Release Notes for the Catalyst 4900M Series Switch, Cisco IOS Release 12.2(53)SG
Current Release
12.2(53)SG—July 27, 2009
Previous Release
12.2(52)SG, 12.2(50)SG5, 12.2(50)SG4, 12.2(50)SG3, 12.2(50)SG2, 12.2(50)SG1, 12.2(50)SG, 12.2(46)SG, 12.2(40)XO
These release notes describe the features, modifications, and caveats for Cisco IOS software on the Catalyst 4900M switch.
Cisco Systems announces the Cisco Catalyst 4900M Series, a premium extension to the widely deployed Catalyst 4948 Series top of rack Ethernet switches for data center server racks. Optimized for ultimate deployment flexibility, the Catalyst 4900M Series can be deployed for 10/100/1000 server access with 1:1 uplink to downlink oversubscription, mix of 10/100/1000 and 10 GbE servers or all 10GbE servers in the same rack. The Catalyst 4900M is a 320Gbps, 250Mpps, 2RU fixed configuration switch with 8 fixed wire speed X2 ports on the base unit and 2 optional half card slots for deployment flexibility and investment protection. Low latency, scalable buffer memory and high availability with 1+1 hot swappable AC or DC power supplies and field replaceable fans optimize the Catalyst 4900M for any size of data center.
Support for Cisco IOS Software Release 12.2(53)SG, the default image, follows the standard Cisco Systems® support policy, available at
http://www.cisco.com/en/US/products/products_end-of-life_policy.html
For more information about the Cisco Catalyst 4900M Series, visit:
http://www.cisco.com/go/cat4900/docs.
Note
Although their Release Notes are unique, the 4 platforms (Catalyst 4500, Catalyst 4900, Catalyst ME 4900, and Catalyst 4900M) use the same Software Configuration Guide, Command Reference Guide, and System Message Guide. Refer to this location:
http://www.cisco.com/go/cat4500/docs
Contents
This publication consists of these sections:
•
Cisco IOS Software Packaging for the Cisco Catalyst 4900M Switch
•
Minimum and Recommended ROMMON Release
•
Obtaining Documentation and Submitting a Service Request
Cisco IOS Software Packaging for the Cisco Catalyst 4900M Switch
Catalyst 4900M software features based on Cisco IOS Software 12.2(53)SG will support the IP Base image and the entservices image.
The IP Base image does not support enhanced routing features such as Nonstop Forwarding/Stateful Switchover (NSF/SSO), BGP, Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS), Internetwork Packet Exchange (IPX), AppleTalk, Virtual Routing Forwarding (VRF-lite), GLBP, and policy-based routing (PBR). The IP Base image supports Static routes, RIPv1/v2 for IP BASE, and EIGRP-Stub for limited routing on Cisco Catalyst 4900 Series Switches.
The Enterprise Services image supports Cisco Catalyst 4900M Series software features based on Cisco IOS Software 12.2(53)SG, including enhanced routing. BGP capability is included in the Enterprise Services package.
Note
The recommended Cisco IOS image on the Catalyst 4900M is 12.2(50)SG3.
Orderable Product Numbers:
•
S49MES-12253SG - Cisco IOS Software for Cisco Catalyst 4900M Switches (Enterprise Services image with BGP support)
•
S49MESK9-12253SG - Cisco IOS Software for Cisco Catalyst 4900M Switches (Enterprise Services image with 3DES and BGP support)
•
S49MIPB-12253SG - Cisco IOS Software for Cisco Catalyst 4900M Switches (IP Base image)
•
S49MIPBK9-12253SG - Cisco IOS Software for Cisco Catalyst 4900M Switches (IP Base image with 3DES)
•
S45EIPB-12250SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engine 6-E (IP Base Image)
•
S45IPBK9-12250SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engine 6-E (IP Base Image with 3DES) (cat4500-ipbasek9-mz)
•
S45EES-12250SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engine 6-E (Enterprise Services image) (cat4500-ipbasek9-mz)
•
S45EESK9-12250SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engine 6-E (Enterprise Services image) (cat4500-ipbasek9-mz)
•
S45EIPB-12246SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engine 6-E (IP Base Image)
•
S45IPBK9-12246SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engine 6-E (IP Base Image with 3DES) (cat4500-ipbasek9-mz)
•
S45EES-12246SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engine 6-E (Enterprise Services image) (cat4500-ipbasek9-mz)
•
S45EESK9-12246SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engine 6-E (Enterprise Services image) (cat4500-ipbasek9-mz)
•
S49IPB-12252SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)
•
S49IPBK9-12252SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)
•
S49ES-12252SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with BGP support) (cat4500-entservices-mz)
•
S49ESK9-12252SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES and BGP) (cat4500-entservicesk9-mz)
Cisco 4900M Series Ethernet Switch Cisco IOS Release Strategy
Customers with Catalyst 4900M switches who need the latest hardware support and software features should migrate to Cisco IOS Release 12.2(53)SG.
For more information on the Cisco 4900M Switch, visit the following URL: www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/index.htm
Cisco IOS Software Migration
Figure 1 displays the two active, 12.2(31)SGA and 12.2(50)SG, and newly introduced 12.2(53)SG extended maintenance trains.
Support for the Catalyst 4900M platform was introduced in 12.2(40)XO. Moving forward, the Cisco Catalyst 4900M platform has two maintenance trains. The Cisco IOS Release 12.2(53)SG is the latest maintenance train and includes the most recent features including support for OSPF for routed Access
Figure 1 Software Release Strategy for the Catalyst 4900M Series Switch
Summary of Migration Plan
•
Customers requiring the latest Cisco Catalyst 4900M Switch hardware and software features should migrate to Cisco IOS Software Release 12.2(53)SG.
Support
Support for Cisco IOS Software Release 12.2(53)SG follows the standard Cisco Systems® support policy, available at
http://www.cisco.com/en/US/products/products_end-of-life_policy.html
System Requirements
Note
The recommended Cisco IOS image on the Catalyst 4900M is 12.2(50)SG3.
This section describes the system requirements:
Supported Hardware
The following table lists the hardware supported on the Catalyst 4900M series switch.
Table 1 Supported Hardware
Product Number (append with "=" for spares)
Product Description
Small Form-Factor Pluggable Modules (supported only in WS-X4908-10GE(=) half-card)
GLC-SC-MM
Gigabit Ethernet SFP, LC connector, and SX transceiver small form-factor pluggable module
GLC-LH-SM
Gigabit Ethernet SFP, LC connector, and LX/LH transceiver small form-factor pluggable module
GLC-ZX-SM
1000BASE-ZX small form-factor pluggable module
GLC-T
1000BASE-T small form-factor pluggable module
CWDM-SFP-xxxx
CWDM small form-factor pluggable module (See Table 2 for a list of supported wavelengths.)
10 Gigabit Ethernet X2 Pluggable Modules
X2-10GB-LR
10GBASE-LR X2 transceiver module for SMF, 1310-nm wavelength, SC duplex connector
X2-10GB-ER
10GBASE-ER X2 transceiver module for SMF, 1550-nm wavelength, SC duplex connector
X2-10GB-CX4
10GBASE-CX4 X2 transceiver module for CX4 cable, copper, Infiniband 4X connector
X2-10GB-LX4
10GBASE-LX4 X2 transceiver module for MMF, 1310-nm wavelength, SC duplex connector
X2-10GB-LRM
10GBASE-LRM X2 transceiver module for MMF, 1310-nm wavelength, SC duplex connector
X2-10GB-SR
10GBASE-SR X2 transceiver module for MMF, 850-nm wavelength, SC duplex connector
X2-10GB-ZR
10GBASE-ZR X2 transceiver module for SMF, 1550 nm wavelength up to 80 km. DOM is not supported.
X2-10GB-DWDM
10GBASE-ZR X2 transceiver module for SMF, 32 nontunable ITU 100-GHz wavelengths up to 80 km are supported. DOM is supported. Dual SC/PC connectors are supported.
CVR-X2-SFP10G
Hot-swappable input/output (I/O) converter module that fits into a 10-Gigabit Ethernet X2 slot on a switch or line card module. Hosts one 10-Gigabit Ethernet SFP+ transceiver module.
SFP+ Modules
SFP-10G-SR
Cisco 10GBASE-SR SFP+ Module for MMF
Table 2 briefly describes the supported wavelengths in the Catalyst 4900M series switches.
The following table lists the hardware supported on the Catalyst 4900M series switch.
Supported Features
Note
The default image for the Catalyst 4900M series switch is Cisco IOS Release 12.2(50)SG5.
Table 4 lists the Cisco IOS software features for the Catalyst 4900M series switch.
Table 4 Cisco IOS Software Feature Set for the Catalyst 4900M series Switch
Layer 2 Switching Features
Storm control
Storm Control: Per-Port Multicast Suppression
Multicast storm control
IP Source Guard
IP Source Guard for Static Hosts
PVRST+
Layer 2 transparent bridging [1]
Layer 2 MAC [2] learning, aging, and switching by software
Unicast MAC address filtering
VMPS [3] Client
Layer 2 hardware forwarding up to 102 Mpps
Layer 2 Control Policing (Not supported on Supervisor Engine 6-E)
Layer 2 switch ports and VLAN trunks
Spanning-Tree Protocol (IEEE 802.1D) per VLAN
802.1s and 802.1w
Layer 2 traceroute
Unidirectional Ethernet port
Per-VLAN spanning tree (PVST) and PVST+
Spanning-tree root guard
Spanning-tree Loop guard and PortFast BPDU Filtering
Support for 9216 byte frames
Port security
Port security on Voice VLAN
Port security MAC Aging
Trunk Port Security
Unicast MAC Filtering
802.1X with Port Security
Private VLANs
Private VLAN DHCP snooping
Private VLAN trunks
IEEE 802.1Q-based VLAN encapsulation
Multiple VLAN access port
VLAN Trunking Protocol (VTP) and VTP domains
VTP v3
Support for 4096 VLANs per switch
Unidirectional link detection (UDLD) and aggressive UDLD
SNMP V3 support for Bridge-MIB with VLAN indexing
Ethernet CFM
Ethernet OAM Protocol
Supported Protocols
DTP [4]
RIPv1 [5] and RIPv2, Static Routing
EIGRP [6]
EIGRP Stub Routing
OSPF [7]
BGP4 [8]
BGP route-map Continue
BGP Neighbor Policy
MBGP [9]
MSDP [10]
ICMP [11] Router Discovery Protocol
Static routes
Classless interdomain routing (CIDR)
DVMRP [12]
NTP [13]
STP - Portfast BPDU Guard
STP- BPDU Filtering
STP - Root Guard
SCP [14]
EtherChannel Features
Cisco EtherChannel technology - 10/100/1000 Mbps, 10 Gbps
Load balancing for routed traffic, based on source and destination IP addresses
Load sharing for bridged traffic based on MAC addresses
IEEE 802.1Q on all EtherChannels
Bundling of up to eight Ethernet ports
Trunk Port Security over EtherChannel
Additional Protocols and Features
Secure Copy Protocol (SCP)
Routed Jumbo Frame support
SPAN CPU port mirroring
SPAN packet-type filtering
SPAN destination in-packets option
SPAN ACL filtering
Enhanced VLAN statistics
Secondary addressing
Bootstrap protocol (BOOTP)
Authentication, authorization, and accounting using TACACS+ and RADIUS protocol
Cisco Discovery Protocol (CDP)
CDP 2nd Port Status TLV
FlexLink and MAC Address-Table Move Update
Network Mobility Services Protocol
Sticky port security
Voice VLAN Sticky Port Security
Cisco Group Management Protocol (CGMP) server support
HSRP [15] over Ethernet, EtherChannels - 10/100/1000Mbps, 10 Gbps
GLBP
VRRP
IGMP [16] snooping version 1, version 2, and version 3 (Full Support)
IGMP filtering
IGMP Querier
Multicast VRF-lite
VRF-aware IP services
Configurable IGMP Leave Timer
Multicast Source Discovery Protocol (MSDP)
Smartports I custom macros
Smartports II default macros
Smartports III global macros
Port Aggregation Protocol (PagP)
802.3ad LACP
SSH version 1 and version 2 [17]
show interface capabilities command
IfIndex persistence
Enhanced SNMP MIB support
SNMP [18] version 1, version 2, and version 3
SNMP version 3 (with encryption)
DHCP server and relay-agent
DHCP Snooping Statistics and SYSLOG
DHCP client autoconfiguration
DHCP Option 82 data Insertion
DHCP Option 82 Pass Through
DHCP Relay Agent for IPv6
DHCP Option 82 - Configurable Remote ID and Circuit ID
Port flood blocking
Router standard and extended ACLs [19] on all ports with no performance penalty
Downloadable ACL
VLAN ACL
PACL [20]
VACL
RACL
Unicast RPF
Local Proxy ARP
Dynamic ARP Inspection on PVLANs
Dynamic ARP Inspection
Per-VLAN CTI
ARP QoS
MQC
Ingress/Egress Policing
Ingress Rate Limiting
Egress Bandwidth Limiting/port shaping
Per VLAN Policy & Per Port Policer
802.1p Priority
Strict Priority Scheduling
Ingress/Egress Strict Priority Queuing (Expedite)
Shaped Round Robin (SRR)
Egress Shaped Queues
Ingress/egress Shared Queues
DSCP Mapping
DSCP Filtering
AutoQoS - VoIP
PBR [21]
Auto QoS 1.5
Trust Boundary Configuration
Dynamic Buffer Limiting (DBL)
Per-VLAN Control Traffic Intercept
Table Map Based Classification
Interface Index Persistence
UDI - Unique Device Identifier
Per-port QoS [22] rate-limiting and shaping
Per-port Per-VLAN QoS
Energy Wise
Two-Rate Three-Color Policing
Dynamic Multi-Protocol Ternary Content Addressable Memory
SmartPort macros
802.1s standards compliance
Flexible Authentication Sequencing
Multi-Authentication
Open Authentication
Web Authentication
Local Web Authentication (EPM syslog and Common session ID)
PPPoE Intermediate Agent
Identity ACL Policy Enforcement [23]
IPv6 routing - unicast routing "RIPng"
IPv6 Neighbor Discovery Throttling
IPv6 MLDv1 & v2 Snooping
IPv6 Host support (- IPv6 support: Addressing; IPv6: Option processing, Fragmentation, ICMPv6,
TCP/UDP over IPv6; Applications: Ping/Traceroute/VTY/SSH/TFTP, SNMP for IPv6 objects)
IPv6 ACLs
IPv6 Management Services (CDP over IPv6, SSHv2 over IPv6)
IPv6: MLDv1/v2
IPv6:CEFv6
IPv6:MLD Snooping
Non-stop Forwarding Awareness
Non-stop Forwarding Awareness for EIGRP-stub in IP base for all supervisor engines
BGP MIB
OSPF Fast Convergence [24]
AutoRP
Service-Aware Resource Allocation
TwinGig Converter Module
FAT File System
EEM [25]
VSS client with PagP+
Ethernet Management Port
Enhanced Object Tracking subfeatures:
•
HSRP with EOT
•
VRRP with EOT
•
GLBP with EOT
•
IP SLA with EOT
•
Reliable Backup Static Routing with EOT
ANCP Client
Bidirectional PIM
OSPF and EIGRP Fast Convergence
Inactivity Timer
boot config command
Crashdump enhancement
Unicast MAC filtering
Energy Wise
DHCPv6 Ethernet Remote ID option
DHCPv6 Relay - Persistent Interface ID option
DHCPv6 Relay Agent notification for Prefix Delegation
PIM SSM Mapping
VRF lite NSF support with routing protocols OSPF/EIGRP/BGP
Layer 2 Tunneling Protocol
Online Diagnostics
PIM Accept Register - Rogue Multicast Server Protection [26]
Configuration Rollback
IP Multicast Load Splitting (Equal Cost Multipath (ECMP) using S, G and Next-hop)
OSPF for Routed Access
Archiving crashfiles
1 Hardware-based transparent bridging within a VLAN
2 MAC = Media Access Control
3 VMPS = VLAN Management Policy Server
4 DTP = Dynamic Trunking Protocol
5 RIP = Routing Information Protocol
6 EIGRP = Enhanced Interior Gateway Routing Protocol
7 OSPF = Open Shortest Path First
8 BGP4 = Border Gateway Protocol 4
9 MBGP = Multicast Border Gateway Protocol
10 MSDP = Multicast Source Discovery Protocol
11 ICMP = Internet Control Message Protocol
12 DVMRP = Distance Vector Multicast Routing Protocol
13 NTP = Network Time Protocol
14 SCP = Secure Copy Protocol
15 HSRP = Hot Standby Router Protocol
16 IGMP = Internet Group Management Protocol
17 SSH = Secure Shell Protocol
18 SNMP = Simple Network Management Protocol
19 ACLs = Access Control Lists
20 PACL = Port Access Control List
21 Policy-based Routing
22 QoS = Quality of Service
23 filter-ID and per-user ACL
24 The Catalyst 4500 series switch supports Fast Hellos, ISPF, and LSA Throttling.
25 EEM = Embedded Event Manager
26 The route-map keyword is not supported.
Following Features are Supported only on the Catalyst 4900M
With Cisco IOS Release 12.2(52)SG, the following features are available only with Supervisor Engine 6-E:
•
IPv6
–
IPv6 Addressing Architecture
–
CDP IPv6 Address Family
–
CEFv6
–
DNS resolver for AAAA over an IPv4 transport
–
DNS resolver for AAAA over an IPv6 transport
–
Extended ACL
–
Hop-by-Hop option header
–
ICMP Rate Limiting
–
ICMPv6
–
ICMPv6 Redirect
–
IPv6 MIB
–
IPv6 over IEEE 802.1Q
–
IPv6 over IPv4 GRE tunnel
–
ISATAP
–
Loopback
–
MFIB for IPv6
–
MLD Snooping (will show up as a new chapter in the Config Guide)
–
MLDv1/v2
–
MTU Path Discovery for IPv6
–
OSPFv3
–
RIPng
–
EIGRPv6
–
BGPv4
•
FAT filesystem
•
PIM (SM, DM, SDM)
•
QoS
–
Two Rate three Color Policing
–
Table map support for marking
–
Class based queuing actions (shaping/bandwidth/queue-limit/dbl/strict priority)
•
Voltage Margining CLI
•
QoS for IPv6
•
ARP QoS
Unsupported Features
These features are not supported in Cisco IOS Release 12.2(53)SG for the Catalyst 4900M switch:
•
IS-IS
•
IS-IS MIB
•
MAC notification MIB support
•
RPR
•
NSF with SSO
•
ISSU
•
The following ACL types:
–
Standard Xerox Network System (XNS) access list
–
Extended XNS access list
–
DECnet access list
–
Protocol type-code access list
•
ADSL and Dial access for IPv6
•
AppleTalk EIGRP (use native AppleTalk routing instead)
•
Bridge groups
•
Cisco IOS software IPX ACLs:
–
<1200-1299> IPX summary address access list
•
Cisco IOS software-based transparent bridging (also called "fallback bridging")
•
Connectionless (CLNS) routing; including IS-IS routing for CLNS. IS-IS is supported for IP routing only.
•
DLSw (data-link switching)
•
IGRP (use EIGRP instead)
•
IP SLA
•
isis network point-to-point command
•
Kerberos support for access control
•
Lock and key
•
NAT-PT for IPv6
•
Reflexive ACLs
•
Routing IPv6 over an MPLS network
•
Two-way community VLANs in private VLANs
•
WCCP v1 and v2
•
PIM Stub in IP Base
•
UniDirectional Link Routing (UDLR)
•
NAC L2 IP - Inaccessible authentication bypass
•
Packet Based Storm Control
•
AutoQoS - VoIP
•
Global QoS (enable QoS)
•
CER for E-911 Support
•
Auto RP
•
Cisco-Port-QoS-MIB
•
Real Time DiagNosis (GOLD-Lite)
•
Cisco Network Assistant (CNA)
•
Time Domain Reflectometry
•
HTTP Software Upgrade
•
MAC Address Notification
•
CFM CoS
New and Changed Information
These sections describe the new and changed information for the Catalyst 4900M series switch running Cisco IOS software:
•
New Hardware Features in Release 12.2(53)SG
•
New Software Features in Release 12.2(53)SG
•
New Hardware Features in Release 12.2(52)SG
•
New Software Features in Release 12.2(52)SG
•
New Hardware Features in Release 12.2(50)SG2
•
New Software Features in Release 12.2(50)SG2
•
New Hardware Features in Release 12.2(50)SG1
•
New Software Features in Release 12.2(50)SG1
•
New Hardware Features in Release 12.2(50)SG
•
New Software Features in Release 12.2(50)SG
•
New Hardware Features in Release 12.2(46)SG
•
New Software Features in Release 12.2(46)SG
New Hardware Features in Release 12.2(53)SG
Release 12.2(53)SG provides no new hardware for the Catalyst 4900M switch.
New Software Features in Release 12.2(53)SG
Release 12.2(53)SG provides the following Cisco IOS software features for the Catalyst 4900M switch:
•
IP Multicast Load Splitting (Equal Cost Multipath (ECMP) using S, G and Next-hop)
•
OSPF for Routed Access (Supervisor Engine 6-E, Supervisor Engine 6L-E, and 4900M)
OSPF for Routed Access is designed specifically to enable customers to extend Layer 3 routing capabilities to the access or Wiring Closet.
Note
OSPF for Routed Access supports only one OSPFv2 and one OSPFv3 instance with a maximum number of 200 dynamically learned routes.
With the typical topology (hub and spoke) in a campus environment, where the wiring closets (spokes) are connected to the distribution switch (hub) forwarding all nonlocal traffic to the distribution layer, the wiring closet switch need not hold a complete routing table. A best practice design, where the distribution switch sends a default route to the wiring closet switch to reach inter-area and external routes (OSPF stub or totally stub area configuration) should be used when OSPF for Routed Access is used in the wiring closet.
Refer to the following link for more details:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/routed-ex.html
With Cisco IOS Release 12.2(53)SG, the IP Base image supports OSPF for routed access. The Enterprise Services image is required if you need multiple OSPFv2 and OSPFv3 instances without route restrictions. Additionally, Enterprise Services is required to enable the VRF-lite feature.
New Hardware Features in Release 12.2(52)SG
Release 12.2(52)SG provides no new hardware for the Catalyst 4900M series switch.
New Software Features in Release 12.2(52)SG
Release 12.2(52)SG provides the following new Cisco IOS software features for the Catalyst 4900M series switch:
•
EnergyWise
•
Network Mobility Services Protocol
•
Identity ACL Policy Enforcement Enhancement
–
Filter-ID
–
Per-user ACL
•
Smart Call Home*
•
Local WebAuth Enhancement
•
DHCPv6 Enhancements
–
DHCPv6 Ethernet Remote ID option
–
DHCPv6 Relay - Persistent Interface ID option
–
DHCPv6 Relay Agent notification for Prefix Delegation
•
SSM Mapping
•
PIM Accept Register - Rogue Multicast Server Protection (route-map option is not supported)
•
VRF lite NSF support with routing protocols OSPF/EIGRP/BGP
•
Online Diagnostics
•
Supported MIBs
–
Cisco Enhanced Image MIB
–
Cisco HSRP extension MIB
–
CISCO-CALLHOME-MIB.my
–
EnergyWise MIB
–
POE MIB
–
POE ext MIB
–
Entity-Diag-MIB
–
Bridge MIB
New Hardware Features in Release 12.2(50)SG3
Release 12.2(50)SG3 provides the following hardware for the Catalyst 4500 series switch:
•
CVR-X2-SFP10G
Hot-swappable input/output (I/O) converter module that fits into a 10-Gigabit Ethernet X2 slot on a switch or line card module. Hosts one 10-Gigabit Ethernet SFP+ transceiver module.
•
SFP-10G-SR
Cisco 10GBASE-SR SFP+ Module for MMF
New Software Features in Release 12.2(50)SG3
Release 12.2(50)SG3 provides no new features for the Catalyst 4500 series switch.
New Hardware Features in Release 12.2(50)SG2
Release 12.2(50)SG2 provides no new hardware for the Catalyst 4900M series switch.
New Software Features in Release 12.2(50)SG2
Release 12.2(50)SG2 provides no new software for the Catalyst 4900M series switch.
New Hardware Features in Release 12.2(50)SG1
Release 12.2(50)SG1 provides no new hardware for the Catalyst 4900M series switch.
New Software Features in Release 12.2(50)SG1
Release 12.2(50)SG1 provides the following new Cisco IOS software features for the Catalyst 4900M series switch:
•
EEM version 2
New Hardware Features in Release 12.2(50)SG
Release 12.2(50)SG provides the following new hardware for the Catalyst 4900M series switch:
•
X2-10GB-ZR optical module
•
X2-10GB-DWDM optical module
New Software Features in Release 12.2(50)SG
Release 12.2(50)SG provides the following Cisco IOS software features for the Catalyst 4900M series switch:
Note
The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.
•
Multicast VRF-lite ("Configuring VRF-Lite" chapter)
•
IGMP Querier ("Configuring IGMP Snooping" chapter)
•
Bidirectional PIM ("Configuring IP Multicast" chapter)
•
Private VLAN trunks ("Configuring Private VLANs" chapter)
•
DHCP Relay Agent for IPv6 (refer to Cisco IOS Release 12.2 mainline documentation)
•
OSPF and EIGRP fast convergence and protection (Refer to the Cisco IOS Release 12.4 documentation)
•
CDP 2nd Port Status TLV (no configuration required on the switch)
•
Flexible Authentication Sequencing ("Configuring 802.1X" chapter)
•
Multi-Authentication ("Configuring 802.1X" chapter)
•
Open Authentication ("Configuring 802.1X" chapter)
•
Web Authentication ("Configuring Web Authentication" chapter)
•
Inactivity Timer ("Configuring 802.1X" chapter)
•
Downloadable ACLs ("Configuring Network Security with ACLs" chapter)
•
ANCP Client ("Configuring ANCP Client" chapter)
•
PPPoE Intermediate Agent ("PPPoE Circuit-Id Tag Processing" chapter)
•
VTP version 3 ("Configuring VLANs, VTP, and VMPS" chapter)
•
VRF-aware IP services ("Configuring VRF-Lite" chapter)
•
Control Plane Policing ("Configuring CPP" chapter)
•
boot config command (Refer to the Cisco IOS Release 12.4 documentation)
•
Archiving Crashinfo Files ("Configuring Command-Line Interfaces" chapter)
•
Unicast MAC filtering ("Configuring Network Security with ACLs" chapter)
•
Configuration Rollback
New Hardware Features in Release 12.2(46)SG
Release 12.2(46)SG provides no new hardware for the Catalyst 4900M series switch.
New Software Features in Release 12.2(46)SG
Note
All features supported in Release 12.2(44)SG on Supervisor Engine 6-E (except for SSO) apply to this chassis.
Release 12.2(46)SG provides the following Cisco IOS software features for the Catalyst 4500 series switch:
Note
The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.
•
802.1X Catchup (Refer to the "Configuring 802.1X" chapter)
–
802.1X Guest VLAN
–
802.1X Critical Authentication
–
Wake on LAN
–
Radius Accounting
–
Radius Supplied Timeout
•
ARP QoS (Refer to the "Configuring QoS" chapter)
•
Per-VLAN CTI (Refer to the "Configuring QoS" chapter)
•
Flash support for Layer 3 features
•
FlexLink and FlexLink+ with MAC Address-Table Move Update (Refer to the "Configuring FlexLink" chapter)
•
Ethernet Management Port (Refer to the "Configuring Interfaces" chapter)
•
LLDP-MED: location TLV and MIB (Refer to the "Configuring LLDP and LLDP-MED" chapter)
•
Enhanced Object Tracking (EOT) (Refer to the Cisco IOS Release 12.2 documentation)
–
HSRP with EOT
–
VRRP with EOT
–
GLBP with EOT
–
IP SLA with EOT
–
Reliable Backup Static Routing with EOT
•
RSPAN (Refer to the "Configuring SPAN and RSPAN" chapter)
•
CFM 802.1ag (Refer to the "Configuring Ethernet CFM and OAM" chapter)
•
E-OAM 802.3ah (Refer to the "Configuring Ethernet CFM and OAM" chapter)
•
Ethernet Management Port (Refer to the "Configuring Interfaces" chapter)
•
Embedded management (Refer to the Cisco IOS Release 12.4 documentation)
•
MAC notify MIB (Refer to the Cisco IOS Release 12.4 documentation)
•
BGP (Refer to the Cisco IOS Release 12.4 documentation)
•
802.1X Dynamic VLAN Assignment (Refer to the "Configuring 802.1X" chapter)
•
802.1X MAC Authentication Bypass (Refer to the "Configuring 802.1X" chapter)
•
802.1X with VVID/PVID (Refer to the "Configuring 802.1X" chapter)
•
Eight configurable queues per port (Refer to the "Configuring QoS" chapter)
•
VSS client with PagP+
After configuring VSS dual-active on Catalyst 6500 switches, the Catalyst 4500 series switch can detect VSS dual-active with PagP+ support.
•
IP SLA (Refer to the Cisco IOS Release 12.2 documentation)
•
802.1ab LLDP and 802.1ab LLDP-MED (Refer to the "Configuring LLDP and LLDP-MED" chapter)
•
X2 Link Debounce Timer (Refer to the "Configuring Interfaces" chapter)
•
Resilient Ethernet Protocol (REP) (Refer to the "Configuring REP" chapter)
Minimum and Recommended ROMMON Release
Table 5 Minimum and Recommended ROMMON Release for Catalyst 4900M
Minimum ROMMON Release: 12.2(40r)XO
Recommended ROMMON Release: 12.2(44r)SG5
Limitations and Restrictions
•
The WS-X4920-GB-RJ45 card performs at wire speed until it operates at 99.6% utilization. Beyond this rate, the card will lose some packets.
•
Compact Flash is not supported on a Cisco Catalyst 4900M switch running Cisco IOS Release 12.2(40)XO. Attempting to use Compact Flash may corrupt your data.
•
IP classful routing is not supported; do not use the no ip classless command; it will have no effect, as only classless routing is supported. The command ip classless is not supported as classless routing is enabled by default.
•
A Layer 2 LACP channel cannot be configured with the spanning tree PortFast feature.
•
Netbooting using a boot loader image is not supported. See the "Troubleshooting" section for details on alternatives.
•
An unsupported default CLI for mobile IP is displayed in the HSRP configuration. Although this CLI will not harm your system, you might want to remove it to avoid confusion.
Workaround: Display the configuration with the show standby command, then remove the CLI. Here is sample output of the show standby GigabitEthernet1/1 command:
switch(config)# interface g1/1
switch(config-if)# no standby 0 name     (0 is the HSRP group number)
•
For HSRP "preempt delay" to function consistently, you must use the standby delay minimum command. Be sure to set the delay to more than 1 hello interval, thereby ensuring that a hello is received before HSRP leaves the initiate state.
Use the standby delay reload option if the router is rebooting after reloading the image.
•
You can run only .1q-in-.1q packet pass-through with Catalyst 4900M switch.
•
For PVST and Catalyst 4900M switch VLANs, Cisco IOS Release 12.2(40)XO and higher support a maximum of 3000 spanning tree port instances. If you want to use more than this number of instances, you should use MST rather than PVST.
•
Because the Catalyst 4900M switch supports the FAT filesystem, the following restrictions apply:
–
The verify and squeeze commands are not supported.
–
The rename command is supported in FAT file system.
For the Catalyst 4900M switch, the rename command has been added for bootflash and slot0. For all other supervisor engines, the rename command is supported for nvram devices only.
–
The fsck command is supported for the slot0 device. It is not supported in the file systems on supervisor engines other than 6-E.
–
In the FAT file system, the IOS format bootflash: command erases user files only. It does not erase system configuration.
–
The FAT file system supports a maximum of 63 characters for file/directory name. The maximum for path length is 127 characters.
–
The FAT file system does not support the following characters in file/directory names: {}#%^ and space characters.
–
The FAT file system honors the Microsoft Windows file attribute of "read-only" and "read-write", but it does not support the Windows file "hidden" attribute.
–
Supervisor Engine 6-E uses the FAT file system for compact flash (slot0). If a compact flash is not formatted in FAT file system (such as compact flash on a supervisor engine other than 6-E), the switch does not recognize it.
•
The Fast Ethernet port (10/100) on the supervisor module is active in ROMMON mode only.
•
If an original packet is dropped due to transmit queue shaping and/or sharing configurations, a SPAN packet copy can still be transmitted on the SPAN port.
•
All software releases support a maximum of 16,000 IGMP snooping group entries.
•
For performance reasons, use the no ip unreachables command on all interfaces with ACLs configured.
•
The threshold for the Dynamic ARP Inspection err-disable function is set to 15 ARP packets per second per interface. You should adjust this threshold depending on the network configuration. The CPU should not receive DHCP packets at a sustained rate greater than 1000 pps.
•
If you first configure an IP address or IPv6 address on a Layer 3 port, then change the Layer 3 port to a Layer 2 port with the switchport command, and finally change it back to a Layer 3 port, the original IP/IPv6 address will be lost.
•
If a Catalyst 4900M switch requests information from the Cisco Secure Access Control Server (ACS) and the message exchange times out because the server does not respond, a message similar to this appears:
00:02:57: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.206:1645,1646 is not responding.
If this message appears, check that there is network connectivity between the switch and the ACS. You should also check that the switch has been properly configured as an AAA client on the ACS.
•
For IP Port Security (IPSG) for static hosts, the following apply:
–
As IPSG learns the static hosts on each interface, the switch CPU may hit 100 per cent if there are a large number of hosts to learn. The CPU usage will drop once the hosts are learned.
–
IPSG violations for static hosts are printed as they occur. If multiple violations occur simultaneously on different interfaces, the CLI displays the last violation. For example, if IPSG is configured for 10 ports and violations exist on ports 3,6 and 9, the violation messages are printed only for port 9.
–
Inactive host bindings will appear in the device tracking table when either a VLAN is associated with another port or a port is removed from a VLAN. So, as hosts are moved across subnets, the hosts are displayed in the device tracking table as INACTIVE.
–
Autostate SVI does not work on EtherChannel.
•
When ipv6 is enabled on an interface via any CLI, it is possible to see the following message:
% Hardware MTU table exhausted
In such a scenario, the ipv6 MTU value programmed in hardware will be different from the ipv6 interface MTU value. This will happen if there is no room in the hw MTU table to store additional values.
You must free up some space in the table by unconfiguring some unused MTU values and subsequently disable/re-enable ipv6 on the interface or reapply the MTU configuration.
•
To stop IPSG with Static Hosts on an interface, use the following commands in interface configuration submode:
Switch(config-if)# no ip verify source
Switch(config-if)# no ip device tracking max
To enable IPSG with Static Hosts on a port, issue the following commands:
Switch(config)# ip device tracking ****enable IP device tracking globally
Switch(config)# ip device tracking max <n> ***set an IP device tracking maximum on int
Switch(config-if)# ip verify source tracking [port-security] ****activate IPSG on port
Caution
If you only configure the ip verify source tracking [port-security] interface configuration command on a port without enabling IP device tracking globally or setting an IP device tracking maximum on that interface, IPSG with Static Hosts will reject all the IP traffic from that interface.
Note
The issue above also applies to IPSG with Static Hosts on a PVLAN Host port.
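One way to audit a saved running-config for the condition described in the Caution above, so that ports that would reject all IP traffic are found before the change is applied. This is an added example, not Cisco code; the sample configuration is constructed, and the function names and the expanded keyword form "maximum" are assumptions.

```python
import re

# Constructed running-config excerpt for illustration (not from a real switch).
SAMPLE_CONFIG = """\
!
ip device tracking
!
interface GigabitEthernet1/1
 switchport mode access
 ip device tracking maximum 10
 ip verify source tracking port-security
!
interface GigabitEthernet1/2
 switchport mode access
 ip verify source tracking
!
interface GigabitEthernet1/3
 switchport mode access
 ip device tracking maximum 5
!
"""

# The release notes write the per-interface command as "ip device tracking max <n>";
# accepting the expanded keyword "maximum" as well is an assumption.
TRACKING_MAX = re.compile(r"ip device tracking max(imum)?\s+\d+$")
IPSG_STATIC = re.compile(r"ip verify source tracking(\s+port-security)?$")
GLOBAL_TRACKING = "ip device tracking"


def parse_config(text):
    """Return (global_lines, {interface_name: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line[0] not in " \t":
            # A column-0 line closes any open interface block.
            current = None
            match = re.match(r"interface\s+(.+)$", line)
            if match:
                current = interfaces.setdefault(match.group(1), [])
            elif not line.startswith("!"):
                global_lines.append(line)
        elif current is not None:
            # Indented line inside an interface block.
            current.append(line.strip())
    return global_lines, interfaces


def audit_ipsg_static_hosts(text):
    """List interfaces where IPSG with Static Hosts is active but a
    prerequisite named in the Caution is missing."""
    global_lines, interfaces = parse_config(text)
    tracking_enabled = GLOBAL_TRACKING in global_lines
    findings = []
    for name, commands in interfaces.items():
        if not any(IPSG_STATIC.match(c) for c in commands):
            continue  # IPSG with Static Hosts is not active on this port
        missing = []
        if not tracking_enabled:
            missing.append("global 'ip device tracking'")
        if not any(TRACKING_MAX.match(c) for c in commands):
            missing.append("interface 'ip device tracking max <n>'")
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for name, missing in audit_ipsg_static_hosts(SAMPLE_CONFIG):
        print(f"{name}: all IP traffic will be rejected; missing {', '.join(missing)}")
```
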
•
IPv6 ACL is not supported on a Catalyst 4900M switchport. IPv6 packets cannot be filtered on switchports using any of the known methods (PACL, VACL, or MACLs).
•
Class-map match statements using match ip prec | dscp match only IPv4 packets whereas matches performed with match prec | dscp match both IPv4 and IPv6 packets.
•
IPv6 QoS hardware switching is disabled if the policy-map contains IPv6 ACL and match cos in the same class-map, where the ipv6 access-list has any mask range between /81 and /127. This results in packets being forwarded to software, which effectively disables QoS.
•
Management port does not support non-VRF aware features.
•
When you enter the permit any any ? command you will observe the octal option, which is unsupported in Cisco IOS Release 12.2(52)SG.
CSCsy31324
•
A Span destination of fa1 is not supported.
Caveats
Caveats describe unexpected behavior in Cisco IOS releases. Caveats listed as open in a prior release are carried forward to the next release as either open or resolved.
Note
For the latest information on PSIRTS, refer to the Security Advisories on CCO at the following URL:
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
Open Caveats in Cisco IOS Release 12.2(53)SG
This section lists the open caveats in Cisco IOS Release 12.2(53)SG:
•
Software qos does not match a .1Q packet properly for applying the desired qos actions.
Workarounds: None.
Support for handling .1Q packets in software QoS lookup is unavailable in Cisco IOS Release 12.2(40)SG. (CSCsk66449)
•
Under some conditions, one or more flows continue to be dropped because of DBL even after DBL has been removed from the service-policy.
When an output service-policy is attached to an interface and if the policy is configured to apply DBL on a queue, the flows that are enqueued to the queue are subjected to the DBL algorithm. If one or more flows are classified as belligerent (flows do not back-off in response to drops because of congestion in the queue), those flows continue to be classified as belligerent even when DBL is disabled on that queue.
For this condition to persist, the transmit queues in question must remain congested for a long period of time and that congestion must be caused by flows that remain belligerent.
Workaround: Provided the queue in question is non-default (queuing actions are not configured in the class-default class of the policy-map), detach and re-attach the service-policy.
If this happens on the default queue, modifying and resetting some queuing parameters like bandwidth/shape fixes the issue. (CSCsk62457)
•
When a Catalyst 4900M switch encounters either a fan tray failure or a supervisor critical temperature, the chassis shuts off. The output of the show crashdump command will not indicate the cause of the power-down.
Workarounds: Use the show log command to determine the cause of the power-down.
–
If the log has LogGalInsufficientFansDetected messages, the cause was a fan-tray failure.
–
If the log has LogRkiosModuleShutdownTemp messages, the cause was that the supervisor critical temperature exceeded the failure threshold.
(CSCsk48632)
•
A Catalyst 4900M switch will support a maximum of 32 MTU values system wide.
On a Catalyst 4900M running Cisco IOS Release 12.2(40)SG, all MTU values configured on a line card are set to default when the module is reset. Furthermore, MTU values are not retained for modules that are physically moved.
Workaround: None. (CSCsk52542)
•
On rare occasions, if you use an X2 SR transceiver on a WS-X4706-10GE running Cisco IOS Release 12.2(40)SG, you will observe CRC errors after a reload or power cycle when you insert the card or the X2.
Workaround: Reinsert the X2. (CSCsk43618)
•
Control plane policing applied to DHCP traffic as identified by the system class-maps system-cpp-dhcp-cs, system-cpp-dhcp-sc, and system-cpp-dhcp-ss may not be effective.
Workaround: None. (CSCsk67395)
•
When the CPU transmits a .1X packet on an interface that has an egress qos policy attached, the packet is not matched and exits without any QoS marking actions.
When a packet is sent to the CPU it may get sent out on some other interface. If so, the original COS value for a .1X packet cannot be matched by software QoS (as per CSCsk66449). The packet is transmitted with whatever COS value it was generated with (7, for the MLDv1 packets described here).
Workaround: None.
Part of the root cause of this problem is captured through CSCsk66449, which indicates that the software QoS cannot match against a .1X packet. (CSCsk72544)
•
If a class-map is configured with exceed-action drop, re-configuring the same class-map with exceed-action transmit causes class-map configurations to conflict for the same class-map.
Workaround: If you plan to change a class-map action, such as exceed-action, you need to remove the class-map with the no class c1 command under policy-map submode. Then, apply the new class-map with the updated changes.
(CSCsk70826)
•
If burst is not explicitly configured for a single rate policer, the show policy-map command displays an incorrect burst value.
Workaround: Enter the show policy-map interface command. (CSCsi71036)
•
When you enter the show policy-map vlan vlan command, unconditional marking actions that are configured on the VLAN are not shown.
Workaround: None. However, if you enter the show policy-map name, the unconditional marking actions are displayed. (CSCsi94144)
•
You observe a .05% loss on WS-X4908-10GE when sending traffic at 99% of the port capacity.
Workaround: None. (CSCsl39767)
•
IGMP snooping entries are active even after disabling IGMP snooping globally and per VLAN.
Workarounds: Disable IGMP snooping on all the relevant VLANs before disabling it globally.
•
IPv6 MLD entries are active even if an IPv6 MLD related configuration does not exist.
Workaround: Unconfigure all generic QOS policies from the system. (CSCsq84853)
•
IPv6 entries are active in the CAM; the CPU receives IPv6 packets.
Workaround: Unconfigure any generic QOS policies from the system. The QoS policies with the match any attribute cause IPv6 entries to become active. If the switch is a pure Layer 2 device, remove the generic protocol family attributes and narrow it to the protocol family.
(CSCsq84796)
•
Initially, REP configured with VLAN Load Balancing (VLB) works correctly. When you issue a force-switchover on the switch, that has a port acting as the secondary ALT port, a loop is induced in the topology.
Workaround: Enter shut, then no-shut on any REP port (of the same segment in which VLB is configured) in the topology. (CSCsq75342)
•
In Cisco IOS Release 12.2(46)SG, if flexlink is applied to a pair of etherchannels, then flexlink config may not be applied after a reboot, if the backup EtherChannel is defined after the flexlink configuration.
Workaround: Define the backup etherchannel before applying flexlink command. (CSCsq13477)
•
In Cisco IOS Release 12.2(46)SG, if an etherchannel is a member of a flexlink pair, then static MAC addresses configured on the EtherChannel are not moved to the alternate port when the EtherChannel fails (flexlink failure)
Workaround: None. (CSCsq99468)
•
Performing a default interface operation on an interface with auto-QoS enabled results in an error message and the loss of the auto-QoS configuration. For example, the following sequence of operation results in a loss of the configuration:
config-if# auto qos voip cisco-phone
config# default interface interface-name
Workaround: Replace the default interface command with the following:
config# interface interface-number
config-if# switchport
(CSCsq47116)
•
When a CFM Inward Facing MEP (IFM) is configured on a VLAN that is not allocated on a switch port that is DOWN, the show ethernet cfm maintenance-points local command displays the IFM CC Status as Inactive. When you then allocate the VLAN, the CC-status remains Inactive.
You only see this symptom if you did not allocate a VLAN before you configure the IFM, then at a later time allocate the same VLAN.
Workaround: Unconfigure, then reconfigure the IFM on the port.
•
An IP unnumbered configuration is lost after a reload.
Workarounds: Do one of the following:
–
After a reload, copy the startup-config to the running-config.
–
Use a loopback interface as the target of the ip unnumbered command
–
Change the CLI configuration such that during bootup, the router port is created first.
(CSCsq63051)
•
In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
When you configure ip source binding statically on an interface, and then remove the linecard on which the interface resides, the entries are not removed from the running config.
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
If you configure OFM on an Etherchannel (with at least two interfaces), when you shut or remove the first member that joined the channel, the CFM neighbor is lost.
Workaround: Clear the errors with the clear ethernet cfm errors command in EXEC mode. (CSCsv43819)
•
Duplicate serial number error messages are reported when you move a One X Convertor with SFP+, an SFP+, or an X2 to another port, and the port into which it is inserted enters a faulty status.
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
The presence of features and Per Vlan Capture might exhaust the TCAM masks.
Workaround: Disable Per VLAN Capture or some of the features. (CSCsr95455)
•
On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
Egress traffic may not be allowed when 802.1X is configured as a Unidirectional Controlled Port.
Workarounds: Do one of the following:
–
Enter spanning-tree portfast then authentication control-direction in on an 802.1X port.
–
Enter shut then no shut on an 802.1X port.
(CSCsv05205)
•
When you remove an SFP+ from a OneX converter in a X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in Duplicate Seeprom error message.
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
Enter any commands for that port.
–
Insert an SFP+ in that port.
–
Reinsert the removed SFP+ in any other port.
(CSCsv90044)
•
The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.
Workaround: None. (CSCsr95941)
•
When a PVLAN isolated port is connected to a router serving as a multicast source, and you enable igmp snooping, the routers connected to the isolated ports display as PIM neighbors.
Workaround: Do one of the following:
–
Do not attach routers to PVLAN isolated ports.
–
Disable igmp snooping (either globally or on the VLAN).
–
Do not use a router connected to PVLAN isolated port as a multicast source.
(CSCsu39009)
•
When you delete and recreate an interface, the tracking process is unable to track its state.
Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)
•
IP Router Option may not work with IGMP version 2.
Workaround: None. (CSCsv42869)
•
If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
Reconfigure the VLAN Load Balancing configuration on the desired REP ports.
b.
Shut any one REP port in the segment to cause a failure in that segment.
c.
No-shut that port to restore normal REP topology with one ALT port.
d.
Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.
(CSCsv69853)
•
After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
This applies to classic or E-series Catalyst 4500 supervisor engines running Cisco IOS Release 12.2(50)SG.
Workaround: None. (CSCsw14005)
•
The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to an IP phone (with CDP port status TLV support) that is connected to the switch.
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.
Workaround: None. CSCsy72343
•
When two WS-C4900M chassis are attached to an optical ring and an optical switchover is performed to choose a different path, you might see CRC Align Errors and Sequence Errors after performing an end to end ping. The ping success rate ranges from 90% to 100%.
The errors can also occur with data traffic.
This issue is seen with the TenGigabit ports of the Catalyst 4900M base board. It is not seen with the TenGigabit ports of a WS-X4908-10GE line card.
The issue is seen with release 12.2(44)XO and later releases.
Workaround: Enter shut, then no shut.
You may need to do this multiple times until the issue is resolved.
CSCsx80612
•
When multiple streams of CRC errors are encountered on WS-C4900M configured with OAM Configuration of monitoring the frame errored seconds, OAM does not always report the value of errored frame seconds correctly.
To observe this issue, the following CLIs are configured with window size as the period for monitoring the errors and a low threshold equal to the number of CRC errored seconds seen/expected.
ethernet oam link-monitor frame-seconds window
ethernet oam link-monitor frame-seconds threshold low
Workaround: Configure a lower value of low threshold such that the frame errors are seen divided into the expected number of frame errored seconds.
CSCsy37181
•
If RSPAN is configured on a WS-C4900M running Cisco IOS 12.2(46)SG, CPU utilization will be high.
Workaround: Disable RSPAN.
CSCsu81046
•
When two Catalyst 4900M switches are attached to an optical ring and you perform an optical switchover to choose a different path, you might observe CRC Align Errors and Sequence Errors after performing an end to end ping. The ping success rate ranges from 90% to 100%. The interface errors can also occur with data traffic.
This issue is seen with the TenGigabit ports of a Catalyst 4900M base board. It is not seen with the TenGigabit ports of a WS-X4908-10GE line card.
Workaround: Enter the commands shut then no shut.
Occasionally, you need to re-enter the commands.
CSCsx80612
•
When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a Security violation is wrongly flagged.
Workaround: None.
CSCsy38640
•
When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters increment correctly but the byte counters remain 0.
Workaround: None.
CSCsu35604
•
On a redundant switch running Cisco IOS Release 12.2(52)SG, after a port is authorized through 802.1X, the show dot1x interface statistics command may display empty values on the standby supervisor engine.
The statistics are displayed properly on the active supervisor.
Workaround: None.
CSCsx64308
•
When the ports connecting a RADIUS server and a client are placed in different VLANs, and you enter the ip radius source-interface command and perform two SSO switchovers, the authenticated session is lost.
Workaround: Re-authenticate the client.
CSCsx94066
•
When multiple streams of CRC errors are encountered on a WS-C4900M chassis configured with OAM monitoring of frame errored seconds, OAM does not report the value of errored frame seconds correctly if you configure the following CLIs:
ethernet oam link-monitor frame-seconds window
ethernet oam link-monitor frame-seconds threshold low
Workaround: Configure a lower value for the low threshold so that the frame errors are seen divided into the expected number of frame errored seconds.
CSCsy37181
•
If you enable VTP pruning after a switch is moved to VTP version 3, VLAN pruning does not happen on the trunks.
Workaround: Change the VTP version from 3 to version 2 or 1 and then revert to version 3.
CSCsy66803
•
The 10Gig uplink on a standby supervisor WS-X45-SUP6-E stops transmitting or receiving traffic after the old standby engine becomes active through an OIR (if the OIR is done quickly, within 5 seconds) of the active supervisor engine.
Workaround: Reload the active and standby supervisor engine.
While performing OIR of the supervisor engines, the engines must be removed completely before re-insertion.
CSCsy70428
•
When you request an on demand Call Home message send without specifying a profile name & the specified module returns an unknown diagnostic result, the following error message displays:
Switch# call-home send alert-group diagnostic module 2
Sending diagnostic info call-home message ...
Please wait. This may take some time ...
Switch#
*Jan 3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand message failed to send (ERR 18, The alert group is not subscribed)
Workaround: Specify a profile name when you enter the diagnostic command.
You might want to avoid requesting on demand send for invalid modules. First, enter the show module command to check for valid or present modules.
CSCsz05888
•
When an access-list is attached to an interface under extreme hardware resource exhaustion, the ACL may not be automatically loaded into the hardware even if hardware resources later become available.
No TCAM entries are available for the new access-list.
Workaround: Manually remove and reapply the ACL after freeing hardware TCAM resources by removing or shortening other classification policies on the switch.
CSCsy85006
•
If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the show policy-map interface command are wrong.
Workaround: None.
The queue transmit counters as well as the policing statistics (if any) are correct.
CSCsz20149
•
On a switch running Cisco IOS Release 12.2(52)SG, the Auto Install feature does not work on the management port. The auto process status aborts.
Workaround: Configure the DHCP server on the same vrf; add the configuration vrf mgmtVrf to the IP DHCP pool section.
CSCsz38559
•
On a switch running Cisco IOS Release 12.2(50)SG or 12.2(52)SG, when an 802.1X port configured with PVLAN community VLAN receives a new PVLAN assignment from the AAA server, resetting the configuration on this interface may cause the switch to reload.
Workaround: None.
CSCsz38442
•
On a switch running Cisco IOS 12.2(52)SG, when a port configured with 802.1X enters per vp errdisable mode because of a violation triggered by port security, DAI, DHCP snooping, or BPDU guard, the port's 802.1X sessions are not cleared despite the linkdown.
Workaround: None.
Do not configure 802.1X with other per vp errdisable features.
CSCsx74871
•
After a .1X port is enabled for Guest VLAN, if you shut down the port connected to the RADIUS server so that the server goes dead and EAPOL packets are sent on that port, it is authorized in the access VLAN although the server is unreachable.
Workaround: Enter shut, then no shut on the port.
CSCsz63355
•
When a switch enabled for explicit host tracking runs IGMPv3, ports that stopped sending IGMPv3 reports are displayed in the IGMPv3 table until a timeout. This behavior didn't exist in Cisco IOS Release 12.2(50)SG.
Workaround: Disable explicit host tracking in the affected VLANs.
CSCsz28612
•
When you configure EnergyWise power control on PoE ports with a time-based execution schedule, time entry executes without adjusting for daylight savings time.
Workaround: Manually re-enter all entries with new time settings.
CSCsy27389
•
On wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.
This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.
CSCsz34522
•
When port-security is configured on normal trunks carrying primary and secondary private VLANs, its configuration can be erased from the running-config under the following circumstances:
Entering shut/no shut on the port after deleting a secondary VLAN. (CSCsz73895)
Workarounds:
–
Configure error recovery for port-security violation instead of entering shut/no shut after deleting the VLAN.
–
Configure port-security aging time to age out the MAC addresses before entering shut/no shut. Then, you can reconfigure port-security on the port only after reloading the switch.
CSCsz73895
•
High CPU utilization might be observed on a switch for a prolonged period of time when a large number of packets on a VLAN/SVI are processed by software.
Workaround: None. Functionality is unaffected.
CSCsy32312
•
If a host is authenticated in the data VLAN, the STP state of the VLAN is blocked.
Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.
The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.
Workaround: Enter shut, then no shut on the port.
CSCta04665
•
When the vlan-port state changes on flexlink ports, the following two messages appear on the console:
–
A syslog warning message "%SM-4-BADEVENT: Event 'forward' is invalid for the current state 'present': pm_vp .."
–
A traceback error message
This issue happens only on flexlink ports under the following two scenarios:
–
You configure flexlink vlan load balancing before changing the port mode of a backup interface to trunk mode.
–
Flexlink recovers from per vlan-port error disable states.
Workaround: None
The syslog and Traceback do not impact functionality. Flexlink states end up with correct states and there is no impact on traffic forwarding.
CSCta05317
•
Per vlan-port error disable features (dhcp-rate-limit and arp-inspection) do not work on flexlink (without VLAN load balancing). When a violation occurs on the Active link, the corresponding vlan-port will not be error disabled.
The existing per-port error disable (that is, when a violation happens, the entire port will be error disabled) still works on flexlink.
Workaround: Use flexlink with VLAN load balancing.
If you do not want to use vlan load balancing, then enter the switchport backup interface prefer vlan command on the Active interface, where vlan z is set to an unused vlan on the system.
CSCta76320
Resolved Caveats in Cisco IOS Release 12.2(53)SG
This section lists the resolved caveats in Release 12.2(53)SG:
•
On a Catalyst 4900M switch running Cisco IOS Release 12.2(46)SG, if you configure RSPAN, the CPU utilization will be high. This problem can occur when capturing traffic.
Workarounds: Disable RSPAN.
CSCsu81046
•
When two Catalyst 4900M switches are attached to an optical ring and an optical switchover is performed on the ring to choose a different path, CRC Align Errors and Sequence Errors might be observed when you issue an end to end ping after the switchover. The ping success rate is between 90 and 100 per cent. The interface errors can occur with data traffic as well.
This issue is seen with the Ten-Gigabit ports of a Catalyst 4900M base board but not with the Ten-Gigabit ports of a WS-X4908-10GE line card.
Workaround: Enter shut, then no shut.
Sometimes you need to do this multiple times before the issue is resolved.
CSCsx80612
•
Entering shut/no shut on the port after configuring port-security vp err disable and a violation occurs.
Workarounds:
–
Configure error recovery for port-security violation instead of entering shut/no shut to recover the port.
–
Configure clear errdisable interface name vlan [range] instead of entering shut/no shut.
–
Configure port-security aging time to age out the MAC addresses before entering shut/no shut. Then, reconfigure port-security on the port after reloading the switch.
(CSCsy80415)
•
Ping does not execute prior to a posture validation.
Workaround: Reapply the identity policy on the interface with the permit icmp command. (CSCsu03507)
Open Caveats in Cisco IOS Release 12.2(52)SG
This section lists the open caveats in Cisco IOS Release 12.2(52)SG:
•
Software qos does not match a .1Q packet properly for applying the desired qos actions.
Workarounds: None.
Support for handling .1Q packets in software QoS lookup is unavailable in Cisco IOS Release 12.2(40)SG. (CSCsk66449)
•
Under some conditions, one or more flows continue to be dropped because of DBL even after DBL has been removed from the service-policy.
When an output service-policy is attached to an interface and if the policy is configured to apply DBL on a queue, the flows that are enqueued to the queue are subjected to the DBL algorithm. If one or more flows are classified as belligerent (flows do not back-off in response to drops because of congestion in the queue), those flows continue to be classified as belligerent even when DBL is disabled on that queue.
For this condition to persist, the transmit queues in question must remain congested for a long period of time and that congestion must be caused by flows that remain belligerent.
Workaround: Provided the queue in question is non-default (queuing actions are not configured in the class-default class of the policy-map), detach and re-attach the service-policy.
If this happens on the default queue, modifying and resetting some queuing parameters like bandwidth/shape fixes the issue. (CSCsk62457)
•
When a Catalyst 4900M switch encounters either a fan tray failure or a supervisor critical temperature, the chassis shuts off. The output of the show crashdump command will not indicate the cause of the power-down.
Workarounds: Use the show log command to determine the cause of the power-down.
–
If the log has LogGalInsufficientFansDetected messages, the cause was a fan-tray failure.
–
If the log has LogRkiosModuleShutdownTemp messages, the cause was that the supervisor critical temperature exceeded the failure threshold.
(CSCsk48632)
•
A Catalyst 4900M switch will support a maximum of 32 MTU values system wide.
On a Catalyst 4900M running Cisco IOS Release 12.2(40)SG, all MTU values configured on a line card are set to default when the module is reset. Furthermore, MTU values are not retained for modules that are physically moved.
Workaround: None. (CSCsk52542)
•
On rare occasions, if you use an X2 SR transceiver on a WS-X4706-10GE running Cisco IOS Release 12.2(40)SG, you will observe CRC errors after a reload or power cycle when you insert the card or the X2.
Workaround: Reinsert the X2. (CSCsk43618)
•
Control plane policing applied to DHCP traffic as identified by the system class-maps system-cpp-dhcp-cs, system-cpp-dhcp-sc, and system-cpp-dhcp-ss may not be effective.
Workaround: None. (CSCsk67395)
•
When the CPU transmits a .1X packet on an interface that has an egress QoS policy attached, the packet is not matched and exits without any QoS marking actions.
When a packet is sent to the CPU it may get sent out on some other interface. If so, the original COS value for a .1X packet cannot be matched by software QoS (as per CSCsk66449). The packet is transmitted with whatever COS value it was generated with (7, for the MLDv1 packets described here).
Workaround: None.
Part of the root cause of this problem is captured through CSCsk66449, which indicates that the software QoS cannot match against a .1X packet. (CSCsk72544)
•
If a class-map is configured with exceed-action drop, re-configuring the same class-map with exceed-action transmit causes class-map configurations to conflict for the same class-map.
Workaround: If you plan to change a class-map action, such as exceed-action, you need to remove the class-map with the no class c1 command under policy-map submode. Then, apply the new class-map with the updated changes.
(CSCsk70826)
•
If burst is not explicitly configured for a single rate policer, the show policy-map command displays an incorrect burst value.
Workaround: Enter the show policy-map interface command. (CSCsi71036)
•
When you enter the show policy-map vlan vlan command, unconditional marking actions that are configured on the VLAN are not shown.
Workaround: None. However, if you enter the show policy-map name command, the unconditional marking actions are displayed. (CSCsi94144)
•
You observe a .05% loss on WS-X4908-10GE when sending traffic at 99% of the port capacity.
Workaround: None. (CSCsl39767)
•
IGMP snooping entries are active even after disabling IGMP snooping globally and per VLAN.
Workarounds: Disable IGMP snooping on all the relevant VLANs before disabling it globally.
•
IPv6 MLD entries are active even if an IPv6 MLD related configuration does not exist.
Workaround: Unconfigure all generic QOS policies from the system. (CSCsq84853)
•
IPv6 entries are active in the CAM; the CPU receives IPv6 packets.
Workaround: Unconfigure any generic QOS policies from the system. The QoS policies with the match any attribute cause IPv6 entries to become active. If the switch is a pure Layer 2 device, remove the generic protocol family attributes and narrow it to the protocol family.
(CSCsq84796)
•
Initially, REP configured with VLAN Load Balancing (VLB) works correctly. When you issue a force-switchover on the switch that has a port acting as the secondary ALT port, a loop is induced in the topology.
Workaround: Enter shut, then no-shut on any REP port (of the same segment in which VLB is configured) in the topology. (CSCsq75342)
•
In Cisco IOS Release 12.2(46)SG, if flexlink is applied to a pair of etherchannels, then flexlink config may not be applied after a reboot, if the backup EtherChannel is defined after the flexlink configuration.
Workaround: Define the backup EtherChannel before applying the flexlink command. (CSCsq13477)
•
In Cisco IOS Release 12.2(46)SG, if an EtherChannel is a member of a flexlink pair, then static MAC addresses configured on the EtherChannel are not moved to the alternate port when the EtherChannel fails (flexlink failure).
Workaround: None. (CSCsq99468)
•
Performing a default interface operation on an interface with auto-QoS enabled results in an error message and the loss of the auto-QoS configuration. For example, the following sequence of operation results in a loss of the configuration:
config-if# auto qos voip cisco-phone
config# default interface interface-name
Workaround: Replace the default interface command with the following:
config# interface interface-number
config-if# switchport
(CSCsq47116)
•
When a CFM Inward Facing MEP (IFM) is configured on a VLAN that is not allocated on a switch port that is DOWN, the show ethernet cfm maintenance-points local command displays the IFM CC Status as Inactive. If you then allocate the VLAN, the CC status remains Inactive.
You only see this symptom if you did not allocate a VLAN before you configured the IFM and then allocated the same VLAN at a later time.
Workaround: Unconfigure, then reconfigure the IFM on the port.
•
An IP unnumbered configuration is lost after a reload.
Workarounds: Do one of the following:
–
After a reload, copy the startup-config to the running-config.
–
Use a loopback interface as the target of the ip unnumbered command.
–
Change the CLI configuration such that during bootup, the router port is created first.
(CSCsq63051)
•
In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the port channel, create a new channel. (CSCsr00333)
•
When you configure ip source binding statically on an interface, and then remove the line card on which the interface resides, the entries are not removed from the running config.
Workaround: Before removing a line card, delete the statically configured ip source binding entries on any of the interfaces on the line card. (CSCsv54529)
•
If you configure OFM on an Etherchannel (with at least two interfaces), when you shut or remove the first member that joined the channel, the CFM neighbor is lost.
Workaround: Clear the errors with the clear ethernet cfm errors command in EXEC mode. (CSCsv43819)
•
When you move a One X Convertor with SFP+, an SFP+ alone, or an X2 to another port, duplicate serial number error messages are reported and the port into which it is inserted enters a faulty status.
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
The presence of features and Per Vlan Capture might exhaust the TCAM masks.
Workaround: Disable Per VLAN Capture or some of the features. (CSCsr95455)
•
On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
Egress traffic may not be allowed when 802.1X is configured as a Unidirectional Controlled Port.
Workarounds: Do one of the following:
–
Enter spanning-tree portfast then authentication control-direction in on an 802.1X port.
–
Enter shut then no shut on an 802.1X port.
(CSCsv05205)
•
When you remove an SFP+ from a OneX converter in an X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in a Duplicate Seeprom error message.
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
Enter any commands for that port.
–
Insert an SFP+ in that port.
–
Reinsert the removed SFP+ in any other port.
(CSCsv90044)
•
The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.
Workaround: None. (CSCsr95941)
•
When a PVLAN isolated port is connected to a router serving as a multicast source, and you enable igmp snooping, the routers connected to the isolated ports display as PIM neighbors.
Workaround: Do one of the following:
–
Do not attach routers to PVLAN isolated ports.
–
Disable igmp snooping (either globally or on the VLAN).
–
Do not use a router connected to PVLAN isolated port as a multicast source.
(CSCsu39009)
•
When you delete and recreate an interface, the tracking process is unable to track its state.
Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)
•
IP Router Option may not work with IGMP version 2.
Workaround: None. (CSCsv42869)
•
If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
Reconfigure the VLAN Load Balancing configuration on the desired REP ports.
b.
Shut any one REP port in the segment to cause a failure in that segment.
c.
No-shut that port to restore normal REP topology with one ALT port.
d.
Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.
(CSCsv69853)
•
After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101
Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102
Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
This applies to classic or E-series Catalyst 4500 supervisor engines running Cisco IOS Release 12.2(50)SG.
Workaround: None. (CSCsw14005)
•
The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to an IP phone (with CDP port status TLV support) that is connected to the switch.
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk port. However, the traffic is properly classified and the actions configured in the policy are applied properly.
Workaround: None. CSCsy72343
•
When two WS-C4900M chassis are attached to an optical ring and an optical switchover is performed to choose a different path, you might see CRC Align Errors and Sequence Errors after performing an end to end ping. The ping success rate ranges from 90% to 100%.
The errors can also occur with data traffic.
This issue is seen with the TenGigabit ports of the Catalyst 4900M base board. It is not seen with the TenGigabit ports of a WS-X4908-10GE line card.
The issue is seen with release 12.2(44)XO and later releases.
Workaround: Enter shut, then no shut.
You may need to do this multiple times until the issue is resolved.
CSCsx80612
•
When multiple streams of CRC errors are encountered on WS-C4900M configured with OAM Configuration of monitoring the frame errored seconds, OAM does not always report the value of errored frame seconds correctly.
To observe this issue, the following CLIs are configured with window size as the period for monitoring the errors and a low threshold equal to the number of CRC errored seconds seen/expected.
ethernet oam link-monitor frame-seconds window
ethernet oam link-monitor frame-seconds threshold low
Workaround: Configure a lower value of low threshold such that the frame errors are seen divided into the expected number of frame errored seconds.
CSCsy37181
•
If RSPAN is configured on a WS-C4900M running Cisco IOS 12.2(46)SG, CPU utilization will be high.
Workaround: Disable RSPAN.
CSCsu81046
•
When two Catalyst 4900M switches are attached to an optical ring and you perform an optical switchover to choose a different path, you might observe CRC Align Errors and Sequence Errors after performing an end-to-end ping. The ping success rate ranges from 90% to 100%. The interface errors can also occur with data traffic.
This issue is seen with the TenGigabit ports of a Catalyst 4900M base board. It is not seen with the TenGigabit ports of a WS-X4908-10GE line card.
Workaround: Enter the commands shut then no shut.
Occasionally, you need to re-enter the commands.
CSCsx80612
•
When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a Security violation is wrongly flagged.
Workaround: None.
CSCsy38640
•
When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters increment correctly but the byte counters remain 0.
Workaround: None.
CSCsu35604
•
On a redundant switch running Cisco IOS Release 12.2(52)SG, after a port is authorized through 802.1X, the show dot1x interface statistics command may display empty values on the standby supervisor engine.
The statistics are displayed properly on the active supervisor.
Workaround: None.
CSCsx64308
•
When the ports connecting a RADIUS server and a client are placed in different VLANs, and you enter the ip radius source-interface command and perform two SSO switchovers, the authenticated session is lost.
Workaround: Re-authenticate the client.
CSCsx94066
•
When multiple streams of CRC errors are encountered on a WS-C4900M chassis configured with OAM monitoring of frame errored seconds, OAM does not report the value of errored frame seconds correctly if you configure the following CLIs:
ethernet oam link-monitor frame-seconds window
ethernet oam link-monitor frame-seconds threshold low
Workaround: Configure a lower value for the low threshold so that the frame errors are seen divided into the expected number of frame errored seconds.
CSCsy37181
•
If you enable VTP pruning after a switch is moved to VTP version 3, VLAN pruning does not happen on the trunks.
Workaround: Change the VTP version from 3 to version 2 or 1 and then revert to version 3.
CSCsy66803
•
The 10Gig uplink on a standby supervisor WS-X45-SUP6-E stops transmitting or receiving traffic after the old standby engine becomes active through an OIR (if the OIR is done quickly, within 5 seconds) of the active supervisor engine.
Workaround: Reload the active and standby supervisor engine.
While performing OIR of the supervisor engines, the engines must be removed completely before re-insertion.
CSCsy70428
•
When you request an on demand Call Home message send without specifying a profile name and the specified module returns an unknown diagnostic result, the following error message displays:
Switch# call-home send alert-group diagnostic module 2
Sending diagnostic info call-home message ...
Please wait. This may take some time ...
Switch#
*Jan 3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand message failed to send (ERR 18, The alert group is not subscribed)
Workaround: Specify a profile name when you enter the diagnostic command.
You might want to avoid requesting on demand send for invalid modules. First, enter the show module command to check for valid or present modules.
CSCsz05888
•
When an access-list is attached to an interface under extreme hardware resource exhaustion, the ACL may not be automatically loaded into the hardware even if hardware resources later become available.
No TCAM entries are available for the new access-list.
Workaround: Manually remove and reapply the ACL after freeing hardware TCAM resources by removing or shortening other classification policies on the switch.
CSCsy85006
•
If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the show policy-map interface command are wrong.
Workaround: None.
The queue transmit counters as well as the policing statistics (if any) are correct.
CSCsz20149
•
On a switch running Cisco IOS Release 12.2(52)SG, the Auto Install feature does not work on the management port. The auto process status aborts.
Workaround: Configure the DHCP server on the same vrf; add the configuration vrf mgmtVrf to the IP DHCP pool section.
CSCsz38559
•
On a switch running Cisco IOS Release 12.2(50)SG or 12.2(52)SG, when an 802.1X port configured with PVLAN community VLAN receives a new PVLAN assignment from the AAA server, resetting the configuration on this interface may cause the switch to reload.
Workaround: None.
CSCsz38442
•
On a switch running Cisco IOS 12.2(52)SG, when a port configured with 802.1X enters per vp errdisable mode because of a violation triggered by port security, DAI, DHCP snooping, or BPDU guard, the port's 802.1X sessions are not cleared despite the linkdown.
Workaround: None.
Do not configure 802.1X with other per vp errdisable features.
CSCsx74871
•
After a .1X port is enabled for Guest VLAN, if you shut down the port connected to the RADIUS server so that the server goes dead and EAPOL packets are sent on that port, it is authorized in the access VLAN although the server is unreachable.
Workaround: Enter shut, then no shut on the port.
CSCsz63355
•
When a switch enabled for explicit host tracking runs IGMPv3, ports that stopped sending IGMPv3 reports are displayed in the IGMPv3 table until a timeout. This behavior didn't exist in Cisco IOS Release 12.2(50)SG.
Workaround: Disable explicit host tracking in the affected VLANs.
CSCsz28612
•
When you configure EnergyWise power control on PoE ports with a time-based execution schedule, time entry executes without adjusting for daylight savings time.
Workaround: Manually re-enter all entries with new time settings.
CSCsy27389
•
On wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.
This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.
CSCsz34522
•
When port-security is configured on normal trunks carrying primary and secondary private VLANs, its configuration can be erased from the running-config under the following circumstances:
Entering shut/no shut on the port after deleting a secondary VLAN. (CSCsz73895)
Workarounds:
–
Configure error recovery for port-security violation instead of entering shut/no shut after deleting the VLAN.
–
Configure port-security aging time to age out the MAC addresses before entering shut/no shut. Then, you can reconfigure port-security on the port only after reloading the switch.
CSCsz73895
Entering shut/no shut on the port after configuring port-security vp err disable and a violation occurs. (CSCsz80415)
Workarounds:
–
Configure error recovery for port-security violation instead of entering shut/no shut to recover the port.
–
Configure clear errdisable interface name vlan [range] instead of entering shut/no shut.
–
Configure port-security aging time to age out the MAC addresses before entering shut/no shut. Then, reconfigure port-security on the port after reloading the switch.
Resolved Caveats in Cisco IOS Release 12.2(52)SG
This section lists the resolved caveats in Release 12.2(52)SG:
•
Under normal operation, you will observe the following messages in the logs:
001298: .Oct 8 01:38:50.968: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0aPErr interrupt. errAddr: 0x2947 dPErr: 1 mPErr: 0 valid: 1
001299: .Oct 8 01:51:20.100: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0aPErr interrupt. errAddr: 0x2B59 dPErr: 1 mPErr: 0 valid: 1
Workaround: None.
CSCsv17545
•
Under control plane policing, control plane classes (the classes that are auto created by the macro global apply system-cpp command and use predefined ACLs to match traffic) increment both their packet and byte count. So, both counters are non-zero.
In contrast, for data plane classes (the classes that are configured manually by user written ACLs), the byte counter increments as expected, but the packet count remains 0.
Workaround: None.
CSCsw16557
•
On a Catalyst 4500, if an isolated private VLAN trunk interface flaps, the ingress and egress per-port per-vlan service policies are no longer applied on the port.
This impacts Cisco IOS Releases 12.2(31)SGA08, 12.2(37)SG, 12.2(40)SG, 12.2(44)SG, 12.2(46)SG, 12.2(50)SG, and 12.2(50)SG1.
Workarounds:
For a Classic Series Supervisor Engine, disable and configure QoS on the port.
For example, to configure Gig 2/1 as an isolated private VLAN trunk port, do the following:
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitEthernet 2/1
Switch(config-if)# no qos
Switch(config-if)# qos
Switch(config-if)# end
Switch#
You can configure the following EEM script to automate this workaround. QoS will be disabled and re-enabled whenever a port flaps.
logging event link-status global
event manager applet linkup-reqos
event syslog pattern "changed state to up"
action 1 cli command "enable"
action 2 cli command "conf t"
action 3 cli command "interface gigabitEthernet 2/1"
action 4 cli command "no qos"
action 5 cli command "qos"
CSCsw19087
•
When you run an SNMP (getmany) query on cbQosPoliceStatsTable and cbQosREDClassStatsTable with a single SSH window (session), CPU utilization reaches 99 per cent. If you query cbQosPoliceStatsTable and cbQosREDClassStatsTable from 18 SSH sessions, a CPU-HOG error message displays.
Workaround: None, other than stopping the query.
CSCsw89720
•
On a supervisor engine running Cisco IOS Release 12.2(50)SG or later releases with one or more ports configured for single-host mode, MAB, and authentication control-direction in, hosts are not authenticated through MAB when a port is configured for single-host mode and you enter the unidirectional control in command (Wake-on-LAN).
Workaround: Disable the authentication control-direction in command.
If you require authentication control-direction in, configure the port for multi-authentication or Multi-Domain Authentication (MDA).
CSCsx98360
•
On a redundant switch running Cisco IOS Releases 12.2(50)SG or 12.2(50)SG1 where 802.1X VVID and port security are configured on a port, CDP MAC from the non 802.1X capable Cisco IP phone might not be added to the port security table on the standby supervisor engine.
Workaround: None.
This problem is fixed in Cisco IOS Releases 12.2(50)SG2 and 12.2(52)SG.
CSCsw29489
•
On a switch running Cisco IOS Release 12.2(50)SG or 12.2(50)SG1 where 802.1X VVID and port security are configured on a port, inserting a non 802.1X capable Cisco IP phone with LLDP capability and a PC behind it may trigger a security violation.
Workaround: Turn off LLDP (on the switch) and the phone (from Call Manager).
This problem is fixed in 12.2(50)SG2 and 12.2(52)SG.
CSCsy21167
•
Parity errors in the CPU's cache cause IOS to crash with a crashdump file like the following:
Switch# show platform crashdump
VECTOR 0
*** CRASH DUMP ***
02/09/2009 10:10:30
Last crash: 02/09/2009 10:10:30
Build: 12.2(20090206:234053) IPBASE
buildversion addr: 13115584
MCSR: 40000000 <--- non-zero value!
.
The key pieces of data are "VECTOR 0" and a MCSR value of 40000000, 20000000, or 10000000.
Workaround: Enter the show platform cpu cache command to launch an IOS algorithm that detects and recovers from parity errors in the CPU's cache. You will obtain a running count of the number of CPU cache parity errors that have been successfully detected and corrected on a running system:
Switch# show platform cpu cache
L1 Instruction Cache: ENABLED
L1 Data Cache: ENABLED
L2 Cache: ENABLED
Machine Check Interrupts: 5
L1 Instruction Cache Parity Errors: 3
L1 Instruction Cache Parity Errors (CPU30): 1
L1 Data Cache Parity Errors: 1
CSCsx15372
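The triage rule in this caveat (VECTOR 0 together with an MCSR of 40000000, 20000000, or 10000000) can be applied automatically to crashdump text collected from many switches, and two snapshots of the cache counters can be compared to see which ones moved. The following Python is an added example, not Cisco code; the function names are hypothetical and the sample text is constructed from the output shown in this caveat.

```python
import re

# MCSR values this release note associates with CPU cache parity crashes.
PARITY_MCSR = {0x40000000, 0x20000000, 0x10000000}

# Constructed sample: the crashdump excerpt from the caveat, one field per line.
SAMPLE_CRASHDUMP = """\
Switch# show platform crashdump
VECTOR 0
*** CRASH DUMP ***
02/09/2009 10:10:30
Last crash: 02/09/2009 10:10:30
Build: 12.2(20090206:234053) IPBASE
buildversion addr: 13115584
MCSR: 40000000 <--- non-zero value!
"""

# Constructed sample: the counter output from the caveat.
SAMPLE_CPU_CACHE = """\
Switch# show platform cpu cache
L1 Instruction Cache: ENABLED
L1 Data Cache: ENABLED
L2 Cache: ENABLED
Machine Check Interrupts: 5
L1 Instruction Cache Parity Errors: 3
L1 Instruction Cache Parity Errors (CPU30): 1
L1 Data Cache Parity Errors: 1
"""


def parse_crashdump(text):
    """Extract the exception vector and the MCSR register from crashdump text."""
    vector = re.search(r"VECTOR\s+(\d+)", text)
    mcsr = re.search(r"MCSR:\s*([0-9A-Fa-f]{8})", text)
    return {
        "vector": int(vector.group(1)) if vector else None,
        "mcsr": int(mcsr.group(1), 16) if mcsr else None,
    }


def is_cache_parity_crash(text):
    """Apply the rule from the caveat: VECTOR 0 and a listed MCSR value."""
    fields = parse_crashdump(text)
    return fields["vector"] == 0 and fields["mcsr"] in PARITY_MCSR


def parse_cpu_cache(text):
    """Return the numeric counters of 'show platform cpu cache' as {name: int}.

    Lines such as 'L2 Cache: ENABLED' carry no number and are skipped.
    """
    counters = {}
    for match in re.finditer(r"^(.+?):[ \t]*(\d+)[ \t]*$", text, re.M):
        counters[match.group(1).strip()] = int(match.group(2))
    return counters


def counter_deltas(before, after):
    """Counters that grew between two snapshots, as {name: increase}."""
    old, new = parse_cpu_cache(before), parse_cpu_cache(after)
    return {k: new[k] - old.get(k, 0) for k in new if new[k] > old.get(k, 0)}


if __name__ == "__main__":
    print("parity crash:", is_cache_parity_crash(SAMPLE_CRASHDUMP))
    print("counters:", parse_cpu_cache(SAMPLE_CPU_CACHE))
```

A counter that keeps growing between snapshots on the same switch is the signal worth tracking per device.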
•
Ordinarily, the output of a CFM Traceroute from a MEP lists the next hop name (device/host name) for each hop up to the other MEP. When CFM over EtherChannel exists between the two MEPs, CFM Traceroute issued from a MEP does not show the next hop name.
Workaround: None. (CSCso50659)
•
An Unhandled Rommon Exception occurs while booting a WS-X4013+10GE for Cisco IOS Releases 12.2(31)SGA8, 12.2(31)SGA9, 12.2(46)SG, 12.2(46)SG1, 12.2(50)SG, 12.2(50)SG1.
Workaround: Upgrade to ROMMON version 1.2(31r)SGA4.
CSCsw91043
•
On a switch running Cisco IOS Release 12.2(50)SG, supplicants authorized on PVLAN in multi-auth host mode are not moved to an Unauthorized state when the PVLAN is removed.
This problem occurs only when a port is configured with PVLAN and 802.1X multi-auth.
Workaround: Shut down then reopen the interface. (CSCsr58573)
•
The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.
Workaround: None. (CSCsr95941)
•
When the switch port configured with 802.1X Multi-Domain Authentication (MDA) and Guest VLAN is connected to a non-802.1X supplicant PC through a hub, the port falls back to guest VLAN. Subsequently, it is stuck in the guest VLAN and ignores all EAPOL traffic from another 802.1X supplicant PC connected to the hub.
Workaround: None. (CSCsu42775)
•
The switch may reload after destroying the expExpressionTable row via SNMP when you enable the debug management expression evaluator command.
Workaround: Remove the above debug command. (CSCsu67323)
•
A router may crash when a privilege-level 15 user logs on with the callback or callback-dialstring attribute.
This problem is seen on all Catalyst 4500 or 4900 chassis running Cisco IOS Release 12.2(50)SG. The problem occurs when the following conditions are present:
–
The router is configured with AAA authentication and authorization.
–
The AAA server runs CiscoSecure ACS 2.4.
–
The callback or callback-dialstring attribute is configured on the AAA server for the user.
Workarounds: Do not configure the callback or callback-dialstring attribute for the user. If you use the callback-dialstring attribute in the TACACS+ profile, ensure that the NULL value is not configured. (CSCei62358)
•
When you attempt an ISSU upgrade or downgrade between Cisco IOS Release 12.2(50)SG and 12.2(44)SG or 12.2(46)SG, the switch displays a traceback.
Workaround: None. (CSCsw32519)
•
Entering the channel-group x mode or channel-protocol followed by lacp or pagp command on an fa1 management interface causes the active supervisor engine to reload.
Port-channel functionality is not supported on the management interface.
This is a configuration error.
Workaround: None. (CSCsv91302)
•
On classic series supervisors and Supervisor Engine 6-E running Cisco IOS Release 12.2(50)SG and later releases, egress traffic is not allowed on ports configured for Wake-on-LAN (through the authentication control-direction in command) and Multi-domain Authentication (MDA) (through the authentication host-mode multi-domain command) before the port is authorized.
Workaround: None. CSCsy29140
•
IPv6 EIGRP routes are not learned through the port channel.
Workaround: Unconfigure the port channel and the associated physical port, and reconfigure them.
(CSCsq74229)
•
The IPv6 ICMP neighbor state changes from REACH to STALE after 15 secs of inactivity on the link.
Workaround: Ping the global and link local addresses of the neighbor to ascertain and reinstate reachability. (CSCsq77181)
•
Ping does not execute prior to a posture validation.
Workaround: Reapply the identity policy on the interface with the permit icmp command. (CSCsu03507)
Open Caveats in Cisco IOS Release 12.2(50)SG5
This section lists the open caveats in Cisco IOS Release 12.2(50)SG5:
•
Software QoS does not match a .1Q packet properly for applying the desired QoS actions.
Workarounds: None.
Support for handling .1Q packets in software QoS lookup is unavailable in Cisco IOS Release 12.2(40)SG. (CSCsk66449)
•
Under some conditions, one or more flows continue to be dropped because of DBL even after DBL has been removed from the service-policy.
When an output service-policy is attached to an interface and if the policy is configured to apply DBL on a queue, the flows that are enqueued to the queue are subjected to the DBL algorithm. If one or more flows are classified as belligerent (flows do not back-off in response to drops because of congestion in the queue), those flows continue to be classified as belligerent even when DBL is disabled on that queue.
For this condition to persist, the transmit queues in question must remain congested for a long period of time and that congestion must be caused by flows that remain belligerent.
Workaround: Provided the queue in question is non-default (queuing actions are not configured in the class-default class of the policy-map), detach and re-attach the service-policy.
If this happens on the default queue, modifying and resetting some queuing parameters like bandwidth/shape fixes the issue. (CSCsk62457)
•
When a Catalyst 4900M switch encounters either a fan tray failure or a supervisor critical temperature, the chassis shuts off. The output of the show crashdump command will not indicate the cause of the power-down.
Workarounds: Use the show log command to determine the cause of the power-down.
–
If the log has LogGalInsufficientFansDetected messages, the cause was a fan-tray failure.
–
If the log has LogRkiosModuleShutdownTemp messages, the cause was that the supervisor critical temperature exceeded the failure threshold.
(CSCsk48632)
•
A Catalyst 4900M switch will support a maximum of 32 MTU values system wide.
On a Catalyst 4900M running Cisco IOS Release 12.2(40)SG, all MTU values configured on a line card are set to default when the module is reset. Furthermore, MTU values are not retained for modules that are physically moved.
Workaround: None. (CSCsk52542)
•
On rare occasions, if you use an X2 SR transceiver on a WS-X4706-10GE running Cisco IOS Release 12.2(40)SG, you will observe CRC errors after a reload or power cycle when you insert the card or the X2.
Workaround: Reinsert the X2. (CSCsk43618)
•
Control plane policing applied to DHCP traffic as identified by the system class-maps system-cpp-dhcp-cs, system-cpp-dhcp-sc, and system-cpp-dhcp-ss may not be effective.
Workaround: None. (CSCsk67395)
•
When the CPU transmits a .1X packet on an interface that has an egress QoS policy attached, the packet is not matched and exits without any QoS marking actions.
When a packet is sent to the CPU it may get sent out on some other interface. If so, the original COS value for a .1X packet cannot be matched by software QoS (as per CSCsk66449). The packet is transmitted with whatever COS value it was generated with (7, for the MLDv1 packets described here).
Workaround: None.
Part of the root cause of this problem is captured through CSCsk66449, which indicates that the software QoS cannot match against a .1X packet. (CSCsk72544)
•
If a class-map is configured with exceed-action drop, re-configuring the same class-map with exceed-action transmit causes class-map configurations to conflict for the same class-map.
Workaround: If you plan to change a class-map action, such as exceed-action, you need to remove the class-map with the no class c1 command under policy-map submode. Then, apply the new class-map with the updated changes.
(CSCsk70826)
•
If burst is not explicitly configured for a single rate policer, the show policy-map command displays an incorrect burst value.
Workaround: Enter the show policy-map interface command. (CSCsi71036)
•
When you enter the show policy-map vlan vlan command, unconditional marking actions that are configured on the VLAN are not shown.
Workaround: None. However, if you enter the show policy-map name command, the unconditional marking actions are displayed. (CSCsi94144)
•
You observe a .05% loss on WS-X4908-10GE when sending traffic at 99% of the port capacity.
Workaround: None. (CSCsl39767)
•
IGMP snooping entries are active even after disabling IGMP snooping globally and per VLAN.
Workarounds: Disable IGMP snooping on all the relevant VLANs before disabling it globally.
•
IPv6 MLD entries are active even if an IPv6 MLD related configuration does not exist.
Workaround: Unconfigure all generic QoS policies from the system. (CSCsq84853)
•
IPv6 entries are active in the CAM; the CPU receives IPv6 packets.
Workaround: Unconfigure any generic QoS policies from the system. The QoS policies with the match any attribute cause IPv6 entries to become active. If the switch is a pure Layer 2 device, remove the generic protocol family attributes and narrow it to the protocol family.
(CSCsq84796)
•
Initially, REP configured with VLAN Load Balancing (VLB) works correctly. When you issue a force-switchover on the switch that has a port acting as the secondary ALT port, a loop is induced in the topology.
Workaround: Enter shut, then no-shut on any REP port (of the same segment in which VLB is configured) in the topology. (CSCsq75342)
•
In Cisco IOS Release 12.2(46)SG, if flexlink is applied to a pair of EtherChannels, the flexlink configuration may not be applied after a reboot if the backup EtherChannel is defined after the flexlink configuration.
Workaround: Define the backup EtherChannel before applying the flexlink command. (CSCsq13477)
•
In Cisco IOS Release 12.2(46)SG, if an EtherChannel is a member of a flexlink pair, then static MAC addresses configured on the EtherChannel are not moved to the alternate port when the EtherChannel fails (flexlink failure).
Workaround: None. (CSCsq99468)
•
Performing a default interface operation on an interface with auto-QoS enabled results in an error message and the loss of the auto-QoS configuration. For example, the following sequence of operations results in a loss of the configuration:
config-if# auto qos voip cisco-phone
config# default interface interface-name
Workaround: Replace the default interface command with the following:
config# interface interface-number
config-if# switchport
(CSCsq47116)
•
The IPv6 ICMP neighbor state changes from REACH to STALE after 15 secs of inactivity on the link.
Workaround: Ping the global and link local addresses of the neighbor to ascertain and reinstate reachability. (CSCsq77181)
•
IPv6 EIGRP routes are not learned through the port channel.
Workaround: Unconfigure the port channel and the associated physical port, and reconfigure them.
(CSCsq74229)
•
When a CFM Inward Facing MEP (IFM) is configured on a VLAN that is not allocated on a switch port that is DOWN, the show ethernet cfm maintenance-points local command displays the IFM CC Status as Inactive. If you then allocate the VLAN, the CC status remains Inactive.
You only see this symptom if you did not allocate a VLAN before you configured the IFM, and then at a later time allocate the same VLAN.
Workaround: Unconfigure, then reconfigure the IFM on the port.
•
Ordinarily, the output of a CFM Traceroute from a MEP lists the next hop name (device/host name) for each hop up to the other MEP. When CFM over EtherChannel exists between the two MEPs, CFM Traceroute issued from a MEP does not show the next hop name.
Workaround: None. (CSCso50659)
•
An IP unnumbered configuration is lost after a reload.
Workarounds: Do one of the following:
–
After a reload, copy the startup-config to the running-config.
–
Use a loopback interface as the target of the ip unnumbered command.
–
Change the CLI configuration such that during bootup, the router port is created first.
(CSCsq63051)
•
In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
When you configure ip source binding statically on an interface, and then remove the linecard on which the interface resides, the entries are not removed from the running config.
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
If you configure OFM on an Etherchannel (with at least two interfaces), when you shut or remove the first member that joined the channel, the CFM neighbor is lost.
Workaround: Clear the errors with the clear ethernet cfm errors command in EXEC mode. (CSCsv43819)
•
Duplicate serial number error messages are reported when you move a One X Convertor with SFP+, an SFP+ alone, or an X2 to another port, and the port into which it is inserted enters a faulty status.
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
The presence of features and Per Vlan Capture might exhaust the TCAM masks.
Workaround: Disable Per VLAN Capture or some of the features. (CSCsr95455)
•
On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
When the switch port configured with 802.1X Multi-Domain Authentication (MDA) and Guest VLAN is connected to a non-802.1X supplicant PC through a hub, the port falls back to guest VLAN. Subsequently, it is stuck in the guest VLAN and ignores all EAPOL traffic from another 802.1X supplicant PC connected to the hub.
Workaround: None. (CSCsu42775)
•
VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.
Workaround: For VTP database propagation, configure an ISL/dot1q trunk port. (CSCsu43445)
•
Egress traffic may not be allowed when 802.1X is configured as a Unidirectional Controlled Port.
Workarounds: Do one of the following:
–
Enter spanning-tree portfast then authentication control-direction in on an 802.1X port.
–
Enter shut then no shut on an 802.1X port.
(CSCsv05205)
•
When you remove an SFP+ from a OneX converter in an X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in a Duplicate Seeprom error message.
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
Enter any commands for that port.
–
Insert an SFP+ in that port.
–
Reinsert the removed SFP+ in any other port.
(CSCsv90044)
•
The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.
Workaround: None. (CSCsr95941)
•
When a PVLAN isolated port is connected to a router serving as a multicast source, and you enable igmp snooping, the routers connected to the isolated ports display as PIM neighbors.
Workaround: Do one of the following:
–
Do not attach routers to PVLAN isolated ports.
–
Disable igmp snooping (either globally or on the VLAN).
–
Do not use a router connected to PVLAN isolated port as a multicast source.
(CSCsu39009)
•
When you delete and recreate an interface, the tracking process is unable to track its state.
Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)
•
The switch may reload after destroying the expExpressionTable row via SNMP when you enable the debug management expression evaluator command.
Workaround: Remove the above debug command. (CSCsu67323)
•
IP Router Option may not work with IGMP version 2.
Workaround: None. (CSCsv42869)
•
If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
Reconfigure the VLAN Load Balancing configuration on the desired REP ports.
b.
Shut any one REP port in the segment to cause a failure in that segment.
c.
No-shut that port to restore normal REP topology with one ALT port.
d.
Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.
(CSCsv69853)
•
After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
This applies to classic or E-series Catalyst 4500 supervisor engines running Cisco IOS Release 12.2(50)SG.
Workaround: None. (CSCsw14005)
•
The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to an IP phone (with CDP port status TLV support) that is connected to the switch.
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. (CSCsw91661)
•
Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk port. However, the traffic is properly classified and the actions configured in the policy are applied properly.
Workaround: None. (CSCsy72343)
•
On a Catalyst 4900 series switch running Cisco IOS Release 12.2(46)SG and later versions, if you enter the clear port-security dynamic interface fastethernet1 command, the switch reloads.
Do not enter this command if port security is not configured on the interface.
Do not enter this command on fa1.
Workaround: None. (CSCtb16586)
Resolved Caveats in Cisco IOS Release 12.2(50)SG5
This section lists the resolved caveats in Release 12.2(50)SG5:
•
Under extremely rare conditions, a switch may silently stop forwarding traffic.
This caveat occurs when a register value is corrupted and you subsequently enable a Layer 3 feature.
Workaround: None. (CSCsz48273)
Open Caveats in Cisco IOS Release 12.2(50)SG4
This section lists the open caveats in Cisco IOS Release 12.2(50)SG4:
•
Software QoS does not match a .1Q packet properly for applying the desired QoS actions.
Workarounds: None.
Support for handling .1Q packets in software QoS lookup is unavailable in Cisco IOS Release 12.2(40)SG. (CSCsk66449)
•
Under some conditions, one or more flows continue to be dropped because of DBL even after DBL has been removed from the service-policy.
When an output service-policy is attached to an interface and if the policy is configured to apply DBL on a queue, the flows that are enqueued to the queue are subjected to the DBL algorithm. If one or more flows are classified as belligerent (flows do not back-off in response to drops because of congestion in the queue), those flows continue to be classified as belligerent even when DBL is disabled on that queue.
For this condition to persist, the transmit queues in question must remain congested for a long period of time and that congestion must be caused by flows that remain belligerent.
Workaround: Provided the queue in question is non-default (queuing actions are not configured in the class-default class of the policy-map), detach and re-attach the service-policy.
If this happens on the default queue, modifying and resetting some queuing parameters like bandwidth/shape fixes the issue. (CSCsk62457)
•
When a Catalyst 4900M switch encounters either a fan tray failure or a supervisor critical temperature, the chassis shuts off. The output of the show crashdump command will not indicate the cause of the power-down.
Workarounds: Use the show log command to determine the cause of the power-down.
–
If the log has LogGalInsufficientFansDetected messages, the cause was a fan-tray failure.
–
If the log has LogRkiosModuleShutdownTemp messages, the cause was that the supervisor critical temperature exceeded the failure threshold.
(CSCsk48632)
•
A Catalyst 4900M switch will support a maximum of 32 MTU values system wide.
On a Catalyst 4900M running Cisco IOS Release 12.2(40)SG, all MTU values configured on a line card are set to default when the module is reset. Furthermore, MTU values are not retained for modules that are physically moved.
Workaround: None. (CSCsk52542)
•
On rare occasions, if you use an X2 SR transceiver on a WS-X4706-10GE running Cisco IOS Release 12.2(40)SG, you will observe CRC errors after a reload or power cycle when you insert the card or the X2.
Workaround: Reinsert the X2. (CSCsk43618)
•
Control plane policing applied to DHCP traffic as identified by the system class-maps system-cpp-dhcp-cs, system-cpp-dhcp-sc, and system-cpp-dhcp-ss may not be effective.
Workaround: None. (CSCsk67395)
•
When the CPU transmits a .1X packet on an interface that has an egress QoS policy attached, the packet is not matched and exits without any QoS marking actions.
When a packet is sent to the CPU it may get sent out on some other interface. If so, the original COS value for a .1X packet cannot be matched by software QoS (as per CSCsk66449). The packet is transmitted with whatever COS value it was generated with (7, for the MLDv1 packets described here).
Workaround: None.
Part of the root cause of this problem is captured through CSCsk66449, which indicates that the software QoS cannot match against a .1X packet. (CSCsk72544)
•
If a class-map is configured with exceed-action drop, re-configuring the same class-map with exceed-action transmit causes class-map configurations to conflict for the same class-map.
Workaround: If you plan to change a class-map action, such as exceed-action, you need to remove the class-map with the no class c1 command under policy-map submode. Then, apply the new class-map with the updated changes.
(CSCsk70826)
•
If burst is not explicitly configured for a single rate policer, the show policy-map command displays an incorrect burst value.
Workaround: Enter the show policy-map interface command. (CSCsi71036)
•
When you enter the show policy-map vlan vlan command, unconditional marking actions that are configured on the VLAN are not shown.
Workaround: None. However, if you enter the show policy-map name command, the unconditional marking actions are displayed. (CSCsi94144)
•
You observe a .05% loss on WS-X4908-10GE when sending traffic at 99% of the port capacity.
Workaround: None. (CSCsl39767)
•
IGMP snooping entries are active even after disabling IGMP snooping globally and per VLAN.
Workarounds: Disable IGMP snooping on all the relevant VLANs before disabling it globally.
•
IPv6 MLD entries are active even if an IPv6 MLD related configuration does not exist.
Workaround: Unconfigure all generic QoS policies from the system. (CSCsq84853)
•
IPv6 entries are active in the CAM; the CPU receives IPv6 packets.
Workaround: Unconfigure any generic QoS policies from the system. The QoS policies with the match any attribute cause IPv6 entries to become active. If the switch is a pure Layer 2 device, remove the generic protocol family attributes and narrow it to the protocol family.
(CSCsq84796)
•
Initially, REP configured with VLAN Load Balancing (VLB) works correctly. When you issue a force-switchover on the switch that has a port acting as the secondary ALT port, a loop is induced in the topology.
Workaround: Enter shut, then no-shut on any REP port (of the same segment in which VLB is configured) in the topology. (CSCsq75342)
•
In Cisco IOS Release 12.2(46)SG, if flexlink is applied to a pair of EtherChannels, the flexlink configuration may not be applied after a reboot if the backup EtherChannel is defined after the flexlink configuration.
Workaround: Define the backup EtherChannel before applying the flexlink command. (CSCsq13477)
•
In Cisco IOS Release 12.2(46)SG, if an EtherChannel is a member of a flexlink pair, then static MAC addresses configured on the EtherChannel are not moved to the alternate port when the EtherChannel fails (flexlink failure).
Workaround: None. (CSCsq99468)
•
Performing a default interface operation on an interface with auto-QoS enabled results in an error message and the loss of the auto-QoS configuration. For example, the following sequence of operations results in a loss of the configuration:
config-if# auto qos voip cisco-phone
config# default interface interface-name
Workaround: Replace the default interface command with the following:
config# interface interface-number
config-if# switchport
(CSCsq47116)
•
The IPv6 ICMP neighbor state changes from REACH to STALE after 15 secs of inactivity on the link.
Workaround: Ping the global and link local addresses of the neighbor to ascertain and reinstate reachability. (CSCsq77181)
•
IPv6 EIGRP routes are not learned through the port channel.
Workaround: Unconfigure the port channel and the associated physical port, and reconfigure them.
(CSCsq74229)
•
When a CFM Inward Facing MEP (IFM) is configured on a VLAN that is not allocated on a switch port that is DOWN, the show ethernet cfm maintenance-points local command displays the IFM CC Status as Inactive. If you then allocate the VLAN, the CC status remains Inactive.
You only see this symptom if you did not allocate a VLAN before you configured the IFM, and then at a later time allocate the same VLAN.
Workaround: Unconfigure, then reconfigure the IFM on the port.
•
Ordinarily, the output of a CFM Traceroute from a MEP lists the next hop name (device/host name) for each hop up to the other MEP. When CFM over EtherChannel exists between the two MEPs, CFM Traceroute issued from a MEP does not show the next hop name.
Workaround: None. (CSCso50659)
•
An IP unnumbered configuration is lost after a reload.
Workarounds: Do one of the following:
–
After a reload, copy the startup-config to the running-config.
–
Use a loopback interface as the target of the ip unnumbered command.
–
Change the CLI configuration such that during bootup, the router port is created first.
(CSCsq63051)
•
In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
When you configure ip source binding statically on an interface, and then remove the linecard on which the interface resides, the entries are not removed from the running config.
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
If you configure OFM on an Etherchannel (with at least two interfaces), when you shut or remove the first member that joined the channel, the CFM neighbor is lost.
Workaround: Clear the errors with the clear ethernet cfm errors command in EXEC mode. (CSCsv43819)
•
Duplicate serial number error messages are reported when you move a One X Convertor with SFP+, an SFP+ alone, or an X2 to another port, and the port into which it is inserted enters a faulty status.
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
The presence of features and Per Vlan Capture might exhaust the TCAM masks.
Workaround: Disable Per VLAN Capture or some of the features. (CSCsr95455)
•
On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
When the switch port configured with 802.1X Multi-Domain Authentication (MDA) and Guest VLAN is connected to a non-802.1X supplicant PC through a hub, the port falls back to guest VLAN. Subsequently, it is stuck in the guest VLAN and ignores all EAPOL traffic from another 802.1X supplicant PC connected to the hub.
Workaround: None. (CSCsu42775)
•
VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.
Workaround: For VTP database propagation, configure an ISL/dot1q trunk port. (CSCsu43445)
•
Egress traffic may not be allowed when 802.1X is configured as a Unidirectional Controlled Port.
Workarounds: Do one of the following:
–
Enter spanning-tree portfast then authentication control-direction in on an 802.1X port.
–
Enter shut then no shut on an 802.1X port.
(CSCsv05205)
•
When you remove an SFP+ from a OneX converter in an X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in a Duplicate Seeprom error message.
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
Enter any commands for that port.
–
Insert an SFP+ in that port.
–
Reinsert the removed SFP+ in any other port.
(CSCsv90044)
•
The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.
Workaround: None. (CSCsr95941)
•
When a PVLAN isolated port is connected to a router serving as a multicast source, and you enable igmp snooping, the routers connected to the isolated ports display as PIM neighbors.
Workaround: Do one of the following:
–
Do not attach routers to PVLAN isolated ports.
–
Disable igmp snooping (either globally or on the VLAN).
–
Do not use a router connected to PVLAN isolated port as a multicast source.
(CSCsu39009)
•
When you delete and recreate an interface, the tracking process is unable to track its state.
Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)
•
The switch may reload after destroying the expExpressionTable row via SNMP when you enable the debug management expression evaluator command.
Workaround: Remove the above debug command. (CSCsu67323)
•
IP Router Option may not work with IGMP version 2.
Workaround: None. (CSCsv42869)
•
If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
Reconfigure the VLAN Load Balancing configuration on the desired REP ports.
b.
Shut any one REP port in the segment to cause a failure in that segment.
c.
No-shut that port to restore normal REP topology with one ALT port.
d.
Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.
(CSCsv69853)
•
After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
This applies to classic or E-series Catalyst 4500 supervisor engines running Cisco IOS Release 12.2(50)SG.
Workaround: None. (CSCsw14005)
•
The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to an IP phone (with CDP port status TLV support) that is connected to the switch.
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. (CSCsw91661)
•
Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk port. However, the traffic is properly classified and the actions configured in the policy are applied properly.
Workaround: None. (CSCsy72343)
•
On a Catalyst 4900 series switch running Cisco IOS Release 12.2(46)SG and later versions, if you enter the clear port-security dynamic interface fastethernet1 command, the switch reloads.
Do not enter this command if port security is not configured on the interface.
Do not enter this command on fa1.
Workaround: None. (CSCtb16586)
Resolved Caveats in Cisco IOS Release 12.2(50)SG4
This section lists the resolved caveats in Release 12.2(50)SG4:
•
A router may crash when a privilege-level 15 user logs on with the callback or callback-dialstring attribute.
This problem is seen on all Catalyst 4500 or 4900 chassis running Cisco IOS Release 12.2(50)SG. The problem occurs when the following conditions are present:
–
The router is configured with AAA authentication and authorization.
–
The AAA server runs CiscoSecure ACS 2.4.
–
The callback or callback-dialstring attribute is configured on the AAA server for the user.
Workarounds: Do not configure the callback or callback-dialstring attribute for the user. If you use the callback-dialstring attribute in the TACACS+ profile, ensure that the NULL value is not configured. (CSCei62358)
•
On a switch running Cisco IOS Release 12.2(50)SG, supplicants authorized on PVLAN in multi-auth host mode are not moved to an Unauthorized state when the PVLAN is removed.
This problem occurs only when a port is configured with PVLAN and 802.1X multi-auth.
Workaround: Shut down then reopen the interface. (CSCsr58573)
•
Ping does not execute prior to a posture validation.
Workaround: Reapply the identity policy on the interface with the permit icmp command. (CSCsu03507)
•
Ordinarily, you observe the following messages frequently in the logs:
001298: .Oct 8 01:38:50.968: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0aPErr interrupt. errAddr: 0x2947 dPErr: 1 mPErr: 0 valid: 1
001299: .Oct 8 01:51:20.100: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0aPErr interrupt. errAddr: 0x2B59 dPErr: 1 mPErr: 0 valid: 1
They imply no impact to performance.
Workaround: None. (CSCsv17545)
•
Entering the channel-group x mode or channel-protocol followed by lacp or pagp command on an fa1 management interface causes the active supervisor engine to reload.
Port-channel functionality is not supported on the management interface.
This is a configuration error.
Workaround: None. (CSCsv91302)
•
When you attempt an ISSU upgrade or downgrade between Cisco IOS Release 12.2(50)SG and 12.2(44)SG or 12.2(46)SG, the switch displays a traceback.
Workaround: None. (CSCsw32519)
•
On classic series supervisors and Supervisor Engine 6-E running Cisco IOS Release 12.2(50)SG and later releases, egress traffic is not allowed on ports configured for Wake-on-LAN (through the authentication control-direction in command) and Multi-domain Authentication (MDA) (through the authentication host-mode multi-domain command) before the port is authorized.
Workaround: None. (CSCsy29140)
•
On a Catalyst 4900M switch, when you use a WS-X4908-10GE card with CVR-X2-SFP twin gig converters, the giga ports do not link up to the peer device that sends a remote fault. The show int status | inc gi x/y command indicates notconnect.
Similar behavior is observed with Supervisor Engine 6-E uplinks and the WS-X4706-10GE line card.
This behavior is seen in Cisco IOS Releases 12.2(50)SG through 12.2(50)SG3 when the peer device sends a remote fault.
Workaround: Disable auto negotiation at both ends.
(CSCta02425)
Open Caveats in Cisco IOS Release 12.2(50)SG3
This section lists the open caveats in Cisco IOS Release 12.2(50)SG3:
•
Software QoS does not match a .1Q packet properly for applying the desired QoS actions.
Workaround: None.
Support for handling .1Q packets in software QoS lookup is unavailable in Cisco IOS Release 12.2(40)SG. (CSCsk66449)
•
Under some conditions, one or more flows continue to be dropped because of DBL even after DBL has been removed from the service-policy.
When an output service-policy is attached to an interface and if the policy is configured to apply DBL on a queue, the flows that are enqueued to the queue are subjected to the DBL algorithm. If one or more flows are classified as belligerent (flows do not back-off in response to drops because of congestion in the queue), those flows continue to be classified as belligerent even when DBL is disabled on that queue.
For this condition to persist, the transmit queues in question must remain congested for a long period of time and that congestion must be caused by flows that remain belligerent.
Workaround: Provided the queue in question is non-default (queuing actions are not configured in the class-default class of the policy-map), detach and re-attach the service-policy.
If this happens on the default queue, modifying and resetting some queuing parameters like bandwidth/shape fixes the issue. (CSCsk62457)
•
When a Catalyst 4900M switch encounters either a fan tray failure or a supervisor critical temperature, the chassis shuts off. The output of the show crashdump command will not indicate the cause of the power-down.
Workarounds: Use the show log command to determine the cause of the power-down.
–
If the log has LogGalInsufficientFansDetected messages, the cause was a fan-tray failure.
–
If the log has LogRkiosModuleShutdownTemp messages, the cause was that the supervisor critical temperature exceeded the failure threshold.
(CSCsk48632)
•
A Catalyst 4900M switch will support a maximum of 32 MTU values system wide.
On a Catalyst 4900M running Cisco IOS Release 12.2(40)SG, all MTU values configured on a line card are set to default when the module is reset. Furthermore, MTU values are not retained for modules that are physically moved.
Workaround: None. (CSCsk52542)
•
On rare occasions, if you use an X2 SR transceiver on a WS-X4706-10GE running Cisco IOS Release 12.2(40)SG, you will observe CRC errors after a reload or power cycle when you insert the card or the X2.
Workaround: Reinsert the X2. (CSCsk43618)
•
Control plane policing applied to DHCP traffic as identified by the system class-maps system-cpp-dhcp-cs, system-cpp-dhcp-sc, and system-cpp-dhcp-ss may not be effective.
Workaround: None. (CSCsk67395)
•
When the CPU transmits a .1X packet on an interface that has an egress QoS policy attached, the packet is not matched and exits without any QoS marking actions.
When a packet is sent to the CPU it may get sent out on some other interface. If so, the original COS value for a .1X packet cannot be matched by software QoS (as per CSCsk66449). The packet is transmitted with whatever COS value it was generated with (7, for the MLDv1 packets described here).
Workaround: None.
Part of the root cause of this problem is captured through CSCsk66449, which indicates that the software QoS cannot match against a .1X packet. (CSCsk72544)
•
If a class-map is configured with exceed-action drop, re-configuring the same class-map with exceed-action transmit causes class-map configurations to conflict for the same class-map.
Workaround: If you plan to change a class-map action, such as exceed-action, you need to remove the class-map with the no class c1 command under policy-map submode. Then, apply the new class-map with the updated changes.
(CSCsk70826)
•
If burst is not explicitly configured for a single rate policer, the show policy-map command displays an incorrect burst value.
Workaround: Enter the show policy-map interface command. (CSCsi71036)
•
When you enter the show policy-map vlan vlan command, unconditional marking actions that are configured on the VLAN are not shown.
Workaround: None. However, if you enter the show policy-map name, the unconditional marking actions are displayed. (CSCsi94144)
•
You observe a .05% loss on WS-X4908-10GE when sending traffic at 99% of the port capacity.
Workaround: None. (CSCsl39767)
•
IGMP snooping entries are active even after disabling IGMP snooping globally and per VLAN.
Workarounds: Disable IGMP snooping on all the relevant VLANs before disabling it globally.
•
IPv6 MLD entries are active even if an IPv6 MLD related configuration does not exist.
Workaround: Unconfigure all generic QOS policies from the system. (CSCsq84853)
•
IPv6 entries are active in the CAM; the CPU receives IPv6 packets.
Workaround: Unconfigure any generic QOS policies from the system. The QoS policies with the match any attribute cause IPv6 entries to become active. If the switch is a pure Layer 2 device, remove the generic protocol family attributes and narrow it to the protocol family.
(CSCsq84796)
•
Initially, REP configured with VLAN Load Balancing (VLB) works correctly. When you issue a force-switchover on the switch that has a port acting as the secondary ALT port, a loop is induced in the topology.
Workaround: Enter shut, then no-shut on any REP port (of the same segment in which VLB is configured) in the topology. (CSCsq75342)
•
In Cisco IOS Release 12.2(46)SG, if flexlink is applied to a pair of etherchannels, then flexlink config may not be applied after a reboot, if the backup EtherChannel is defined after the flexlink configuration.
Workaround: Define the backup etherchannel before applying the flexlink command. (CSCsq13477)
•
In Cisco IOS Release 12.2(46)SG, if an etherchannel is a member of a flexlink pair, then static MAC addresses configured on the EtherChannel are not moved to the alternate port when the EtherChannel fails (flexlink failure).
Workaround: None. (CSCsq99468)
•
Performing a default interface operation on an interface with auto-QoS enabled results in an error message and the loss of the auto-QoS configuration. For example, the following sequence of operation results in a loss of the configuration:
config-if# auto qos voip cisco-phone
config# default interface interface-name
Workaround: Replace the default interface command with the following:
config# interface interface-number
config-if# switchport
(CSCsq47116)
•
The IPv6 ICMP neighbor state changes from REACH to STALE after 15 seconds of inactivity on the link.
Workaround: Ping the global and link local addresses of the neighbor to ascertain and reinstate reachability. (CSCsq77181)
•
IPv6 EIGRP routes are not learned through the port channel.
Workaround: Unconfigure the port channel and the associated physical port, and reconfigure them.
(CSCsq74229)
•
When a CFM Inward Facing MEP (IFM) is configured on a VLAN that is not allocated on a switch port that is DOWN, the show ethernet cfm maintenance-points local command displays the IFM CC Status as Inactive. Then, when you allocate the VLAN, the CC-status remains Inactive.
You only see this symptom if you did not allocate a VLAN before you configured the IFM, then at a later time allocate the same VLAN.
Workaround: Unconfigure, then reconfigure the IFM on the port.
•
Ordinarily, the output of a CFM Traceroute from a MEP lists the next hop name (device/host name) for each hop up to the other MEP. When CFM over EtherChannel exists between the two MEPs, CFM Traceroute issued from a MEP does not show the next hop name.
Workaround: None. (CSCso50659)
•
An IP unnumbered configuration is lost after a reload.
Workarounds: Do one of the following:
–
After a reload, copy the startup-config to the running-config.
–
Use a loopback interface as the target of the ip unnumbered command.
–
Change the CLI configuration such that during bootup, the router port is created first.
(CSCsq63051)
•
In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
When you configure ip source binding statically on an interface, and then remove the linecard on which the interface resides, the entries are not removed from the running config.
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
If you configure OFM on an Etherchannel (with at least two interfaces), when you shut or remove the first member that joined the channel, the CFM neighbor is lost.
Workaround: Clear the errors with the clear ethernet cfm errors command in EXEC mode. (CSCsv43819)
•
Duplicate serial number error messages are reported when you switch a One X Convertor with SFP+, an SFP+, or an X2 to another port, and the inserted port enters a faulty status.
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
The presence of features and Per Vlan Capture might exhaust the TCAM masks.
Workaround: Disable Per VLAN Capture or some of the features. (CSCsr95455)
•
Ping does not execute prior to a posture validation.
Workaround: Reapply the identity policy on the interface with the permit icmp command. (CSCsu03507)
•
On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
On a switch running Cisco IOS Release 12.2(50)SG, supplicants authorized on PVLAN in multi-auth host mode are not moved to an Unauthorized state when the PVLAN is removed.
This problem occurs only when a port is configured with PVLAN and 802.1X multi-auth.
Workaround: Shut down then reopen the interface. (CSCsr58573)
•
When the switch port configured with 802.1X Multi-Domain Authentication (MDA) and Guest VLAN is connected to a non-802.1X supplicant PC through a hub, the port falls back to guest VLAN. Subsequently, it is stuck in the guest VLAN and ignores all EAPOL traffic from another 802.1X supplicant PC connected to the hub.
Workaround: None. (CSCsu42775)
•
VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
Egress traffic may not be allowed when 802.1X is configured as a Unidirectional Controlled Port.
Workarounds: Do one of the following:
–
Enter spanning-tree portfast then authentication control-direction in on a 802.1X port.
–
Enter shut then no shut on a 802.1X port.
(CSCsv05205)
•
When you remove an SFP+ from a OneX converter in an X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in a Duplicate Seeprom error message.
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
Enter any commands for that port.
–
Insert an SFP+ in that port.
–
Reinsert the removed SFP+ in any other port.
(CSCsv90044)
•
The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.
Workaround: None. (CSCsr95941)
•
When a PVLAN isolated port is connected to a router serving as a multicast source, and you enable igmp snooping, the routers connected to the isolated ports display as PIM neighbors.
Workaround: Do one of the following:
–
Do not attach routers to PVLAN isolated ports.
–
Disable igmp snooping (either globally or on the VLAN).
–
Do not use a router connected to PVLAN isolated port as a multicast source.
(CSCsu39009)
•
When you delete and recreate an interface, the tracking process is unable to track its state.
Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)
•
The switch may reload after destroying the expExpressionTable row via SNMP when you enable the debug management expression evaluator command.
Workaround: Remove the above debug command. (CSCsu67323)
•
IP Router Option may not work with IGMP version 2.
Workaround: None. (CSCsv42869)
•
A router may crash when a privilege-level 15 user logs on with the callback or callback-dialstring attribute.
This problem is seen on all Catalyst 4500 or 4900 chassis running Cisco IOS Release 12.2(50)SG. The problem occurs when the following conditions are present:
–
The router is configured with AAA authentication and authorization.
–
The AAA server runs CiscoSecure ACS 2.4.
–
The callback or callback-dialstring attribute is configured on the AAA server for the user.
Workarounds: Do not configure the callback or callback-dialstring attribute for the user. If you use the callback-dialstring attribute in the TACACS+ profile, ensure that the NULL value is not configured. (CSCei62358)
•
When you attempt an ISSU upgrade or downgrade between Cisco IOS Release 12.2(50)SG and 12.2(44)SG or 12.2(46)SG, the switch displays a traceback.
Workaround: None. (CSCsw32519)
•
If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
Reconfigure the VLAN Load Balancing configuration on the desired REP ports.
b.
Shut any one REP port in the segment to cause a failure in that segment.
c.
No-shut that port to restore normal REP topology with one ALT port.
d.
Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.
(CSCsv69853)
•
After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
This applies to classic or E-series Catalyst 4500 supervisor engines running Cisco IOS Release 12.2(50)SG.
Workaround: None. (CSCsw14005)
•
Entering the channel-group x mode or channel-protocol followed by lacp or pagp command on an fa1 management interface causes the active supervisor engine to reload.
Port-channel functionality is not supported on the management interface.
This is a configuration error.
Workaround: None. (CSCsv91302)
•
Ordinarily, you observe the following messages frequently in the logs:
001298: .Oct 8 01:38:50.968: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0aPErr interrupt. errAddr: 0x2947 dPErr: 1 mPErr: 0 valid: 1
001299: .Oct 8 01:51:20.100: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0aPErr interrupt. errAddr: 0x2B59 dPErr: 1 mPErr: 0 valid: 1
They imply no impact to performance.
Workaround: None. (CSCsv17545)
•
The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to an IP phone (with CDP port status TLV support) that is connected to the switch.
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. (CSCsw91661)
•
On classic series supervisors and Supervisor Engine 6-E running Cisco IOS Release 12.2(50)SG and later releases, egress traffic is not allowed on ports configured for Wake-on-LAN (through the authentication control-direction in command) and Multi-domain Authentication (MDA) (through the authentication host-mode multi-domain command) before the port is authorized.
Workaround: None. (CSCsy29140)
•
Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk port. However, the traffic is properly classified and the actions configured in the policy are applied properly.
Workaround: None. (CSCsy72343)
•
On a Catalyst 4900M switch, when you use a WS-X4908-10GE card with CVR-X2-SFP twin gig converters, the giga ports do not link up to the peer device that sends a remote fault. The show int status | inc gi x/y command indicates notconnect.
Similar behavior is observed with Supervisor Engine 6-E uplinks and the WS-X4706-10GE line card.
This behavior is seen in Cisco IOS Releases 12.2(50)SG through 12.2(50)SG3 when the peer device sends a remote fault.
Workaround: Disable auto negotiation at both ends.
(CSCta02425)
Resolved Caveats in Cisco IOS Release 12.2(50)SG3
This section lists the resolved caveats in Release 12.2(50)SG3:
•
A Catalyst 4900M switch might crash if you insert/remove a TwinGig converter or boot it with installed TwinGig converters.
TwinGig converters are only supported on E-series supervisors and line cards. This bug does not affect systems without installed converters.
Workaround: None.
Once the switch has booted successfully and has detected all installed TwinGig converters, it is unlikely to crash unless you insert a converter. (CSCsz49331)
Open Caveats in Cisco IOS Release 12.2(50)SG2
This section lists the open caveats in Cisco IOS Release 12.2(50)SG2:
•
Software QoS does not match a .1Q packet properly for applying the desired QoS actions.
Workaround: None.
Support for handling .1Q packets in software QoS lookup is unavailable in Cisco IOS Release 12.2(40)SG. (CSCsk66449)
•
Under some conditions, one or more flows continue to be dropped because of DBL even after DBL has been removed from the service-policy.
When an output service-policy is attached to an interface and if the policy is configured to apply DBL on a queue, the flows that are enqueued to the queue are subjected to the DBL algorithm. If one or more flows are classified as belligerent (flows do not back-off in response to drops because of congestion in the queue), those flows continue to be classified as belligerent even when DBL is disabled on that queue.
For this condition to persist, the transmit queues in question must remain congested for a long period of time and that congestion must be caused by flows that remain belligerent.
Workaround: Provided the queue in question is non-default (queuing actions are not configured in the class-default class of the policy-map), detach and re-attach the service-policy.
If this happens on the default queue, modifying and resetting some queuing parameters like bandwidth/shape fixes the issue. (CSCsk62457)
•
When a Catalyst 4900M switch encounters either a fan tray failure or a supervisor critical temperature, the chassis shuts off. The output of the show crashdump command will not indicate the cause of the power-down.
Workarounds: Use the show log command to determine the cause of the power-down.
–
If the log has LogGalInsufficientFansDetected messages, the cause was a fan-tray failure.
–
If the log has LogRkiosModuleShutdownTemp messages, the cause was that the supervisor critical temperature exceeded the failure threshold.
(CSCsk48632)
•
A Catalyst 4900M switch will support a maximum of 32 MTU values system wide.
On a Catalyst 4900M running Cisco IOS Release 12.2(40)SG, all MTU values configured on a line card are set to default when the module is reset. Furthermore, MTU values are not retained for modules that are physically moved.
Workaround: None. (CSCsk52542)
•
On rare occasions, if you use an X2 SR transceiver on a WS-X4706-10GE running Cisco IOS Release 12.2(40)SG, you will observe CRC errors after a reload or power cycle when you insert the card or the X2.
Workaround: Reinsert the X2. (CSCsk43618)
•
Control plane policing applied to DHCP traffic as identified by the system class-maps system-cpp-dhcp-cs, system-cpp-dhcp-sc, and system-cpp-dhcp-ss may not be effective.
Workaround: None. (CSCsk67395)
•
When the CPU transmits a .1X packet on an interface that has an egress QoS policy attached, the packet is not matched and exits without any QoS marking actions.
When a packet is sent to the CPU it may get sent out on some other interface. If so, the original COS value for a .1X packet cannot be matched by software QoS (as per CSCsk66449). The packet is transmitted with whatever COS value it was generated with (7, for the MLDv1 packets described here).
Workaround: None.
Part of the root cause of this problem is captured through CSCsk66449, which indicates that the software QoS cannot match against a .1X packet. (CSCsk72544)
•
If a class-map is configured with exceed-action drop, re-configuring the same class-map with exceed-action transmit causes class-map configurations to conflict for the same class-map.
Workaround: If you plan to change a class-map action, such as exceed-action, you need to remove the class-map with the no class c1 command under policy-map submode. Then, apply the new class-map with the updated changes.
(CSCsk70826)
•
If burst is not explicitly configured for a single rate policer, the show policy-map command displays an incorrect burst value.
Workaround: Enter the show policy-map interface command. (CSCsi71036)
•
When you enter the show policy-map vlan vlan command, unconditional marking actions that are configured on the VLAN are not shown.
Workaround: None. However, if you enter the show policy-map name, the unconditional marking actions are displayed. (CSCsi94144)
•
You observe a .05% loss on WS-X4908-10GE when sending traffic at 99% of the port capacity.
Workaround: None. (CSCsl39767)
•
IGMP snooping entries are active even after disabling IGMP snooping globally and per VLAN.
Workarounds: Disable IGMP snooping on all the relevant VLANs before disabling it globally.
•
IPv6 MLD entries are active even if an IPv6 MLD related configuration does not exist.
Workaround: Unconfigure all generic QOS policies from the system. (CSCsq84853)
•
IPv6 entries are active in the CAM; the CPU receives IPv6 packets.
Workaround: Unconfigure any generic QOS policies from the system. The QoS policies with the match any attribute cause IPv6 entries to become active. If the switch is a pure Layer 2 device, remove the generic protocol family attributes and narrow it to the protocol family.
(CSCsq84796)
•
Initially, REP configured with VLAN Load Balancing (VLB) works correctly. When you issue a force-switchover on the switch that has a port acting as the secondary ALT port, a loop is induced in the topology.
Workaround: Enter shut, then no-shut on any REP port (of the same segment in which VLB is configured) in the topology. (CSCsq75342)
•
In Cisco IOS Release 12.2(46)SG, if flexlink is applied to a pair of etherchannels, then flexlink config may not be applied after a reboot, if the backup EtherChannel is defined after the flexlink configuration.
Workaround: Define the backup etherchannel before applying the flexlink command. (CSCsq13477)
•
In Cisco IOS Release 12.2(46)SG, if an etherchannel is a member of a flexlink pair, then static MAC addresses configured on the EtherChannel are not moved to the alternate port when the EtherChannel fails (flexlink failure).
Workaround: None. (CSCsq99468)
•
Performing a default interface operation on an interface with auto-QoS enabled results in an error message and the loss of the auto-QoS configuration. For example, the following sequence of operation results in a loss of the configuration:
config-if# auto qos voip cisco-phone
config# default interface interface-name
Workaround: Replace the default interface command with the following:
config# interface interface-number
config-if# switchport
(CSCsq47116)
•
The IPv6 ICMP neighbor state changes from REACH to STALE after 15 seconds of inactivity on the link.
Workaround: Ping the global and link local addresses of the neighbor to ascertain and reinstate reachability. (CSCsq77181)
•
IPv6 EIGRP routes are not learned through the port channel.
Workaround: Unconfigure the port channel and the associated physical port, and reconfigure them.
(CSCsq74229)
•
When a CFM Inward Facing MEP (IFM) is configured on a VLAN that is not allocated on a switch port that is DOWN, the show ethernet cfm maintenance-points local command displays the IFM CC Status as Inactive. Then, when you allocate the VLAN, the CC-status remains Inactive.
You only see this symptom if you did not allocate a VLAN before you configured the IFM, then at a later time allocate the same VLAN.
Workaround: Unconfigure, then reconfigure the IFM on the port.
•
Ordinarily, the output of a CFM Traceroute from a MEP lists the next hop name (device/host name) for each hop up to the other MEP. When CFM over EtherChannel exists between the two MEPs, CFM Traceroute issued from a MEP does not show the next hop name.
Workaround: None. (CSCso50659)
•
An IP unnumbered configuration is lost after a reload.
Workarounds: Do one of the following:
–
After a reload, copy the startup-config to the running-config.
–
Use a loopback interface as the target of the ip unnumbered command.
–
Change the CLI configuration such that during bootup, the router port is created first.
(CSCsq63051)
•
In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
When you configure ip source binding statically on an interface, and then remove the linecard on which the interface resides, the entries are not removed from the running config.
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
If you configure OFM on an Etherchannel (with at least two interfaces), when you shut or remove the first member that joined the channel, the CFM neighbor is lost.
Workaround: Clear the errors with the clear ethernet cfm errors command in EXEC mode. (CSCsv43819)
•
Duplicate serial number error messages are reported when you switch a One X Convertor with SFP+, an SFP+, or an X2 to another port, and the inserted port enters a faulty status.
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
The presence of features and Per Vlan Capture might exhaust the TCAM masks.
Workaround: Disable Per VLAN Capture or some of the features. (CSCsr95455)
•
Ping does not execute prior to a posture validation.
Workaround: Reapply the identity policy on the interface with the permit icmp command. (CSCsu03507)
•
On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
On a switch running Cisco IOS Release 12.2(50)SG, supplicants authorized on PVLAN in multi-auth host mode are not moved to an Unauthorized state when the PVLAN is removed.
This problem occurs only when a port is configured with PVLAN and 802.1X multi-auth.
Workaround: Shut down then reopen the interface. (CSCsr58573)
•
When the switch port configured with 802.1X Multi-Domain Authentication (MDA) and Guest VLAN is connected to a non-802.1X supplicant PC through a hub, the port falls back to guest VLAN. Subsequently, it is stuck in the guest VLAN and ignores all EAPOL traffic from another 802.1X supplicant PC connected to the hub.
Workaround: None. (CSCsu42775)
•
VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
Egress traffic may not be allowed when 802.1X is configured as a Unidirectional Controlled Port.
Workarounds: Do one of the following:
–
Enter spanning-tree portfast then authentication control-direction in on a 802.1X port.
–
Enter shut then no shut on a 802.1X port.
(CSCsv05205)
•
When you remove an SFP+ from a OneX converter in an X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in a Duplicate Seeprom error message.
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
Enter any commands for that port.
–
Insert an SFP+ in that port.
–
Reinsert the removed SFP+ in any other port.
(CSCsv90044)
•
The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.
Workaround: None. (CSCsr95941)
•
When a PVLAN isolated port is connected to a router serving as a multicast source, and you enable igmp snooping, the routers connected to the isolated ports display as PIM neighbors.
Workaround: Do one of the following:
–
Do not attach routers to PVLAN isolated ports.
–
Disable igmp snooping (either globally or on the VLAN).
–
Do not use a router connected to PVLAN isolated port as a multicast source.
(CSCsu39009)
•
When you delete and recreate an interface, the tracking process is unable to track its state.
Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)
•
The switch may reload after destroying the expExpressionTable row via SNMP when you enable the debug management expression evaluator command.
Workaround: Remove the above debug command. (CSCsu67323)
•
IP Router Option may not work with IGMP version 2.
Workaround: None. (CSCsv42869)
•
A router may crash when a privilege-level 15 user logs on with the callback or callback-dialstring attribute.
This problem is seen on all Catalyst 4500 or 4900 chassis running Cisco IOS Release 12.2(50)SG. The problem occurs when the following conditions are present:
–
The router is configured with AAA authentication and authorization.
–
The AAA server runs CiscoSecure ACS 2.4.
–
The callback or callback-dialstring attribute is configured on the AAA server for the user.
Workarounds: Do not configure the callback or callback-dialstring attribute for the user. If you use the callback-dialstring attribute in the TACACS+ profile, ensure that the NULL value is not configured. (CSCei62358)
•
When you attempt an ISSU upgrade or downgrade between Cisco IOS Release 12.2(50)SG and 12.2(44)SG or 12.2(46)SG, the switch displays a traceback.
Workaround: None. (CSCsw32519)
•
If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
Reconfigure the VLAN Load Balancing configuration on the desired REP ports.
b.
Shut any one REP port in the segment to cause a failure in that segment.
c.
No-shut that port to restore normal REP topology with one ALT port.
d.
Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.
(CSCsv69853)
•
After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
This applies to classic or E-series Catalyst 4500 supervisor engines running Cisco IOS Release 12.2(50)SG.
Workaround: None. (CSCsw14005)
•
Entering the channel-group x mode or channel-protocol followed by lacp or pagp command on an fa1 management interface causes the active supervisor engine to reload.
Port-channel functionality is not supported on the management interface.
This is a configuration error.
Workaround: None. (CSCsv91302)
•
Ordinarily, you observe the following messages frequently in the logs:
001298: .Oct 8 01:38:50.968: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0aPErr interrupt. errAddr: 0x2947 dPErr: 1 mPErr: 0 valid: 1
001299: .Oct 8 01:51:20.100: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0aPErr interrupt. errAddr: 0x2B59 dPErr: 1 mPErr: 0 valid: 1
They imply no impact to performance.
Workaround: None. (CSCsv17545)
•
The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to an IP phone (with CDP port status TLV support) that is connected to the switch.
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
On classic series supervisors and Supervisor Engine 6-E running Cisco IOS Release 12.2(50)SG and later releases, egress traffic is not allowed on ports configured for Wake-on-LAN (through the authentication control-direction in command) and Multi-domain Authentication (MDA) (through the authentication host-mode multi-domain command) before the port is authorized.
Workaround: None. CSCsy29140
•
Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk port. However, the traffic is properly classified and the actions configured in the policy are applied properly.
Workaround: None. CSCsy72343
•
On a Catalyst 4900M switch, when you use a WS-X4908-10GE card with CVR-X2-SFP twin gig converters, the giga ports do not link up to the peer device that sends a remote fault. The show int status | inc gi x/y command indicates notconnect.
Similar behavior is observed with Supervisor Engine 6-E uplinks and the WS-X4706-10GE line card.
This behavior is seen in Cisco IOS Releases 12.2(50)SG through 12.2(50)SG3 when the peer device sends a remote fault.
Workaround: Disable auto negotiation at both ends.
(CSCta02425)
Resolved Caveats in Cisco IOS Release 12.2(50)SG2
This section lists the resolved caveats in Release 12.2(50)SG2:
•
Packets for traffic destined to SNAP host might be dropped if the ARP table indicates that the MAC entry is SNAP.
Workarounds:
1. Configure a static ARPA entry for the host.
2. Upgrade to a future IOS release containing the fix.
CSCsu90780
•
On a Catalyst 4500 switch running 12.2(50)SG or 12.2(50)SG1, when 802.1X VVID and port security are configured together on a switch port, inserting a non 802.1x capable Cisco IP phone with a PC behind it may trigger a security violation.
Workaround: None. CSCsv63638
•
If you configure multiple REP segments, pre-emption in one segment brings down all REP segments.
Workaround: None. CSCsv91297
•
On a Catalyst 4500 series switch, if an isolated private VLAN trunk interface flaps, the ingress per-port per-vlan policer is no longer applied on the port.
Affected Cisco IOS releases include 12.2(31)SGA08, 12.2(37)SG, 12.2(40)SG, 12.2(46)SG, and 12.2(50)SG.
Workaround: Disable and configure QoS, as follows:
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# no qos
Switch(config)# qos
Switch(config)# end
Switch#
CSCsw19087
•
On a Catalyst 4500 redundant switch running Cisco IOS Release 12.2(50)SG or 12.2(50)SG1, when 802.1X VVID and port security are configured together on a switch port, the CDP MAC from the non 802.1X capable Cisco IP phone may not be added to the port security table on the standby supervisor engine.
Workaround: None. CSCsw29489
•
A crash occurs when you enter the show idprom interface FastEthernet 1 command.
Workaround: None. CSCsw77413
•
Hosts are not authenticated through MAB when you configure a port for single-host mode (with the authentication host-mode single-host command) and Wake-on-LAN (with the authentication control-direction in command).
Workarounds: Disable Wake-on-LAN with the no authentication control-direction in command.
CSCsx98360
•
On a Catalyst 4500 series switch running Cisco IOS Release 12.2(50)SG or 12.2(50)SG1, when you configure both 802.1X VVID and port security together on a switch port, then insert a non-802.1X capable Cisco IP phone with LLDP capability and a PC behind it, you might trigger a security violation. The violation is triggered when the PC behind the phone gets authorized on the port before the IP phone sends an LLDP packet.
Workaround: Turn off LLDP on the switch and Cisco IP phone from Call Manager.
CSCsy21167
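Added example (not from the Cisco release notes): a Python check that reads an IOS-style running-config and flags interfaces whose commands match the conditions of CSCsx98360, CSCsy29140, and CSCsv91302 described above. The sample configuration, interface names, and function names are constructed for illustration; treating a port with no host-mode line as single-host is an assumption, and the script does not check the IOS release or whether MAB is in use.

```python
import re

# Constructed sample running-config for illustration (not from the release notes).
SAMPLE_CONFIG = """\
interface FastEthernet1
 ip address 192.0.2.10 255.255.255.0
 channel-group 1 mode active
!
interface GigabitEthernet1/1
 switchport mode access
 authentication control-direction in
 authentication host-mode single-host
!
interface GigabitEthernet1/2
 switchport mode access
 authentication control-direction in
 authentication host-mode multi-domain
!
interface GigabitEthernet1/3
 switchport mode access
 authentication host-mode multi-domain
!
interface GigabitEthernet1/4
 switchport mode access
 authentication control-direction in
!
"""

WOL = "authentication control-direction in"
HOST_MODE = "authentication host-mode "


def parse_interfaces(config_text):
    """Return {interface name: [normalized sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        header = re.match(r"^interface\s+(\S.*?)\s*$", raw)
        if header:
            current = header.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(" ".join(raw.split()))
        else:
            current = None  # "!" or a global command closes the interface block
    return interfaces


def audit(config_text):
    """Return sorted (interface, caveat id) pairs for the combinations the caveats name."""
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        modes = [c[len(HOST_MODE):] for c in cmds if c.startswith(HOST_MODE)]
        # Assumption: a port with no host-mode line runs single-host, the IOS default.
        mode = modes[-1] if modes else "single-host"
        if WOL in cmds and mode == "single-host":
            findings.append((name, "CSCsx98360"))   # MAB hosts not authenticated
        if WOL in cmds and mode == "multi-domain":
            findings.append((name, "CSCsy29140"))   # egress blocked before authorization
        is_fa1 = re.fullmatch(r"fa(stethernet)?\s*1", name, re.IGNORECASE)
        if is_fa1 and any(re.match(r"channel-(group|protocol)\b", c) for c in cmds):
            findings.append((name, "CSCsv91302"))   # supervisor reload on fa1
    return sorted(findings)


if __name__ == "__main__":
    for interface, caveat in audit(SAMPLE_CONFIG):
        print(f"{interface}: matches the conditions of {caveat}")
```

Run it against a saved copy of the running-config before upgrading or changing 802.1X port settings; a hit means the port's configuration matches a caveat's stated conditions, not that the fault has occurred.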
Open Caveats in Cisco IOS Release 12.2(50)SG1
This section lists the open caveats in Cisco IOS Release 12.2(50)SG1:
•
Software QoS does not match a .1Q packet properly for applying the desired QoS actions.
Workarounds: None.
Support for handling .1Q packets in software QoS lookup is unavailable in Cisco IOS Release 12.2(40)SG. (CSCsk66449)
•
Under some conditions, one or more flows continue to be dropped because of DBL even after DBL has been removed from the service-policy.
When an output service-policy is attached to an interface and if the policy is configured to apply DBL on a queue, the flows that are enqueued to the queue are subjected to the DBL algorithm. If one or more flows are classified as belligerent (flows do not back-off in response to drops because of congestion in the queue), those flows continue to be classified as belligerent even when DBL is disabled on that queue.
For this condition to persist, the transmit queues in question must remain congested for a long period of time and that congestion must be caused by flows that remain belligerent.
Workaround: Provided the queue in question is non-default (queuing actions are not configured in the class-default class of the policy-map), detach and re-attach the service-policy.
If this happens on the default queue, modifying and resetting some queuing parameters like bandwidth/shape fixes the issue. (CSCsk62457)
•
When a Catalyst 4900M switch encounters either a fan tray failure or a supervisor critical temperature, the chassis shuts off. The output of the show crashdump command will not indicate the cause of the power-down.
Workarounds: Use the show log command to determine the cause of the power-down.
–
If the log has LogGalInsufficientFansDetected messages, the cause was a fan-tray failure.
–
If the log has LogRkiosModuleShutdownTemp messages, the cause was that the supervisor critical temperature exceeded the failure threshold.
(CSCsk48632)
•
A Catalyst 4900M switch will support a maximum of 32 MTU values system wide.
On a Catalyst 4900M running Cisco IOS Release 12.2(40)SG, all MTU values configured on a line card are set to default when the module is reset. Furthermore, MTU values are not retained for modules that are physically moved.
Workaround: None. (CSCsk52542)
•
On rare occasions, if you use an X2 SR transceiver on a WS-X4706-10GE running Cisco IOS Release 12.2(40)SG, you will observe CRC errors after a reload or power cycle when you insert the card or the X2.
Workaround: Reinsert the X2. (CSCsk43618)
•
Control plane policing applied to DHCP traffic as identified by the system class-maps system-cpp-dhcp-cs, system-cpp-dhcp-sc, and system-cpp-dhcp-ss may not be effective.
Workaround: None. (CSCsk67395)
•
When the CPU transmits a .1X packet on an interface that has an egress QoS policy attached, the packet is not matched and exits without any QoS marking actions.
When a packet is sent to the CPU it may get sent out on some other interface. If so, the original COS value for a .1X packet cannot be matched by software QoS (as per CSCsk66449). The packet is transmitted with whatever COS value it was generated with (7, for the MLDv1 packets described here).
Workaround: None.
Part of the root cause of this problem is captured through CSCsk66449, which indicates that the software QoS cannot match against a .1X packet. (CSCsk72544)
•
If a class-map is configured with exceed-action drop, re-configuring the same class-map with exceed-action transmit causes class-map configurations to conflict for the same class-map.
Workaround: If you plan to change a class-map action, such as exceed-action, you need to remove the class-map with the no class c1 command under policy-map submode. Then, apply the new class-map with the updated changes.
(CSCsk70826)
•
If burst is not explicitly configured for a single rate policer, the show policy-map command displays an incorrect burst value.
Workaround: Enter the show policy-map interface command. (CSCsi71036)
•
When you enter the show policy-map vlan vlan command, unconditional marking actions that are configured on the VLAN are not shown.
Workaround: None. However, if you enter the show policy-map name, the unconditional marking actions are displayed. (CSCsi94144)
•
You observe a .05% loss on WS-X4908-10GE when sending traffic at 99% of the port capacity.
Workaround: None. (CSCsl39767)
•
IGMP snooping entries are active even after disabling IGMP snooping globally and per VLAN.
Workarounds: Disable IGMP snooping on all the relevant VLANs before disabling it globally.
•
IPv6 MLD entries are active even if an IPv6 MLD related configuration does not exist.
Workaround: Unconfigure all generic QOS policies from the system. (CSCsq84853)
•
IPv6 entries are active in the CAM; the CPU receives IPv6 packets.
Workaround: Unconfigure any generic QOS policies from the system. The QoS policies with the match any attribute cause IPv6 entries to become active. If the switch is a pure Layer 2 device, remove the generic protocol family attributes and narrow it to the protocol family.
(CSCsq84796)
•
Initially, REP configured with VLAN Load Balancing (VLB) works correctly. When you issue a force-switchover on the switch that has a port acting as the secondary ALT port, a loop is induced in the topology.
Workaround: Enter shut, then no-shut on any REP port (of the same segment in which VLB is configured) in the topology. (CSCsq75342)
•
In Cisco IOS Release 12.2(46)SG, if flexlink is applied to a pair of etherchannels, then flexlink config may not be applied after a reboot, if the backup EtherChannel is defined after the flexlink configuration.
Workaround: Define the backup etherchannel before applying the flexlink command. (CSCsq13477)
•
In Cisco IOS Release 12.2(46)SG, if an etherchannel is a member of a flexlink pair, then static MAC addresses configured on the EtherChannel are not moved to the alternate port when the EtherChannel fails (flexlink failure).
Workaround: None. (CSCsq99468)
•
Performing a default interface operation on an interface with auto-QoS enabled results in an error message and the loss of the auto-QoS configuration. For example, the following sequence of operations results in a loss of the configuration:
config-if# auto qos voip cisco-phone
config# default interface interface-name
Workaround: Replace the default interface command with the following:
config# interface interface-number
config-if# switchport
(CSCsq47116)
•
The IPv6 ICMP neighbor state changes from REACH to STALE after 15 secs of inactivity on the link.
Workaround: Ping the global and link local addresses of the neighbor to ascertain and reinstate reachability. (CSCsq77181)
•
IPv6 EIGRP routes are not learned through the port channel.
Workaround: Unconfigure the port channel and the associated physical port, and reconfigure them.
(CSCsq74229)
•
When a CFM Inward Facing MEP (IFM) is configured on a VLAN that is not allocated on a switch port that is DOWN, the show ethernet cfm maintenance-points local command displays the IFM CC Status as Inactive. Then, when you allocate the VLAN, the CC-status remains Inactive.
You only see this symptom if you did not allocate a VLAN before you configure the IFM, then at a later time allocate the same VLAN.
Workaround: Unconfigure, then reconfigure the IFM on the port.
•
Ordinarily, the output of a CFM Traceroute from a MEP lists the next hop name (device/host name) for each hop up to the other MEP. When CFM over EtherChannel exists between the two MEPs, CFM Traceroute issued from a MEP does not show the next hop name.
Workaround: None. (CSCso50659)
•
An IP unnumbered configuration is lost after a reload.
Workarounds: Do one of the following:
–
After a reload, copy the startup-config to the running-config.
–
Use a loopback interface as the target of the ip unnumbered command.
–
Change the CLI configuration such that during bootup, the router port is created first.
(CSCsq63051)
•
In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
When you configure ip source binding statically on an interface, and then remove the linecard on which the interface resides, the entries are not removed from the running config.
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
If you configure OFM on an Etherchannel (with at least two interfaces), when you shut or remove the first member that joined the channel, the CFM neighbor is lost.
Workaround: Clear the errors with the clear ethernet cfm errors command in EXEC mode. (CSCsv43819)
•
Duplicate serial number error messages are reported when you move a One X Convertor with SFP+, an SFP+, or an X2 to another port, and the inserted port enters a faulty status.
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
The presence of features and Per Vlan Capture might exhaust the TCAM masks.
Workaround: Disable Per VLAN Capture or some of the features. (CSCsr95455)
•
Ping does not execute prior to a posture validation.
Workaround: Reapply the identity policy on the interface with the permit icmp command. (CSCsu03507)
•
On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1X multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
On a switch running Cisco IOS Release 12.2(50)SG, supplicants authorized on PVLAN in multi-auth host mode are not moved to an Unauthorized state when the PVLAN is removed.
This problem occurs only when a port is configured with PVLAN and 802.1X multi-auth.
Workaround: Shut down then reopen the interface. (CSCsr58573)
•
When the switch port configured with 802.1X Multi-Domain Authentication (MDA) and Guest VLAN is connected to a non-802.1X supplicant PC through a hub, the port falls back to guest VLAN. Subsequently, it is stuck in the guest VLAN and ignores all EAPOL traffic from another 802.1X supplicant PC connected to the hub.
Workaround: None. (CSCsu42775)
•
VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.
Workaround: For VTP database propagation, configure an ISL/dot1q trunk port. (CSCsu43445)
•
Egress traffic may not be allowed when 802.1X is configured as a Unidirectional Controlled Port.
Workarounds: Do one of the following:
–
Enter spanning-tree portfast then authentication control-direction in on an 802.1X port.
–
Enter shut then no shut on an 802.1X port.
(CSCsv05205)
•
When you remove an SFP+ from a OneX converter in an X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in a Duplicate Seeprom error message.
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
Enter any commands for that port.
–
Insert an SFP+ in that port.
–
Reinsert the removed SFP+ in any other port.
(CSCsv90044)
•
The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.
Workaround: None. (CSCsr95941)
•
When a PVLAN isolated port is connected to a router serving as a multicast source, and you enable IGMP snooping, the routers connected to the isolated ports display as PIM neighbours.
Workaround: Do one of the following:
–
Do not attach routers to PVLAN isolated ports.
–
Disable igmp snooping (either globally or on the VLAN).
–
Do not use a router connected to a PVLAN isolated port as a multicast source.
(CSCsu39009)
•
When you delete and recreate an interface, the tracking process is unable to track its state.
Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)
•
The switch may reload after destroying the expExpressionTable row via SNMP when you enable the debug management expression evaluator command.
Workaround: Remove the above debug command. (CSCsu67323)
•
IP Router Option may not work with IGMP version 2.
Workaround: None. (CSCsv42869)
•
A router may crash when a privilege-level 15 user logs on with the callback or callback-dialstring attribute.
This problem is seen on all Catalyst 4500 or 4900 chassis running Cisco IOS Release 12.2(50)SG. The problem occurs when the following conditions are present:
–
The router is configured with AAA authentication and authorization.
–
The AAA server runs CiscoSecure ACS 2.4.
–
The callback or callback-dialstring attribute is configured on the AAA server for the user.
Workarounds: Do not configure the callback or callback-dialstring attribute for the user. If you use the callback-dialstring attribute in the TACACS+ profile, ensure that the NULL value is not configured. (CSCei62358)
•
When you attempt an ISSU upgrade or downgrade between Cisco IOS Release 12.2(50)SG and 12.2(44)SG or 12.2(46)SG, the switch displays a traceback.
Workaround: None. (CSCsw32519)
•
If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
Reconfigure the VLAN Load Balancing configuration on the desired REP ports.
b.
Shut any one REP port in the segment to cause a failure in that segment.
c.
No-shut that port to restore normal REP topology with one ALT port.
d.
Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.
(CSCsv69853)
•
After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
This applies to classic or E-series Catalyst 4500 supervisor engines running Cisco IOS Release 12.2(50)SG.
Workaround: None. (CSCsw14005)
•
Entering the channel-group x mode or channel-protocol followed by lacp or pagp command on an fa1 management interface causes the active supervisor engine to reload.
Port-channel functionality is not supported on the management interface.
This is a configuration error.
Workaround: None. (CSCsv91302)
•
On a Catalyst 4900M switch, when you use a WS-X4908-10GE card with CVR-X2-SFP twin gig converters, the giga ports do not link up to the peer device that sends a remote fault. The show int status | inc gi x/y command indicates notconnect.
Similar behavior is observed with Supervisor Engine 6-E uplinks and the WS-X4706-10GE line card.
This behavior is seen in Cisco IOS Releases 12.2(50)SG through 12.2(50)SG3 when the peer device sends a remote fault.
Workaround: Disable auto negotiation at both ends.
(CSCta02425)
Resolved Caveats in Cisco IOS Release 12.2(50)SG1
This section lists the resolved caveats in Release 12.2(50)SG1:
•
When port security is configured on a port connected to a host via an IP phone and the host is disconnected, the host's MAC address is not removed from the port security MAC address table even if the IP phone and switch support the CDP 2nd port disconnect TLV feature.
Workaround: To remove the host's MAC address from the port security MAC address table, unconfigure and reconfigure port security on the port. (CSCsr74097)
Open Caveats in Cisco IOS Release 12.2(50)SG
This section lists the open caveats in Cisco IOS Release 12.2(50)SG:
•
Software QoS does not match a .1Q packet properly for applying the desired QoS actions.
Workarounds: None.
Support for handling .1Q packets in software QoS lookup is unavailable in Cisco IOS Release 12.2(40)SG. (CSCsk66449)
•
Under some conditions, one or more flows continue to be dropped because of DBL even after DBL has been removed from the service-policy.
When an output service-policy is attached to an interface and if the policy is configured to apply DBL on a queue, the flows that are enqueued to the queue are subjected to the DBL algorithm. If one or more flows are classified as belligerent (flows do not back-off in response to drops because of congestion in the queue), those flows continue to be classified as belligerent even when DBL is disabled on that queue.
For this condition to persist, the transmit queues in question must remain congested for a long period of time and that congestion must be caused by flows that remain belligerent.
Workaround: Provided the queue in question is non-default (queuing actions are not configured in the class-default class of the policy-map), detach and re-attach the service-policy.
If this happens on the default queue, modifying and resetting some queuing parameters like bandwidth/shape fixes the issue. (CSCsk62457)
•
When a Catalyst 4900M switch encounters either a fan tray failure or a supervisor critical temperature, the chassis shuts off. The output of the show crashdump command will not indicate the cause of the power-down.
Workarounds: Use the show log command to determine the cause of the power-down.
–
If the log has LogGalInsufficientFansDetected messages, the cause was a fan-tray failure.
–
If the log has LogRkiosModuleShutdownTemp messages, the cause was that the supervisor critical temperature exceeded the failure threshold.
(CSCsk48632)
•
A Catalyst 4900M switch will support a maximum of 32 MTU values system wide.
On a Catalyst 4900M running Cisco IOS Release 12.2(40)SG, all MTU values configured on a line card are set to default when the module is reset. Furthermore, MTU values are not retained for modules that are physically moved.
Workaround: None. (CSCsk52542)
•
On rare occasions, if you use an X2 SR transceiver on a WS-X4706-10GE running Cisco IOS Release 12.2(40)SG, you will observe CRC errors after a reload or power cycle when you insert the card or the X2.
Workaround: Reinsert the X2. (CSCsk43618)
•
Control plane policing applied to DHCP traffic as identified by the system class-maps system-cpp-dhcp-cs, system-cpp-dhcp-sc, and system-cpp-dhcp-ss may not be effective.
Workaround: None. (CSCsk67395)
•
When the CPU transmits a .1X packet on an interface that has an egress QoS policy attached, the packet is not matched and exits without any QoS marking actions.
When a packet is sent to the CPU it may get sent out on some other interface. If so, the original COS value for a .1X packet cannot be matched by software QoS (as per CSCsk66449). The packet is transmitted with whatever COS value it was generated with (7, for the MLDv1 packets described here).
Workaround: None.
Part of the root cause of this problem is captured through CSCsk66449, which indicates that the software QoS cannot match against a .1X packet. (CSCsk72544)
•
If a class-map is configured with exceed-action drop, re-configuring the same class-map with exceed-action transmit causes class-map configurations to conflict for the same class-map.
Workaround: If you plan to change a class-map action, such as exceed-action, you need to remove the class-map with the no class c1 command under policy-map submode. Then, apply the new class-map with the updated changes.
(CSCsk70826)
•
If burst is not explicitly configured for a single rate policer, the show policy-map command displays an incorrect burst value.
Workaround: Enter the show policy-map interface command. (CSCsi71036)
•
When you enter the show policy-map vlan vlan command, unconditional marking actions that are configured on the VLAN are not shown.
Workaround: None. However, if you enter the show policy-map name, the unconditional marking actions are displayed. (CSCsi94144)
•
You observe a .05% loss on WS-X4908-10GE when sending traffic at 99% of the port capacity.
Workaround: None. (CSCsl39767)
•
IGMP snooping entries are active even after disabling IGMP snooping globally and per VLAN.
Workarounds: Disable IGMP snooping on all the relevant VLANs before disabling it globally.
•
IPv6 MLD entries are active even if an IPv6 MLD related configuration does not exist.
Workaround: Unconfigure all generic QOS policies from the system. (CSCsq84853)
•
IPv6 entries are active in the CAM; the CPU receives IPv6 packets.
Workaround: Unconfigure any generic QOS policies from the system. The QoS policies with the match any attribute cause IPv6 entries to become active. If the switch is a pure Layer 2 device, remove the generic protocol family attributes and narrow it to the protocol family.
(CSCsq84796)
•
Initially, REP configured with VLAN Load Balancing (VLB) works correctly. When you issue a force-switchover on the switch that has a port acting as the secondary ALT port, a loop is induced in the topology.
Workaround: Enter shut, then no-shut on any REP port (of the same segment in which VLB is configured) in the topology. (CSCsq75342)
•
In Cisco IOS Release 12.2(46)SG, if flexlink is applied to a pair of etherchannels, then flexlink config may not be applied after a reboot, if the backup EtherChannel is defined after the flexlink configuration.
Workaround: Define the backup etherchannel before applying the flexlink command. (CSCsq13477)
•
In Cisco IOS Release 12.2(46)SG, if an etherchannel is a member of a flexlink pair, then static MAC addresses configured on the EtherChannel are not moved to the alternate port when the EtherChannel fails (flexlink failure).
Workaround: None. (CSCsq99468)
•
Performing a default interface operation on an interface with auto-QoS enabled results in an error message and the loss of the auto-QoS configuration. For example, the following sequence of operations results in a loss of the configuration:
config-if# auto qos voip cisco-phone
config# default interface interface-name
Workaround: Replace the default interface command with the following:
config# interface interface-number
config-if# switchport
(CSCsq47116)
•
The IPv6 ICMP neighbor state changes from REACH to STALE after 15 secs of inactivity on the link.
Workaround: Ping the global and link local addresses of the neighbor to ascertain and reinstate reachability. (CSCsq77181)
•
IPv6 EIGRP routes are not learned through the port channel.
Workaround: Unconfigure the port channel and the associated physical port, and reconfigure them.
(CSCsq74229)
•
When a CFM Inward Facing MEP (IFM) is configured on a VLAN that is not allocated on a switch port that is DOWN, the show ethernet cfm maintenance-points local command displays the IFM CC Status as Inactive. Then, when you allocate the VLAN, the CC-status remains Inactive.
You only see this symptom if you did not allocate a VLAN before you configure the IFM, then at a later time allocate the same VLAN.
Workaround: Unconfigure, then reconfigure the IFM on the port.
•
Ordinarily, the output of a CFM Traceroute from a MEP lists the next hop name (device/host name) for each hop up to the other MEP. When CFM over EtherChannel exists between the two MEPs, CFM Traceroute issued from a MEP does not show the next hop name.
Workaround: None. (CSCso50659)
•
An IP unnumbered configuration is lost after a reload.
Workarounds: Do one of the following:
–
After a reload, copy the startup-config to the running-config.
–
Use a loopback interface as the target of the ip unnumbered command.
–
Change the CLI configuration such that during bootup, the router port is created first.
(CSCsq63051)
•
In SSO mode, when a port channel is created, deleted, and re-created on an active supervisor engine with the same channel number, the standby port channel state goes out of sync. After a switchover, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the port channel, create a new channel. (CSCsr00333)
•
When you configure ip source binding statically on an interface, and then remove the linecard on which the interface resides, the entries are not removed from the running config.
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the linecard. (CSCsv54529)
•
If you configure OFM on an EtherChannel (with at least two interfaces), when you shut or remove the first member that joined the channel, the CFM neighbor is lost.
Workaround: Clear the errors with the clear ethernet cfm errors command in EXEC mode. (CSCsv43819)
•
When you switch a OneX converter with SFP+, an SFP+, or an X2 to another port, duplicate serial number error messages are reported and the inserted port enters a faulty status.
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E and linecards.
Workaround: Remove and reinsert the OneX converter with SFP+, the SFP+ alone, or the X2 after some perceivable delay. (CSCsu43461)
•
The presence of features and Per VLAN Capture might exhaust the TCAM masks.
Workaround: Disable Per VLAN Capture or some of the features. (CSCsr95455)
•
Ping does not execute prior to a posture validation.
Workaround: Reapply the identity policy on the interface with the permit icmp command. (CSCsu03507)
•
On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1X multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
On a switch running Cisco IOS Release 12.2(50)SG, supplicants authorized on PVLAN in multi-auth host mode are not moved to an Unauthorized state when the PVLAN is removed.
This problem occurs only when a port is configured with PVLAN and 802.1X multi-auth.
Workaround: Shut down then reopen the interface. (CSCsr58573)
•
When the switch port configured with 802.1X Multi-Domain Authentication (MDA) and Guest VLAN is connected to a non-802.1X supplicant PC through a hub, the port falls back to guest VLAN. Subsequently, it is stuck in the guest VLAN and ignores all EAPOL traffic from another 802.1X supplicant PC connected to the hub.
Workaround: None. (CSCsu42775)
•
VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
Egress traffic may not be allowed when 802.1X is configured as a Unidirectional Controlled Port.
Workarounds: Do one of the following:
–
Enter spanning-tree portfast then authentication control-direction in on an 802.1X port.
–
Enter shut then no shut on an 802.1X port.
(CSCsv05205)
•
When you remove an SFP+ from a OneX converter in an X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in a Duplicate Seeprom error message.
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
Enter any commands for that port.
–
Insert an SFP+ in that port.
–
Reinsert the removed SFP+ in any other port.
(CSCsv90044)
•
The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.
Workaround: None. (CSCsr95941)
•
When a PVLAN isolated port is connected to a router serving as a multicast source, and you enable igmp snooping, the routers connected to the isolated ports display as PIM neighbours.
Workaround: Do one of the following:
–
Do not attach routers to PVLAN isolated ports.
–
Disable igmp snooping (either globally or on the VLAN).
–
Do not use a router connected to PVLAN isolated port as a multicast source.
(CSCsu39009)
•
When you delete and recreate an interface, the tracking process is unable to track its state.
Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)
•
The switch may reload after destroying the expExpressionTable row via SNMP when you enable the debug management expression evaluator command.
Workaround: Remove the above debug command. (CSCsu67323)
•
IP Router Option may not work with IGMP version 2.
Workaround: None. (CSCsv42869)
•
A router may crash when a privilege-level 15 user logs on with the callback or callback-dialstring attribute.
This problem is seen on all Catalyst 4500 or 4900 chassis running Cisco IOS Release 12.2(50)SG. The problem occurs when the following conditions are present:
–
The router is configured with AAA authentication and authorization.
–
The AAA server runs CiscoSecure ACS 2.4.
–
The callback or callback-dialstring attribute is configured on the AAA server for the user.
Workarounds: Do not configure the callback or callback-dialstring attribute for the user. If you use the callback-dialstring attribute in the TACACS+ profile, ensure that the NULL value is not configured. (CSCei62358)



