Release Note for Catalyst 4948 Series Switch, Cisco IOS 12.2EW and 12.2SG [Cisco Catalyst 4900 Series Switches]

Table Of Contents

Release Notes for the Catalyst 4900 Series Switch, Cisco IOS Release 12.2(52)SG

Contents

Cisco IOS Software Packaging for the Cisco Catalyst 4900 Series

Catalyst 4900 Series Switch Cisco IOS Release Strategy

Cisco IOS Software Migration

Summary of Migration Plan

Support

System Requirements

Supported Hardware

Supported Features

Unsupported Features

New and Changed Information

New Hardware Features in Release 12.2(52)SG

New Software Features in Release 12.2(52)SG

New Hardware Features in Release 12.2(50)SG2

New Software Features in Release 12.2(50)SG2

New Hardware Features in Release 12.2(50)SG1

New Software Features in Release 12.2(50)SG1

New Hardware Features in Release 12.2(50)SG

New Software Features in Release 12.2(50)SG

New Hardware Features in Release 12.2(46)SG

New Software Features in Release 12.2(46)SG

New Hardware Features in Release 12.2(44)SG

New Software Features in Release 12.2(44)SG

New Hardware Features in Release 12.2(40)SG

New Software Features in Release 12.2(40)SG

New Hardware Features in Release 12.2(37)SG

New Software Features in Release 12.2(37)SG

New Hardware Features in Release 12.2(31)SGA

New Software Features in Release 12.2(31)SGA

New Hardware Features in Release 12.2(31)SG

New Software Features in Release 12.2(31)SG

New Hardware Features in Release 12.2(25)SG

New Software Features in Release 12.2(25)SG

New Hardware Features in Release 12.2(25)EWA

New Software Features in Release 12.2(25)EWA

New Hardware Features in Release 12.2(25)EW

New Software Features in Release 12.2(25)EW

New Hardware Features in Release 12.2(20)EWA

New Software Features in Release 12.2(20)EWA

Upgrading the System Software

Upgrading the ROMMON from the Console

Upgrading the ROMMON Remotely Using Telnet

Upgrading the Cisco IOS Software

Limitations and Restrictions

Caveats

Open Caveats in Cisco IOS Release 12.2(52)SG

Resolved Caveats in Cisco IOS Release 12.2(52)SG

Open Caveats in Cisco IOS Release 12.2(50)SG2

Resolved Caveats in Cisco IOS Release 12.2(50)SG2

Open Caveats in Cisco IOS Release 12.2(50)SG1

Resolved Caveats in Cisco IOS Release 12.2(50)SG1

Open Caveats in Cisco IOS Release 12.2(50)SG

Resolved Caveats in Cisco IOS Release 12.2(50)SG

Open Caveats in Cisco IOS Release 12.2(46)SG

Resolved Caveats in Cisco IOS Release 12.2(46)SG

Open Caveats in Cisco IOS Release 12.2(44)SG1

Resolved Caveats in Cisco IOS Release 12.2(44)SG1

Open Caveats in Cisco IOS Release 12.2(44)SG

Resolved Caveats in Cisco IOS Release 12.2(44)SG

Open Caveats in Cisco IOS Release 12.2(40)SG

Resolved Caveats in Cisco IOS Release 12.2(40)SG

Open Caveats in Cisco IOS Release 12.2(37)SG1

Resolved Caveats in Cisco IOS Release 12.2(37)SG1

Open Caveats in Cisco IOS Release 12.2(37)SG

Resolved Caveats in Cisco IOS Release 12.2(37)SG

Open Caveats in Cisco IOS Release 12.2(31)SGA10

Resolved Caveats in Cisco IOS Release 12.2(31)SGA10

Open Caveats in Cisco IOS Release 12.2(31)SGA9

Resolved Caveats in Cisco IOS Release 12.2(31)SGA9

Open Caveats in Cisco IOS Release 12.2(31)SGA8

Resolved Caveats in Cisco IOS Release 12.2(31)SGA8

Open Caveats in Cisco IOS Release 12.2(31)SGA7

Resolved Caveats in Cisco IOS Release 12.2(31)SGA7

Open Caveats in Cisco IOS Release 12.2(31)SGA6

Resolved Caveats in Cisco IOS Release 12.2(31)SGA6

Open Caveats in Cisco IOS Release 12.2(31)SGA5

Resolved Caveats in Cisco IOS Release 12.2(31)SGA5

Open Caveats in Cisco IOS Release 12.2(31)SGA4

Resolved Caveats in Cisco IOS Release 12.2(31)SGA4

Open Caveats in Cisco IOS Release 12.2(31)SGA3

Resolved Caveats in Cisco IOS Release 12.2(31)SGA3

Open Caveats in Cisco IOS Release 12.2(31)SGA2

Resolved Caveats in Cisco IOS Release 12.2(31)SGA2

Open Caveats in Cisco IOS Release 12.2(31)SGA1

Resolved Caveats in Cisco IOS Release 12.2(31)SGA1

Open Caveats in Cisco IOS Release 12.2(31)SGA

Resolved Caveats in Cisco IOS Release 12.2(31)SGA

Open Caveats in Cisco IOS Release 12.2(31)SG2

Resolved Caveats in Cisco IOS Release 12.2(31)SG3

Open Caveats in Cisco IOS Release 12.2(31)SG2

Resolved Caveats in Cisco IOS Release 12.2(31)SG2

Open Caveats in Cisco IOS Release 12.2(31)SG1

Resolved Caveats in Cisco IOS Release 12.2(31)SG1

Open Caveats in Cisco IOS Release 12.2(31)SG

Resolved Caveats in Cisco IOS Release 12.2(31)SG

Open Caveats in Cisco IOS Release 12.2(25)SG4

Resolved Caveats in Cisco IOS Release 12.2(25)SG4

Open Caveats in Cisco IOS Release 12.2(25)SG3

Resolved Caveats in Cisco IOS Release 12.2(25)SG3

Open Caveats in Cisco IOS Release 12.2(25)SG2

Resolved Caveats in Cisco IOS Release 12.2(25)SG2

Open Caveats in Cisco IOS Release 12.2(25)SG1

Resolved Caveats in Cisco IOS Release 12.2(25)SG1

Open Caveats in Cisco IOS Release 12.2(25)SG

Resolved Caveats in Cisco IOS Release 12.2(25)SG

Open Caveats in Cisco IOS Release 12.2(25)EWA14

Resolved Caveats in Cisco IOS Release 12.2(25)EWA14

Open Caveats in Cisco IOS Release 12.2(25)EWA13

Resolved Caveats in Cisco IOS Release 12.2(25)EWA13

Open Caveats in Cisco IOS Release 12.2(25)EWA12

Resolved Caveats in Cisco IOS Release 12.2(25)EWA12

Open Caveats in Cisco IOS Release 12.2(25)EWA11

Resolved Caveats in Cisco IOS Release 12.2(25)EWA11

Open Caveats in Cisco IOS Release 12.2(25)EWA10

Resolved Caveats in Cisco IOS Release 12.2(25)EWA10

Open Caveats in Cisco IOS Release 12.2(25)EWA9

Resolved Caveats in Cisco IOS Release 12.2(25)EWA9

Open Caveats in Cisco IOS Release 12.2(25)EWA8

Resolved Caveats in Cisco IOS Release 12.2(25)EWA8

Open Caveats in Cisco IOS Release 12.2(25)EWA7

Resolved Caveats in Cisco IOS Release 12.2(25)EWA7

Open Caveats in Cisco IOS Release 12.2(25)EWA6

Resolved Caveats in Cisco IOS Release 12.2(25)EWA6

Open Caveats in Cisco IOS Release 12.2(25)EWA5

Resolved Caveats in Cisco IOS Release 12.2(25)EWA5

Open Caveats in Cisco IOS Release 12.2(25)EWA4

Resolved Caveats in Cisco IOS Release 12.2(25)EWA4

Open Caveats in Cisco IOS Release 12.2(25)EWA3

Resolved Caveats in Cisco IOS Release 12.2(25)EWA3

Open Caveats in Cisco IOS Release 12.2(25)EWA2

Resolved Caveats in Cisco IOS Release 12.2(25)EWA2

Open Caveats in Cisco IOS Release 12.2(25)EWA1

Resolved Caveats in Cisco IOS Release 12.2(25)EWA1

Open Caveats in Cisco IOS Release 12.2(25)EWA

Resolved Caveats in Cisco IOS Release 12.2(25)EWA

Open Caveats in Cisco IOS Release 12.2(25)EW

Resolved Caveats in Cisco IOS Release 12.2(25)EW

Open Caveats in Cisco IOS Release 12.2(20)EWA4

Resolved Caveats in Cisco IOS Release 12.2(20)EWA4

Open Caveats in Cisco IOS Release 12.2(20)EWA3

Resolved Caveats in Cisco IOS Release 12.2(20)EWA3

Open Caveats in Cisco IOS Release 12.2(20)EWA2

Resolved Caveats in Cisco IOS Release 12.2(20)EWA2

Open Caveats in Cisco IOS Release 12.2(20)EWA1

Resolved Caveats in Cisco IOS Release 12.2(20)EWA1

Open Caveats in Cisco IOS Release 12.2(20)EWA

Resolved Caveats in Cisco IOS Release 12.2(20)EWA

Troubleshooting

Netbooting from the ROMMON

Troubleshooting at the System Level

Troubleshooting Modules

Troubleshooting MIBs

Related Documentation

Hardware Documents

Software Documentation

Cisco IOS Documentation

Notices

OpenSSL/Open SSL Project

License Issues

Obtaining Documentation and Submitting a Service Request

Release Notes for the Catalyst 4900 Series Switch, Cisco IOS Release 12.2(52)SG

Current Release
12.2(52)SG—May 20, 2009

Previous Releases
12.2(50)SG2, 12.1(50)SG1, 12.2(50)SG, 12.2(46)SG, 12.2(44)SG1, 12.2(44)SG, 12.2(37)SG1, 12..2(37)SG, 12.2(31)SGA10, 12.2(31)SGA9, 12.2(31)SGA8, 12.2(31)SGA7, 12.2(31)SGA6, 12.2(31)SGA5, 12.2(31)SGA4, 12.2(31)SGA3, 12.2(31)SGA2, 12.2(31)SGA1, 12.2(31)SGA, 12.2(31)SG3, 12.2(31)SG2, 12.2(31)SG1, 12.2(31)SG, 112.2(25)SG4, 2.2(25)SG3, 12.2(25)SG2, 12.2(25)SG1, 12.2(25)SG, 12.2(25)EWA14, 12.2(25)EWA13, 12.2(25EWA12, 12.2(25)EWA11, 12.2(25)EWA10, 12.2(25)EWA9, 12.2(25)EWA8, 12.2(25)EWA7, 12.2(25)EWA6, 12.2(25)EWA5, 12.2(25)EWA4, 12.2(25)EWA3, 12.2(25)EWA2, 12.2(25)EWA1, 12.2(25)EW, 12.2(20)EWA4, 12.2(20)EWA3, 12.2(20)EWA2, 12.2(20)EWA1, 12.2(20)EWA

These release notes describe the features, modifications, and caveats for the Cisco IOS software on the Catalyst 4900 series switch. The most current software release is Cisco IOS Release 12.2(52)SG.

The most current software release is Cisco IOS Release 12.2(52)SG. The most current release notes for this release is available on Cisco.com at this URL:

http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_release_note09186a008062ff34.html

Note Although their Release Notes are unique, the 4 platforms (Catalyst 4500, Catalyst 4900,
Catalyst ME 4900, and Catalyst 4900M) use the same Software Configuration Guide, Command Reference Guide, and System Message Guide. Refer to this location:
http://www.cisco.com/go/cat4500/docs

Contents

This publication consists of these sections:

•Cisco IOS Software Packaging for the Cisco Catalyst 4900 Series

•Catalyst 4900 Series Switch Cisco IOS Release Strategy

•System Requirements

•New and Changed Information

•Upgrading the System Software

•Limitations and Restrictions

•Caveats

•Troubleshooting

•Related Documentation

•Notices

•Obtaining Documentation and Submitting a Service Request

Cisco IOS Software Packaging for the Cisco Catalyst 4900 Series

A new Cisco IOS Software package for Cisco Catalyst 4900 Series switches was introduced in Cisco IOS Software Release 12.2(25)SG. It is a new foundation for features and functionality and provides consistency across all Cisco Catalyst switches. The new Cisco IOS Software release train is designated as 12.2SG.

Prior Cisco Catalyst 4900 Series Cisco IOS Software images for the Cisco Catalyst 4900 Series Switches, formerly known as Basic Layer 3 and Enhanced Layer 3, now map to IP Base and Enterprise Services, respectively. Border Gateway Protocol (BGP) is now included in the Enterprise Services image. All currently shipping Cisco Catalyst 4900 software features based on Cisco IOS Software are supported in the IP Base image of Release 12.2(44)SG with a few exceptions.

The IP Base image does not support enhanced routing features such as Nonstop Forwarding/Stateful Switchover (NSF/SSO), BGP, Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS), Internetwork Packet Exchange (IPX), AppleTalk, Virtual Routing Forwarding (VRF-lite), GLBP, and policy-based routing (PBR). The IP Base image supports EIGRP-Stub for limited routing on Cisco Catalyst 4900 Series Switches.

The Enterprise Services image supports all Cisco Catalyst 4900 Series software features based on Cisco IOS Software, including enhanced routing. BGP capability is included in the Enterprises Services package.

Cisco IOS Release 12.2(52)XO introduced a LAN Base software image and an IP upgrade image for the fixed configuration switches, WS-X4948 and WS-X4948-10GE. These will complement the existing IP Base and Enterprise Services images. The LAN Base image is primarily focused on customer access and Layer 2 requirements and therefore many of the IP Base features are not required. An IP Upgrade image is available if later you require some of those features.

The LAN Base image will not support the following features currently offered in the IP Base image: FHRP(HSRP/VRRP), GLBP, WCCP, L2PT & QinQ, Netflow, Auto QoS,EIGRP Stub, PIM SM/DM, MLD Snooping, Flex Link, PVST+, RPVST+, EPoE/PoE+, EEM, TDR, SSO,ISSU, CTS and Smartports (Role based Macros).

Note With the LAN Base image, 10GbE uplinks are supported on the Catalyst 4948-10GE switch but not the Catalyst 4948 switch.

Orderable Product Numbers:

•S49IPB-12252SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

•S49IPBK9-12252SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

•S49ES-12252SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with BGP support) (cat4500-entservices-mz)

•S49ESK9-12252SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES and BGP) (cat4500-entservicesk9-mz)

•S49IPB-12250SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

•S49IPBK9-12250SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

•S49ES-12250SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with BGP support) (cat4500-entservices-mz)

•S49ESK9-12250SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES and BGP) (cat4500-entservicesk9-mz)

•S49IPB-12246SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

•S49IPBK9-12246SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

•S49ES-12246SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with BGP support) (cat4500-entservices-mz)

•S49ESK9-12246SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES and BGP) (cat4500-entservicesk9-mz)

•S49IPB-12244SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

•S49IPBK9-12244SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

•S49ES-12244SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with BGP support) (cat4500-entservices-mz)

•S49ESK9-12244SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES and BGP) (cat4500-entservicesk9-mz)

•S49IPB-12240SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

•S49IPBK9-12240SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

•S49ES-12240SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with BGP support) (cat4500-entservices-mz)

•S49ESK9-12240SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES and BGP) (cat4500-entservicesk9-mz)

•S49IPB-12237SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

•S49IPBK9-12237SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

•S49ES-12237SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image) (cat4500-entservices-mz)

•S49ESK9-12237SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES) (cat4500-entservicesk9-mz)

•S49IPB-12231SGA—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

•S49IPBK9-12231SGA—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

•S49ES-12231SGA—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image) (cat4500-entservices-mz)

•S49ESK9-12231SGA—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES) (cat4500-entservicesk9-mz)

Note We recommend that you load 12.2(31)SGA8.

•S49IPB-12231SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)

•S49IPBK9-12231SG—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

•S49ES-12231SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image) (cat4500-entservices-mz)

•S49ESK9-12231SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES) (cat4500-entservicesk9-mz)

•S49IPB-12225SG—Cisco IOS software for the Catalyst 4900 Series Switch (IP Base image) (cat4500-ipbase-mz)

•S49IPBK9-12225SG—Cisco IOS software for the Catalyst 4900 Series Switch (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)

•S49ES-12225SG—Cisco IOS software for the Catalyst 4900 Series Switch (Enterprise Services image with BGP support) (cat4500-entservices-mz)

•S49ESK9-12225SG—Cisco IOS software for the Catalyst 4900 Series Switch (Enterprise Services image with 3DES and BGP support) (cat4500-entservicesk9-mz)

•S4KL3-12225EWA—Cisco IOS software for the Catalyst 4900 series switch, basic Layer 3 and voice software image (RIPv1, RIPv2, Static Routes, AppleTalk, and IPX Software Routing, Release 12.2(25)EWA (cat4000-i9s-mz.122-25.EWA)

•S4KL3E-12225EWA—Cisco IOS software for the Catalyst 4900 series switch, enhanced Layer 3 and voice software image including OSPF, IS-IS, and EIGRP, Release 12.2(25)EWA (cat4000-i5s-mz.122-25.EWA)

•S4KL3K9-12225EWA—Cisco IOS software for the Catalyst 4900 series switch, with 3DES strong encryption, basic Layer 3 and voice software image (SSHv1, SSHv2, RIPv1, RIPv2, static routes, AppleTalk, and IPX), Release 12.2(25)EWA (cat4000-i9k9s-mz.122-25.EWA)

•S4KL3EK9-12225EWA—Cisco IOS software for the Catalyst 4900 series switch, with 3DES strong encryption, enhanced Layer 3 and voice software image including (OSPF, IS-IS, IGRP, and EIGRP), Release 12.2(25)EWA (cat4000-i5k9s-mz.122-25.EWA)

•S4KL3-12220EWA—Cisco IOS software for the Catalyst 4900 series switch, basic Layer 3 and voice software image (RIPv1, RIPv2, Static Routes, AppleTalk, and IPX Software Routing, Release 12.2(20)EWA (cat4000-i9s-mz.122-20.EWA)

•S4KL3E-12220EWA—Cisco IOS software for the Catalyst 4900 series switch, enhanced Layer 3 and voice software image including OSPF, IS-IS, and EIGRP, Release 12.2(20)EWA (cat4000-i5s-mz.122-20.EWA)

•S4KL3K9-12220EWA—Cisco IOS software for the Catalyst 4900 series switch, with 3DES strong encryption, basic Layer 3 and voice software image (SSHv1, SSHv2, RIPv1, RIPv2, static routes, AppleTalk, and IPX), Release 12.2(20)EWA (cat4000-i9k9s-mz.122-20.EWA)

•S4KL3EK9-12220EWA—Cisco IOS software for the Catalyst 4900 series switch, with 3DES strong encryption, enhanced Layer 3 and voice software image including (OSPF, IS-IS, IGRP, and EIGRP), Release 12.2(20)EWA (cat4000-i5k9s-mz.122-20.EWA)

•S4KL3-12220EW—Cisco IOS software for the Catalyst 4900 series switch, basic Layer 3 and voice software image (RIPv1, RIPv2, Static Routes, AppleTalk, and IPX), Release Software Routing, Release 12.2(20)EW (cat4000-i9s-mz.122-20.EW)

•S4KL3E-12220EW—Cisco IOS software for the Catalyst 4900 series switch, enhanced Layer 3 and voice software image including OSPF, IS-IS, and EIGRP, Release 12.2(20)EW (cat4000-i5s-mz.122-20.EW)

•S4KL3K91-12220EW—Cisco IOS software for the Catalyst 4900 series switch, with 3DES strong encryption, basic Layer 3 and voice software image (SSHv1, SSHv2, RIPv1, RIPv2, static routes, AppleTalk, and IPX), Release 12.2(20)EW (cat4000-i9k91s-mz.122-20.EW)

•S4KL3EK91-12220EW—Cisco IOS software for the Catalyst 4900 series switch, with 3DES strong encryption, enhanced Layer 3 and voice software image including (OSPF, IS-IS, and EIGRP), Release 12.2(20)EW (cat4000-i5k91s-mz.122-20.EW)

Catalyst 4900 Series Switch Cisco IOS Release Strategy

Customers with Catalyst 4900 series switches who need the latest hardware support and software features should migrate to Cisco IOS Release 12.2(52)SG.

For more information on the Catalyst 4900 series switches, visit the following URL:

www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/index.htm

Catalyst 4900 Series has two maintenance trains. The Cisco IOS Release 12.2(31)SGA train is the most stable train, and has features found in the Cisco IOS Release 12.2(31)SGA. Currently, the Cisco IOS Release 12.2(31)SGA8 is the recommended release for customers who require a release with a maintenance train.

Cisco IOS Software Migration

Figure 1 displays the two active maintenance trains on the Cisco Catalyst 4900 platform has: 12.2(50)SG and 12.2(31)SGA.

Figure 1 Software Release Strategy for the Catalyst 4900 Series Switches

Summary of Migration Plan

•Customers requiring the latest Cisco Catalyst 4900 Series hardware and software features should migrate to the Cisco IOS Software Release 12.2(50)SG train, which will offer maintenance releases. The latest release from the 12.2(50)SG maintenance train is 12.2(50)SG2.

•Cisco IOS Software Release 12.2(31)SGA will continue offering maintenance releases. The latest release from the 12.2(31)SGA maintenance train is 12.2(31)SGA8.

Support

Support for Cisco IOS Software Release 12.2(52)SG follows the standard Cisco Systems® support policy, available at
http://www.cisco.com/en/US/products/products_end-of-life_policy.html

For more information about the Cisco Catalyst 4900 series switch, visit
http://www.cisco.com/en/US/products/ps6021/index.html

System Requirements

This section describes the system requirements:

•Supported Hardware

•Supported Features

•Unsupported Features

Supported Hardware

The following tables lists the hardware supported on the Catalyst 4900 series switch.

Table 1 Supported Hardware

Product Number (append with "=" for spares)

Product Description

Software Release

Minimum

Recommended

Small Form-Factor Pluggable Modules

GLC-BX-D

1000BASE-BX10-D small form-factor pluggable module

12.2(20)EWA

12.2(31)SGA8

GLC-BX-U

1000BASE-BX10-U small form-factor pluggable module

12.2(20)EWA

12.2(31)SGA8

GLC-SX-MM

1000BASE-SX small form-factor pluggable module

12.2(20)EWA

12.2(31)SGA8

GLC-LH-SM

1000BASE-LX/LH small form-factor pluggable module

12.2(20)EWA

12.2(31)SGA8

GLC-ZX-SM

1000BASE-ZX small form-factor pluggable module

12.2(20)EWA

12.2(31)SGA8

GLC-T

1000BASE-T small form-factor pluggable module

12.2(20)EWA

12.2(31)SGA8

CWDM-SFP-xxxx

CWDM small form-factor pluggable module (See Table 2 for a list of supported wavelengths.)

12.2(20)EWA

12.2(31)SGA8

10 Gigabit Ethernet X2 Pluggable Modules

X2-10GB-LR

10GBASE-LR single-mode X2 module

12.2(25)EWA

12.2(31)SGA8

X2-10GB-SR

10GBASE-SR single-mode X2 module

12.2(25)EWA

12.2(31)SGA8

X2-10GB-CX4

10GBASE-CX4 single-mode X2 module

12.2(25)EWA

12.2(31)SGA8

X2-10GB-LX4

10GBASE-LX4 single-mode X2 module

12.2(25)EWA

12.2(31)SGA8

X2-10GB-LRM

10GBASE-LRM single-mode X2 module

12.2(31)SGA

12.2(31)SGA3

X2-10GB-ER

10GBASE-ER single-mode X2 module

12.2(25)EWA

12.2(31)SGA8

X2-10GB-ZR

10GBASE-ZR X2 transceiver module for SMF, 1550 nm wavelength up to 80 km. DOM is not supported.

12.2(50)SG

12.2(50)SG

X2-10GB-DWDM

10GBASE-ZR X2 transceiver module for SMF, 32 nontunable ITU 100-GHz wavelengths up to 80 km are supported. DOM is supported. Dual SC/PC connectors are supported.

12.2(50)SG

12.2(50)SG

CVR-X2-SFP10G

Hot-swappable input/output (I/O) converter module that fits into a 10-Gigabit Ethernet X2 slot on a switch or line card module. Hosts one 10-Gigabit Ethernet SFP+ transceiver module.

12.2(50)SG

12.2(50)SG

Table 2 briefly describes the supported wavelengths in the Catalyst 4900 series switches.

Table 2 CWDM SFP Supported Wavelengths

Product Number (append with "=" for spares)

Product Description

Software Release

Minimum

Recommended

CWDM-SFP -1470

Longwave 1470 nm laser single-mode

12.2(20)EWA

12.2(31)SGA8

CWDM- SFP -1490

Longwave 1490 nm laser single-mode

12.2(20)EWA

12.2(31)SGA8

CWDM-SFP -1510

Longwave 1510 nm laser single-mode

12.2(20)EWA

12.2(31)SGA8

CWDM-SFP -1530

Longwave 1530 nm laser single-mode

12.2(20)EWA

12.2(31)SGA8

CWDM-SFP -1550

Longwave 1550 nm laser single-mode

12.2(20)EWA

12.2(31)SGA8

CWDM-SFP -1570

Longwave 1570 nm laser single-mode

12.2(20)EWA

12.2(31)SGA8

CWDM-SFP -1590

Longwave 1590 nm laser single-mode

12.2(20)EWA

12.2(31)SGA8

CWDM-SFP -1610

Longwave 1610 nm laser single-mode

12.2(20)EWA

12.2(31)SGA8

Table 3 briefly describes the Catalyst 4900 product set.

Table 3 WS-4948 and WS-4948-10GE

Product Number (append with "=" for spares)

Product Description

Software Release

Minimum

Recommended

WS-X4948

48-port 10/100/1000 Catalyst 4948 switch, optional software image, optional power supplies, fan tray

12.2(20)EWA

12.2(31)SGA8

WS-X4948-S

48-port 10/100/1000 Catalyst 4948 switch, SMI, one AC power supply, fan tray

12.2(20)EWA

12.2(31)SGA8

WS-X4948-E

48-port 10/100/1000 Catalyst 4948 switch, EMI, one AC power supply, fan tray

12.2(20)EWA

12.2(31)SGA8

WS-X4948-10GE

48-port 10/100/1000 2-10GE Catalyst 4948 switch, optional software image, optional power supplies, fan tray

12.2(25)EWA

12.2(31)SGA8

WS-X4948-10GE-S

48-port 10/100/1000 2-10GE Catalyst 4948 switch, SMI, one AC power supply, fan tray

12.2(25)EWA

12.2(31)SGA8

WS-X4948-10GE-E

48-port 10/100/1000 2-10GE Catalyst 4948 switch, EMI, one AC power supply, fan tray

12.2(25)EWA

12.2(31)SGA8

WS-C4928-10GE

24 Gigabit Ethernet Small Form-Factor Pluggable (SFP) downlinks, 4 Gigabit Ethernet SFP uplinks, two 10 Gigabit Ethernet X2 uplinks, redundant field-replaceable AC and DC power supplies, fan tray with redundant fans, 1 rack unit (RU) form factor

12.2(46)SG

12.2(46)SG

Supported Features

Table 4 lists the Cisco IOS software features for the Catalyst 4900 series switch.

Table 4 Cisco IOS Software Feature Set for the Catalyst 4900 Series Switch

Layer 2 Switching Features

Storm control

Multicast storm control

IP Source Guard

IP Source Guard for Statis Hosts

PVRST+

Layer 2 protocol tunneling

Layer 2 transparent bridging¹

Layer 2 MAC² learning, aging, and switching by software

Unicast MAC address filtering

VMPS³ Client

Layer 2 hardware forwarding up to 102 Mpps

Layer 2 switch ports and VLAN trunks

Spanning-Tree Protocol (IEEE 802.1D) per VLAN

802.1s and 802.1w

Layer 2 traceroute

Unidirectional Ethernet port

Per-VLAN spanning tree (PVST) and PVST+

Spanning-tree root guard

Spanning-tree Loop guard and PortFast BPDU Filtering

Support for 9216 byte frames

Port security on PVLANs

Private VLANs

Private VLAN DHCP snooping

Community PVLANs

Private VLAN Promiscuous Trunk

ISL

IEEE 802.1Q-based VLAN encapsulation

Multiple VLAN access port

VLAN Trunking Protocol (VTP) and VTP domains

VTP v3

Support for 4096 VLANs per switch

Unidirectional link detection (UDLD) and aggressive UDLD

Resilient Ethernet Protocol⁴

Ethernet CFM

Ethernet OAM Protocol

Layer 3 Routing, Switching, and Forwarding

802.1Q Tunneling (Q in Q)⁵

QinQ and Protocol Tunneling

Pragmatic General Multicast

ANCP Client

Auto RP Listener

IP and IP multicast routing and switching between Ethernet ports

Static IP routing

Classless routing⁶

PBR⁷

Dynamic Buffer Limiting

Selective Dynamic Buffer Limiting

QoS-based forwarding based on IP precedence

Trusted boundary

Auto QoS

Match CoS for non-IPV4 traffic

CoS Mutation

CEF⁸ load balancing

Hardware-based IP CEF routing at 102 Mpps

Up to 32,000 IP routes

Up to 32,000 IP host entries (Layer 3 adjacencies)

Up to 16,000 IP multicast route entries

Up to 55,000 unicast entries

Multicast flooding suppression for STP changes

Software routing of IPX, AppleTalk, and IPv6

IGMPv1, IGMPv2, and IGMPv3 (Full Support)

IGMP Querier

VRF-lite

VRF-aware IP services

Route Leaking⁹

IP Unnumbered

SVI Autostate Exclude

Supported Protocols

IS-IS¹⁰

DTP¹¹

RIP¹² and RIP II

EIGRP¹³

EIGRP stub

OSPF¹⁴

BGP4¹⁵

BGP route-map Continue

BGP Neighbor Policy

MBGP¹⁶

MSDP¹⁷

ICMP¹⁸ Router Discovery Protocol

PIM¹⁹—sparse and dense mode

Static routes

Classless interdomain routing (CIDR)

DVMRP²⁰

SSM

NTP²¹

WCCPv2 Layer 2 Redirection

VRRP²²

SCP²³

GLBP²⁴

EtherChannel Features

Cisco EtherChannel technology - 10/100/1000 Mbps, 10 Gbps

Load balancing for routed traffic, based on source and destination IP addresses

Load sharing for bridged traffic based on MAC addresses

ISL on all EtherChannels

IEEE 802.1Q on all EtherChannels

Bundling of up to eight Ethernet ports

Up to 50 active Ethernet port channels

Trunk Port Security over EtherChannel

Additional Protocols and Features

SPAN CPU port mirroring

SPAN packet-type filtering

SPAN destination in-packets option

SPAN ACL filtering

RSPAN²⁵

Enhanced VLAN statistics

Secondary addressing

Bootstrap protocol (BOOTP)

Authentication, authorization, and accounting using TACACS+ and RADIUS protocol

Cisco Discovery Protocol (CDP)

CDP 2nd Port Status TLV

FlexLink and MAC Address-Table Move Update

Network Mobility Services Protocol

Link Layer Discovery Protocol (LLDP)

LLDP Media Discovery (LLDP-MED)

Sticky port security

Trunk port security

Voice VLAN Sticky Port Security

Cisco Group Management Protocol (CGMP) server support

HSRP²⁶ over Ethernet, EtherChannels - 10/100/1000Mbps, 10 Gbps

IGMP²⁷ snooping version1, version 2, and version 3 (Full Support)

IGMP filtering

Port Aggregation Protocol (PagP)

802.3ad LACP

SSH version 1 and version 2²⁸

show interface capabilities command

IfIndex persistence

UDLR²⁹

Enhanced SNMP MIB support

SNMP³⁰ version 1, version 2, and version 3

SNMP version 3 (with encryption)

DHCP server and relay-agent

DHCP snooping

DHCP client autoconfiguration

DHCP Option 82 Pass Through

802.1X port-based authentication

802.1X with port security

802.1X accounting

802.1X with voice VLAN ID³¹

802.1X private VLAN assignment

802.1X private guest VLAN

802.1X RADIUS-supplied session timeout

802.1X authentication failure VLAN

802.1X MAC Authentication Bypass

802.1X Inaccessible Authentication Bypass

802.1X Unidirectional Controlled Port

Flexible Authentication Sequencing

Multi-Authentication

Open Authentication

Web Authentication

Local Web Authentication (EPM syslog and Common session ID)

PPPoE Intermediate Agent

Control Plane Policing

Port flood blocking

Router standard and extended ACLs ³²on all ports with no performance penalty

Identity ACL Policy Enforcement³³

Extended IPX ACL

VLAN ACL

PACL³⁴

Downloadable ACLs

Local Proxy ARP

Dynamic ARP Inspection on PVLANs

Dynamic ARP Inspection

Per-port QoS³⁵ rate-limiting and shaping

Per-port Per-VLAN QoS

Energy Wise

Power redundancy

Non-stop Forwarding Awareness

Non-stop Forwarding Awareness for EIGRP-stub in IP base for all supervisor engines

WCCP³⁶v2 Layer 2 Redirection

MAC Address Notification

SmartPort macros

802.1s standards compliance

IS-IS MIB

OSPF and EIGRP Fast Convergence

OSPF Fast Convergence

Time Domain Reflectometry

CNA³⁷

EEM³⁸

EEM with ISSU

VSS client with PagP+

Ethernet Management Port

IP SLA³⁹

X2 Link Debounce Timer

Enhanced Object Tracking subfeatures:

•HSRP with EOT

•VRRP with EOT

•GLBP with EOT

•IP SLA with EOT

•Reliable Backup Static Routing with EOT

Inactivity Timer

boot config command

Crashdump enhancement

Unicast MAC filtering

Smart Call Home

DHCPv6 Ethernet Remote ID option

DHCPv6 Relay - Persistent Interface ID option DHCPv6 Relay Agent notification for Prefix Delegation

PIM SSM Mapping

VRF lite NSF support with routing protocols OSPF/EIGRP/BG

¹Hardware-based transparent bridging within a VLAN

²MAC = Media Access Control

³VMPS = VLAN Management Policy Server

⁴Does not apply to Supervisor Engine 6-E

⁵Requires the Catalyst 4900 series switch Supervisor Engine V

⁶The ip classless command is not supported as classless routing is enabled by default.

⁷PBR = policy-based routing

⁸CEF = Cisco Express Forwarding

⁹Route Leaking from a global routing table into a VRF and Route Leaking from a VRF into a global routing table

¹⁰IS-IS = Intermediate System to Intermediate System

¹¹DTP = Dynamic Trunking Protocol

¹²RIP = Routing Information Protocol

¹³EIGRP = Enhanced Interior Gateway Routing Protocol

¹⁴OSPF = Open Shortest Path First

¹⁵BGP4 = Border Gateway Protocol 4

¹⁶MBGP = Multicast Border Gateway Protocol

¹⁷MSDP = Multicast Source Discovery Protocol

¹⁸ICMP = Internet Control Message Protocol

¹⁹PIM = Protocol Independent Multicast

²⁰DVMRP = Distance Vector Multicast Routing Protocol

²¹NTP = Network Time Protocol

²²VRRP = Virtual Router Redundancy Protocol

²³SCP = Secure Copy Protocol

²⁴GLBP = Gateway Load Balancing Protocol

²⁵RSPAN = Remote SPAN

²⁶HSRP = Hot Standby Router Protocol

²⁷IGMP = Internet Group Management Protocol

²⁸SSH = Secure Shell Protocol

²⁹UDLR = Unidirectional Link Routing

³⁰SNMP = Simple Network Management Protocol

³¹PoE is not supported on the Catalyst 4900 series switch.

³²ACLs = Access Control Lists

³³filter-ID and per-user ACL

³⁴PACL = Port Access Control List

³⁵QoS = Quality of Service

³⁶WCCP = Web Content Communication Protocol

³⁷CNA = Cisco Network Assistant; Minimum CNA release that supports Releases 12.2(25)EW is 1.0(2). Minimum CNA release that supports Release 12.2(20)EWA is 1.0(1).

³⁸EEM = Embedded Event anager

³⁹Includes HTTPS-HTTP with SSL 3.0, CEF-MIB, Embedded Syslog Manage, ...

Unsupported Features

These features are not supported in Cisco IOS Release 12.2(52)SG for the 4900 series switches:

•The following ACL types:

–Standard Xerox Network System (XNS) access list

–Extended XNS access list

–DECnet access list

–Protocol type-code access list

•Cisco IOS software IPX ACLs:

–<1200-1299> IPX summary address access list

•ADSL and Dial access for IPv6

•AppleTalk EIGRP (use native AppleTalk routing instead)

•Bridge groups

•Cisco IOS software-based transparent bridging (also called "fallback bridging")

•Connectionless (CLNS) routing; including IS-IS routing for CLNS. IS-IS is supported for IP routing only.

•DLSw (data-link switching)

•IGRP (use EIGRP instead)

•isis network point-to-point command

•Kerberos support for access control

•Lock and key

•NAT-PT for IPv6

•NetFlow

•PBR with Multiple Tracking Options

•QoS for IPv6 (QoS for IPv6 traffic)

•Reflexive ACLs

•Routing IPv6 over an MPLS network

•Two-way community VLANs in private VLANs

•CFM CoS

•PBR with EOT

New and Changed Information

These sections describe the new and changed information for the Catalyst 4900 series switch running Cisco IOS software:

•New Hardware Features in Release 12.2(52)SG

•New Software Features in Release 12.2(52)SG

•New Hardware Features in Release 12.2(50)SG2

•New Software Features in Release 12.2(50)SG2

•New Hardware Features in Release 12.2(50)SG1

•New Software Features in Release 12.2(50)SG1

•New Hardware Features in Release 12.2(50)SG

•New Software Features in Release 12.2(50)SG

•New Hardware Features in Release 12.2(46)SG

•New Software Features in Release 12.2(46)SG

•New Hardware Features in Release 12.2(44)SG

•New Software Features in Release 12.2(44)SG

•New Hardware Features in Release 12.2(40)SG

•New Software Features in Release 12.2(40)SG

•New Hardware Features in Release 12.2(37)SG

•New Software Features in Release 12.2(37)SG

•New Hardware Features in Release 12.2(31)SGA

•New Software Features in Release 12.2(31)SGA

•New Hardware Features in Release 12.2(31)SG

•New Software Features in Release 12.2(31)SG

•New Hardware Features in Release 12.2(25)SG

•New Software Features in Release 12.2(25)SG

•New Hardware Features in Release 12.2(25)EWA

•New Software Features in Release 12.2(25)EWA

•New Hardware Features in Release 12.2(25)EW

•New Software Features in Release 12.2(25)EW

•New Hardware Features in Release 12.2(20)EWA

•New Software Features in Release 12.2(20)EWA

New Hardware Features in Release 12.2(52)SG

Release 12.2(50)SG1 provides the following new hardware for the Catalyst 4900 series switch:

•6000W PS

New Software Features in Release 12.2(52)SG

Release 12.2(50)SG1 provides the following new Cisco IOS software features for the Catalyst 4900 series switch:

•EnergyWise

•Network Mobility Services Protocol

•Identity ACL Policy Enforcement Enhancement

–Filter-ID

–Per-user ACL

•Smart Call Home*

•Local WebAuth Enhancement

•DHCPv6 Enhancements

–DHCPv6 Ethernet Remote ID option

–DHCPv6 Relay - Persistent Interface ID option DHCPv6 Relay Agent notification for Prefix Delegation

•PIM SSM Mapping

•VRF lite NSF support with routing protocols OSPF/EIGRP/BGP

•Supported MIBs

–Cisco Enhanced Image MIB

–Cisco HSRP extension MIB

–CISCO-CALLHOME-MIB.my

–Energywise MIB

–POE MIB

–POE ext MIB

–Entity-Diag-MIB

–Bridge MIB

New Hardware Features in Release 12.2(50)SG2

Release 12.2(50)SG2 provides the following new hardware for the Catalyst 4900 series switch:

•None

New Software Features in Release 12.2(50)SG2

Release 12.2(50)SG2 provides the following new Cisco IOS software features for the Catalyst 4900 series switch:

•None

New Hardware Features in Release 12.2(50)SG1

Release 12.2(50)SG1 provides the following new hardware for the Catalyst 4900 series switch:

•None

New Software Features in Release 12.2(50)SG1

Release 12.2(50)SG1 provides the following new Cisco IOS software features for the Catalyst 4900 series switch:

•EEM version 2

New Hardware Features in Release 12.2(50)SG

Release 12.2(50)SG provides the following new hardware for the Catalyst 4900 series switch:

•SFP+ using X2 hole adaptor

•X2-10GB-ZR optical module

•X2-10GB-DWDM optical module

New Software Features in Release 12.2(50)SG

Release 12.2(50)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:

Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.

Release 12.2(50)SG provides the following new hardware for the Catalyst 4500 series switch:

•IGMP Querier ("Configuring IGMP Snooping" chapter)

•OSPF and EIGRP fast convergence and protection (Refer to the Cisco IOS Release 12.4 documentation)

•CDP 2nd Port Status TLV (no configuration required on the switch)

•Flexible Authentication Sequencing ("Configuring 802.1X" chapter)

•Multi-Authentication ("Configuring 802.1X" chapter)

•Open Authentication ("Configuring 802.1X" chapter)

•Web Authentication ("Configuring Web Authentication" chapter)

•Inactivity Timer ("Configuring 802.1X" chapter)

•Downloadable ACLs ("Configuring Network Security with ACLs" chapter)

•ANCP Client (not supported on E-Series Supervisor Engine 6-E; "Configuring ANCP Client" chapter)

•PPPoE Intermediate Agent (not supported on E-Series Supervisor Engine 6-E; "PPPoE Circuit-Id Tag Processing" chapter)

•VTP version 3 ("Configuring VLANs, VTP, and VMPS" chapter)

•VRF-aware IP services ("Configuring VRF-Lite" chapter)

•ANCP Client (not supported on E-Series Supervisor Engine 6-E; "Configuring ANCP Client" chapter)

•PPPoE Intermediate Agent (not supported on E-Series Supervisor Engine 6-E; "PPPoE Circuit-Id Tag Processing" chapter)

•VTP version 3 ("Configuring VLANs, VTP, and VMPS" chapter)

•VRF-aware IP services ("Configuring VRF-Lite" chapter)

•boot config command (Refer to the Cisco IOS Release 12.2 documentation)

•Crashdump enhancement (Refer to the Cisco IOS Release 12.2 documentation)

•Unicast MAC filtering ("Configuring Network Security with ACLs" chapter)

New Hardware Features in Release 12.2(46)SG

Release 12.2(46)SG provides the following new hardware for the Catalyst 4900 series switch:

•None

New Software Features in Release 12.2(46)SG

Release 12.2(46)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:

Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.

•FlexLink and FlexLink+ with MAC Address-Table Move Update (Refer to the "Configuring FlexLink" chapter)

•LLDP-MED: location TLV and MIB (Refer to the "Configuring LLDP and LLDP-MED" chapter)

•Enhanced Object Tracking (EOT) ((Refer to the Cisco IOS Release 12.2 documentation)

–HSRP with EOT

–VRRP with EOT

–GLBP with EOT

–IP SLA with EOT

–Reliable Backup Static Routing with EOT

•CFM 802.1ag (Refer to the "Configuring Ethernet CFM and OAM" chapter)

•E-OAM 802.3ah (Refer to the "Configuring Ethernet CFM and OAM" chapter)

•Ethernet Management Port (Refer to the "Configuring Interfaces" chapter)

New Hardware Features in Release 12.2(44)SG

Release 12.2(44)SG provides the following new hardware for the Catalyst 4900 series switch:

•None

New Software Features in Release 12.2(44)SG

Release 12.2(44)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:

Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.

•REP (Refer to the "Configuring REP" chapter)

•VSS client with PagP+

After configuring VSS dual-active on a Catalyst 6500 switches, the Catalyst 4500 series switch can detect VSS dual-active with PagP+ support.

•IP SLA (Refer to the Cisco IOS Release 12.2 documentation)

•802.1ab LLDP and LLDP-MED (Refer to the "Configuring LLDP and LLDP-MED" chapter)

•X2 Link Debounce Timer (Refer to the "Configuring Interfaces" chapter)

New Hardware Features in Release 12.2(40)SG

Release 12.2(40)SG provides the following new hardware for the Catalyst 4900 series switch:

•None

New Software Features in Release 12.2(40)SG

Release 12.2(40)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:

Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.

•Embedded Event Manager (Refer to the Cisco IOS Release 12.4 documentation)

•Gateway Load Balancing Protocol (Refer to the Cisco IOS Release 12.4 documentation)

New Hardware Features in Release 12.2(37)SG

Release 12.2(37)SG provides the following new hardware for the Catalyst 4900 series switch:

•None

New Software Features in Release 12.2(37)SG

Release 12.2(37)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:

Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.

•Selective Dynamic Buffer Limiting ("Configuring QoS" chapter)

•SVI Autostate Exclude ("Configuring Layer 3 Interface" chapter)

•IP Source Guard for Statis Hosts ("Configuring DHCP Snooping, IP Source Guard, and IPSG for Statis Hosts" chapter )

•BGP route-map Continue Support for Outbound Policy

For details, locate the feature entry in the Feature Information Table located toward the end of the "Connecting to a Service Provider Using External BGP" module

•Auto RP Listerner (Refer to the Cisco IOS Release 12.4 documentation)

New Hardware Features in Release 12.2(31)SGA

Cisco IOS Release 12.2(31)SGA is the first IOS release supporting the Cisco ME 4900 Series Ethernet Switch.

Following hardware was supported:

•X2-10GB-LRM

New Software Features in Release 12.2(31)SGA

Release 12.2(31)SGA provides the following Cisco IOS software features for the Catalyst 4900 series switch:

Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.

•Trunk Port Security over EtherChannel ("Configuring Port Security and Configuring EtherChannel" chapters)

•Match CoS for Non-IPv4 Traffic ("Configuring QoS" chapter)

•CoS Mutation ("Configuring QoS" chapter)

•QinQ Tunneling and Protocol Tunneling ("Configuring 802.1Q and Layer 2 Protocol Tunneling" chapter)

•IP Unnumbered ("Configuring IP Unnunmbered Support" chapter)

New Hardware Features in Release 12.2(31)SG

There are no new hardware features in Cisco IOS Release 12.2(31)SG.

New Software Features in Release 12.2(31)SG

Release 12.2(31)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:

Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.

•Control Plane Policing ("Configuring Control Plane Policing" chapter)

•WCCPv2 Layer 2 Redirection ("Configuring WCCPv2 Services" chapter)

•MAC Authentication Bypass ("Configuring 802.1X Port-Based Authentication" chapter)

•802.1X Inaccessible Authentication Bypass ("Configuring 802.1X Port-Based Authentication" chapter)

•802.1X Unidirectional Controlled Port ("Configuring 802.1X Port-Based Authentication" chapter)

•Private VLAN Promiscuous Trunk ("Configuring Private VLANs" chapter)

•MAC Address Notification ("Administering the Switch" chapter)

•Voice VLAN Sticky Port Security ("Configuring Port Security" chapter)

•Virtual Router Redundancy Protocol (VRRP) (Refer to the Cisco IOS Release 12.3 documentation)

•Secure Copy Protocol (SCP) (Refer to the Cisco IOS Release 12.3 documentation)

New Hardware Features in Release 12.2(25)SG

There are no new hardware features in Cisco IOS Release 12.2(25)SG.

New Software Features in Release 12.2(25)SG

Release 12.2(25)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:

Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.

•IEEE 802.1S Standards Compliance (Refer to the Cisco IOS Release 12.3 documentation)

Note In Cisco IOS Release 12.2(25)SG for the Catalyst 4500 and 4900 series switches, the implementation for multiple spanning tree (MST) changed from the previous release. Multiple STP (MSTP) complies with IEEE 802.1s standard. Previous MSTP implementations were based on a draft of the IEEE 802.1s standard.

•802.1X Authentication Failure VLAN ("Understanding and Configuring 802.1X Port-Based Authentication" chapter)

•HTTPS (Refer to the Cisco IOS Release 12.3 documentation)

•IS-IS MIB (Refer to the Cisco IOS Release 12.3 documentation

•OSPF Fast Convergence (Refer to the Cisco IOS Release 12.3 documentation)

•Time Domain Reflectometry ("Checking Port Status and Connectivity" chapter)

•IEEE 802.1S Standards Compliance (Refer to the Cisco IOS Release 12.3 documentation)

•SNMP V3 support for Bridge-MIB with VLAN indexing

•Interface Link and Trunk Status Logging Event Enhancement ("Configuring Interfaces" chapter)

New Hardware Features in Release 12.2(25)EWA

Release 12.2(25)EWA provides the following new hardware for the Catalyst 4900 series switch:

•WS-X4948-10GE—Catalyst 4948 48-Port 10/100/1000 + 2 10GE in a 1 RU with dual, redundant AC/DC power

Caution If you plan to insert X2 transceivers in the Cisco Catalyst 4948-10GE, you should ensure that the Catalyst 4900 series switch and the X2 back interfaces are properly oriented during the OIR (Online insertion and removal) of the transceivers. The top transceiver (port tengig1/49) should be inserted with heatsink facing up. The bottom transceiver (port tengig1/50) should be plugged in with heatsink facing down, CLEI (Common Language Equipment Identifiers) label facing up. When inserted correctly, the TX/RX of the bottom transceiver would look reversed. For more details refer to the
Catalyst 4948-10GE Switch Installation Guide.

New Software Features in Release 12.2(25)EWA

Release 12.2(25)EWA provides the following Cisco IOS software features for the Catalyst 4900 series switch:

Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.

•Per-Port Per-VLAN QoS ("Configuring QoS and Per-Port Per-VLAN QoS" chapter)

•Trunk-Port Security ("Configuring Port Security and Trunk Port Security" chapter)

•802.1X Private VLAN Assignment ("Understanding and Configuring 802.1X Port-Based Authentication" chapter)

•802.1X Private Guest VLAN ("Understanding and Configuring 802.1X Port-Based Authentication" chapter)

•802.1X Radius-Supplied Session Timeout ("Understanding and Configuring 802.1X Port-Based Authentication" chapter)

•DHCP Option 82 Pass Through ("Configuring DHCP Snooping and IP Source Guard" chapter)

New Hardware Features in Release 12.2(25)EW

There are no new hardware features in Release 12.2(25)EW.

New Software Features in Release 12.2(25)EW

There are no new software features in Cisco IOS Release 12.2(25)EW

New Hardware Features in Release 12.2(20)EWA

There are no new hardware features in Cisco IOS Release 12.2(20)EWA.

New Software Features in Release 12.2(20)EWA

Release 12.2(20)EWA provides the following Cisco IOS software features for the Catalyst 4900 series switch:

Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.

•802.1X with Voice VLAN ID ("Understanding and Configuring 802.1X Port-Based Authentication" chapter)

•Forced 10/100 Auto Negotiation ("Configuring Interfaces" chapter)

Upgrading the System Software

In most cases, upgrading the switch to a newer release of Cisco IOS software does not require a ROMMON upgrade. However, if you are running an early release of Cisco IOS software and plan to upgrade, the following tables list the recommended ROMMON release.

Caution Most supervisor engines have the required ROMMON release. However, due to caveat CSCed25996, we recommend that you upgrade your ROMMON to the recommended release.

Table 5 Catalyst 4900 Series Switches, Recommended ROMMON Release, and Promupgrade Programs

Switching Module

Minimum ROMMON Release

Recommended ROMMON

Release

Promupgrade Program

WS-X4948

12.2(20r)EW

12.2(31r)SGA1

cat4500-ios-promupgrade-122_31r_SGA1

WS-X4948-10GE

12.2(25r)EWA

12.2(31r)SGA1

cat4500-ios-promupgrade-122_31r_SGA1

WS-C4928-10GE

12.2(31r)SGA2

12.2(31r)SGA2

cat4500-ios-promupgrade-122_31r_SGA2

The following sections describe how to upgrade your switch software:

•Upgrading the ROMMON from the Console

•Upgrading the ROMMON Remotely Using Telnet

•Upgrading the Cisco IOS Software

Upgrading the ROMMON from the Console

Caution To avoid actions that might make your system unable to boot, read this entire section before starting the upgrade.

Note The examples in this section use the programmable read-only memory (PROM) upgrade version 12.2(25r)EWA and Cisco IOS Release 12.2(25)EWA. For other releases, replace the ROMMON release and Cisco IOS software release with the appropriate releases and filenames.

Follow this procedure to upgrade your supervisor engine ROMMON:

Step 1 Directly connect a serial cable to the console port.

Note This section assumes that the console baud rate is set to 9600 (default). If you want to use a different baud rate, change the configuration register value for your switch.

Step 2 Download the cat4000-ios-promupgrade-122_25r_EWA program from Cisco.com, and place it on a TFTP server in a directory that is accessible from the switch that will be upgraded.

The cat4000-ios-promupgrade-122_25r_EWA programs are available on Cisco.com at the same location from which you download Catalyst 4000 system images.

Step 3 Use the dir bootflash: command to ensure that there is sufficient space in Flash memory to store the PROM upgrade image. If there is insufficient space, delete one or more images, and then issue the
squeeze bootflash: command to reclaim the space.

Step 4 Download the cat4000-ios-promupgrade-122_25r_EWA program into Flash memory using the copy tftp command.

The following example shows how to download the PROM upgrade image cat4000-ios-promupgrade-122_25r_EWA from the remote host 172.20.58.78 to bootflash:
Switch# copy tftp: bootflash: 
Address or name of remote host [172.20.58.78]?  
Source filename [cat4000-ios-promupgrade-122_25r_EWA]?  
Destination filename [cat4000-ios-promupgrade-122_25r_EWA]?  
Accessing tftp://172.20.58.78/cat4000-ios-promupgrade-122_25r_EWA... 
Loading cat4000-ios-promupgrade-122_25r_EWA from 172.20.58.78 (via
FastEthernet2/1):!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!
[OK - 455620 bytes] 
455620 bytes copied in 2.644 secs (172322 bytes/sec) 
Switch#
Step 5 Enter the reload command to reset the switch, press Ctrl-C to stop the boot process, and re-enter ROMMON.

The following example shows the output after a reset into ROMMON:
Switch# reload
Proceed with reload? [confirm]
2d11h: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command
.
**********************************************************
 *                                                        *
 * Welcome to Rom Monitor for WS-C4948-10GE System.       *
 * Copyright (c) 1999-2005 by Cisco Systems, Inc.         *
 * All rights reserved.                                   *
 *                                                        *
 **********************************************************
 Rom Monitor Program Version 12.2(25r)EWA
 Supervisor: WS-C4948-10GE  Chassis: WS-C4948
 Hardware Revisions - Board: 8.3 CPLD Gill: 17
 MAC Address  : 00-0b-fc-ff-3b-ff
 IP Address   : 10.5.43.225
 Netmask      : 255.255.255.0
 Gateway      : 10.5.43.1
 TftpServer   : 10.5.5.5
 ***** The system will autoboot in 5 seconds *****
 Type control-C to prevent autobooting.
 . .
 Autoboot cancelled......... please wait!!!
 Autoboot cancelled......... please wait!!!
rommon 1 > [interrupt]
Step 6 Run the PROM upgrade program by entering this command:
boot bootflash:cat4000-ios-promupgrade-122_25r_EWA

Caution No intervention is necessary to complete the upgrade. To ensure a successful upgrade, do not interrupt the upgrade process. Do not perform a reset, power cycle, or OIR of the supervisor engine until the upgrade is complete.

The following example shows the output from a successful upgrade, followed by a system reset:
rommon 2 > boot bootflash:cat4000-ios-promupgrade-122_25r_EWA
 ********************************************************** 
 *                                                        * 
 * Rom Monitor Upgrade Utility For WS-C4948-10GE System   * 
 * This upgrades flash Rom Monitor image to the latest    * 
 *                                                        * 
 * Copyright (c) 1997-2005 by Cisco Systems, Inc.         * 
 * All rights reserved.                                   * 
 *                                                        * 
 **********************************************************
 Image size = 1024.0 KBytes 
 Maximum allowed size = 1048576 KBytes 
 Upgrading your PROM... DO NOT RESET the system
 unless instructed or upgrade of PROM will fail !!!
 Beginning erase of 0x100000 bytes at offset 0x3e00000...  Done!
 Beginning write of prom  (0x100000 bytes at offset 0x3e00000)...
 This could take as little as 30 seconds or up to 2 minutes.
 Please DO NOT RESET!
 Verifying...
 Success! The prom has been upgraded successfully.
 System will reset itself and reboot within few seconds....
Step 7 Boot the Cisco IOS software image, and enter the show version command to verify that ROMMON has been upgraded to 12.2(25r)EWA.

Step 8 Use the delete command to delete the PROM upgrade program from bootflash and the squeeze command to reclaim unused space.

The following example shows how to delete the cat4000-ios-promupgrade-122_25r_EWA image from bootflash and reclaim unused space:
Switch# delete bootflash:cat4000-ios-promupgrade-122_25r_EWA
Switch# squeeze bootflash:
All deleted files will be removed, proceed (y/n) [n]? y
Squeeze operation may take some time, proceed (y/n) [n]? y
Switch#
Step 9 Use the show version command to verify that the ROMMON has been upgraded
Switch# show version
Cisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version 
12.2(25)EWA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 17-Aug-05 17:09 by alnguyen
Image text-base: 0x10000000, data-base: 0x11269914
ROM: 12.2(25r)EWA
Pod Revision 0, Force Revision 31, Tie Revision 17
Switch uptime is 1 minute
System returned to ROM by reload
System image file is "bootflash:cat4500-ipbase-mz.122-25.EWA"
cisco WS-C4948-10GE (MPC8540) processor (revision 3) with 262144K bytes of memory.
Processor board ID 0
MPC8540 CPU at 667Mhz, Fixed Module
Last reset from Reload
1 Virtual Ethernet interface
48 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
Configuration register is 0x2
Switch#
The ROMMON has now been upgraded.

See the "Upgrading the Cisco IOS Software" section for instructions on how to upgrade the Cisco IOS software on your switch.

Upgrading the ROMMON Remotely Using Telnet

Caution To avoid actions that might make your system unable to boot, read this entire section before starting the upgrade.

Follow this procedure to upgrade your supervisor engine ROMMON to Release 12.2(25r)EWA. This procedure can be used when console access is not available and when the ROMMON upgrade must be performed remotely.

Note In the following section, use the PROM upgrade version cat4000-ios-promupgrade-122_25r_EWA.

Step 1 Establish a Telnet session to the supervisor engine.

Note In the following discussion, we assume that at least one IP address has been assigned to either an SVI or a routed port.

Step 2 Download the cat4000-ios-promupgrade-122_25r_EWA program from Cisco.com, and place it on a TFTP server in a directory that is accessible from the switch to be upgraded.

The cat4000-ios-promupgrade-122_25r_EWA programs are available on Cisco.com at the same location from which you download Catalyst 4000 system images.

Step 3 Use the dir bootflash: command to ensure that there is sufficient space in Flash memory to store the PROM upgrade image. If there is insufficient space, delete one or more images, and then issue the
squeeze bootflash: command to reclaim the space.

Step 4 Download the cat4000-ios-promupgrade-122_25r_EWA program into Flash memory using the
copy tftp command.

The following example shows how to download the PROM upgrade image cat4000-ios-promupgrade-122_25r_EWA from the remote host 10.5.5.5 to bootflash:
Switch# copy tftp: bootflash: 
Address or name of remote host [10.5.5.5]?
Source filename [cat4000-ios-promupgrade-122_25r_EWA]? 
/tftpboot/pjose/cat4000-ios-promupgrade-122_25r_EWA
Destination filename [cat4000-ios-promupgrade-122_25r_EWA]?
Accessing tftp://10.5.5.5//tftpboot/pjose/cat4000-ios-promupgrade-122_25r_EWA...
Loading /tftpboot/pjose/cat4000-ios-promupgrade-122_25r_EWA from 10.5.5.5 (via G
igabitEthernet1/1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 1244496 bytes]
1244496 bytes copied in 9.484 secs (131221 bytes/sec)
Switch#
Step 5 Use the no boot system flash bootflash:file_name command to clear all BOOT variable commands in the configuration file. In this example, the BOOT variable was set to boot the image cat4000-ios-promupgrade-122_25r_EWA from bootflash:
Switch# configure terminal
Switch(config)# no boot system flash bootflash:cat4000-ios-promupgrade-122_25r_EWA
Switch(config)# exit
Switch# write
Building configuration...
Compressed configuration from 3641 to 1244 bytes [OK]
Switch# 
Use the boot system flash bootflash:file_name command to set the BOOT variable. You will 
use two BOOT commands: one to upgrade the ROMMON and a second to load the Cisco IOS 
software image after the ROMMON upgrade is complete. Notice the order of the BOOT 
variables in the example below. At bootup the first BOOT variable command upgrades the 
ROMMON. When the upgrade is complete the supervisor engine will autoboot, and the second 
BOOT variable command will load the Cisco IOS software image specified by the second BOOT 
command. 
Note The config-register must be set to autoboot.
In this example, we assume that the console port baud rate is set to 9600 bps and that the 
config-register is set to 0x0102.
Use the config-register command to autoboot using image(s) specified by the BOOT variable. 
Configure the BOOT variable to upgrade the ROMMON and then autoboot the IOS image after 
the ROMMON upgrade is complete. In this example, we are upgrading the ROMMON to version 
12.2(25r)EWA. After the ROMMON upgrade is complete, the supervisor engine will boot Cisco 
IOS software Release 12.2(25)EWA.
config-register to 0x0102.
Switch# configure terminal
Switch(config)# boot system flash bootflash:cat4000-ios-promupgrade-122_25r_EWA
Switch(config)# boot system flash bootflash:cat4500-ipbase-mz.122-25.EWA
Switch(config)# config-register 0x0102
Switch(config)# exit
Switch# write
Building configuration...
Compressed configuration from 3641 to 1244 bytes [OK]
Switch# 
Step 6 Use the show bootvar command to verify the boot string. The BOOT variable in this example will first run the PROM upgrade to upgrade ROMMON. Then, the upgrade software will reload and the supervisor engine will load the Cisco IOS software image.
Switch#sh bootvar
BOOT variable = 
bootflash:cat4000-ios-promupgrade-122_25r_EWA,1;bootflash:cat4500-ipbase-mz.122-25.EWA
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0x2102
Step 7 Run the PROM upgrade program by issuing the reload command. Issuing this command will terminate your Telnet session.

Caution Verify the boot string in step 6. No intervention is necessary to complete the upgrade. To ensure a successful upgrade, do not interrupt the upgrade process. Do not perform a reset, power cycle, or OIR of the supervisor engine until the upgrade is complete.

The following example shows the console port output from a successful ROMMON upgrade followed by a system reset. Your Telnet session will be disconnected during the ROMMON upgrade, so you will not see this output. This step could take 2-3 minutes to complete. You will need to reconnect your Telnet session after 2-3 minutes when the Cisco IOS software image and the interfaces are loaded.
Switch# reload
Proceed with reload? [confirm]
00:00:36: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
 ********************************************************** 
 *                                                        * 
 * Welcome to Rom Monitor for WS-C4948-10GE System.       * 
 * Copyright (c) 1999-2005 by Cisco Systems, Inc.         * 
 * All rights reserved.                                   * 
 *                                                        * 
 **********************************************************
 Rom Monitor Program Version 12.2(25r)EWA
 Supervisor: WS-C4948-10GE  Chassis: WS-C4948 
 Hardware Revisions - Board: 8.0 CPLD : 17 FPGA : 0 
 MAC Address  : 00-0b-fc-ff-3b-ff 
 IP Address   : 10.5.43.225 
 Netmask      : 255.255.255.0 
 Gateway      : 10.5.43.1 
 TftpServer   : 10.5.5.5 
 ***** The system will autoboot in 5 seconds *****
 Type control-C to prevent autobooting.
 . . . . .
 ******** The system will autoboot now ********
 config-register = 0x102 
 Autobooting using BOOT variable specified file.....
 Current BOOT file is --- bootflash:cat4000-ios-promupgrade-122_25r_EWA 
 ********************************************************** 
 *                                                        * 
 * Rom Monitor Upgrade Utility For WS-C4948-10GE System   * 
 * This upgrades flash Rom Monitor image to the latest    * 
 *                                                        * 
 * Copyright (c) 1997-2005 by Cisco Systems, Inc.         * 
 * All rights reserved.                                   * 
 *                                                        * 
 **********************************************************
 Image size = 1024.0 KBytes 
 Maximum allowed size = 1048576 KBytes 
 Upgrading your PROM... DO NOT RESET the system
 unless instructed or upgrade of PROM will fail !!!
 Beginning erase of 0x100000 bytes at offset 0x3e00000...  Done!
 Beginning write of prom  (0x100000 bytes at offset 0x3e00000)...
 This could take as little as 30 seconds or up to 2 minutes.
 Please DO NOT RESET!
 Verifying...
 Success! The prom has been upgraded successfully.
 System will reset itself and reboot within few seconds....
****
 (output truncated)
 . . . . .
 ******** The system will autoboot now ********
 config-register = 0x102 
 Autobooting using BOOT variable specified file.....
 Current BOOT file is --- bootflash:cat4500-ipbase-mz.122-25.EWA
Rommon reg: 0x00004180
###########
(output truncated)
Exiting to ios...
Rommon reg: 0x00000180
###############################
              Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706
Cisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version 
12.2(25)EWA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 17-Aug-05 17:09 by alnguyen
Image text-base: 0x10000000, data-base: 0x11269914
cisco WS-C4948-10GE (MPC8540) processor (revision 3) with 262144K bytes of memory.
Processor board ID 0
MPC8540 CPU at 667Mhz, Fixed Module
Last reset from Reload
1 Virtual Ethernet interface
48 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
Uncompressed configuration from 1171 bytes to 2726 bytes
Press RETURN to get started!
Switch>en
Switch#
Step 8 Use the no boot system flash bootflash:file_name command to clear the BOOT command used to upgrade the ROMMON.
Switch# configure terminal
Switch(config)# no boot system flash bootflash:cat4000-ios-promupgrade-122_25r_EWA
Switch(config)# exit
Switch# write
Building configuration...
Compressed configuration from 3641 to 1244 bytes [OK]
Switch#
Step 9 Use the show version command to verify that the ROMMON has been upgraded.
Switch# show version
Cisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version 
12.2(25)EWA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 17-Aug-05 17:09 by alnguyen
Image text-base: 0x10000000, data-base: 0x11269914
ROM: 12.2(25r)EWA
Pod Revision 0, Force Revision 31, Tie Revision 17
Switch uptime is 0 minutes
System returned to ROM by reload
System image file is "bootflash:cat4500-ipbase-mz.122-25.EWA"
cisco WS-C4948-10GE (MPC8540) processor (revision 3) with 262144K bytes of memory.
Processor board ID 0
MPC8540 CPU at 667Mhz, Fixed Module
Last reset from Reload
1 Virtual Ethernet interface
48 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
Configuration register is 0x102
Switch#
Step 10 Use the delete command to delete the PROM upgrade program from bootflash and the squeeze command to reclaim unused space.

The following example shows how to delete the cat4000-ios-promupgrade-122_25r_EWA image from bootflash and reclaim unused space:
Switch# delete bootflash:cat4000-ios-promupgrade-122_25r_EWA
Switch# squeeze bootflash:
All deleted files will be removed, proceed (y/n) [n]? y
Squeeze operation may take some time, proceed (y/n) [n]? y
Switch#
Step 11 Use the show bootvar command to verify that the ROMMON upgrade program has been removed from the BOOT variable.
Switch# show bootvar
BOOT variable = bootflash:cat4500-ipbase-mz.122-25.EWA,12;
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0x2102
Switch#
The ROMMON has now been upgraded.

See the "Upgrading the Cisco IOS Software" section for instructions on how to upgrade the Cisco IOS software on your switch.

Upgrading the Cisco IOS Software

Caution To avoid actions that might make your system unable to boot, please read this entire section before starting the upgrade.

Before you proceed, observe the following rules for hostname:

•Do not expect case to be preserved

Uppercase and lowercase characters look the same to many internet software applications. It may seem appropriate to capitalize a name the same way you might do in English, but conventions dictate that computer names appear all lowercase. For more information, refer to RFC 1178, Choosing a Name for Your Computer.

•Must start with a letter and end with a letter or digit.

•Interior characters can only be letters, digits, and hyphens; periods and underscores not allowed.

•Names must be 63 characters or fewer; hostname of fewer than 10 characters is recommended.

•On most systems, a field of 30 characters is used for the host name and the prompt in the CLI. Longer configuration mode prompts may be truncated.

To upgrade the Cisco IOS software on your Catalyst 4900 series switch, use this procedure:

Step 1 Download Cisco IOS Release 12.2(25)EWA from Cisco.com, and place the image on a TFTP server in a directory that is accessible from the supervisor engine that will be upgraded.

Step 2 Use the dir bootflash: command to ensure that there is sufficient space in Flash memory to store the promupgrade image. If there is insufficient space, delete one or more images, and then enter the squeeze bootflash: command to reclaim the space.

Step 3 Download the software image into Flash memory using the copy tftp command.

The following example shows how to download the Cisco IOS software image cat4500-ipbase-mz.122-25.EWA from the remote host 172.20.58.78 to bootflash:
Switch# copy tftp: bootflash:
Address or name of remote host [172.20.58.78]? 
Source filename [cat4500-ipbase-mz.122_25.EWA]?
Destination filename [cat4500-ipbase-mz.122-25.EWA]? 
Accessing tftp://172.20.58.78/cat4500-ipbase-mz.122-25.EWA...
Loading cat4500-ipbase-mz.122-25.EWA from 172.20.58.78 (via
FastEthernet2/1):!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 6923388/13846528 bytes]
6923388 bytes copied in 72.200 secs (96158 bytes/sec)
Switch#
Step 4 Use the no boot system flash bootflash:file_name command to clear the cat4500-ipbase-mz.122-25.EWA file and to save the BOOT variable.

The following example shows how to clear the BOOT variable:
Switch# configure terminal
Switch(config)# no boot system flash bootflash:cat4500-ipbase-mz.122_25.EWA
Switch(config)# exit
Switch# write
Building configuration...
Compressed configuration from 3641 to 1244 bytes [OK]
Switch# 
Step 5 Use the boot system flash command to add the Cisco IOS software image to the BOOT variable.

The following example shows how to add the cat4500-ipbase-mz.122-25.EWA image to the BOOT variable:
Switch# configure terminal
Switch(config)# boot system flash bootflash:cat4500-ipbase-mz.122_25.EWA
Switch(config)# exit
Switch# write
Building configuration...
Compressed configuration from 3641 to 1244 bytes [OK]
Switch# 
Step 6 Use the config-register command to set the configuration register to 0x2102.

The following example show how to set the second least significant bit in the configuration register:
Switch# configure terminal
Switch(config)# config-register 0x2102
Switch(config)# exit
Switch# write
Building configuration...
Compressed configuration from 3723 to 1312 bytes [OK]
Switch#
Step 7 Enter the reload command to reset the switch and load the software.

Caution No intervention is necessary to complete the upgrade. To ensure a successful upgrade, do not interrupt the upgrade process by performing a reset, power cycle, or OIR of the supervisor, for at least five minutes.

The following example shows the output from a successful upgrade followed by a system reset:
Switch# reload
System configuration has been modified. Save? [yes/no]: yes
Building configuration...
Compressed configuration from 2668 bytes to 1127 bytes[OK]
Proceed with reload? [confirm]
00:02:11: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Comm
and.
 **********************************************************
 *                                                        *
 * Welcome to Rom Monitor for WS-C4948-10GE System.       *
 * Copyright (c) 1999-2005 by Cisco Systems, Inc.         *
 * All rights reserved.                                   *
 *                                                        *
 **********************************************************
 Rom Monitor Program Version 12.2(25r)EWA
 Supervisor: WS-C4948-10GE  Chassis: WS-C4948
 Hardware Revisions - Board: 8.3 CPLD Gill: 17
 MAC Address  : 00-0b-fc-ff-3b-ff
 IP Address   : 10.5.43.225
 Netmask      : 255.255.255.0
 Gateway      : 10.5.43.1
 TftpServer   : 10.5.5.5
 ***** The system will autoboot in 5 seconds *****
 Type control-C to prevent autobooting.
 . . . . .
 ******** The system will autoboot now ********
 config-register = 0x2102
 Autobooting using BOOT variable specified file.....
 Current BOOT file is --- bootflash:cat4500-ipbase-mz.122-25.EWA
Rommon reg: 0x00004180
###########
k2diags version 5.0.1_e
prod: WS-C4948-10GE  part: 0  serial: 0
Power-on-self-test for Module 1:  WS-C4948-10GE
 Port/Test Status: (. = Pass, F = Fail, U = Untested)
Cpu Subsystem Tests ...
seeprom: . temperature_sensor: .
Port Traffic: L2 Serdes Loopback ...
 0: .  1: .  2: .  3: .  4: .  5: .  6: .  7: .  8: .  9: . 10: . 11: .
12: . 13: . 14: . 15: . 16: . 17: . 18: . 19: . 20: . 21: . 22: . 23: .
24: . 25: . 26: . 27: . 28: . 29: . 30: . 31: . 32: . 33: . 34: . 35: .
36: . 37: . 38: . 39: . 40: . 41: . 42: . 43: . 44: . 45: . 46: . 47: .
62: . 63: .
Port Traffic: L2 Asic Loopback ...
 0: .  1: .  2: .  3: .  4: .  5: .  6: .  7: .  8: .  9: . 10: . 11: .
12: . 13: . 14: . 15: . 16: . 17: . 18: . 19: . 20: . 21: . 22: . 23: .
24: . 25: . 26: . 27: . 28: . 29: . 30: . 31: . 32: . 33: . 34: . 35: .
36: . 37: . 38: . 39: . 40: . 41: . 42: . 43: . 44: . 45: . 46: . 47: .
62: . 63: .
Port Traffic: L3 Asic Loopback ...
 0: .  1: .  2: .  3: .  4: .  5: .  6: .  7: .  8: .  9: . 10: . 11: .
12: . 13: . 14: . 15: . 16: . 17: . 18: . 19: . 20: . 21: . 22: . 23: .
24: . 25: . 26: . 27: . 28: . 29: . 30: . 31: . 32: . 33: . 34: . 35: .
36: . 37: . 38: . 39: . 40: . 41: . 42: . 43: . 44: . 45: . 46: . 47: .
62: . 63: .
Switch Subsystem Memory ...
 1: .  2: .  3: .  4: .  5: .  6: .  7: .  8: .  9: . 10: . 11: . 12: .
13: . 14: . 15: . 16: . 17: . 18: . 19: . 20: . 21: . 22: . 23: . 24: .
25: . 26: . 27: . 28: . 29: . 30: . 31: . 32: . 33: . 34: . 35: . 36: .
37: . 38: . 39: . 40: . 41: . 42: . 43: . 44: . 45: . 46: . 47: . 48: .
49: . 50: . 51: .
Front Panel Ports ...
 1: .  2: .  3: .  4: .  5: .  6: .  7: .  8: .  9: . 10: . 11: . 12: .
13: . 14: . 15: . 16: . 17: . 18: . 19: . 20: . 21: . 22: . 23: . 24: .
25: . 26: . 27: . 28: . 29: . 30: . 31: . 32: . 33: . 34: . 35: . 36: .
37: . 38: . 39: . 40: . 41: . 42: . 43: . 44: . 45: . 46: . 47: . 48: .
Module 1 Passed
Exiting to ios...
Rommon reg: 0x00000180
###############################
              Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706
Cisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version
 12.2(25)EWA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 17-Aug-05 17:09 by alnguyen
Image text-base: 0x10000000, data-base: 0x11269914
#    #    ##    #####   #    #    #    #    #   ####
#    #   #  #   #    #  ##   #    #    ##   #  #    #
#    #  #    #  #    #  # #  #    #    # #  #  #
# ## #  ######  #####   #  # #    #    #  # #  #  ###
##  ##  #    #  #   #   #   ##    #    #   ##  #    #
#    #  #    #  #    #  #    #    #    #    #   ####
The following environment variable(s) are set.  Setting these
environment variables may cause the system to behave unpredictably.
        "DontShipAllowChassisSimulation"
        "gdbEnable"
Use 'clear platform environment variable unsupported' to clear these variables.
cisco WS-C4948-10GE (MPC8540) processor (revision 3) with 262144K bytes of memor
y.
Processor board ID 0
MPC8540 CPU at 667Mhz, Fixed Module
Last reset from Reload
1 Virtual Ethernet interface
48 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
Uncompressed configuration from 1127 bytes to 2668 bytes
Press RETURN to get started!
00:00:06: %C4K_IOSMODPORTMAN-4-POWERSUPPLYBAD: Power supply 2 has failed or been
 turned off
00:00:06: %C4K_IOSMODPORTMAN-4-POWERSUPPLYFANBAD: Fan of power supply 2 has fail
ed
00:00:15: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:15: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 1 (WS-C4948-10GE S/N: 0 Hw:
0.3) is online
00:00:16: %SYS-5-CONFIG_I: Configured from memory by console
00:00:16: %SYS-5-RESTART: System restarted --
Cisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version
 12.2(25)EWA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 17-Aug-05 17:09 by alnguyen
Switch>
Switch#
Step 8 Use the show version command to verify that the new Cisco IOS release is operating on the switch.

Limitations and Restrictions

These sections list the limitations and restrictions for the current release of Cisco IOS software on the Catalyst 4900 series switch.

•For IP Unnumbered, the following are not supported:

–Dynamic routing protocols

–HSRP/VRRP

–Static arp

–Unnumbered interface and Numbered interface in different VRFs

•For WCCP version 2, the following are not supported:

–GRE encapsulation forwarding method

–Hash bucket based assignment method

–Redirection on an egress interface (redirection out)

–Redirect-list ACL

•For IPX software routing, the following are not supported:

–NHRP (Next Hop Resolution Protocol)

–NLSP

–Jumbo Frames

•For AppleTalk software routing, the following are not supported:

–AURP

–AppleTalk Control Protocol for PPP

–Jumbo Frames

–EIGRP

•For PBR, the following are not supported:

–Matching cannot be performed on packet lengths

–IP precedence, TOS, and QoS group are fixed

–ACL or route-map statistics cannot be updated

•IGRP not supported (use EIGRP, instead).

•IP classful routing is not supported; do not use the no ip classless command; it will have no effect, as only classless routing is supported. The command ip classless is not supported as classless routing is enabled by default.

•Catalyst 4500 supervisor engines will not be properly initialized if the VLAN configuration in the startup file does not match the information stored in the VLAN database file. This situation might occur if a backup configuration file was used.

•A Layer 2 LACP channel cannot be configured with the spanning tree PortFast feature.

•Netbooting using a boot loader image is not supported. See the "Troubleshooting" section for details on alternatives.

•An unsupported default CLI for mobile IP is displayed in the HSRP configuration. Although this CLI will not harm your system, you might want to remove it to avoid confusion.

Workaround: Display the configuration with the show standby command, then remove the CLI. Here is sample output of the show standby GigabitEthernet1/1 command:
switch(config)# interface g1/1
switch(config)# no standby 0 name (0 is hsrp group number)
•For HSRP "preempt delay" to function consistently, you must use the standby delay minimum command. Be sure to set the delay to more than 1 hello interval, thereby ensuring that a hello is received before HSRP leaves the initiate state.

Use the standby delay reload option if the router is rebooting after reloading the image.

•When you attempt to run OSPF between a Cisco router and a third party router, the two interfaces might get stuck in the Exstart/Exchange state. This problem occurs when the maximum transmission unit (MTU) settings for neighboring router interfaces do not match. If the router with the higher MTU sends a packet larger than the MTU set on the neighboring router, the neighboring router ignores the packet.

Workaround: Since the problem is caused by mismatched MTUs, the solution is to change the MTU on either router to match the neighbor's MTU.

•The Ethernet management port on the supervisor module is active in ROMMON mode only.

•If an original packet is dropped due to transmit queue shaping and/or sharing configurations, a SPAN packet copy can still be transmitted on the SPAN port.

•All software releases support a maximum of 16,000 IGMP snooping group entries.

•Use the no ip unreachables command on all interfaces with ACLs configured for performance reasons.

•The threshold for the Dynamic Arp Inspection err-disable function is set to 15 ARP packets per second per interface. You should adjust this threshold depending on the network configuration. The CPU should not receive DHCP packets at a sustained rate greater than 1000 pps.

Workaround: Verify whether or not the Neighbor discovery cache has an entry, separate from regular troubleshooting areas of IPv6 address configurations and other configurations.

•If you first configure an IP address or IPv6 address on a Layer 3 port, then change the Layer 3 port to a Layer 2 port with the switchport command, and finally change it back to a Layer 3 port, the original IP/IPv6 address will be lost.

•By default, IPv6 is not enabled. To route IPv6, you must issue the IPv6 unicast-routing command. If you plan to use IPv6 multicast routing, use the IPv6 multicast-routing command.

•By default, CEF is not enabled for IPv6 (once IPv6 unicast routing is enabled). To prevent IPv6 traffic from being process-switched, use the IPv6 cef command.

•Multicast sources in community VLANs are not supported.

•Two-way community VLANs are not supported.

•Voice VLANs are not supported on community VLAN host interfaces.

•Private VLAN trunks do not carry community VLANs.

•The maximum number of unique private VLAN pairs supported by the
switchport private-vlan mapping trunk command above is 1000. For example, one thousand secondary VLANs could map to one primary VLAN, or one thousand secondary VLANs could map one to one to one thousand primary VLANs.

•While configuring PVLAN promiscuous trunk ports, the maximum number of mappings is 500 primary VLANs to 500 secondary VLANs.

•802.1X inaccessible authentication bypass feature is not supported with NAC LAN port IP feature.

•Changes to the console speed in "line console 0" configuration mode do not impact console speed in ROMMON mode. To apply the same console speed in ROMMON mode, use the "confreg" ROMMON utility and change ROMMON console speed.

•If a Catalyst 4900 series switch requests information from the Cisco Secure Access Control Server (ACS) and the message exchange times out because the server does not respond, a message similar to this appears:
00:02:57: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.206:1645,1646 is not 
responding.
If this message appears, check that there is network connectivity between the switch and the ACS. You should also check that the switch has been properly configured as an AAA client on the ACS.

•The bgp shutdown command is not supported in BGP router configuration mode. Executing this command might produce unexpected results.

•A spurious error message appears when an SSH connection disconnects after an idle timeout.

Workaround: Disable idle timeouts. (CSCec30214)

•IPSG for Static Hosts basically supports the same port mode as IPSG except that it does not support trunk port:

–It supports Layer 2 access port and PVLAN host port (isolated or community port).

–It does not support trunk port, Layer 3 port or EtherChannel.

•IPSG for Static Hosts should not be used on uplink ports.

•Selective DBL is only supported for non-tagged or single-tagged IP packets. To achieve Selective DBL-like functionality with a non-IP packet (like Q-in-Q and IPX), apply an input policy map that matches COS values and specifies DBL in the class map.

•For Selective DBL, if the topology involves Layer 2 Q in Q tunneling, the match cos policy map will apply to the incoming port.

•If a set of DSCP values are already configured (e.g. 0-30, 0-63), specifying a subset of these DSCP values with the qos dbl dscp-based 0-7 command will not remove the unwanted DSCP values of 8 through 63. Rather, you must use the no form of the command to remove the extraneous values. In this case, the no qos dbl dscp-based 8-63 command will leave 0-7 selected.

•When using Port Security with Multi Domain Authentication (MDA) on an interface:

–You must allow for at least 3 MAC addresses to access the switch: 2 for the phone (the MAC address of a phone gets registered to the Data domain and Voice domain), and one for the PC.

–The data and voice VLAN IDs must differ.

•For IP Port Security (IPSG) for static hosts, the following apply:

–As IPSG learns the static hosts on each interface, the switch CPU may hit 100 per cent if there are a large number of hosts to learn. The CPU usage will drop once the hosts are learned.

–IPSG violations for static hosts are printed as they occur. If multiple violations occur simultaneously on different interfaces, the CLI displays the last violation. For example, if IPSG is configured for 10 ports and violations exist on ports 3,6 and 9, the violation messages are printed only for port 9.

–Inactive host bindings will appear in the device tracking table when either a VLAN is associated with another port or a port is removed from a VLAN. So, as hosts are moved across subnets, the hosts are displayed in the device tracking table as INACTIVE.

–Autostate SVI does not work on EtherChannel.

•After the fix for CSCsg08775, a GARP ACL entry is no longer part of the Static CAM area, but there is still a system-defined GARP class in Control Plane Policing (CPP). CPP is a macro with many CLIs and the GARP class creation CLI has been removed.

•When ipv6 is enabled on an interface via any CLI, it is possible to see the following message:
% Hardware MTU table exhausted
In such a scenario, the ipv6 MTU value programmed in hardware will be different from the ipv6 interface MTU value. This will happen if there is no room in the hw MTU table to store additional values.

You must free up some space in the table by unconfiguring some unused MTU values and subsequently disable/re-enable ipv6 on the interface or reapply the MTU configuration.

•To stop IPSG with Static Hosts on an interface, use the following commands in interface configuration submode:
Switch(config-if)# no ip verify source
Switch(config-if)# no ip device tracking max"
To enable IPSG with Static Hosts on a port, issue the following commands:
Switch(config)# ip device tracking ****enable IP device tracking globally
Switch(config)# ip device tracking max <n> ***set an IP device tracking maximum on int
Switch(config-if)# ip verify source tracking [port-security] ****activate IPSG on port
Caution If you only configure the ip verify source tracking [port-security] interface configuration command on a port without enabling IP device tracking globally or setting an IP device tracking maximum on that interface, IPSG with Static Hosts will reject all the IP traffic from that interface.

Note The issue above also applies to IPSG with Static Hosts on a PVLAN Host port.

•Management port does not support non-VRF aware features.

•When you enter the permit any any ? command you will observe the octal option, which is unsupported in Cisco IOS Release 12.2(52)SG.

CSCsy31324

•A Span destination of fa1 is not supported.

Caveats

Caveats describe unexpected behavior in Cisco IOS releases. Caveats listed as open in a prior release are carried forward to the next release as either open or resolved.

Note For the latest information on PSIRTS, refer to the Security Advisories on CCO at the following URL:
http://www.cisco.com/en/US/products/products_security_advisories_listing.html

Open Caveats in Cisco IOS Release 12.2(52)SG

This section lists the open caveats in Cisco IOS Release 12.2(52)SG:

•In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:
Switch# sh policy-map int
  FastEthernet3/2 
   Service-policy output: p1
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

•When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

–If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

–If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

•After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID

Old QueueName

New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log

Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
(CSCsc94802)

•To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

•An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

–A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

–This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

–Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

–Configure the correct default gateway on the host side. (CSCse75660)

•When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

•When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

•When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

•When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

•CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

•With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

•An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

–After a reload, copy the startup-config to the running-config.

–Use a loopback interface as the target of the ip unnumbered command

–Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

•In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

•During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
Workaround: None. (CSCso68331)

•When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)

•If you configure OFM on an Etherchannel (with at least two interfaces), when you shut or remove the first member that joined the channel, the CFM neighbor is lost.

Workaround: Clear the errors with the clear ethernet cfm errors command in EXEC mode. (CSCsv43819)

•The CTS SXP cts sxp default password mypassword configuration command does not work when you configure type 6 password encryption on the switch.

Workarounds:Use either of the following to set the sxp default password:

–Use clear text(non encryption)

–Type 7 password encryptio

(CSCsv33006)

•Duplicate serial number error messages are reported on switching One X Convertor with SFP+, SFP+, X2 to another port, the inserted port enters a faulty status.

This problem impacts X2, OneX converters, and SFp+ on the Supervisor Engine 6-E, and linecards.

Workaround: Remove and reinsert the One X Convertor with SFP+ , SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)

•The presence of features and Per Vlan Capture might exhaust the TCAM masks.

Workaround: Disable Per VLAN Capture or some of the features. (CSCsr95455)

•Ping does not execute prior to a posture validation.

Workaround: Reapply the identity policy on the interface with the permit icmp command. (CSCsu03507

•Certain Cisco Trusted Security (CTS) SXP connection configuration may not consistently select the best source IP for each SXP connection.

On a switch with multiple Layer 3 interfaces, if the CTS SXP connection is configured without specifying source IP address and no default SXP source IP address is configured on the box, different SXP connections may pickup different source IP address for each connection.

Workaround: Do one of the following:

–Ensure that only one active Layer 3 interface exists on the switch.

–Specify source the IP address in each SXP connection configuration so there is no ambiguity

–Configure a default SXP source IP address so that the SXP connection without the source IP address will use this source IP address.

(CSCsv28348)

•On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configurd with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface.

(CSCso50921)

•VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

•Egress traffic may not be allowed when 802.1X is configured as a Unidirectional Controlled Port.

Workarounds: Do one of the following:

–Enter spanning-tree portfast then authentication control-direction in on a 802.1X port.

–Enter shut then no shut on a 802.1X port.

(CSCsv05205)

•When you remove an SFP+ from a OneX converter in a X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in Duplicate Seeprom error message.

Workaround: When a log message appears indicating that the SFP+ has been removed , do one of the following:

–Enter any commands for that port.

–Insert an SFP+ in that port.

–Reinsert the removed SFP+ in any other port.

(CSCsv90044)

•When a PVLAN isolated port is connected to a router serving as a mutlicast source, and you enable igmp snooping, the routers connected to the isolated ports display as PIM neighbours.

Workaround: Do one of the following:

–Do not attach routers to PVLAN isolated ports.

–Disable igmp snooping (either globally or on the VLAN).

–Do not use a router connected to PVLAN isolated port as a multicast source.

(CSCsu39009)

•When you delete and recreate an interface, the tacking process is unable to track its state track.

Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)

•CTS SXP connection with a default password may cause the following message to display on the console because of bad TCP authentication:
*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 
2.2.2.1(64999)
This issue is seen when the default SXP password is encrypted with type-6 encryption.

Workaround: Do one of the following:

–Use type 7 password encryption to encrypt the default SXP password

–Don't enable password encryption and allow the default SXP password to set in clear text.

(CSCsv33136)

•IP Router Option may not work with IGMP version 2.

Workaround: None. (CSCsv42869)

•If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.

Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:

a. Reconfigure the VLAN Load Balancing configuration on the desired REP ports.

b. Shut any one REP port in the segment to cause a failure in that segment.

c. No-shut that port to restore normal REP topology with one ALT port.

d. Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.

(CSCsv69853)

•After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

•AutoQoS cannot be configured on member ports of a port-channel.
Switch# sh runn int fa 3/1
 channel-group 2 mode on  -- Port in etherchannel
Switch# conf t
Switch(config)# int fa 3/1
Switch(config-if)# auto qos voip trust
AutoQoS Error: AutoQoS can not be configured on member port(s) of a port-channel
This problem is first seen in Cisco IOS Release 12.2(40)SG.

Workaround: Manually apply the configuration that would be generated by Auto QoS.

CSCsv00316

•The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

•Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.

Workaround: None. CSCsy72343

•When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from ixia at a high rate, a Security violation is wrongly flagged.

Workaround: None.

CSCsy38640

•When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters are increment correctly but the byte counters remain 0.

Workaround: None.

CSCsu35604

•When a link in a REP segment connecting two switches fails, 1 out of 3 attempts result in convergence timing exceeding 300ms.

Workaround: None.

CSCsw42967

•If a redundant switch is in SSO mode or during an ISSU upgrade/downgrade, and the standby supervisor is running IOS software release 12.2(44)SG or 12.2(46)SG, when you enter the
auto qos voip trust command on an interface with an attached service-policy, the standby supervisor engine reboots.

Workaround: Remove all service-policies from the interface before entering the
auto qos voip trust command.

CSCsq37471

•When a link fails on a closed REP segment of 16 nodes configured with VLANs on each node, the convergence time exceeds 250ms especially for multicast traffic.

Workaround: None.

This does not impact REP functionality, but it impacts restoration timing. Traffic restoration time after the failure of a REP segment sometimes exceeds 200ms.

CSCsx55704

•If you enable VTP pruning after a switch is moved to VTP version 3, VLAN pruning does not happen on the trunks.

Workaround: Change the VTP version from 3 to version 2 or 1 and then revert to version 3.

CSCsy66803

•When you request an on demand Call Home message send without specifying a profile name & the specified module returns an unknown diagnostic result, the following error message displays:
Switch# call-home send alert-group diagnostic module 2 
Sending diagnostic info call-home message ...
Please wait. This may take some time ...
Switch#
*Jan  3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand 
message failed to send (ERR 18, The alert group is not subscribed)
Workaround: Specify a profile name when you enter the diagnostic command.

You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.

CSCsz05888

•When an access-list is attached to an interface under extreme hardware resource exhaustion, the ACL may not be automatically loaded into the hardware even if hardware resources later become available.

No TCAM entries are available for the new access-list.

Workaround: Manually remove and reapply the ACL after freeing hardware TCAM resources by removing or shortening other classification policies on the switch.

CSCsy85006

•If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the
show policy-map interface command are wrong.

Workaround: None.

The queue transmit counters as well as the policing statistics (if any) are correct.

CSCsz20149

•On a switch running Cisco IOS Release 12.2(52)SG, the Auto Install feature does not work on the management port. The auto process status aborts.

Workaround: Configure the DHCP server on the same vrf; add the configuration vrf mgmtVrf to

the IP DHCP pool section.

CSCsz38559

•On a switch running Cisco IOS Release 12.2(50)SG or 12.2(52)SG, when an 802.1X port configured with PVLAN community VLAN receives a new PVLAN assignment from the AAA server, resetting the configuration on this interface may cause the switch to reload.

Workaround: None.

CSCsz38442

•On a switch running Cisco IOS 12.2(52)SG, when a port configured with 802.1X enters per vp errdisable mode because of a violation triggered by port security, DAI, DHCP snooping, or BPDU guard, the port's 802.1X sessions are not cleared despite the linkdown.

Workaround: None.

Do not configure 802.1X with other per vp errdisable features.

CSCsx74871

•Packets entering a switch as fragments or with a non-zero fragment offset field are not be subjected to PBR.

Workaround: None.

CSCsz06719

•After a .1X port is enabled for Guest VLAN, if you shut down the port connected to the RADIUS server so that the server goes dead and EAPOL packets are sent on that port, it is authorized in the access VLAN although the server is unreachable.

Workaround: Enter shut, then no shut on the port.

CSCsz63355

•When you configure EnergyWise power control on PoE ports with a time-based execution schedule, time entry executes without adjusting for daylight savings time.

Workaround: Manually re-enter all entries with new time settings.

CSCsy27389

•When a switch enabled for explicit host tracking runs IGMPv3, ports that stopped sending IGMPv3 reports are displayed in the IGMPv3 table until a timeout. This behavior didn't exist in Cisco IOS Release 12.2(50)SG..

Workaround: Disable explicit host tracking in the affected VLANs.

CSCsz28612

•On wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.

This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.

Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.

CSCsz34522

•When port-security is configured on normal trunks carrying primary and secondary private VLANs, its configuration can be erased from the running-config under the following circumstances:

Entering shut/no shut on the port after deleting a secondary VLAN. (CSCsz73895)

Workarounds:

–Configure error recovery for port-security violation instead of entering shut/no shut after deleting the VLAN.

–Configure port-security aging time to age out the MAC addresses before entering shut/no shut. Then, you can reconfigure port-security on the port only after reloading the switch.

Entering shut/no shut on the port after configuring port-security vp err disable and a violation occurs. (CSCsz80415)

Workarounds:

–Configure error recovery for port-security violation instead of entering shut/no shut to recover the port.

–Configure clear errdisable interface name vlan [range] instead of entering shut/no shut.

–Configure port-security aging time to age out the MAC addresses before entering shut/no shut. Then, reconfigure port-security on the port after reloading the switch.

Resolved Caveats in Cisco IOS Release 12.2(52)SG

This section lists the resolved caveats in Release 12.2(52)SG:

•Under control place policing, control plane classes (the classes that are auto created by the
macro global apply system-cpp command and use predefined ACLs to match traffic) increment both their packet and byte count. So, both counters are non-zero.

In contrast, data plane classes (the classes that are configured manually by user written ACLs), the byte counter increments as expected, but the packet count remains 0.

Workaround: None.

CSCsw16557

•On a Catalyst 4500, if an isolated private VLAN trunk interface flaps, the ingress and egress per-port per-vlan service policies are no longer applied on the port.

This impacts Cisco IOS Releases 12.2(31)SGA08, 12.2(37)SG, 12.2(40)SG, 12.2(44)SG, 12.2(46)SG, 12.2(50)SG, and 12.2(50)SG1.

Workarounds:

For a Classic Series Supervisor Engine, disable and configure QoS on the port.

For example, to configure Gig 2/1 as an isolated private VLAN trunk port, do the following:
       Switch# conf t
       Enter configuration commands, one per line.  End with CNTL/Z.
       Switch(config)# interface gigabitEthernet 2/1
       Switch(config-if)# no qos
       Switch(config-if)# qos
       Switch(config-if)# end
       Switch#
You can configure the following EEM script to automate this workaround. QoS will be disabled and re-enabled whenever a port flaps.
       logging event link-status global
       event manager applet linkup-reqos
        event syslog pattern "changed state to up"
        action 1 cli command "enable"
        action 2 cli command "conf t"
        action 3 cli command "interface gigabitEthernet 2/1"
        action 4 cli command "no qos"
        action 5 cli command "qos"
CSCsw19087

•When you run an SNMP (getmany) query on cbQosPoliceStatsTable and cbQosREDClassStatsTable with a single SSH window (session), CPU utilization achives 99 per cent. If you query cbQosPoliceStatsTable and cbQosREDClassStatsTable from 18 SSH sessions, a CPU-HOG error message displays.

Workaround: None, other than stopping the query.

CSCsw89720

•On a supervisor engine running Cisco IOS Release 12.2(50)SG or later releases with one or more ports configured for single-host mode, MAB, and authentication control-direction in, hosts are not authenticated through MAB when a port is configured for single-host mode and you enter the unidirectional control in command (Wake-on-LAN).

Workaround: Disable the authentication control-direction in command.

If you require authentication control-direction in, configure the port for multi-authentication or Multi-Domain Authentication (MDA).

CSCsx98360

•On a redundant switch running Cisco IOS Releases 12.2(50)SG or 12.2(50)SG1 where
802.1X VVID and port security are configured on a port, CDP MAC from the non 802.1X capable Cisco IP phone might not be added to the port security table on the standby supervisor engine.

Workaround: None.

This problem is fixed in Cisco IOS Releases 12.2(50)SG2 and 12.2(52)SG.

CSCsw29489

•On a switch running Cisco IOS Release 12.2(50)SG or 12.2(50)SG1 where 802.1X VVID and port security are configured on a port, inserting a non 802.1X capable Cisco IP phone with LLDP capability and a PC behind it may trigger a security violation.

Workaround: Turn off LLDP (on the switch) and the phone (from Call Manager).

This problem is fixed in 12.2(50)SG2 and 12.2(52)SG.

CSCsy21167

•When you apply the auto qos voip trust command to an interface that already has an attached service-policy, you force the standby supervisor engine to reboot, provided one of the following apply:

–The switch has redundant supervisor engines running Cisco IOS Release 12.2(44)SG or 12.2(46)SG.

–You perform an ISSU upgrade/downgrade, the standby supervisor engine is running Cisco IOS Release 12.2(44)SG or 12.2(46)SG, and the active supervisor is running Release 12.2(50)SG or later.

Workaround: Remove an existing service-policy from the interface before running the
auto qos voip trust command.

CSCsq37471

•Parity errors in the CPU's cache cause IOS to crash with a crashdump file like the following:
Switch# show platform crashdump
VECTOR 0
*** CRASH DUMP ***
02/09/2009 10:10:30
Last crash: 02/09/2009 10:10:30
Build: 12.2(20090206:234053) IPBASE
buildversion addr: 13115584
MCSR: 40000000 <--- non-zero value!
.

The key pieces of data are "VECTOR 0" and a MCSR value of 40000000, 20000000, or 10000000.

Workaround: Enter the show platform cpu cache command to lanuch an IOS algorithm that detects and recovers from parity errors in the CPU's cache. You will obtain a running count of the number of CPU cache parity errors that have been successfully detected and corrected on a running system:
Switch# show platform cpu cache
L1 Instruction Cache: ENABLED
L1 Data Cache: ENABLED
L2 Cache: ENABLED
Machine Check Interrupts: 5
L1 Instruction Cache Parity Errors: 3
L1 Instruction Cache Parity Errors (CPU30): 1
L1 Data Cache Parity Errors: 1
CSCsx15372

•On a switch running Cisco IOS Release12.2(50)SG, supplicants authorized on PVLAN in multi-auth host mode are not moved to an Uauthorized state when the PVLAN is removed.

This problem occurs only when a port is configured with PVLAN and 802.1X multi-auth.

Workaround: Shut down then reopen the interface. (CSCsr58573)

•The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.

Workaround: None. (CSCsr95941)

•When the switch port configured with 802.1X Multi-Domain Authentication (MDA) and Guest VLAN is connected to a non-802.1X supplicant PC through a hub, the port falls back to guest VLAN. Subsequently, it is stuck in the guest VLAN and ignores all EAPOL traffic from another 802.1X supplicant PC connected to the hub.

Workaround: None. (CSCsu42775)

•The switch may reload after destroying the expExpressionTable row via SNMP when you enable the debug management expression evaluator command.

Workaround: Remove the above debug command. (CSCsu67323)

•A router may crash when a privilege-level 15 user logs on with the callback or callback-dialstring attribute.

'This problem is seen on all Catalyst 4500 or 4900 chassis running CiscoIOS Release 12.2.(50)SG. The problem occurs when the following conditions are present:

–The router is configured with AAA authentication and authorization.

–The AAA server runs CiscoSecure ACS 2.4.

–The callback or callback-dialstring attribute is configured on the AAA server for the user.

Workarounds: Do not configure the callback or callback-dialstring attribute for the user. If you use the callback-dialstring attribute in the TACACS+ profile, ensure that the NULL value is not configured. (CSCei62358)

•When you attempt an ISSU upgrade or downgrade between Cisco IOS Release 12.2(50)SG and 12.2(44)SG or 12.2(46)SG, the switch displays a traceback.

Workaround: None. (CSCsw32519)

•Entering the channel-group x mode or channel-protocol followed by lacp or pagp command on an fa1 management interface causes the active supervisor engine to reload.

Port-channel functionality is not supported on the management interface.

This is a configuration error.

Workaround: None. (CSCsv91302)

•On classic series supervisors and Supervisor Engine 6-E running Cisco IOS Release 12.2(50)SG and later releases, egress traffic is not allowed on ports configured for Wake-on-LAN (through the authentication control-direction in command) and Multi-domain Authentication (MDA) (through the authentication host-mode multi-domain command) before the port is authorized.

Workaround: None. CSCsy29140

•AutoQoS cannot be configured on member port(s) of a port-channel.
Switch# sh runn int fa 3/1
 channel-group 2 mode on  -- Port in etherchannel
Switch# conf t
Switch(config)# int fa 3/1
Switch(config-if)# auto qos voip trust
AutoQoS Error: AutoQoS can not be configured on member port(s) of a port-channel
This problem is first seen in 12.2(40)SG.

Workaround: Manually apply the configuration that is generated by AutoQoS. Do not use Auto Qos. CSCsv03316

•Under normal operation, you will observe the following messages in the logs:
001298: .Oct  8 01:38:50.968: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0  
aPErr interrupt. errAddr: 0x2947 dPErr: 1 mPErr: 0 valid: 1
001299: .Oct  8 01:51:20.100: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0  
aPErr interrupt. errAddr: 0x2B59 dPErr: 1 mPErr: 0 valid: 1
Workaround: None

CSCsv17545

Open Caveats in Cisco IOS Release 12.2(50)SG2

This section lists the open caveats in Cisco IOS Release 12.2(50)SG2:

•In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:
Switch# sh policy-map int
  FastEthernet3/2 
   Service-policy output: p1
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

•When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

–If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

–If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

•After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID

Old QueueName

New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log

Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
(CSCsc94802)

•To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

•An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

–A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

–This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

–Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

–Configure the correct default gateway on the host side. (CSCse75660)

•When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

•When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

•When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

•When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

•CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

•With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

•An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

–After a reload, copy the startup-config to the running-config.

–Use a loopback interface as the target of the ip unnumbered command

–Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

•In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

•During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
Workaround: None. (CSCso68331)

•When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)

•If you configure OFM on an Etherchannel (with at least two interfaces), when you shut or remove the first member that joined the channel, the CFM neighbor is lost.

Workaround: Clear the errors with the clear ethernet cfm errors command in EXEC mode. (CSCsv43819)

•Duplicate serial number error messages are reported on switching One X Convertor with SFP+, SFP+, X2 to another port, the inserted port enters a faulty status.

This problem impacts X2, OneX converters, and SFp+ on the Supervisor Engine 6-E, and linecards.

Workaround: Remove and reinsert the One X Convertor with SFP+ , SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)

•The presence of features and Per Vlan Capture might exhaust the TCAM masks.

Workaround: Disable Per VLAN Capture or some of the features. (CSCsr95455)

•Ping does not execute prior to a posture validation.

Workaround: Reapply the identity policy on the interface with the permit icmp command. (CSCsu03507

•On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configurd with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface.

(CSCso50921)

•On a switch running Cisco IOS Release12.2(50)SG, supplicants authorized on PVLAN in multi-auth host mode are not moved to an Uauthorized state when the PVLAN is removed.

This problem occurs only when a port is configured with PVLAN and 802.1X multi-auth.

Workaround: Shut down then reopen the interface. (CSCsr58573)

•When the switch port configured with 802.1X Multi-Domain Authentication (MDA) and Guest VLAN is connected to a non-802.1X supplicant PC through a hub, the port falls back to guest VLAN. Subsequently, it is stuck in the guest VLAN and ignores all EAPOL traffic from another 802.1X supplicant PC connected to the hub.

Workaround: None. (CSCsu42775)

•VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

•Egress traffic may not be allowed when 802.1X is configured as a Unidirectional Controlled Port.

Workarounds: Do one of the following:

–Enter spanning-tree portfast then authentication control-direction in on a 802.1X port.

–Enter shut then no shut on a 802.1X port.

(CSCsv05205)

•When you remove an SFP+ from a OneX converter in a X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in Duplicate Seeprom error message.

Workaround: When a log message appears indicating that the SFP+ has been removed , do one of the following:

–Enter any commands for that port.

–Insert an SFP+ in that port.

–Reinsert the removed SFP+ in any other port.

(CSCsv90044)

•The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.

Workaround: None. (CSCsr95941)

•The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.

Workaround: None. (CSCsr95941)

•When a PVLAN isolated port is connected to a router serving as a mutlicast source, and you enable igmp snooping, the routers connected to the isolated ports display as PIM neighbours.

Workaround: Do one of the following:

–Do not attach routers to PVLAN isolated ports.

–Disable igmp snooping (either globally or on the VLAN).

–Do not use a router connected to PVLAN isolated port as a multicast source.

(CSCsu39009)

•When you delete and recreate an interface, the tacking process is unable to track its state track.

Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)

•The switch may reload after destroying the expExpressionTable row via SNMP when you enable the debug management expression evaluator command.

Workaround: Remove the above debug command. (CSCsu67323)

•IP Router Option may not work with IGMP version 2.

Workaround: None. (CSCsv42869)

•A router may crash when a privilege-level 15 user logs on with the callback or callback-dialstring attribute.

'This problem is seen on all Catalyst 4500 or 4900 chassis running CiscoIOS Release 12.2.(50)SG. The problem occurs when the following conditions are present:

–The router is configured with AAA authentication and authorization.

–The AAA server runs CiscoSecure ACS 2.4.

–The callback or callback-dialstring attribute is configured on the AAA server for the user.

Workarounds: Do not configure the callback or callback-dialstring attribute for the user. If you use the callback-dialstring attribute in the TACACS+ profile, ensure that the NULL value is not configured. (CSCei62358)

•When you attempt an ISSU upgrade or downgrade between Cisco IOS Release 12.2(50)SG and 12.2(44)SG or 12.2(46)SG, the switch displays a traceback.

Workaround: None. (CSCsw32519)

•If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.

Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:

a. Reconfigure the VLAN Load Balancing configuration on the desired REP ports.

b. Shut any one REP port in the segment to cause a failure in that segment.

c. No-shut that port to restore normal REP topology with one ALT port.

d. Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.

(CSCsv69853)

•After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

•Entering the channel-group x mode or channel-protocol followed by lacp or pagp command on an fa1 management interface causes the active supervisor engine to reload.

Port-channel functionality is not supported on the management interface.

This is a configuration error.

Workaround: None. (CSCsv91302)

•AutoQoS cannot be configured on member ports of a port-channel.
Switch# sh runn int fa 3/1
 channel-group 2 mode on  -- Port in etherchannel
Switch# conf t
Switch(config)# int fa 3/1
Switch(config-if)# auto qos voip trust
AutoQoS Error: AutoQoS can not be configured on member port(s) of a port-channel
This problem is first seen in Cisco IOS Release 12.2(40)SG.

Workaround: Manually apply the configuration that would be generated by Auto QoS.

CSCsv00316

•The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

•On classic series supervisors and Supervisor Engine 6-E running Cisco IOS Release 12.2(50)SG and later releases, egress traffic is not allowed on ports configured for Wake-on-LAN (through the authentication control-direction in command) and Multi-domain Authentication (MDA) (through the authentication host-mode multi-domain command) before the port is authorized.

Workaround: None. CSCsy29140

•Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.

Workaround: None. CSCsy72343

•AutoQoS cannot be configured on member port(s) of a port-channel.
Switch# sh runn int fa 3/1
 channel-group 2 mode on  -- Port in etherchannel
Switch# conf t
Switch(config)# int fa 3/1
Switch(config-if)# auto qos voip trust
AutoQoS Error: AutoQoS can not be configured on member port(s) of a port-channel
This problem is first seen in 12.2(40)SG.

Workaround: Manually apply the configuration that is generated by AutoQoS. Do not use Auto Qos. CSCsv03316

Resolved Caveats in Cisco IOS Release 12.2(50)SG2

This section lists the resolved caveats in Release 12.2(50)SG2:

•Packets for traffic destined to SNAP host might be dropped if the ARP table indicates that the MAC entry is SNAP.

Workarounds:

1. Configure a static ARPA entry for host.

2. Upgrade to a future IOS release containing the fix.

CSCsu90780

•When SPAN is enabled and the SPAN source port is receiving malformed packet such as the error packets produced by collision, the port might stop receiving packets or might replay the packets repeatedly to cause flooding to other ports.

This issue is observed on platforms including WS-C4948 and WS-X4548-GB, and linecards including:

–WS-X4418-GB (Port 3-18)

–WS-X4506-GB-T (RJ45 ports)

–WS-X4424-GB-RJ45

–WS-X4448-GB-RJ45

–WS-X4548-GB-RJ45

–WS-X4524-GB-RJ45V

–WS-X4548-GB-RJ45V

Workaround: Enable packet filter function to alert the SPAN session to pass good packet only with the command:
monitor session 1 filter packet-type good rx
CSCsv07168

•On a Catalyst 4948-10GE chassis running IOS Cisco Releases 12.21(31)SGA or 12.2(46)SG, the default transmit queue selection based on IP DSCP value is incorrect. For example, both CS1 and CS5 traffics are passing through transmit queue 1, instead of 1 and 3.

Workaround: Enable and disable global QoS, as follows:
switch# conf t
switch(conf)# qos
switch(conf)# no qos
CSCsv29945

•On a Catalyst 4500 switch running 12.2(50)SG or 12.2(50)SG1, when 802.1X VVID and port security are configured together on a switch port, inserting a non 802.1x capable Cisco IP phone with a PC behind it may trigger a security violation.

Workaround: None. CSCsv63638

•If you configure multiple REP segments, pre-emption in one segment brings down all REP segments.

Workaround: None. CSCsv91297

•On a Catalyst 4500 series switch, if an isolated private VLAN trunk interface flaps, the ingress per-port per-vlan policer is no longer applied on the port.

Affected Cisco IOS releases include 12.2(31)SGA08, 12.2(37)SG, 12.2(40)SG, 12.2(46)SG, and 12.2(50)SG.

Workaround: Disable and configure QoS, as follows:
Switch# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# no qos
Switch(config)# qos
Switch(config)# end
Switch#
CSCsw19087

•A crash occurs when you enter the show idprom interface FastEthernet 1 command.

Workaround: None. CSCsw77413

•Hosts are not authenticated through MAB when you configure a port for single-host mode (with the authentication host-mode single-host command) and Wake-on-LAN (with the
authentication control-direction in command).

Workarounds: Disable Wake-on-LAN with the no authentication control-direction in command.

CSCsx98360

•On a Catalyst 4500 series switch running Cisco IOS Release 12.2(50)SG or 12.2(50)SG1, when you configure both 802.1X VVID and port security together on a switch port, then insert a non-802.1X capable Cisco IP phone with LLDP capability and a PC behind it, you might trigger a security violation. The violation is triggered when the PC behind the phone gets authorized on the port before the IP phone sends LLDP packet.

Workaround: Turn off LLDP on the switch and Cisco IP phone from Call Manager.

CSCsy21167

•When using control place policing, the control plane classes (the classes which are auto created by the macro global apply system-cpp command and use the predefined ACLs to match traffic) increment the packet and byte count. This mean that both counters are non-zero.

Instead, the data plane classes (configured manually by user written ACLs) increment the byte counter, but not the packet count (remains 0).

Workaround: None. CSCsw16557

Open Caveats in Cisco IOS Release 12.2(50)SG1

This section lists the open caveats in Cisco IOS Release 12.2(50)SG1:

•In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:
Switch# sh policy-map int
  FastEthernet3/2 
   Service-policy output: p1
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

•When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

–If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

–If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

•After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID

Old QueueName

New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log

Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
(CSCsc94802)

•To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

•An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

–A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

–This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

–Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

–Configure the correct default gateway on the host side. (CSCse75660)

•When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

•When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

•When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

•When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

•CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

•With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

•An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

–After a reload, copy the startup-config to the running-config.

–Use a loopback interface as the target of the ip unnumbered command

–Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

•In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

•During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
Workaround: None. (CSCso68331)

•When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)

•If you configure OFM on an Etherchannel (with at least two interfaces), when you shut or remove the first member that joined the channel, the CFM neighbor is lost.

Workaround: Clear the errors with the clear ethernet cfm errors command in EXEC mode. (CSCsv43819)

•The CTS SXP cts sxp default password mypassword configuration command does not work when you configure type 6 password encryption on the switch.

Workarounds:Use either of the following to set the sxp default password:

–Use clear text(non encryption)

–Type 7 password encryptio

(CSCsv33006)

•Duplicate serial number error messages are reported on switching One X Convertor with SFP+, SFP+, X2 to another port, the inserted port enters a faulty status.

This problem impacts X2, OneX converters, and SFp+ on the Supervisor Engine 6-E, and linecards.

Workaround: Remove and reinsert the One X Convertor with SFP+ , SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)

•The presence of features and Per Vlan Capture might exhaust the TCAM masks.

Workaround: Disable Per VLAN Capture or some of the features. (CSCsr95455)

•Ping does not execute prior to a posture validation.

Workaround: Reapply the identity policy on the interface with the permit icmp command. (CSCsu03507

•Certain Cisco Trusted Security (CTS) SXP connection configuration may not consistently select the best source IP for each SXP connection.

On a switch with multiple Layer 3 interfaces, if the CTS SXP connection is configured without specifying source IP address and no default SXP source IP address is configured on the box, different SXP connections may pickup different source IP address for each connection.

Workaround: Do one of the following:

–Ensure that only one active Layer 3 interface exists on the switch.

–Specify source the IP address in each SXP connection configuration so there is no ambiguity

–Configure a default SXP source IP address so that the SXP connection without the source IP address will use this source IP address.

(CSCsv28348)

•On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configurd with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface.

(CSCso50921)

•On a switch running Cisco IOS Release12.2(50)SG, supplicants authorized on PVLAN in multi-auth host mode are not moved to an Uauthorized state when the PVLAN is removed.

This problem occurs only when a port is configured with PVLAN and 802.1X multi-auth.

Workaround: Shut down then reopen the interface. (CSCsr58573)

•When the switch port configured with 802.1X Multi-Domain Authentication (MDA) and Guest VLAN is connected to a non-802.1X supplicant PC through a hub, the port falls back to guest VLAN. Subsequently, it is stuck in the guest VLAN and ignores all EAPOL traffic from another 802.1X supplicant PC connected to the hub.

Workaround: None. (CSCsu42775)

•VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

•Egress traffic may not be allowed when 802.1X is configured as a Unidirectional Controlled Port.

Workarounds: Do one of the following:

–Enter spanning-tree portfast then authentication control-direction in on a 802.1X port.

–Enter shut then no shut on a 802.1X port.

(CSCsv05205)

•When you remove an SFP+ from a OneX converter in a X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in Duplicate Seeprom error message.

Workaround: When a log message appears indicating that the SFP+ has been removed , do one of the following:

–Enter any commands for that port.

–Insert an SFP+ in that port.

–Reinsert the removed SFP+ in any other port.

(CSCsv90044)

•The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.

Workaround: None. (CSCsr95941)

•The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.

Workaround: None. (CSCsr95941)

•When a PVLAN isolated port is connected to a router serving as a mutlicast source, and you enable igmp snooping, the routers connected to the isolated ports display as PIM neighbours.

Workaround: Do one of the following:

–Do not attach routers to PVLAN isolated ports.

–Disable igmp snooping (either globally or on the VLAN).

–Do not use a router connected to PVLAN isolated port as a multicast source.

(CSCsu39009)

•When you delete and recreate an interface, the tacking process is unable to track its state track.

Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)

•CTS SXP connection with a default password may cause the following message to display on the console because of bad TCP authentication:
*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 
2.2.2.1(64999)
This issue is seen when the default SXP password is encrypted with type-6 encryption.

Workaround: Do one of the following:

–Use type 7 password encryption to encrypt the default SXP password

–Don't enable password encryption and allow the default SXP password to set in clear text.

(CSCsv33136)

•The switch may reload after destroying the expExpressionTable row via SNMP when you enable the debug management expression evaluator command.

Workaround: Remove the above debug command. (CSCsu67323)

•IP Router Option may not work with IGMP version 2.

Workaround: None. (CSCsv42869)

•A router may crash when a privilege-level 15 user logs on with the callback or callback-dialstring attribute.

'This problem is seen on all Catalyst 4500 or 4900 chassis running CiscoIOS Release 12.2.(50)SG. The problem occurs when the following conditions are present:

–The router is configured with AAA authentication and authorization.

–The AAA server runs CiscoSecure ACS 2.4.

–The callback or callback-dialstring attribute is configured on the AAA server for the user.

Workarounds: Do not configure the callback or callback-dialstring attribute for the user. If you use the callback-dialstring attribute in the TACACS+ profile, ensure that the NULL value is not configured. (CSCei62358)

•When you attempt an ISSU upgrade or downgrade between Cisco IOS Release 12.2(50)SG and 12.2(44)SG or 12.2(46)SG, the switch displays a traceback.

Workaround: None. (CSCsw32519)

•If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.

Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:

a. Reconfigure the VLAN Load Balancing configuration on the desired REP ports.

b. Shut any one REP port in the segment to cause a failure in that segment.

c. No-shut that port to restore normal REP topology with one ALT port.

d. Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.

(CSCsv69853)

•After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

•Entering the channel-group x mode or channel-protocol followed by lacp or pagp command on an fa1 management interface causes the active supervisor engine to reload.

Port-channel functionality is not supported on the management interface.

This is a configuration error.

Workaround: None. (CSCsv91302)

Resolved Caveats in Cisco IOS Release 12.2(50)SG1

This section lists the resolved caveats in Release 12.2(50)SG1:

•When port security is configured on a port connected to a host via an IP phone and the host is disconnected, the host's MAC address is not removed from the port security MAC address table even if the IP phone and switch support the CDP 2nd port disconnect TLV feature.

Workaround:To remove the host's MAC address from the port security MAC address table, unconfigure and reconfigure port security on the port. (CSCsr74097)

Open Caveats in Cisco IOS Release 12.2(50)SG

This section lists the open caveats in Cisco IOS Release 12.2(50)SG:

•In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:
Switch# sh policy-map int
  FastEthernet3/2 
   Service-policy output: p1
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

•When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

–If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

–If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

•After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID

Old QueueName

New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log

Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
(CSCsc94802)

•To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

•An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

–A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

–This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

–Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

–Configure the correct default gateway on the host side. (CSCse75660)

•When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

•When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

•When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

•When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

•CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

•With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

•An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

–After a reload, copy the startup-config to the running-config.

–Use a loopback interface as the target of the ip unnumbered command

–Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

•In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

•During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
Workaround: None. (CSCso68331)

•When you configure ip source binding statically on an interface, and then remove linecard on which the interface resides, the entries are not removed from the running config.

Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)

•If you configure OFM on an Etherchannel (with at least two interfaces), when you shut or remove the first member that joined the channel, the CFM neighbor is lost.

Workaround: Clear the errors with the clear ethernet cfm errors command in EXEC mode. (CSCsv43819)

•The CTS SXP cts sxp default password mypassword configuration command does not work when you configure type 6 password encryption on the switch.

Workarounds:Use either of the following to set the sxp default password:

–Use clear text(non encryption)

–Type 7 password encryptio

(CSCsv33006)

•Duplicate serial number error messages are reported on switching One X Convertor with SFP+, SFP+, X2 to another port, the inserted port enters a faulty status.

This problem impacts X2, OneX converters, and SFp+ on the Supervisor Engine 6-E, and linecards.

Workaround: Remove and reinsert the One X Convertor with SFP+ , SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)

•The presence of features and Per Vlan Capture might exhaust the TCAM masks.

Workaround: Disable Per VLAN Capture or some of the features. (CSCsr95455)

•Ping does not execute prior to a posture validation.

Workaround: Reapply the identity policy on the interface with the permit icmp command. (CSCsu03507

•Certain Cisco Trusted Security (CTS) SXP connection configuration may not consistently select the best source IP for each SXP connection.

On a switch with multiple Layer 3 interfaces, if the CTS SXP connection is configured without specifying source IP address and no default SXP source IP address is configured on the box, different SXP connections may pickup different source IP address for each connection.

Workaround: Do one of the following:

–Ensure that only one active Layer 3 interface exists on the switch.

–Specify source the IP address in each SXP connection configuration so there is no ambiguity

–Configure a default SXP source IP address so that the SXP connection without the source IP address will use this source IP address.

(CSCsv28348)

•On a Catalyst 4500 switch running 12.2(50)SG, when the access VLAN is deleted and then restored on a port configurd with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the access VLAN is restored.

This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.

Workaround: Shut down then reopen the interface.

(CSCso50921)

•On a switch running Cisco IOS Release12.2(50)SG, supplicants authorized on PVLAN in multi-auth host mode are not moved to an Uauthorized state when the PVLAN is removed.

This problem occurs only when a port is configured with PVLAN and 802.1X multi-auth.

Workaround: Shut down then reopen the interface. (CSCsr58573)

•When the switch port configured with 802.1X Multi-Domain Authentication (MDA) and Guest VLAN is connected to a non-802.1X supplicant PC through a hub, the port falls back to guest VLAN. Subsequently, it is stuck in the guest VLAN and ignores all EAPOL traffic from another 802.1X supplicant PC connected to the hub.

Workaround: None. (CSCsu42775)

•VTP databases do not propagate through promiscuous trunk ports. If only promiscuous trunks are configured, users will not see the VLAN updates on the other switches in the VTP domain.

Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)

•Egress traffic may not be allowed when 802.1X is configured as a Unidirectional Controlled Port.

Workarounds: Do one of the following:

–Enter spanning-tree portfast then authentication control-direction in on a 802.1X port.

–Enter shut then no shut on a 802.1X port.

(CSCsv05205)

•When you remove an SFP+ from a OneX converter in a X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in Duplicate Seeprom error message.

Workaround: When a log message appears indicating that the SFP+ has been removed , do one of the following:

–Enter any commands for that port.

–Insert an SFP+ in that port.

–Reinsert the removed SFP+ in any other port.

(CSCsv90044)

•The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.

Workaround: None. (CSCsr95941)

•The switch does not accept the snmp mib target list vrf command. This CLI is rejected even if the vrf is present in the DUT.

Workaround: None. (CSCsr95941)

•When a PVLAN isolated port is connected to a router serving as a mutlicast source, and you enable igmp snooping, the routers connected to the isolated ports display as PIM neighbours.

Workaround: Do one of the following:

–Do not attach routers to PVLAN isolated ports.

–Disable igmp snooping (either globally or on the VLAN).

–Do not use a router connected to PVLAN isolated port as a multicast source.

(CSCsu39009)

•When you delete and recreate an interface, the tacking process is unable to track its state track.

Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)

•CTS SXP connection with a default password may cause the following message to display on the console because of bad TCP authentication:
*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 
2.2.2.1(64999)
This issue is seen when the default SXP password is encrypted with type-6 encryption.

Workaround: Do one of the following:

–Use type 7 password encryption to encrypt the default SXP password

–Don't enable password encryption and allow the default SXP password to set in clear text.

(CSCsv33136)

•The switch may reload after destroying the expExpressionTable row via SNMP when you enable the debug management expression evaluator command.

Workaround: Remove the above debug command. (CSCsu67323)

•IP Router Option may not work with IGMP version 2.

Workaround: None. (CSCsv42869)

•A router may crash when a privilege-level 15 user logs on with the callback or callback-dialstring attribute.

'This problem is seen on all Catalyst 4500 or 4900 chassis running CiscoIOS Release 12.2.(50)SG. The problem occurs when the following conditions are present:

–The router is configured with AAA authentication and authorization.

–The AAA server runs CiscoSecure ACS 2.4.

–The callback or callback-dialstring attribute is configured on the AAA server for the user.

Workarounds: Do not configure the callback or callback-dialstring attribute for the user. If you use the callback-dialstring attribute in the TACACS+ profile, ensure that the NULL value is not configured. (CSCei62358)

•When you attempt an ISSU upgrade or downgrade between Cisco IOS Release 12.2(50)SG and 12.2(44)SG or 12.2(46)SG, the switch displays a traceback.

Workaround: None. (CSCsw32519)

•If VLAN Load Balancing is progressing, and you reconfigure VLAN Load Balancing to reflect different blocking ports, manual preemption does not occur.

Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:

a. Reconfigure the VLAN Load Balancing configuration on the desired REP ports.

b. Shut any one REP port in the segment to cause a failure in that segment.

c. No-shut that port to restore normal REP topology with one ALT port.

d. Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration.

(CSCsv69853)

•After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.101   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': 
eou_auth 4.1.0.102   Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 
106617F8
This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. (CSCsw14005)

•Entering the channel-group x mode or channel-protocol followed by lacp or pagp command on an fa1 management interface causes the active supervisor engine to reload.

Port-channel functionality is not supported on the management interface.

This is a configuration error.

Workaround: None. (CSCsv91302)

Resolved Caveats in Cisco IOS Release 12.2(50)SG

This section lists the resolved caveats in Release 12.2(50)SG:

•With CFM, if the VLAN associated with the service instance/MEP is allocated after the Inward Facing MEP (IFM) is configured on an interface whose status is down, the IFM CC status remains inactive in the output of the show ethernet CFM maintenance local command. Also, the CFM remote neighbor is not seen.

This behavior is only seen when VLAN is allocated after the IFM is configured.

Workaround: Unconfigure with the no ethernet cfm mep level mpid vlan command, then reconfigure the IFM with the ethernet cfm mep level mpid vlan command on the port after the VLAN is allocated. Verify that the C-Status of the IFM is Active with the
show ethernet cfm maintenance-points local command. (CSCsm85460)

•Occasionally, if a PC continues to send traffic behind an 802.1X capable phone that is plugged into a port configured with MDA (Multi-Domain Authentication), MAB (MAC Authentication Bypass) and port security, a 802.1X security violation is triggered if the port observes traffic from the PC before the phone is fully authorized on the port.

Workaround: Authenticate the phone before plugging a PC behind the phone. (CSCsq92724)

•After CFM is disabled globally and then a switch is reloaded with the CFM configuration in place, and after reload when cfm is enabled globally, the cfm meps are being inactive, which results in loss of cfm neighbors.

Workarounds: Do one of the following:

–Reapply the cfm configuration; at a minimum, remove and re-add the MEPs configured on all the interfaces of the switch.

–Deallocate cfm service VLANs and reallocate them.

(CSCsq90598)

•The show ip cache verbose flow command does not display the AS path information, when netflow aggregation for origin-as is configured.

Workaround: None. (CSCsq63572)

•In REP, when you change the VLAN Load Balancing configuration to reflect different VLAN blocking, Manual Preemption doesn't occur.

Workaround: Intentionally fail the link between two switches by physically pulling the cable or shutting down the interface. Then, return the links to a normal condition. This will be followed by delayed preemption, which you might have already configured. (CSCsm91997)

•Cisco IOS software contains a vulnerability in multiple features that could allow an attacker to cause a denial of service (DoS) condition on the affected device. A sequence of specially crafted TCP packets can cause the vulnerable device to reload.

Cisco has released free software updates that address this vulnerability.

Several mitigation strategies are outlined in the workarounds section of this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml

CSCsr29468

•Symptoms: Several features within Cisco IOS software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked, transit traffic will not block the interface.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory. This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml.

CSCsk64158

•Symptoms: SSLVPN service stops accepting any new SSLVPN connections.

Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections, due to a vulnerability in the processing of new TCP connections for SSLVPN services. If "debug ip tcp transactions" is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed. This vulnerability is documented in two separate Cisco bug IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.

CSCso04657

Open Caveats in Cisco IOS Release 12.2(46)SG

This section lists the open caveats in Cisco IOS Release 12.2(46)SG:

•In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:
Switch# sh policy-map int
  FastEthernet3/2 
   Service-policy output: p1
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

•When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

–If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

–If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

•After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID

Old QueueName

New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log

Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
(CSCsc94802)

•To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

•An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

–A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

–This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

–Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

–Configure the correct default gateway on the host side. (CSCse75660)

•When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

•When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

•When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

•When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

•In REP, when you change the VLAN Load Balancing configuration to reflect different VLAN blocking, Manual Preemption doesn't occur.

Workaround: Intentionally fail the link between two switches by physically pulling the cable or shutting down the interface. Then, return the links to a normal condition. This will be followed by delayed preemption, which you might have already configured. (CSCsm91997)

•Occasionally, if a PC continues to send traffic behind an 802.1X capable phone that is plugged into a port configured with MDA (Multi-Domain Authentication), MAB (MAC Authentication Bypass) and port security, a 802.1X security violation is triggered if the port observes traffic from the PC before the phone is fully authorized on the port.

Workaround: Authenticate the phone before plugging a PC behind the phone. (CSCsq92724)

•With CFM, if the VLAN associated with the service instance/MEP is allocated after the Inward Facing MEP (IFM) is configured on an interface whose status is down, the IFM CC status remains inactive in the output of the show ethernet CFM maintenance local command. Also, the CFM remote neighbor is not seen.

This behavior is only seen when VLAN is allocated after the IFM is configured.

Workaround: Unconfigure with the no ethernet cfm mep level mpid vlan command, then reconfigure the IFM with the ethernet cfm mep level mpid vlan command on the port after the VLAN is allocated. Verify that the C-Status of the IFM is Active with the
show ethernet cfm maintenance-points local command. (CSCsm85460)

•The show ip cache verbose flow command does not display the AS path information, when netflow aggregation for origin-as is configured.

Workaround: None. (CSCsq63572)

•CFM packets pass through the Layer 2 protocol tunnel.

Workaround: None. (CSCsq72572)

•With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing).

Workaround: None. (CSCso93282)

•An IP unnumbered configuration is lost after a reload.

Workarounds: Do one of the following:

–After a reload, copy the startup-config to the running-config.

–Use a loopback interface as the target of the ip unnumbered command

–Change the CLI configuration such that during bootup, the router port is created first.

(CSCsq63051)

•After CFM is disabled globally and then a switch is reloaded with the CFM configuration in place, and after reload when cfm is enabled globally, the cfm meps are being inactive, which results in loss of cfm neighbors.

Workarounds: Do one of the following:

–Reapply the cfm configuration; at a minimum, remove and re-add the MEPs configured on all the interfaces of the switch.

–Deallocate cfm service VLANs and reallocate them.

(CSCsq90598)

•In SSO mode, when a port-channel is created, deleted, and re-created on an active supervisor engine with the same channel-number, the standby port-channel state goes out of sync. After a switch over, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)

•During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on console of the active supervisor engine:
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal
software error occurred. Null0 linked to wrong hwidb Null0
Workaround: None. (CSCso68331)

Resolved Caveats in Cisco IOS Release 12.2(46)SG

This section lists the resolved caveats in Release 12.2(46)SG:

•The REP Admin VLAN and RSPAN destination VLAN should not match. A given VLAN can be configured as a REP Admin VLAN as well as an RSPAN destination VLAN.

Workaround: Ensure that the REP Admin VLAN and the RSPAN destination VLAN differ. (CSCso12495)

•Under VLAN Load Balancing, the failure of a segment or the removal of supervisor engine may cause looping in the REP segment.

Workaround: None. (CSCsm61748)

•If you configure IPv6 MTU on an interface using the ipv6 mtu mtu-value command without first enabling IPv6 on the interface, your switch might pause indefinitely on startup.

Workarounds: Before configuring IPv6 MTU on an interface you must enable IPv6 on the interface. To enable IPv6, use the ipv6 enable command.

If you encounter this issue use the following commands in this order to recover your switch:

1. from the rommon prompt, use the confreg command to ignore the startup configuration

2. reset command to reboot your switch

3. copy startup-config running-config command to copy your startup configuration to your running configuration

4. ipv6 enable command to enable IPv6 on the interfaces

5. ipv6 mtu mtu-value command to configure IPv6 MTU on your interface

6. copy running-config startup-config command to save your recovered configuration

7. reload command on the switch to return to Rommon

8. from rommon, use the confreg command to process the startup config

9. reset the switch to resume normal operation. (CSCso42867)

Open Caveats in Cisco IOS Release 12.2(44)SG1

This section lists the open caveats in Cisco IOS Release 12.2(44)SG1:

•In rare instances, when you are using MAC ACL-based policers, the packet match counters in
show policy-map interface fa6/1 do not show the packets being matched:
Switch# sh policy-map int
  FastEthernet3/2 
   Service-policy output: p1
     Class-map: c1 (match-all)
       0 packets		<--------It stays at '0' despite of traffic being received
       Match: access-group name fnacl21
       police: Per-interface
         Conform: 9426560 bytes Exceed: 16573440 bytes
Workaround: Verify that the MAC addresses being transmitted through the system are learned.

(CSCef01798)

•When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.

–If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.

–If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either of these differs from the FQDN in the certificate, then the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing keypair is used in the new certificate.

On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.

Workaround: Re-connect. (CSCsb11964)

•After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.

This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.

QueueID

Old QueueName

New QueueName

5

control-packet

control-packet

6

rpf-failure

control-packet

7

adj-same-if

control-packet

8

<unused queue>

control-packet

11

<unused queue>

adj-same-if

13

acl input log

rfp-failure

14

acl input forward

acl input log

Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue <new_Queue_Name>
(CSCsc94802)

•To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.

Workaround: None. (CSCsc11726)

•An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

This could occur for these reasons:

–A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.

–This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.

Workarounds:

–Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.

–Configure the correct default gateway on the host side. (CSCse75660)

•When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure
qos account layer2 encapsulation.

Workaround: None. (CSCsg58526)

•When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command.

This does not impact performance.

Workaround: Issue the no shutdown command. (CSCsg27395)

•If the ACL of an SVI interface is too large for the TCAM, ARP replies for the associated VLAN may not be processed.

Workaround: Upgrade to Cisco IOS Release 12.2(31)SG or later and resize the TCAM with the
access-list hardware region balance command to support the ACL Verify TCAM utilization with the show platform hardware acl statistics utilization brief command. (CSCse50565)

•When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).

•The REP Admin VLAN and RSPAN destination VLAN should not match. A given VLAN can be configured as a REP Admin VLAN as well as an RSPAN destination VLAN.

Workaround: Ensure that the REP Admin VLAN and the RSPAN destination VLAN differ. (CSCso12495)

•When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms.

Workaround: None. (CSCsm30320)

•In REP, when you change the VLAN Load Balancing configuration to reflect different VLAN blocking, Manual Preemption doesn't occur.

Workaround: Intentionally fail the link between two switches by physically pulling the cable or shutting down the interface. Then, return the links to a normal condition . This will be followed by delayed preemption, which you might have already configured. (CSCsm91997)

•Under VLAN Load Balancing, the failure of a segment or the removal of supervisor engine may cause looping in the REP segment.

Hierarchical Navigation

Cisco Catalyst 4900 Series Switches

Release Note for Catalyst 4948 Series Switch, Cisco IOS 12.2EW and 12.2SG

Downloads

Table Of Contents

Release Notes for the Catalyst 4900 Series Switch, Cisco IOS Release 12.2(52)SG

Contents

Cisco IOS Software Packaging for the Cisco Catalyst 4900 Series

Catalyst 4900 Series Switch Cisco IOS Release Strategy

Cisco IOS Software Migration

Summary of Migration Plan

Support

System Requirements

Supported Hardware

Supported Features

Unsupported Features

New and Changed Information

New Hardware Features in Release 12.2(52)SG

New Software Features in Release 12.2(52)SG

New Hardware Features in Release 12.2(50)SG2

New Software Features in Release 12.2(50)SG2

New Hardware Features in Release 12.2(50)SG1

New Software Features in Release 12.2(50)SG1

New Hardware Features in Release 12.2(50)SG

New Software Features in Release 12.2(50)SG

New Hardware Features in Release 12.2(46)SG

New Software Features in Release 12.2(46)SG

New Hardware Features in Release 12.2(44)SG

New Software Features in Release 12.2(44)SG

New Hardware Features in Release 12.2(40)SG

New Software Features in Release 12.2(40)SG

New Hardware Features in Release 12.2(37)SG

New Software Features in Release 12.2(37)SG

New Hardware Features in Release 12.2(31)SGA

New Software Features in Release 12.2(31)SGA

New Hardware Features in Release 12.2(31)SG

New Software Features in Release 12.2(31)SG

New Hardware Features in Release 12.2(25)SG

New Software Features in Release 12.2(25)SG

New Hardware Features in Release 12.2(25)EWA

New Software Features in Release 12.2(25)EWA

New Hardware Features in Release 12.2(25)EW

New Software Features in Release 12.2(25)EW

New Hardware Features in Release 12.2(20)EWA

New Software Features in Release 12.2(20)EWA

Upgrading the System Software

Upgrading the ROMMON from the Console

Upgrading the ROMMON Remotely Using Telnet

Upgrading the Cisco IOS Software

Limitations and Restrictions

Caveats

Open Caveats in Cisco IOS Release 12.2(52)SG

Resolved Caveats in Cisco IOS Release 12.2(52)SG

Open Caveats in Cisco IOS Release 12.2(50)SG2

Resolved Caveats in Cisco IOS Release 12.2(50)SG2

Open Caveats in Cisco IOS Release 12.2(50)SG1

Resolved Caveats in Cisco IOS Release 12.2(50)SG1

Open Caveats in Cisco IOS Release 12.2(50)SG

Resolved Caveats in Cisco IOS Release 12.2(50)SG

Open Caveats in Cisco IOS Release 12.2(46)SG

Resolved Caveats in Cisco IOS Release 12.2(46)SG

Open Caveats in Cisco IOS Release 12.2(44)SG1