CiscoWorks Interface Configuration Manager

Table Of Contents

Release Notes for CiscoWorks Interface Configuration Manager 1.0 on Windows

Contents

Introduction

Caveats

Important Notes

Known Problems

Product Documentation Set

Related Product Documentation

Obtaining Documentation

Cisco.com

Product Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Obtaining Technical Assistance

Cisco Technical Support & Documentation Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information

Release Notes for CiscoWorks Interface Configuration Manager 1.0 on Windows

---

Contents

This document contains the following sections:

•Introduction

•Caveats

•Important Notes

•Known Problems

•Product Documentation Set

•Related Product Documentation

•Obtaining Documentation

•Documentation Feedback

•Cisco Product Security Overview

•Obtaining Technical Assistance

•Obtaining Additional Publications and Information

Introduction

The CiscoWorks Interface Configuration Manager (CiscoWorks ICM), is built on the CiscoWorks web-based framework of network management products.

It provides powerful tools for configuring, managing, and deploying global and port level security configurations that are key for Network Admission Control (NAC) deployment.

It provides features to manage and deploy security configurations at the global and port level, on access switches that are supported in Cisco's Network Admission Control (NAC) deployment (Phase 2).

Managing NAC deployment on many devices in a network without the aid of a network management system is as onerous a task as running any CLI commands on many devices. It is time-consuming and error-prone.

CiscoWorks ICM enables you to create, edit, delete NAC configurations on CiscoWorks ICM. It also allows you to configure them on multiple devices and ports considering the ACS/TACACS+ supplicants deployed in the network.

You can also generate reports using the reporting feature of CiscoWorks ICM.

For a complete description of all the CiscoWorks ICM 1.0 features, see the User Guide for CiscoWorks
Interface Configuration Manager Software release 1.0.
All documentation for CiscoWorks Interface Configuration Manager is available on Cisco.com at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cwicm/cwicm10/index.htm

Caveats

This section describes the following caveats of CiscoWorks ICM:

•JRM memory leak — CSCsd22609

If you run a Configuration Instance Deploy Job on a large number of devices (for example, over 250 devices) the job might fail.

Also, before the job fails, you will not be able to view several of the ICM application pages.

Along with the above symptoms, if the JRM Server goes down with a core file then this is because of a known issue in Common Services (Defect ID: CSCsd22609).

Run NMSROOT/bin/pdshow at the command prompt to view the status of the JRM server. (Here, NMSROOT is the CiscoWorks installation directory (by default, SystemDrive:\Program Files\CSCOpx and SystemDrive is the Windows operating system installed directory).

The issue is related to a memory leak in the JRM component of Common Services.

This issue has been resolved in Common Services 3.0 Service Pack 4. We recommend that you upgrade to Common Services 3.0 Service Pack 4 to resolve this issue.

•Fine tune job download performance

The Change Audit feature of Resource Manager Essentials can slow down Job Download. If you want to enhance the performance, you can turn off Change Audit.

---

Note If you turn off Change Audit, the changes to the device will not be logged in Change Audit module of RME.

---

The properties file, ICMPreferences.properties, has a property, ChangeAuditIntegration. This property is set to ON by default.

To turn off Change Audit, set this property to OFF in the file. Ensure that you maintain case-sensitivity.

To access the ICMPreferences.properties file, go to: NMSROOT\MDC\tomcat\webapps\scm

Where NMSROOT is the CiscoWorks installation directory (by default, SystemDrive:\Program Files\CSCOpx and SystemDrive is the Windows operating system installed directory).

You do not need to restart the daemon manager.

You can fine tune the performance of Job Download by doing the following:

a. Turn off the "Change Audit Integration".

Disable ChangeAuditIntegration property in, NMSROOT/MDC/tomcat/webapps/scm/ICMPerferences.properties

b. Increase the number of download threads.

Bump up the value of CWICMNumOfThreads property up to 100 in,
NMSROOT/MDC/etc/regdaemon.xml

•If you have configured a large number of ports for NAC, the Detailed Inventory Report of Resource Manager Essentials may take more than two hours to launch.

To launch this report in a shorter time:

a. Go to this file location:

NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\inventory\reports\datagenerators

where NMSROOT is the CiscoWorks installation directory (by default, SystemDrive:\Program Files\CSCOpx and SystemDrive is the Windows operating system installed directory).

b. Take a backup of the IRConfig.properties file.

c. Edit the file to change the line
DDR_RENDER_LIMIT : 750
to
DDR_RENDER_LIMIT : 5500

d. This increases the DDR Render limit and displays the entire report. After you make this change, it should take approximately 30 minutes for the report to appear.

Important Notes

Unlike in Resource Manager Essentials, where a user with the role of Network Operator cannot change a device configuration by default, in CiscoWorks ICM a user with the role of Network Operator can modify a device configuration.

This is because, by default, this role allows users to create and deploy a Configuration Instance. To ensure that there is control and oversight on a Network Operator, a user with an Approver role may be designated to approve a job created by a Network Operator, before it can proceed.

Known Problems

Table 1 describes the problems known to exist in this release:

Table 1 Known Problems 

Bug ID	Summary	Explanation
CSCsd67412	Large device import causes RMEDbMonitor to fail.	The RMEDbMonitor goes down when a large number of devices are imported into the system. When a large number of devices (over 1500) are imported into the system, the database connection limit (100 connections) of the RME database is exceeded. As a result the RMEDbMonitor process cannot open a new connection to the database. When this monitor goes down, it brings down all the other dependent processes in the system, including the DPGroupServer process Workaround: Increase the maximum number of connections for the RME database to beyond 100. To do this: 1. Stop the daemon manager. Edit NMSROOT/databases/rmeng/orig/odbc.tmpl, where NMSROOT is the CiscoWorks installation directory (by default, SystemDrive:\Program Files\CSCOpx and SystemDrive is the Windows operating system installed directory). 2. Replace the 100 in the following line with 200 to raise the limit to 200. That is: Change this: __Switches=-q -m -ti 0 -gm 100 -gn 50 -ch 50P to this: __Switches=-q -m -ti 0 -gm 200 -gn 50 -ch 50P 3. Unregister and register the RME database to make sure that the daemon manager picks up the new number of connections. At the command line run the following commands: –NMSROOT/bin/perl NMSROOT/objects/db/conf/configureDb.pl action=unreg dsn=rmeng dmprefix=RME –NMSROOT/bin/perl NMSROOT/objects/db/conf/configureDb.pl action=reg dsn=rmeng dmprefix=RME where NMSROOT is the CiscoWorks installation directory (by default, SystemDrive:\Program Files\CSCOpx and SystemDrive is the Windows operating system installed directory). 4. Restart the daemon manager using these commands: –net stop crmdmgtd –net start crmdmgtd
CSCsd19031	An error sometimes appears when you try to deploy a CI and click Finish.	When you deploy a Configuration Instance an error sometimes appears after you click Finish. The error is: Application error: Failed to create new configuration instance job: Probable cause: getJRM:Can't bind to JRM. giving up and exiting. Workaround: Restart the daemon manager using these commands: •net stop crmdmgtd •net start crmdmgtd Alternatively, you can try the avoid a complete daemon manager restart using these commands: •net stop Tomcat •net start Tomcat
CSCsd72211	Exception list commands in the NAC L2IP Global service UI need a user friendly format.	In the NAC L2IP Global service dialog box, the Identity Profile Configuration and Identity Policy Configuration text boxes in the IOS parameters section are not very user-friendly. They do not provide adequate information. To access this text area: 1. Create a Device Port Group with at least one IOS device. 2. Create a new Configuration Instance and select the Device Port Group created in Step 1. 3. Select the NAC L2 IP Global Service. The NAC L2 IP Global Service dialog box appears with the Identity Profile Configuration and Identity Policy Configuration text boxes. Workaround: Here are some examples on framing an Identity Policy and Identity Profile Configuration: #Exception List : Identity Policy Configuration identity policy trans_1 access-group only2net199 redirect url http://10.188.10.204 match only2net177 identity policy healthy_1 access-group only2net177 #Exception List : EOU Identity Profile Configuration <B>identity profile eapoudp device authorize mac-address 0004.23b2.b979 policy trans_1 device authorize ip-address 10.155.176.112 policy trans_1 device authorize ip-address 10.155.176.0 0.0.0.255 policy trans_1 device authorize type cisco ip phone policy healthy_1 You could use the above command syntax as templates when building your own configuration.
CSCsd12095	CI deploy fails on a 4507 because the dotx control -direction command is not supported on the device.	On Catalyst 4507 devices running IOS v12.2(25)SG(1.93), the dot1x control- direction command is not supported. As a result, when NAC 802.1x Interface service is configured on a Configuration Instance (CI) that includes a Catalyst 4507 and a job is scheduled to deploy the CI to the devices, the command will fail on this device and hence the entire job will appear to fail. This occurs if: •The CI contains a DPG that includes a Catalyst 4507 running IOS version 12.25)SG(1.93) and •In the NAC 802.1x Interface service, the Port Control Direction option is changed to Incoming, Disable or both. Workaround 1: If the job failure policy selected is Ignore failure and continue, check the job details by clicking on the corresponding job ID. Check the status of Deployed devices. Do the following: •If the failed devices are only Catalyst 4507 devices running IOS version 12.25)SG(1.93), click on the device IP address and check the CLI output. and •If the CLI output is as required, ignore the failure error message. Workaround 2: Upgrade the IOS image on Cat4507 to 12.2(31)SG. Workaround 3: 1. Create a separate Device Port Group for Catalyst 4507 devices and do not include these devices in other Device and Port Groups. 2. Create the Configuration Instance with Device and Port Groups that do not have Catalyst 4507 devices. 3. Make a copy of the newly created Configuration Instance. 4. Edit the Configuration Instance and change the selected device port groups to include only device port groups that have Catalyst 4507 devices. 5. In the NAC 802.1x Interface service dialog box, for the Port Control Direction option, select No Change.
CSCsd19142	NAC 802.1x Interface command dot1x critical is not supported on 3550 IOS	On Catalyst 3550 devices running IOS 12.2(25)SED, the dot1x critical CLI command is not supported. As a result, the command will fail on this device and hence the entire job will appear to fail when: 1. The NAC 802.1x Interface service is configured on a Configuration Instance (CI) that includes a Catalyst 3550 2. A job is scheduled to deploy the CI to the devices,. This occurs if: 1. The CI contains a Device and Port Group that includes a Catalyst 3550 running IOS version 12.2(25)SED, 2. In the NAC 802.1x Interface service, the Advanced option Critical is changed to Enable or Disable. Workaround 1: If the job failure policy selected is Ignore failure and continue, check the job details by clicking on the corresponding Job ID. Check the status of Deployed devices. Do the following: •If the failed devices are only Catalyst 3550 devices running IOS 12.2(25)SED, Click on the device IP Address and check the CLI output. •If the CLI output is as required, ignore the failure error message. Workaround 2: Upgrade the IOS image on Catalyst 3550 devices to 12.2(25)SEE. Workaround 3: 1. Create a separate Device Port Group for Catalyst 3550 devices and do not include these devices in other Device and Port Groups. 2. Create the Configuration Instance with Device and Port Groups that do not have Catalyst 3550 devices. 3. Make a copy of the newly created Configuration Instance. 4. Edit the Configuration Instance and change the selected device port groups to include only device port groups that have Catalyst 3550 devices. 5. In the NAC 802.1x Interface service dialog box go to the Advanced option Critical, select No Change.
CSCsd72201	dot1x-auth-fail and multihost mode are not supported together	dot1x auth-fail vlan vlanid command is generated, even if it has not been configured. This is seen when Campus Manager is installed on LMS. This occurs while configuring NAC L2 802.1x service, in the Advanced configuration mode in the UI, when you select a value other than Disable for Multiple Host, from the drop-down list. The Auth-fail VLAN edit box is disabled (grayed). Hence you are prevented from configuring the Auth-fail VLAN. However, the Available VLANs drop down selector is not disabled. If you select a VLAN in this VLAN selector, the CLI is generated to configure auth-fail VLAN. Workaround: Do not select a VLAN in the Available VLANs drop down list, if you have configured Multiple Host as Enable or No Change. You should not select a VLAN in the Available VLANs drop down list, if the you do not want to configure auth-fail VLAN.
CSCsd72204	No correlation between the group created and the radius Servers in the group.	Radius Server groups are created even if the individual Radius server configuration is removed. This happens only if you have IOS devices in the Configuration Instance. This occurs when a Configuration Instance has IOS devices and you are configuring the Radius Server Service: You have: •Selected Disable in the drop down list for both the Radius Server Actions., to disable all the radius servers. •Created the AAA Group and given it a name. In this case, the CLIs are generated to remove the existing Radius server configuration and also to create the AAA Group with the same Radius server. The download succeeds and the configuration file has the AAA groups created with the Radius servers specified. However, the groups do not work, if used elsewhere. Workaround: Do not create AAA groups and disable a Radius server at the same time. If you want to disable a Radius server, then you should not create a AAA group. You may choose to remove the AAA group from the configuration and specify the name of the group to be removed.
CSCsd74696	Job Status appears as failed if there are no commands to download	Job Status appears as failed when there are no commands to download. This problem occurs under these conditions: •Select CatOS and IOS devices in a device group. •Create a Configuration Instance (CI) with this device group. •Select a service that will generate CLIs for one set of devices. For example, PBACL. The CLI will be generated for CatOS devices only. •Now Deploy the CI, the job status is marked as failed. The detailed reports shows that the device download for all IOS devices failed since there were no commands generated to download. Workaround: •Ensure that you select the devices in the Device Port Groups that need configuration change. Or •Check the Job Details page for the failed job to confirm the reason for failure. Ignore those device download failed cases where commands are not generated for the device. Further Details with an Illustration: A Configuration Instance consists of Device Port Groups and Services. Device Port Groups consist of devices and ports. The configured services are applicable to the devices and ports. In some cases, CLIs are not generated for some devices. For example, if you have a Device Port Group consisting of IOS and CatOS devices, and you have configured Adhoc Global Service. In the Adhoc Global Service the commands were entered only for IOS parameters and there were no commands entered for CatOS devices. In this case, there will be no commands generated for the CatOS device. If you deploy this particular CI, the overall download result appears as failed. If you see the job details, you will see that the CatOS device downloads have failed and the reason for failure is, No Commands generated. You can ignore the failure for this particular device. If all the device downloads have failed because there are no commands generated, then you can ignore all these cases and consider the deploy job as success.
CSCsd77356	Guest vlan and Auth-fail vlan CLI not generated for NAC 802.1x Interface on CatOS	The CLI, Guest vlan and Auth-fail vlan, is not generated for NAC 802.1x Interface on CatOS. This occurs if you have: •Created a NAC 802.1x interface service for CatOS by selecting Guest vlan and Auth-fail vlan from the Available VLAN drop down box, and •Saved the configuration. If you view the CLIs, for this, the commands for guest-vlan and auth-fail vlan are not displayed. Workaround: Enter the VLAN number in the text box for both and then the CLI is generated.
CSCsd77261	PBACLs: Cannot configure Healthy, Infected, or Quarantine groups using the UI drop-down list	The PBACL service does not provide for creation of Healthy, Infected, Quarantine groups through the drop down selection. An error appears if you do not create the groups before configuring Identity Policy. The error is: set policy name ASN_healthy group Healthy_grp Group name Healthy_grp does not exist. Create the group before mapping. Workaround: Manually enter the ACE for the group in the text box provided in PBACL. Here is the sample CLI: set security acl ip NRHACL permit ip group Healthy_grp any
CSCsd69131	PBACL on CatOS sometimes fails	PBACL download may fail intermittently. Workaround: To ensure that the PBACL configuration is downloaded successfully to the device, turn off the quicksend feature of the transport library. To turn off the quicksend feature: 1. Access the ICMPreferences.properties file, at this location: NMSROOT\MDC\tomcat\webapps\scm where NMSROOT is the CiscoWorks installation directory (by default, SystemDrive:\Program Files\CSCOpx and SystemDrive is the Windows operating system installed directory). The properties file, ICMPreferences.properties, has a property called EnableQuickSend. 2. Set the EnableQuickSend property to OFF and save the file. (By default the property is set to ON.) Run the deploy job after the changes are made into the property file. You do not need to restart the daemon manager. Note If the quicksend feature is turned off the download of IOS configuration may fail. For the details of this problem, and the workaround, see CSCsd75878.
CSCsd75878	Configuration Instance interface jobs on IOS fail when quicksend feature is turned off	The download of IOS configuration may fail intermittently. This is due to a device bug (Bug ID: CSCei63572). Workaround: To ensure that the IOS configuration is downloaded successfully to the device, turn on the quicksend feature of the transport library. To turn on the quicksend feature: 1. Access the ICMPreferences.properties file, at this location: NMSROOT\MDC\tomcat\webapps/scm where NMSROOT is the CiscoWorks installation directory (by default, SystemDrive:\Program Files\CSCOpx and SystemDrive is the Windows operating system installed directory). The properties file, ICMPreferences.properties, has a property called EnableQuickSend. 2. Set the EnableQuickSend property to ON and save the file. 3. Run the deploy job. (You do not need to restart the daemon manager.) Note If the quicksend feature is turned on the download of PBACL configuration may fail. For the details of this problem, and the workaround, see CSCsd69131.

Product Documentation Set

All the product documentation for CiscoWorks Interface Configuration Manager 1.0 (such as the user guide, the installation and setup guides, the release notes) is available on Cisco.com:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cwicm/cwicm10/index.htm

These guides are also available as PDFs on your product CD-ROM within the Documentation folder.

Your product shipped with a minimal set of printed documentation.

---

Note We sometimes update the electronic documentation after original publication. Therefore, you should continue to check the documentation on Cisco.com for updates.

---

Release Notes for CiscoWorks Interface Configuration Manager 1.0

•Release Notes for CiscoWorks Interface Configuration Manager 1.0 on Solaris (OL-9344-01)

•Release Notes for CiscoWorks Interface Configuration Manager 1.0 on Windows (OL-9345-01)

These documents are available in the following formats:

•As PDFs on your CiscoWorks Interface Configuration Manager CD-ROM.

•On Cisco.com at: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cwicm/cwicm10/relnote/index.htm

Installation and Setup Guides for CiscoWorks Interface Configuration Manager

•Installation and Setup Guide for CiscoWorks Interface Configuration Manager on Solaris, Software Release 1.0 (OL-9342-01)

•Installation and Setup Guide for CiscoWorks Interface Configuration Manager on Windows, Software Release 1.0 (OL-9343-01)

These documents are available in the following formats:

•As PDFs on your CiscoWorks Interface Configuration Manager CD-ROM.

•On Cisco.com at: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cwicm/cwicm10/install/index.htm

User Guide for CiscoWorks Interface Configuration Manager, Software Release 1.0 (OL-9341-01)

This document is available in the following formats:

•As a PDF on your CiscoWorks Interface Configuration Manager CD-ROM.

•From the CiscoWorks Interface Configuration Manager online help.

•On Cisco.com at: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cwicm/cwicm10/ug/index.htm

Supported Devices Table for CiscoWorks Interface Configuration Manager, Software Release 1.0

On Cisco.com at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cwicm/cwicm10/index.htm

Documentation Guide and License for CiscoWorks Interface Configuration Manager 1.0 (78-17529-01)

This document is available in the following formats:

•A hard copy with your product.

•A PDF on your CiscoWorks Interface Configuration Manager CD-ROM.

•On Cisco.com at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cwicm/cwicm10/scmdg.htm

Related Product Documentation

The following list includes documentation related to your product. These documents were not shipped with your product, but you can access them by using the listed URLs. You also can order printed copies by following the instructions in the Obtaining Documentation section.

The following are the related documents:

•LAN Management Solution (LMS)

•Campus Manager

•Resource Manager Essentials

•Campus Manager

LAN Management Solution (LMS)

All the LMS documents are available on Cisco.com at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/lms/index.htm

CiscoWorks Common Services (CD One with CiscoView)

The following related documentation for CiscoWorks Common Services is available in the HTML and PDF formats on Cisco.com at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/index.htm.

Resource Manager Essentials

All the Resource Manager Essentials documents, including Installation Guides, Release Notes, Supported Devices Table, User Guide are available on Cisco.com at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_4_x/index.htm

Campus Manager

Installing Campus Manager is optional for CiscoWorks Interface Configuration Manager.

The following related documentation for Campus Manager is available in the HTML and PDF formats on Cisco.com at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/camp_mgr/camp_4x/index.htm

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/techsupport

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD

The Product Documentation DVD is a comprehensive library of technical product documentation on a portable medium. The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .PDF versions of the documentation available.

The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL:

http://www.cisco.com/go/marketplace/

Ordering Documentation

Registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL:

http://www.cisco.com/go/marketplace/

Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001.

Documentation Feedback

You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com.

You can submit comments about Cisco documentation by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you will find information about how to:

•Report security vulnerabilities in Cisco products.

•Obtain assistance with security incidents that involve Cisco products.

•Register to receive security information from Cisco.

A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:

http://www.cisco.com/go/psirt

To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:

•For Emergencies only — security-alert@cisco.com

An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.

•For Nonemergencies — psirt@cisco.com

In an emergency, you can also reach PSIRT by telephone:

•1 877 228-7302

•1 408 525-6532

---

Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.

Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

The link on this page has the current PGP key ID in use.

If you do not have or use PGP, contact PSIRT at the aforementioned e-mail addresses or phone numbers before sending any sensitive material to find other means of encrypting the data.

---

Obtaining Technical Assistance

Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.

Cisco Technical Support & Documentation Website

The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

---

Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.

---

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—An existing network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of the network is impaired, while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

•The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:

http://www.cisco.com/go/guide

•Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

•Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

•Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

•iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

or view the digital edition at this URL:

http://ciscoiq.texterity.com/ciscoiq/sample/

•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

•Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:

http://www.cisco.com/en/US/products/index.html

•Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:

http://www.cisco.com/discuss/networking

•World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html

This document is to be used in conjunction with the documents listed in the "Product Documentation Set" section.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2006 Cisco Systems, Inc. All rights reserved.