved in the software.

Workaround   Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

CSCsj44081 Improvements in diagnostics and instrumentation

Symptom    Cisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS Software releases published after April 5, 2007.

Details   With the new enhancement in place, IOS will emit a %DATACORRUPTION-1-DATAINCONSISTENCY error message whenever it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp

May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action   Collect "show tech-support" command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the%DATACORRUPTION-1-DATAINCONSISTENCY message and note those to your support contact.

CSCsg96319 reverse ssh eliminated telnet authentication on VTY

Symptom    When a reverse SSH session is established with valid authentication credentials, anyone can obtain unprivileged Telnet access to a system without being authenticated. This situation affects only reverse SSH sessions when a connection is made with the

ssh -l userid :number ip-address command. 

Conditions   This symptom is observed only when the Reverse SSH Enhancement is configured. This enhancement is documented at the following URL:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gt_rssh.html

Workaround   Configure reverse SSH by entering the ip ssh port portnum rotary group command. This configuration is explained at the following URL:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gt_rssh.html#wp1027188

CSCsg40567 Memory leak found with malformed tls/ssl packets in http core process

Symptom    Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions   This symptom is observed on a Cisco router that has the ip http secure server command enabled.

Workaround   Disable the ip http secure server command.

Resolved Caveats - Cisco IOS Release 12.3(11)YS1

CSCsb24007

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCeh60551

Symptom    Certain malformed client certificates may cause an AP running 12.3.2.JA2 or 12.3.4.JA to crash when EAP-TLS is used.

Workaround   Issue a new client certificate.

CSCei61732

Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.

Cisco has made free software available that includes the additional integrity checks for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.

CSCeh35823

Free memory disappears quickly.

CSCei27330

SYS-2-BADSHARE displays frequently on router log.

CSCin91271

NVI Access fails with an actual address.

CSCeh13489

BGP shouldn't propogate updates with AS PATH lengths greater than 255.

Open Caveats - Cisco IOS Release 12.3(11)YS

CSCin91271 

Symptom    NVI: Access fails with actual address.

With NVI CLI, a Cisco 830 series or SOHO 90 series router will not be able to access (telnet) a LAN server through a local address which is translated with CLI.

Workaround   Workaround: None. This mode of access should be avoided to avoid deletion of static entry. Other modes of access are available.

CSCeh01990 

Symptom    Auth ARP probe changes cause existing clients to be disconnected.

Client MAC address entries may be cleared from the router ARP cache unexpectantly. This problem primarily affects deployments where the Authorized ARP and probe commands are configured on a Cisco router acting as an Access Zone Router (AZR). It is seen when the arp authorized interface command is configured along with the arp probe command while entires already exist in the router's ARP cache / local DHCP bindings database. If a change is made to the arp probe interval/count settings while a client ARP entry/DHCP binding already exists, that entry will be inadvertently cleared from arp cache along with its DHCP binding.

Impacted clients who manually release & renew their lease, will receive a new lease, but will continue to be disconnected. Only clients that request and receive a DHCP lease AFTER the probe interval/count variables have been established will not be affected.

Workaround   This problem can be easily avoided by not making setting changes to the arp probe command while users are actively connected. If a setting change is unavoidable (while users are actively connected) the router must be reloaded in order to clear the problem.

CSCsa65271 

Symptom    SCHED-3-STUCKMTMR: Sleep with expired managed timer 633D1000.

When an AZR with multiple 802.1q sub interfaces is configured with the commands arp authorized and arp probe interval, the AZR randomly logs traceback messages pointing to the IP ARP Probe process, such as "%SCHED-3-STUCKMTMR: Sleep with expired managed timer."

Workaround   No workaround is currently available.

Resolved Caveats - Cisco IOS Release 12.3(11)YS

CSCef58201

Symptom    CEF-Dialer failed to add adjacency for CEF interface Virtual-Access1.

The CEF-Dialer feature fails to add an adjacency for a virtual-access1 CEF interface because the IP route is installed after the feature attempts to add the adjacency.

Workaround   Configure a static host entry for the neighbor in the routing table, pointing to the Dialer interface:

ip route prefix mask 255.255.255.255 Dialer1

For the prefix mask argument, enter the IP address of the neighbor.

CSCeh37039

Symptom    usbtoken file system aborted dir operation at unknown type file.

A file system fails to complete the dir command or a show command upon encountering a unrecognized file. This symptom is observed when there is a file of a type that is not supported by the USB token file system.

Workaround   Format the USB token prior to its first use.

CSCeh65626

Symptom    NAT-NVI: Inside-Inside telnet traffic fails over single interface.

CSCin89746

Symptom    NAT overload fails with NVI.

CSCin91153

Symptom    FTP failure with NVI - LAN host to LAN server.

After traffic that uses any NAT ALG traverses the router, if clear ip nat trans * command is used, the router does not do any further translations. This condition is observed only if NVI NAT is configured with a pool OVERLOAD configuration.

Workaround   The same pool can be configured again with a different name and mapped to the dynamic NAT configuration, after clear ip nat trans * is performed.

CSCsa74819

Symptom    Can't disable vpdn ip udp ignore checksum across reloads.

In a release which configures vpdn ip udp ignore checksum by default, if the user manually configures no vpdn ip udp ignore checksum in order NOT to ignore the checksum, this configuration change is not retained across reloads. After writing the configuration to NVRAM and reloading the router, the vpdn ip udp ignore checksum command will automatically be put back in place by IOS. This issue is seen on any image which contains the CSCef90365 fix and after configuring no vpdn ip udp ignore checksum.

Workaround   Re-configure the no vpdn ip udp ignore checksum command after every reload.

CSCsa52807

Symptom    L2TP doing PMTUD vulnerable to spoofed ICMP paks.

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en

CSCsa62111

Symptom    7200 input queue stuck.

Workaround   Reloading the router will clear the input queue, or increasing the input queue using the hold-queue length command beyond the default limit of 75.

Additional References

The following sections describe the documentation available for the Cisco 828 router. Typically, these documents consist of hardware and software installation guides, Cisco IOS configuration and command references, system error messages, feature modules, and other documents. Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online on Cisco.com in pdf or html form.

Use these release notes with the documents listed in the following sections:

Release-Specific Documents

Platform-Specific Documents

Release-Specific Documents

The following documents are specific to Release 12.3 and apply to Cisco IOS Release 12.3(11)YS. They are located on Cisco.com:

Cross-Platform Release Notes for Cisco IOS Release 12.3(11)T

Field Notices: http://www.cisco.com/warp/public/tech_tips/index/fn.html.

Caveats for Cisco IOS Release 12.3 and Caveats for Cisco IOS Release 12.3(11)T

Platform-Specific Documents

Hardware installation guides, configuration and command reference guides, and additional documents specific to the Cisco 828 routers are available on Cisco.com at the following location:

http://www.cisco.com/en/US/products/hw/routers/tsd_products_support_category_home.html

Feature Modules

Feature modules describe new features supported by Cisco IOS Release 12.3 and Cisco IOS Release 12.3(11)YS, and are updates to the Cisco IOS documentation set. A feature module consists of a brief overview of the feature, benefits, configuration tasks, and a command reference. As updates, the feature modules are available online only.

Cisco Feature Navigator

Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a particular set of features and which features are supported in a particular Cisco IOS image. Cisco Feature Navigator is available 24 hours a day, 7 days a week.

To use Cisco Feature Navigator, you must have a JavaScript-enabled web browser such as Netscape 3.0 or later, or Internet Explorer 4.0 or later. Internet Explorer 4.0 always has JavaScript enabled. To enable JavaScript for Netscape 3.x or Netscape 4.x, follow the instructions provided with the web browser. For JavaScript support and enabling instructions for other browsers, check with the browser vendor.

Cisco Feature Navigator is updated when major Cisco IOS software releases and technology releases occur. You can access Feature Navigator at the following URL:

http://www.cisco.com/go/cfn 

Cisco IOS Software Documentation Set

The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents.

Documentation Modules

Each module in the Cisco IOS documentation set consists of one or more configuration guides and one or more corresponding command references. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference. Cisco IOS Software Documentation is available in html or pdf form.

Select your release and click the command references, configuration guides, or any other Cisco IOS documentation you need

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feed-back, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html