 Feedback
|
Table Of Contents
Release Notes for the Catalyst 4900 Series Switch, Cisco IOS Release 12.2(54)SG
Cisco IOS Software Packaging for the
Cisco Catalyst 4900 Series SwitchCatalyst 4900 Series Switch Cisco IOS Release Strategy
New Hardware Features in Release 12.2(54)SG
New Software Features in Release 12.2(54)SG
New Hardware Features in Release 12.2(53)SG3
New Software Features in Release 12.2(53)SG3
New Hardware Features in Release 12.2(53)SG
New Software Features in Release 12.2(53)SG
New Hardware Features in Release 12.2(52)SG
New Software Features in Release 12.2(52)SG
New Hardware Features in Release 12.2(50)SG2
New Software Features in Release 12.2(50)SG2
New Hardware Features in Release 12.2(50)SG1
New Software Features in Release 12.2(50)SG1
New Hardware Features in Release 12.2(50)SG
New Software Features in Release 12.2(50)SG
New Hardware Features in Release 12.2(46)SG
New Software Features in Release 12.2(46)SG
New Hardware Features in Release 12.2(44)SG
New Software Features in Release 12.2(44)SG
New Hardware Features in Release 12.2(40)SG
New Software Features in Release 12.2(40)SG
New Hardware Features in Release 12.2(37)SG
New Software Features in Release 12.2(37)SG
New Hardware Features in Release 12.2(31)SGA
New Software Features in Release 12.2(31)SGA
New Hardware Features in Release 12.2(31)SG
New Software Features in Release 12.2(31)SG
New Hardware Features in Release 12.2(25)SG
New Software Features in Release 12.2(25)SG
New Hardware Features in Release 12.2(25)EWA
New Software Features in Release 12.2(25)EWA
New Hardware Features in Release 12.2(25)EW
New Software Features in Release 12.2(25)EW
New Hardware Features in Release 12.2(20)EWA
New Software Features in Release 12.2(20)EWA
Upgrading the ROMMON from the Console
Upgrading the ROMMON Remotely Using Telnet
Upgrading the Cisco IOS Software
Open Caveats in Cisco IOS Release 12.2(54)SG1
Resolved Caveats in Cisco IOS Release 12.2(54)SG1
Open Caveats in Cisco IOS Release 12.2(54)SG
Resolved Caveats in Cisco IOS Release 12.2(54)SG
Open Caveats in Cisco IOS Release 12.2(53)SG9
Resolved Caveats in Cisco IOS Release 12.2(53)SG9
Open Caveats in Cisco IOS Release 12.2(53)SG8
Resolved Caveats in Cisco IOS Release 12.2(53)SG8
Open Caveats in Cisco IOS Release 12.2(53)SG7
Resolved Caveats in Cisco IOS Release 12.2(53)SG7
Open Caveats in Cisco IOS Release 12.2(53)SG6
Resolved Caveats in Cisco IOS Release 12.2(53)SG6
Open Caveats in Cisco IOS Release 12.2(53)SG5
Resolved Caveats in Cisco IOS Release 12.2(53)SG5
Open Caveats in Cisco IOS Release 12.2(53)SG4
Resolved Caveats in Cisco IOS Release 12.2(53)SG4
Open Caveats in Cisco IOS Release 12.2(53)SG3
Resolved Caveats in Cisco IOS Release 12.2(53)SG3
Open Caveats in Cisco IOS Release 12.2(53)SG2
Resolved Caveats in Cisco IOS Release 12.2(53)SG2
Open Caveats in Cisco IOS Release 12.2(53)SG1
Resolved Caveats in Cisco IOS Release 12.2(53)SG1
Open Caveats in Cisco IOS Release 12.2(53)SG
Resolved Caveats in Cisco IOS Release 12.2(53)SG
Open Caveats in Cisco IOS Release 12.2(52)SG
Resolved Caveats in Cisco IOS Release 12.2(52)SG
Open Caveats in Cisco IOS Release 12.2(50)SG8
Resolved Caveats in Cisco IOS Release 12.2(50)SG8
Open Caveats in Cisco IOS Release 12.2(50)SG7
Resolved Caveats in Cisco IOS Release 12.2(50)SG7
Open Caveats in Cisco IOS Release 12.2(50)SG6
Resolved Caveats in Cisco IOS Release 12.2(50)SG6
Open Caveats in Cisco IOS Release 12.2(50)SG4
Resolved Caveats in Cisco IOS Release 12.2(50)SG4
Open Caveats in Cisco IOS Release 12.2(50)SG2
Resolved Caveats in Cisco IOS Release 12.2(50)SG2
Open Caveats in Cisco IOS Release 12.2(50)SG1
Resolved Caveats in Cisco IOS Release 12.2(50)SG1
Open Caveats in Cisco IOS Release 12.2(50)SG
Resolved Caveats in Cisco IOS Release 12.2(50)SG
Open Caveats in Cisco IOS Release 12.2(46)SG
Resolved Caveats in Cisco IOS Release 12.2(46)SG
Open Caveats in Cisco IOS Release 12.2(44)SG1
Resolved Caveats in Cisco IOS Release 12.2(44)SG1
Open Caveats in Cisco IOS Release 12.2(44)SG
Resolved Caveats in Cisco IOS Release 12.2(44)SG
Open Caveats in Cisco IOS Release 12.2(40)SG
Resolved Caveats in Cisco IOS Release 12.2(40)SG
Open Caveats in Cisco IOS Release 12.2(37)SG1
Resolved Caveats in Cisco IOS Release 12.2(37)SG1
Open Caveats in Cisco IOS Release 12.2(37)SG
Resolved Caveats in Cisco IOS Release 12.2(37)SG
Open Caveats in Cisco IOS Release 12.2(31)SGA11
Resolved Caveats in Cisco IOS Release 12.2(31)SGA11
Open Caveats in Cisco IOS Release 12.2(31)SGA10
Resolved Caveats in Cisco IOS Release 12.2(31)SGA10
Open Caveats in Cisco IOS Release 12.2(31)SGA9
Resolved Caveats in Cisco IOS Release 12.2(31)SGA9
Open Caveats in Cisco IOS Release 12.2(31)SGA8
Resolved Caveats in Cisco IOS Release 12.2(31)SGA8
Open Caveats in Cisco IOS Release 12.2(31)SGA7
Resolved Caveats in Cisco IOS Release 12.2(31)SGA7
Open Caveats in Cisco IOS Release 12.2(31)SGA6
Resolved Caveats in Cisco IOS Release 12.2(31)SGA6
Open Caveats in Cisco IOS Release 12.2(31)SGA5
Resolved Caveats in Cisco IOS Release 12.2(31)SGA5
Open Caveats in Cisco IOS Release 12.2(31)SGA4
Resolved Caveats in Cisco IOS Release 12.2(31)SGA4
Open Caveats in Cisco IOS Release 12.2(31)SGA3
Resolved Caveats in Cisco IOS Release 12.2(31)SGA3
Open Caveats in Cisco IOS Release 12.2(31)SGA2
Resolved Caveats in Cisco IOS Release 12.2(31)SGA2
Open Caveats in Cisco IOS Release 12.2(31)SGA1
Resolved Caveats in Cisco IOS Release 12.2(31)SGA1
Open Caveats in Cisco IOS Release 12.2(31)SGA
Resolved Caveats in Cisco IOS Release 12.2(31)SGA
Open Caveats in Cisco IOS Release 12.2(31)SG2
Resolved Caveats in Cisco IOS Release 12.2(31)SG3
Open Caveats in Cisco IOS Release 12.2(31)SG2
Resolved Caveats in Cisco IOS Release 12.2(31)SG2
Open Caveats in Cisco IOS Release 12.2(31)SG1
Resolved Caveats in Cisco IOS Release 12.2(31)SG1
Open Caveats in Cisco IOS Release 12.2(31)SG
Resolved Caveats in Cisco IOS Release 12.2(31)SG
Open Caveats in Cisco IOS Release 12.2(25)SG4
Resolved Caveats in Cisco IOS Release 12.2(25)SG4
Open Caveats in Cisco IOS Release 12.2(25)SG3
Resolved Caveats in Cisco IOS Release 12.2(25)SG3
Open Caveats in Cisco IOS Release 12.2(25)SG2
Resolved Caveats in Cisco IOS Release 12.2(25)SG2
Open Caveats in Cisco IOS Release 12.2(25)SG1
Resolved Caveats in Cisco IOS Release 12.2(25)SG1
Open Caveats in Cisco IOS Release 12.2(25)SG
Resolved Caveats in Cisco IOS Release 12.2(25)SG
Open Caveats in Cisco IOS Release 12.2(25)EWA14
Resolved Caveats in Cisco IOS Release 12.2(25)EWA14
Open Caveats in Cisco IOS Release 12.2(25)EWA13
Resolved Caveats in Cisco IOS Release 12.2(25)EWA13
Open Caveats in Cisco IOS Release 12.2(25)EWA12
Resolved Caveats in Cisco IOS Release 12.2(25)EWA12
Open Caveats in Cisco IOS Release 12.2(25)EWA11
Resolved Caveats in Cisco IOS Release 12.2(25)EWA11
Open Caveats in Cisco IOS Release 12.2(25)EWA10
Resolved Caveats in Cisco IOS Release 12.2(25)EWA10
Open Caveats in Cisco IOS Release 12.2(25)EWA9
Resolved Caveats in Cisco IOS Release 12.2(25)EWA9
Open Caveats in Cisco IOS Release 12.2(25)EWA8
Resolved Caveats in Cisco IOS Release 12.2(25)EWA8
Open Caveats in Cisco IOS Release 12.2(25)EWA7
Resolved Caveats in Cisco IOS Release 12.2(25)EWA7
Open Caveats in Cisco IOS Release 12.2(25)EWA6
Resolved Caveats in Cisco IOS Release 12.2(25)EWA6
Open Caveats in Cisco IOS Release 12.2(25)EWA5
Resolved Caveats in Cisco IOS Release 12.2(25)EWA5
Open Caveats in Cisco IOS Release 12.2(25)EWA4
Resolved Caveats in Cisco IOS Release 12.2(25)EWA4
Open Caveats in Cisco IOS Release 12.2(25)EWA3
Resolved Caveats in Cisco IOS Release 12.2(25)EWA3
Open Caveats in Cisco IOS Release 12.2(25)EWA2
Resolved Caveats in Cisco IOS Release 12.2(25)EWA2
Open Caveats in Cisco IOS Release 12.2(25)EWA1
Resolved Caveats in Cisco IOS Release 12.2(25)EWA1
Open Caveats in Cisco IOS Release 12.2(25)EWA
Resolved Caveats in Cisco IOS Release 12.2(25)EWA
Open Caveats in Cisco IOS Release 12.2(25)EW
Resolved Caveats in Cisco IOS Release 12.2(25)EW
Open Caveats in Cisco IOS Release 12.2(20)EWA4
Resolved Caveats in Cisco IOS Release 12.2(20)EWA4
Open Caveats in Cisco IOS Release 12.2(20)EWA3
Resolved Caveats in Cisco IOS Release 12.2(20)EWA3
Open Caveats in Cisco IOS Release 12.2(20)EWA2
Resolved Caveats in Cisco IOS Release 12.2(20)EWA2
Open Caveats in Cisco IOS Release 12.2(20)EWA1
Resolved Caveats in Cisco IOS Release 12.2(20)EWA1
Open Caveats in Cisco IOS Release 12.2(20)EWA
Resolved Caveats in Cisco IOS Release 12.2(20)EWA
Troubleshooting at the System Level
Obtaining Documentation and Submitting a Service Request
Release Notes for the Catalyst 4900 Series Switch, Cisco IOS Release 12.2(54)SG
Current Release
12.2(54)SG1—February 7, 2011Previous Releases
12.2(54)SG, 12.2(53)SG9, 12.2(53)SG8, 12.2(53)SG7, 12.2(53)SG6, 12.2(53)SG5, 12.2(54)SG4, 12.2(53)SG3, 12.2(53)SG2, 12.2(53)SG1, 12.2(53)SG, 12.2(52)SG, 12.2(50)SG8, 12.2(50)SG7, 12.2(50)SG6, 12.2(50)SG4, 12.2(50)SG2, 12.1(50)SG1, 12.2(50)SG, 12.2(46)SG, 12.2(44)SG1, 12.2(44)SG, 12.2(37)SG1, 12..2(37)SG, 12.2(31)SGA11, 12.2(31)SGA10, 12.2(31)SGA9, 12.2(31)SGA8, 12.2(31)SGA7, 12.2(31)SGA6, 12.2(31)SGA5, 12.2(31)SGA4, 12.2(31)SGA3, 12.2(31)SGA2, 12.2(31)SGA1, 12.2(31)SGA, 12.2(31)SG3, 12.2(31)SG2, 12.2(31)SG1, 12.2(31)SG, 112.2(25)SG4, 2.2(25)SG3, 12.2(25)SG2, 12.2(25)SG1, 12.2(25)SG, 12.2(25)EWA14, 12.2(25)EWA13, 12.2(25EWA12, 12.2(25)EWA11, 12.2(25)EWA10, 12.2(25)EWA9, 12.2(25)EWA8, 12.2(25)EWA7, 12.2(25)EWA6, 12.2(25)EWA5, 12.2(25)EWA4, 12.2(25)EWA3, 12.2(25)EWA2, 12.2(25)EWA1, 12.2(25)EW, 12.2(20)EWA4, 12.2(20)EWA3, 12.2(20)EWA2, 12.2(20)EWA1, 12.2(20)EWAThese release notes describe the features, modifications, and caveats for the Cisco IOS software on the Catalyst 4900 series switch. The most current software release is Cisco IOS Release 12.2(54)SG.
Support for Cisco IOS Software Release 12.2(54)SG, the default image, follows the standard Cisco Systems® support policy, available at
http://www.cisco.com/en/US/products/products_end-of-life_policy.html
Note
Although their Release Notes are unique, the 4 platforms (Catalyst 4500, Catalyst 4900,
Catalyst ME 4900, and Catalyst 4900M/4948E) use the same Software Configuration Guide, Command Reference Guide, and System Message Guide.
For more information on the Catalyst 4500 series switches, visit the following URL:
http://www.cisco.com/go/cat4500/docsContents
This publication consists of these sections:
•
•
•
•
Cisco IOS Software Packaging for the
Cisco Catalyst 4900 Series SwitchA new Cisco IOS Software package for Cisco Catalyst 4900 Series switches was introduced in Cisco IOS Software Release 12.2(25)SG. It is a new foundation for features and functionality and provides consistency across all Cisco Catalyst switches. The new Cisco IOS Software release train is designated as 12.2SG.
Prior Cisco Catalyst 4900 Series Cisco IOS Software images for the Cisco Catalyst 4900 Series Switches, formerly known as Basic Layer 3 and Enhanced Layer 3, now map to IP Base and Enterprise Services, respectively. All currently shipping Cisco Catalyst 4900 software features based on Cisco IOS Software are supported in the IP Base image of Release 12.2(54)SG with a few exceptions.
The IP Base image does not support enhanced routing features such as Nonstop Forwarding/Stateful Switchover (NSF/SSO), BGP, Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS), Internetwork Packet Exchange (IPX), AppleTalk, Virtual Routing Forwarding (VRF-lite), GLBP, and policy-based routing (PBR). The IP Base image supports EIGRP-Stub for limited routing on Cisco Catalyst 4900 Series Switches.
The Enterprise Services image supports all Cisco Catalyst 4900 Series software features based on Cisco IOS Software, including enhanced routing. BGP capability is included in the Enterprises Services package.
Cisco IOS Release 12.2(46)SG1 introduced a LAN Base software image and an IP upgrade image for the fixed configuration switches, WS-X4948 and WS-X4948-10GE. These will complement the existing IP Base and Enterprise Services images. The LAN Base image is primarily focused on customer access and Layer 2 requirements and therefore many of the IP Base features are not required. An IP Upgrade image is available if later you require some of those features.
For more information about the Cisco Catalyst 4900 series switch, visit
http://www.cisco.com/en/US/products/ps6021/index.htmlTable 1 contrasts feature support on the LAN Base vs IP Base images.
For information on MiBs support, pls refer to this URL:
http://ftp.cisco.com/pub/mibs/supportlists/cat4000/cat4000-supportlist.html
Table 1 LAN Base/IP Base Image Support
10G Uplink Use
12.2(46)SG1
Yes
Yes
802.1p prioritization
12.2(46)SG1
Yes
Yes
802.1p/802.1q
12.2(46)SG1
Yes
Yes
802.1w/802.1s
12.2(46)SG1
Yes
Yes
802.1X (w/ Guest VLAN and VLAN Assignment)
12.2(50)SG
Yes
Yes
802.1X and MAB with ACL assignment
12.2(50)SG
Yes
Yes
802.1X (Auth-Fail VLAN, Critical Auth, Accounting)
12.2(50)SG
Yes
Yes
802.1X Wake on LAN
12.2(50)SG
Yes
Yes
802.1X Web-Auth
12.2(50)SG
Yes
Yes
802.1X with Multiple authenticated, multi-host
12.2(50)SG
Yes
Yes
802.1X w/ MDA
12.2(50)SG
Yes
Yes
802.1X w/ Open Access
12.2(50)SG
Yes
Yes
802.3ad LACP
12.2(46)SG1
Yes
Yes
802.3x - Flow Control
12.2(46)SG1
Yes
Yes
ACL Logging
12.2(46)SG1
Yes
Yes
All Mibs
12.2(52)SG
Yes
Yes
Auto QoS
12.2(53)SG
Yes
Yes
Auto SmartPort
12.2(54)SG
Yes
Yes
Auto-MDIX
12.2(46)SG1
Yes
Yes
Auto-Voice VLAN (part of Auto QoS)
No support
Yes
Yes
BOOTP
12.2(46)SG1
Yes
Yes
Bootup GOLD
No support
Yes
Yes
Broadcast Suppression
12.2(46)SG1
Yes
Yes
CDP/CDPv2
12.2(46)SG1
Yes
Yes
Community PVLAN support
No support
Yes
Yes
Config File
12.2(46)SG1
Yes
Yes
Console Access
12.2(46)SG1
Yes
Yes
Control Plane Policing
12.2(46)SG1
Yes
Yes
Copy Command
12.2(46)SG1
Yes
Yes
CoS to DSCP Map
Yes
Yes
Yes
Debug Commands
12.2(46)SG1
Yes
Yes
Device Management
12.2(46)SG1
Yes
Yes
DHCP Server
12.2(46)SG1
Yes
Yes
DHCP Snooping
12.2(46)SG1
Yes
Yes
Diagnostics Tools
12.2(46)SG1
Yes
Yes
Downloading Software
12.2(46)SG1
Yes
Yes
DSCP to CoS Map
12.2(46)SG1
Yes
Yes
DSCP to egress queue mapping
12.2(46)SG1
Yes
Yes
Dynamic ARP inspection
12.2(46)SG1
Yes
Yes
EEM and EOT integration
No support
Yes
Yes
EIGRP Stub
No support
Yes
Yes
EnergyWise 1.0
12.2(53)SG
Yes
Yes
EPoE
12.2(53)SG
Yes
Yes
Event Log
12.2(46)SG1
Yes
Yes
Factory Default Settings
12.2(46)SG1
Yes
Yes
File Management
12.2(46)SG1
Yes
Yes
Flex Link
12.2(53)SG
Yes
Yes
GLBP
No support
Yes
Yes
HSRP/VRRP
No support
Yes
Yes
HSRP v2 IPV41
No support
Yes
Yes
HSRP v2 IPV62
No support
No
Yes
ID 4.0 Voice Vlan assignment
12.2(46)SG1
Yes
Yes
ID4.1 Filter ID and per use ACL
12.2(46)SG1
Yes
Yes
IGMP
12.2(46)SG1
Yes
Yes
IGMP Snooping
12.2(46)SG1
Yes
Yes
Ingress Policing
12.2(46)SG1
Yes
Yes
Interface Access (Telnet, Console/Serial, Web)
12.2(46)SG1
Yes
Yes
IP Source Guard
12.2(46)SG1
Yes
Yes
IP Multicast
No support
Yes
Yes
IPv6 HSRP
No support
No
Yes
IPV6 MLD snooping V1 and V2
Future
Yes
Yes
IPV6 Reformation
NA
Yes
Yes
IPV6 Router Advertisement (RA) Guard
12.2(54)SG
Yes
Yes
ISL Trunk
12.2(46)SG1
Yes
Yes
Jumbo Frames
12.2(46)SG1
Yes
Yes
Layer 2 Debug
12.2(46)SG1
Yes
Yes
Layer 2 PT and QinQ
No support
Yes
Yes
Layer 2 Traceroute
12.2(46)SG1
Yes
Yes
Link State Tracking
12.2(54)SG
Yes
Yes
LLDP/LLDP-MED
12.2(52)SG
Yes
Yes
LLDP enhancements (PoE+Layer 2 COS)
12.2(54)SG
No
Yes
Local Web Auth
12.2(52)SG
Yes
Yes
MAB (MAC Authentication Bypass)
12.2(50)SG
Yes
Yes
MAC Address Filtering
12.2(50)SG
Yes
Yes
MAC Based Access List
12.2(50)SG
Yes
Yes
Management IPV6 port
12.2(52)SG
Yes
Yes
MLD Snooping
12.2(53)SG
Yes
Yes
Multicast Filtering
12.2(46)SG1
Yes
Yes
Multihop SXP (CTS)
No support
12.2(52SG
Yes
Network Edge Access Topology (NEAT)
No support
Yes
Yes
No. of QoS Filters
No. of Security ACE
Yes (4K entries)
Yes
Yes
No. of VLAN Support
2048
4096
Yes
PAgP
12.2(46)SG1
Yes
Yes
Passwords
Password clear protection12.2(46)SG1
Yes
Yes
PIM SM/DM
No support
Yes
Yes
PoE (up to 15.4W only)
12.2(46)SG1
Yes
Yes
PoE+ Ready
Yes
Yes
Yes
Port Monitoring (interface Stats)
12.2(46)SG1
Yes
Yes
Port Security
12.2(46)SG1
Yes; only 1024 MACs
Yes
Post Status
12.2(46)SG1
Yes
Yes
PVST+
12.2(53)SG
Yes
Yes
Q-in-Q
No support
Yes
Yes
RACL (DSCP based)
12.2(46)SG1
Yes
Yes
RADIUS/TACACS+ (AAA)
12.2(46)SG1
Yes
Yes
RMON
12.2(46)SG1
Yes
Yes
Routing - RIP, Static
12.2(46)SG1
Yes
Yes
RPR
12.2(46)SG1
Yes
Yes
RPVST+
12.2(53)SG
Yes
Yes
RSPAN
12.2(46)SG1
Yes
Yes
Service Advertisement Framework (SAF)
12.2(54)SG
Yes
Yes
Smart Call Home
No support
Yes
Yes
Smartports (Role based MACRO)
12/2(53)SG
Yes
Yes
SNMP (including SNMv3)
12.2(46)SG1
Yes
Yes
Source port Filtering (Private VLAN)
12.2(46)SG1
Yes
Yes
SPAN (# of sessions) - Port Mirroring
12.2(46)SG1 (2 sessions)
Yes (8 bidirectional sessions)
Yes
SSHv2/Secure Copy, FTP, SSL, Syslog, Sys Information
12.2(46)SG1
Yes
Yes
Storm Control
12.2(46)SG1
Yes
Yes
TDR
No support
Yes
Yes
Time Protocols (SNTP, TimeP)
12.2(46)SG1
Yes
Yes
Time-based ACL
12.2(46)SG1
Yes
Yes
Traffic Mirroring (SPAN)
12.2(46)SG1
Yes
Yes
Trusted Boundary (LLDP & CDP Based)
12.2(46)SG1
Yes
Yes
UDLD
12.2(46)SG1
Yes
Yes
VACL and PACL
12.2(46)SG1
Yes
Yes
Voice VLAN
12.2(46)SG1
Yes
Yes
VRRP
No support
Yes
Yes
VTP
12.2(46)SG1
Yes
Yes
WCCP
No support
Yes
Yes
XML-PI
12.2(54)SG
Yes
Yes
1 Supported on all supervisor engines.
2 Supported only for Catalyst 4900M and Supervisor Engines 6-E/6L-E.
Note
Orderable Product Numbers:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Note
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Catalyst 4900 Series Switch Cisco IOS Release Strategy
Customers with Catalyst 4900 series switches who need the latest hardware support and software features should migrate to Cisco IOS Release 12.2(54)SG.
Catalyst 4900 Series has three maintenance trains. The Cisco IOS Release 12.2(31)SGA train is the longest living train. Currently, the Cisco IOS Release 12.2(31)SGA10 is the recommended release for customers who require a release with a maintenance train. The Cisco IOS Release 12.2(53)SG is the latest maintenance train.
Cisco IOS Software Migration
Figure 1 displays the two active, 12.2(31)SGA and 12.2(50)SG, and newly introduced 12.2(53)SG extended maintenance trains.
Figure 1 Software Release Strategy for the Catalyst 4900 Series Switch
Summary of Migration Plan
•
•
Support
Support for Cisco IOS Software Release 12.2(54)SG follows the standard Cisco Systems® support policy, available at
http://www.cisco.com/en/US/products/products_end-of-life_policy.htmlSystem Requirements
This section describes the system requirements:
Supported Hardware
This section describes the hardware supported on the Catalyst 4900 series switch.
For Catalyst 4900 series switch transciever module compatibility information, see the url:
http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html
Table 2 briefly describes the Catalyst 4900 series switch product set.
Supported Features
Table 3 lists the Cisco IOS software features for the Catalyst 4900 series switch.
Table 3 Cisco IOS Software Feature Set for the Catalyst 4900 Series Switch
Storm control
Multicast storm control
IP Source Guard
IP Source Guard for Static Hosts
PVRST+
Layer 2 protocol tunneling
Layer 2 transparent bridging1
Layer 2 MAC2 learning, aging, and switching by software
Unicast MAC address filtering
VMPS3 Client
Layer 2 hardware forwarding up to 102 Mpps
Layer 2 switch ports and VLAN trunks
Spanning-Tree Protocol (IEEE 802.1D) per VLAN
802.1s and 802.1w
Layer 2 traceroute
Unidirectional Ethernet port
Per-VLAN spanning tree (PVST) and PVST+
Spanning-tree root guard
Spanning-tree Loop guard and PortFast BPDU Filtering
Support for 9216 byte frames
Port security on PVLANs
Private VLANs
Private VLAN DHCP snooping
Community PVLANs
Private VLAN Promiscuous Trunk
ISL
IEEE 802.1Q-based VLAN encapsulation
Multiple VLAN access port
VLAN Trunking Protocol (VTP) and VTP domains
VTP v3
No. of VLAN support per switch: 2048 (for LAN Base), 4096 (for IP Base)
Unidirectional link detection (UDLD) and aggressive UDLD
Sub-second UDLD (Fast UDLD)
Resilient Ethernet Protocol
Ethernet CFM
Ethernet OAM Protocol
802.1Q Tunneling (Q in Q)
QinQ and Protocol Tunneling
Pragmatic General Multicast
ANCP Client
Auto RP Listener
IP and IP multicast routing and switching between Ethernet ports
IP Multicast Load Splitting (Equal Cost Multipath (ECMP) using S, G and Next-hop)
Static IP routing
Classless routing4
PBR5
Dynamic Buffer Limiting
Selective Dynamic Buffer Limiting
QoS-based forwarding based on IP precedence
Trusted boundary
Auto QoS
Match CoS for non-IPV4 traffic
CoS Mutation
CEF6 load balancing
Hardware-based IP CEF routing at 102 Mpps
Up to 32,000 IP routes
Up to 32,000 IP host entries (Layer 3 adjacencies)
Up to 16,000 IP multicast route entries
Up to 55,000 unicast entries
Multicast flooding suppression for STP changes
Software routing of IPX, AppleTalk, and IPv6
IGMPv1, IGMPv2, and IGMPv3 (Full Support)
IGMP Querier
VRF-lite
VRF-aware IP services
VRF-aware TACACS+
Route Leaking7
IP Unnumbered
SVI Autostate Exclude
IS-IS8
DTP9
RIP10 and RIP II
EIGRP11
EIGRP stub
OSPF12
BGP413
BGP route-map Continue
BGP Neighbor Policy
MBGP14
MSDP15
ICMP16 Router Discovery Protocol
PIM17 —sparse and dense mode
Static routes
Classless interdomain routing (CIDR)
DVMRP18
SSM
NTP19
NTP master
WCCPv2 Layer 2 Redirection
VRRP20
SCP21
GLBP22
Cisco EtherChannel technology - 10/100/1000 Mbps, 10 Gbps
Load balancing for routed traffic, based on source and destination IP addresses
Load sharing for bridged traffic based on MAC addresses
ISL on all EtherChannels
IEEE 802.1Q on all EtherChannels
Bundling of up to eight Ethernet ports
Up to 50 active Ethernet port channels
Trunk Port Security over EtherChannel
Link State Tracking
SPAN CPU port mirroring
SPAN packet-type filtering
SPAN destination in-packets option
SPAN ACL filtering
RSPAN23
Enhanced VLAN statistics
Secondary addressing
Bootstrap protocol (BOOTP)
Authentication, authorization, and accounting using TACACS+ and RADIUS protocol
Cisco Discovery Protocol (CDP)
CDP 2nd Port Status TLV
MAC Address-Table Move Update
Flex Link Bi-directional Fast Convergence
Flex Link VLAN Load-Balancing
Flex Links
Flex Links Interface Preemption
Network Mobility Services Protocol
Link Layer Discovery Protocol (LLDP)
LLDP Media Discovery (LLDP-MED)
PoEP via LLDP
DSCP/CoS via LLDP
Sticky port security
Trunk port security
Voice VLAN Sticky Port Security
Cisco Group Management Protocol (CGMP) server support
HSRP24 over Ethernet, EtherChannels - 10/100/1000Mbps, 10 Gbps
IGMP25 snooping version1, version 2, and version 3 (Full Support)
IGMP filtering
Port Aggregation Protocol (PagP)
802.3ad LACP
SSH version 1 and version 226
show interface capabilities command
IfIndex persistence
UDLR27
Enhanced SNMP MIB support
SNMP28 version 1, version 2, and version 3
SNMP version 3 (with encryption)
DHCP server and relay-agent
DHCP snooping
DHCP client autoconfiguration
DHCP Option 82 Pass Through
802.1X port-based authentication
802.1X with port security
802.1X accounting
802.1X with voice VLAN ID29
802.1X private VLAN assignment
802.1X private guest VLAN
802.1X RADIUS-supplied session timeout
802.1X authentication failure VLAN
802.1X MAC Authentication Bypass
802.1X Inaccessible Authentication Bypass
802.1X Unidirectional Controlled Port
802.1X with User Distribution
Cisco TrustSec SGT Exchange Protocol (SXP) IPv4
RADIUS-Provided Session Timeouts
MAC Move and Replace
Flexible Authentication Sequencing
Multi-Authentication
Open Authentication
Web Authentication
Local Web Authentication (EPM syslog and Common session ID)
PPPoE Intermediate Agent
Control Plane Policing
Port flood blocking
Router standard and extended ACLs 30 on all ports with no performance penalty
Identity ACL Policy Enforcement31
Identity 4.1 Network Edge Access Topology
Extended IPX ACL
VLAN ACL
PACL32
Downloadable ACLs
Local Proxy ARP
Dynamic ARP Inspection on PVLANs
Dynamic ARP Inspection
Per-port QoS33 rate-limiting and shaping
Per-port Per-VLAN QoS
Energy Wise
Power redundancy
Non-stop Forwarding Awareness
Non-stop Forwarding Awareness for EIGRP-stub in IP base for all supervisor engines
WCCP34 v2 Layer 2 Redirection
MAC Address Notification
SmartPort macros
Auto SmartPort macros
802.1s standards compliance
IS-IS MIB
OSPF and EIGRP Fast Convergence
OSPF Fast Convergence
Time Domain Reflectometry
CNA35
EEM36
VSS client with PagP+
Ethernet Management Port
IP SLA37
X2 Link Debounce Timer
Enhanced Object Tracking subfeatures:
•
•
•
•
•
Inactivity Timer
boot config command
Crashdump enhancement
Unicast MAC filtering
Smart Call Home
DHCPv6 Ethernet Remote ID option
DHCPv6 Relay - Persistent Interface ID option DHCPv6 Relay Agent notification for Prefix Delegation
PIM SSM Mapping
VRF lite NSF support with routing protocols OSPF/EIGRP/BG
Online Diagnostics
PIM Accept Register - Rogue Multicast Server Protection38
Configuration Rollback
Archiving crashfile information
Per-VLAN Learning
XML Programmatic Interface
IPSG for Static Hosts
Layer Control Packet
1 Hardware-based transparent bridging within a VLAN
2 MAC = Media Access Control
3 VMPS = VLAN Management Policy Server
4 The ip classless command is not supported as classless routing is enabled by default.
5 PBR = policy-based routing
6 CEF = Cisco Express Forwarding
7 Route Leaking from a global routing table into a VRF and Route Leaking from a VRF into a global routing table
8 IS-IS = Intermediate System to Intermediate System
9 DTP = Dynamic Trunking Protocol
10 RIP = Routing Information Protocol
11 EIGRP = Enhanced Interior Gateway Routing Protocol
12 OSPF = Open Shortest Path First
13 BGP4 = Border Gateway Protocol 4
14 MBGP = Multicast Border Gateway Protocol
15 MSDP = Multicast Source Discovery Protocol
16 ICMP = Internet Control Message Protocol
17 PIM = Protocol Independent Multicast
18 DVMRP = Distance Vector Multicast Routing Protocol
19 NTP = Network Time Protocol
20 VRRP = Virtual Router Redundancy Protocol
21 SCP = Secure Copy Protocol
22 GLBP = Gateway Load Balancing Protocol
23 RSPAN = Remote SPAN
24 HSRP = Hot Standby Router Protocol
25 IGMP = Internet Group Management Protocol
26 SSH = Secure Shell Protocol
27 UDLR = Unidirectional Link Routing
28 SNMP = Simple Network Management Protocol
29 PoE is not supported on the Catalyst 4900 series switch.
30 ACLs = Access Control Lists
31 filter-ID and per-user ACL
32 PACL = Port Access Control List
33 QoS = Quality of Service
34 WCCP = Web Content Communication Protocol
35 CNA = Cisco Network Assistant; Minimum CNA release that supports Releases 12.2(25)EW is 1.0(2). Minimum CNA release that supports Release 12.2(20)EWA is 1.0(1).
36 EEM = Embedded Event anager
37 Includes HTTPS-HTTP with SSL 3.0, CEF-MIB, Embedded Syslog Manage, ...
38 The route-map keyword is not supported.
Unsupported Features
These features are not supported in Cisco IOS Release 12.2(54)SG for the 4900 series switches:
•
–
–
–
–
•
•
–
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
New and Changed Information
These sections describe the new and changed information for the Catalyst 4900 series switch running Cisco IOS software:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
New Hardware Features in Release 12.2(54)SG
Release 12.2(54)SG provides the following new hardware on the Catalyst 4900 series switch:
•
•
•
•
•
•
•
New Software Features in Release 12.2(54)SG
Release 12.2(54)SG provides the following new software features on the Catalyst 4900 series switch:
•
•
•
•
For details, refer to the URL:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_3.2.html•
For details refer to the URL:
http://www.cisco.com/en/US/docs/ios/saf/configuration/guide/saf_cg.html•
For details refer to the URL:
http://www.cisco.com/en/US/docs/switches/lan/energywise/phase2/ios/configuration/guide/ew_v2.html•
•
•
•
•
•
•
•
•
•
•
•
For details refer to the URL:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_xmlpi_v1.htmlNew Hardware Features in Release 12.2(53)SG3
Release 12.2(53)SG3 provides the following new hardware on the Catalyst 4500 series switch:
Note
•
•
•
•
•
•
•
•
New Software Features in Release 12.2(53)SG3
Release 12.2(53)SG3 provides no new features for the Catalyst 4500 series switch.
New Hardware Features in Release 12.2(53)SG
Release 12.2(53)SG provides the following new hardware for the Catalyst 4900 series switch:
•
New Software Features in Release 12.2(53)SG
Release 12.2(53)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:
•
New Hardware Features in Release 12.2(52)SG
Release 12.2(52)SG provides no new hardware for the Catalyst 4900 series switch.
New Software Features in Release 12.2(52)SG
Release 12.2(52)SG provides the following new Cisco IOS software features for the Catalyst 4900 series switch:
•
All LAN Base customers looking to upgrade from LAN Base to IP Base or Enterprise services are required to order "The Catalyst 4948 IP Base upgrade license WS-C4900-SW-LIC." This license is not required for customers currently running IP base or enterprise services.
Note
•
–
–
•
•
–
–
•
•
•
•
•
Note
•
•
•
–
–
–
–
–
–
–
–
•
New Hardware Features in Release 12.2(50)SG2
Release 12.2(50)SG2 provides the following new hardware for the Catalyst 4900 series switch:
•
New Software Features in Release 12.2(50)SG2
Release 12.2(50)SG2 provides the following new Cisco IOS software features for the Catalyst 4900 series switch:
•
New Hardware Features in Release 12.2(50)SG1
Release 12.2(50)SG1 provides the following new hardware for the Catalyst 4900 series switch:
•
New Software Features in Release 12.2(50)SG1
Release 12.2(50)SG1 provides the following new Cisco IOS software features for the Catalyst 4900 series switch:
•
New Hardware Features in Release 12.2(50)SG
Release 12.2(50)SG provides the following new hardware for the Catalyst 4900 series switch:
•
•
•
New Software Features in Release 12.2(50)SG
Release 12.2(50)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:
Note
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
For more information, refer to the following URLs:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
and
http://www.cisco.com/en/US/docs/switches/lan/trustsec/release/notes/rn_cts_xplat.html
New Hardware Features in Release 12.2(46)SG
Release 12.2(46)SG provides the following new hardware for the Catalyst 4900 series switch:
•
New Software Features in Release 12.2(46)SG
Release 12.2(46)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:
Note
•
•
•
–
–
–
–
–
•
•
•
New Hardware Features in Release 12.2(44)SG
Release 12.2(44)SG provides the following new hardware for the Catalyst 4900 series switch:
•
New Software Features in Release 12.2(44)SG
Release 12.2(44)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:
Note
•
•
After configuring VSS dual-active on a Catalyst 6500 switches, the Catalyst 4500 series switch can detect VSS dual-active with PagP+ support.
•
•
•
•
For details, refer to the ESM Home Page:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_esm.htmlNew Hardware Features in Release 12.2(40)SG
Release 12.2(40)SG provides the following new hardware for the Catalyst 4900 series switch:
•
New Software Features in Release 12.2(40)SG
Release 12.2(40)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:
Note
•
•
New Hardware Features in Release 12.2(37)SG
Release 12.2(37)SG provides the following new hardware for the Catalyst 4900 series switch:
•
New Software Features in Release 12.2(37)SG
Release 12.2(37)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:
Note
•
•
•
•
For details, locate the feature entry in the Feature Information Table located toward the end of the "Connecting to a Service Provider Using External BGP" module
•
New Hardware Features in Release 12.2(31)SGA
Cisco IOS Release 12.2(31)SGA is the first IOS release supporting the Cisco ME 4900 Series Ethernet Switch.
Following hardware was supported:
•
New Software Features in Release 12.2(31)SGA
Release 12.2(31)SGA provides the following Cisco IOS software features for the Catalyst 4900 series switch:
Note
•
•
•
•
Note
•
New Hardware Features in Release 12.2(31)SG
There are no new hardware features in Cisco IOS Release 12.2(31)SG.
New Software Features in Release 12.2(31)SG
Release 12.2(31)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:
Note
•
•
•
•
•
•
•
•
•
•
New Hardware Features in Release 12.2(25)SG
There are no new hardware features in Cisco IOS Release 12.2(25)SG.
New Software Features in Release 12.2(25)SG
Release 12.2(25)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch:
Note
•
Note
•
•
•
•
•
•
•
•
New Hardware Features in Release 12.2(25)EWA
Release 12.2(25)EWA provides the following new hardware for the Catalyst 4900 series switch:
•
Caution
Catalyst 4948-10GE Switch Installation Guide.
New Software Features in Release 12.2(25)EWA
Release 12.2(25)EWA provides the following Cisco IOS software features for the Catalyst 4900 series switch:
Note
•
•
•
•
•
•
New Hardware Features in Release 12.2(25)EW
There are no new hardware features in Release 12.2(25)EW.
New Software Features in Release 12.2(25)EW
There are no new software features in Cisco IOS Release 12.2(25)EW
New Hardware Features in Release 12.2(20)EWA
There are no new hardware features in Cisco IOS Release 12.2(20)EWA.
New Software Features in Release 12.2(20)EWA
Release 12.2(20)EWA provides the following Cisco IOS software features for the Catalyst 4900 series switch:
Note
•
•
Upgrading the System Software
In most cases, upgrading the switch to a newer release of Cisco IOS software does not require a ROMMON upgrade. However, if you are running an early release of Cisco IOS software and plan to upgrade, the following tables list the recommended ROMMON release.
Caution
The following sections describe how to upgrade your switch software:
•
•
•
Upgrading the ROMMON from the Console
Caution
Note
Follow this procedure to upgrade your supervisor engine ROMMON:
Step 1
Note
Step 2
The cat4000-ios-promupgrade-122_25r_EWA programs are available on Cisco.com at the same location from which you download Catalyst 4000 system images.
Step 3
squeeze bootflash: command to reclaim the space.Step 4
The following example shows how to download the PROM upgrade image cat4000-ios-promupgrade-122_25r_EWA from the remote host 172.20.58.78 to bootflash:
Switch# copy tftp: bootflash: Address or name of remote host [172.20.58.78]? Source filename [cat4000-ios-promupgrade-122_25r_EWA]? Destination filename [cat4000-ios-promupgrade-122_25r_EWA]? Accessing tftp://172.20.58.78/cat4000-ios-promupgrade-122_25r_EWA... Loading cat4000-ios-promupgrade-122_25r_EWA from 172.20.58.78 (viaFastEthernet2/1):!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![OK - 455620 bytes]455620 bytes copied in 2.644 secs (172322 bytes/sec) Switch#Step 5
The following example shows the output after a reset into ROMMON:
Switch# reloadProceed with reload? [confirm]2d11h: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.*********************************************************** ** Welcome to Rom Monitor for WS-C4948-10GE System. ** Copyright (c) 1999-2005 by Cisco Systems, Inc. ** All rights reserved. ** ***********************************************************Rom Monitor Program Version 12.2(25r)EWASupervisor: WS-C4948-10GE Chassis: WS-C4948Hardware Revisions - Board: 8.3 CPLD Gill: 17MAC Address : 00-0b-fc-ff-3b-ffIP Address : 10.5.43.225Netmask : 255.255.255.0Gateway : 10.5.43.1TftpServer : 10.5.5.5***** The system will autoboot in 5 seconds *****Type control-C to prevent autobooting.. .Autoboot cancelled......... please wait!!!Autoboot cancelled......... please wait!!!rommon 1 > [interrupt]Step 6
boot bootflash:cat4000-ios-promupgrade-122_25r_EWA
Caution
The following example shows the output from a successful upgrade, followed by a system reset:
rommon 2 > boot bootflash:cat4000-ios-promupgrade-122_25r_EWA*********************************************************** ** Rom Monitor Upgrade Utility For WS-C4948-10GE System ** This upgrades flash Rom Monitor image to the latest ** ** Copyright (c) 1997-2005 by Cisco Systems, Inc. ** All rights reserved. ** ***********************************************************Image size = 1024.0 KBytesMaximum allowed size = 1048576 KBytesUpgrading your PROM... DO NOT RESET the systemunless instructed or upgrade of PROM will fail !!!Beginning erase of 0x100000 bytes at offset 0x3e00000... Done!Beginning write of prom (0x100000 bytes at offset 0x3e00000)...This could take as little as 30 seconds or up to 2 minutes.Please DO NOT RESET!Verifying...Success! The prom has been upgraded successfully.System will reset itself and reboot within few seconds....Step 7
Step 8
The following example shows how to delete the cat4000-ios-promupgrade-122_25r_EWA image from bootflash and reclaim unused space:
Switch# delete bootflash:cat4000-ios-promupgrade-122_25r_EWASwitch# squeeze bootflash:All deleted files will be removed, proceed (y/n) [n]? ySqueeze operation may take some time, proceed (y/n) [n]? ySwitch#Step 9
Switch# show versionCisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version 12.2(25)EWA, RELEASE SOFTWARE (fc1)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2005 by Cisco Systems, Inc.Compiled Wed 17-Aug-05 17:09 by alnguyenImage text-base: 0x10000000, data-base: 0x11269914ROM: 12.2(25r)EWAPod Revision 0, Force Revision 31, Tie Revision 17Switch uptime is 1 minuteSystem returned to ROM by reloadSystem image file is "bootflash:cat4500-ipbase-mz.122-25.EWA"cisco WS-C4948-10GE (MPC8540) processor (revision 3) with 262144K bytes of memory.Processor board ID 0MPC8540 CPU at 667Mhz, Fixed ModuleLast reset from Reload1 Virtual Ethernet interface48 Gigabit Ethernet interfaces2 Ten Gigabit Ethernet interfaces511K bytes of non-volatile configuration memory.Configuration register is 0x2Switch#The ROMMON has now been upgraded.
See the "Upgrading the Cisco IOS Software" section for instructions on how to upgrade the Cisco IOS software on your switch.
Upgrading the ROMMON Remotely Using Telnet
Caution
Follow this procedure to upgrade your supervisor engine ROMMON to Release 12.2(25r)EWA. This procedure can be used when console access is not available and when the ROMMON upgrade must be performed remotely.
Note
Step 1
Note
Step 2
The cat4000-ios-promupgrade-122_25r_EWA programs are available on Cisco.com at the same location from which you download Catalyst 4000 system images.
Step 3
squeeze bootflash: command to reclaim the space.Step 4
copy tftp command.The following example shows how to download the PROM upgrade image cat4000-ios-promupgrade-122_25r_EWA from the remote host 10.5.5.5 to bootflash:
Switch# copy tftp: bootflash: Address or name of remote host [10.5.5.5]?Source filename [cat4000-ios-promupgrade-122_25r_EWA]? /tftpboot/pjose/cat4000-ios-promupgrade-122_25r_EWADestination filename [cat4000-ios-promupgrade-122_25r_EWA]?Accessing tftp://10.5.5.5//tftpboot/pjose/cat4000-ios-promupgrade-122_25r_EWA...Loading /tftpboot/pjose/cat4000-ios-promupgrade-122_25r_EWA from 10.5.5.5 (via GigabitEthernet1/1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![OK - 1244496 bytes]1244496 bytes copied in 9.484 secs (131221 bytes/sec)Switch#Step 5
Switch# configure terminalSwitch(config)# no boot system flash bootflash:cat4000-ios-promupgrade-122_25r_EWASwitch(config)# exitSwitch# writeBuilding configuration...Compressed configuration from 3641 to 1244 bytes [OK]Switch#Use the boot system flash bootflash:file_name command to set the BOOT variable. You will use two BOOT commands: one to upgrade the ROMMON and a second to load the Cisco IOS software image after the ROMMON upgrade is complete. Notice the order of the BOOT variables in the example below. At bootup the first BOOT variable command upgrades the ROMMON. When the upgrade is complete the supervisor engine will autoboot, and the second BOOT variable command will load the Cisco IOS software image specified by the second BOOT command.
Note
In this example, we assume that the console port baud rate is set to 9600 bps and that the config-register is set to 0x0102.Use the config-register command to autoboot using image(s) specified by the BOOT variable. Configure the BOOT variable to upgrade the ROMMON and then autoboot the IOS image after the ROMMON upgrade is complete. In this example, we are upgrading the ROMMON to version 12.2(25r)EWA. After the ROMMON upgrade is complete, the supervisor engine will boot Cisco IOS software Release 12.2(25)EWA.config-register to 0x0102.Switch# configure terminalSwitch(config)# boot system flash bootflash:cat4000-ios-promupgrade-122_25r_EWASwitch(config)# boot system flash bootflash:cat4500-ipbase-mz.122-25.EWASwitch(config)# config-register 0x0102Switch(config)# exitSwitch# writeBuilding configuration...Compressed configuration from 3641 to 1244 bytes [OK]Switch#Step 6
Switch#sh bootvarBOOT variable = bootflash:cat4000-ios-promupgrade-122_25r_EWA,1;bootflash:cat4500-ipbase-mz.122-25.EWACONFIG_FILE variable does not existBOOTLDR variable does not existConfiguration register is 0x2102Step 7
Caution
The following example shows the console port output from a successful ROMMON upgrade followed by a system reset. Your Telnet session will be disconnected during the ROMMON upgrade, so you will not see this output. This step could take 2-3 minutes to complete. You will need to reconnect your Telnet session after 2-3 minutes when the Cisco IOS software image and the interfaces are loaded.
Switch# reloadProceed with reload? [confirm]00:00:36: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.*********************************************************** ** Welcome to Rom Monitor for WS-C4948-10GE System. ** Copyright (c) 1999-2005 by Cisco Systems, Inc. ** All rights reserved. ** ***********************************************************Rom Monitor Program Version 12.2(25r)EWASupervisor: WS-C4948-10GE Chassis: WS-C4948Hardware Revisions - Board: 8.0 CPLD : 17 FPGA : 0MAC Address : 00-0b-fc-ff-3b-ffIP Address : 10.5.43.225Netmask : 255.255.255.0Gateway : 10.5.43.1TftpServer : 10.5.5.5***** The system will autoboot in 5 seconds *****Type control-C to prevent autobooting.. . . . .******** The system will autoboot now ********config-register = 0x102Autobooting using BOOT variable specified file.....Current BOOT file is --- bootflash:cat4000-ios-promupgrade-122_25r_EWA*********************************************************** ** Rom Monitor Upgrade Utility For WS-C4948-10GE System ** This upgrades flash Rom Monitor image to the latest ** ** Copyright (c) 1997-2005 by Cisco Systems, Inc. ** All rights reserved. ** ***********************************************************Image size = 1024.0 KBytesMaximum allowed size = 1048576 KBytesUpgrading your PROM... DO NOT RESET the systemunless instructed or upgrade of PROM will fail !!!Beginning erase of 0x100000 bytes at offset 0x3e00000... Done!Beginning write of prom (0x100000 bytes at offset 0x3e00000)...This could take as little as 30 seconds or up to 2 minutes.Please DO NOT RESET!Verifying...Success! The prom has been upgraded successfully.System will reset itself and reboot within few seconds....****(output truncated). . . . .******** The system will autoboot now ********config-register = 0x102Autobooting using BOOT variable specified file.....Current BOOT file is --- bootflash:cat4500-ipbase-mz.122-25.EWARommon reg: 0x00004180###########(output truncated)Exiting to ios...Rommon reg: 0x00000180###############################Restricted Rights LegendUse, duplication, or disclosure by the Government issubject to restrictions as set forth in subparagraph(c) of the Commercial Computer Software - RestrictedRights clause at FAR sec. 52.227-19 and subparagraph(c) (1) (ii) of the Rights in Technical Data and ComputerSoftware clause at DFARS sec. 252.227-7013.cisco Systems, Inc.170 West Tasman DriveSan Jose, California 95134-1706Cisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version 12.2(25)EWA, RELEASE SOFTWARE (fc1)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2005 by Cisco Systems, Inc.Compiled Wed 17-Aug-05 17:09 by alnguyenImage text-base: 0x10000000, data-base: 0x11269914cisco WS-C4948-10GE (MPC8540) processor (revision 3) with 262144K bytes of memory.Processor board ID 0MPC8540 CPU at 667Mhz, Fixed ModuleLast reset from Reload1 Virtual Ethernet interface48 Gigabit Ethernet interfaces2 Ten Gigabit Ethernet interfaces511K bytes of non-volatile configuration memory.Uncompressed configuration from 1171 bytes to 2726 bytesPress RETURN to get started!Switch>enSwitch#Step 8
Switch# configure terminalSwitch(config)# no boot system flash bootflash:cat4000-ios-promupgrade-122_25r_EWASwitch(config)# exitSwitch# writeBuilding configuration...Compressed configuration from 3641 to 1244 bytes [OK]Switch#Step 9
Switch# show versionCisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version 12.2(25)EWA, RELEASE SOFTWARE (fc1)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2005 by Cisco Systems, Inc.Compiled Wed 17-Aug-05 17:09 by alnguyenImage text-base: 0x10000000, data-base: 0x11269914ROM: 12.2(25r)EWAPod Revision 0, Force Revision 31, Tie Revision 17Switch uptime is 0 minutesSystem returned to ROM by reloadSystem image file is "bootflash:cat4500-ipbase-mz.122-25.EWA"cisco WS-C4948-10GE (MPC8540) processor (revision 3) with 262144K bytes of memory.Processor board ID 0MPC8540 CPU at 667Mhz, Fixed ModuleLast reset from Reload1 Virtual Ethernet interface48 Gigabit Ethernet interfaces2 Ten Gigabit Ethernet interfaces511K bytes of non-volatile configuration memory.Configuration register is 0x102Switch#Step 10
The following example shows how to delete the cat4000-ios-promupgrade-122_25r_EWA image from bootflash and reclaim unused space:
Switch# delete bootflash:cat4000-ios-promupgrade-122_25r_EWASwitch# squeeze bootflash:All deleted files will be removed, proceed (y/n) [n]? ySqueeze operation may take some time, proceed (y/n) [n]? ySwitch#Step 11
Switch# show bootvarBOOT variable = bootflash:cat4500-ipbase-mz.122-25.EWA,12;CONFIG_FILE variable does not existBOOTLDR variable does not existConfiguration register is 0x2102Switch#The ROMMON has now been upgraded.
See the "Upgrading the Cisco IOS Software" section for instructions on how to upgrade the Cisco IOS software on your switch.
Upgrading the Cisco IOS Software
Caution
Before you proceed, observe the following rules for hostname:
•
Uppercase and lowercase characters look the same to many internet software applications. It may seem appropriate to capitalize a name the same way you might do in English, but conventions dictate that computer names appear all lowercase. For more information, refer to RFC 1178, Choosing a Name for Your Computer.
•
•
•
•
To upgrade the Cisco IOS software on your Catalyst 4900 series switch, use this procedure:
Step 1
Step 2
Step 3
The following example shows how to download the Cisco IOS software image cat4500-ipbase-mz.122-25.EWA from the remote host 172.20.58.78 to bootflash:
Switch# copy tftp: bootflash:Address or name of remote host [172.20.58.78]?Source filename [cat4500-ipbase-mz.122_25.EWA]?Destination filename [cat4500-ipbase-mz.122-25.EWA]?Accessing tftp://172.20.58.78/cat4500-ipbase-mz.122-25.EWA...Loading cat4500-ipbase-mz.122-25.EWA from 172.20.58.78 (viaFastEthernet2/1):!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!|!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![OK - 6923388/13846528 bytes]6923388 bytes copied in 72.200 secs (96158 bytes/sec)Switch#Step 4
The following example shows how to clear the BOOT variable:
Switch# configure terminalSwitch(config)# no boot system flash bootflash:cat4500-ipbase-mz.122_25.EWASwitch(config)# exitSwitch# writeBuilding configuration...Compressed configuration from 3641 to 1244 bytes [OK]Switch#Step 5
The following example shows how to add the cat4500-ipbase-mz.122-25.EWA image to the BOOT variable:
Switch# configure terminalSwitch(config)# boot system flash bootflash:cat4500-ipbase-mz.122_25.EWASwitch(config)# exitSwitch# writeBuilding configuration...Compressed configuration from 3641 to 1244 bytes [OK]Switch#Step 6
The following example show how to set the second least significant bit in the configuration register:
Switch# configure terminalSwitch(config)# config-register 0x2102Switch(config)# exitSwitch# writeBuilding configuration...Compressed configuration from 3723 to 1312 bytes [OK]Switch#Step 7
Caution
The following example shows the output from a successful upgrade followed by a system reset:
Switch# reloadSystem configuration has been modified. Save? [yes/no]: yesBuilding configuration...Compressed configuration from 2668 bytes to 1127 bytes[OK]Proceed with reload? [confirm]00:02:11: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.*********************************************************** ** Welcome to Rom Monitor for WS-C4948-10GE System. ** Copyright (c) 1999-2005 by Cisco Systems, Inc. ** All rights reserved. ** ***********************************************************Rom Monitor Program Version 12.2(25r)EWASupervisor: WS-C4948-10GE Chassis: WS-C4948Hardware Revisions - Board: 8.3 CPLD Gill: 17MAC Address : 00-0b-fc-ff-3b-ffIP Address : 10.5.43.225Netmask : 255.255.255.0Gateway : 10.5.43.1TftpServer : 10.5.5.5***** The system will autoboot in 5 seconds *****Type control-C to prevent autobooting.. . . . .******** The system will autoboot now ********config-register = 0x2102Autobooting using BOOT variable specified file.....Current BOOT file is --- bootflash:cat4500-ipbase-mz.122-25.EWARommon reg: 0x00004180###########k2diags version 5.0.1_eprod: WS-C4948-10GE part: 0 serial: 0Power-on-self-test for Module 1: WS-C4948-10GEPort/Test Status: (. = Pass, F = Fail, U = Untested)Cpu Subsystem Tests ...seeprom: . temperature_sensor: .Port Traffic: L2 Serdes Loopback ...0: . 1: . 2: . 3: . 4: . 5: . 6: . 7: . 8: . 9: . 10: . 11: .12: . 13: . 14: . 15: . 16: . 17: . 18: . 19: . 20: . 21: . 22: . 23: .24: . 25: . 26: . 27: . 28: . 29: . 30: . 31: . 32: . 33: . 34: . 35: .36: . 37: . 38: . 39: . 40: . 41: . 42: . 43: . 44: . 45: . 46: . 47: .62: . 63: .Port Traffic: L2 Asic Loopback ...0: . 1: . 2: . 3: . 4: . 5: . 6: . 7: . 8: . 9: . 10: . 11: .12: . 13: . 14: . 15: . 16: . 17: . 18: . 19: . 20: . 21: . 22: . 23: .24: . 25: . 26: . 27: . 28: . 29: . 30: . 31: . 32: . 33: . 34: . 35: .36: . 37: . 38: . 39: . 40: . 41: . 42: . 43: . 44: . 45: . 46: . 47: .62: . 63: .Port Traffic: L3 Asic Loopback ...0: . 1: . 2: . 3: . 4: . 5: . 6: . 7: . 8: . 9: . 10: . 11: .12: . 13: . 14: . 15: . 16: . 17: . 18: . 19: . 20: . 21: . 22: . 23: .24: . 25: . 26: . 27: . 28: . 29: . 30: . 31: . 32: . 33: . 34: . 35: .36: . 37: . 38: . 39: . 40: . 41: . 42: . 43: . 44: . 45: . 46: . 47: .62: . 63: .Switch Subsystem Memory ...1: . 2: . 3: . 4: . 5: . 6: . 7: . 8: . 9: . 10: . 11: . 12: .13: . 14: . 15: . 16: . 17: . 18: . 19: . 20: . 21: . 22: . 23: . 24: .25: . 26: . 27: . 28: . 29: . 30: . 31: . 32: . 33: . 34: . 35: . 36: .37: . 38: . 39: . 40: . 41: . 42: . 43: . 44: . 45: . 46: . 47: . 48: .49: . 50: . 51: .Front Panel Ports ...1: . 2: . 3: . 4: . 5: . 6: . 7: . 8: . 9: . 10: . 11: . 12: .13: . 14: . 15: . 16: . 17: . 18: . 19: . 20: . 21: . 22: . 23: . 24: .25: . 26: . 27: . 28: . 29: . 30: . 31: . 32: . 33: . 34: . 35: . 36: .37: . 38: . 39: . 40: . 41: . 42: . 43: . 44: . 45: . 46: . 47: . 48: .Module 1 PassedExiting to ios...Rommon reg: 0x00000180###############################Restricted Rights LegendUse, duplication, or disclosure by the Government issubject to restrictions as set forth in subparagraph(c) of the Commercial Computer Software - RestrictedRights clause at FAR sec. 52.227-19 and subparagraph(c) (1) (ii) of the Rights in Technical Data and ComputerSoftware clause at DFARS sec. 252.227-7013.cisco Systems, Inc.170 West Tasman DriveSan Jose, California 95134-1706Cisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version12.2(25)EWA, RELEASE SOFTWARE (fc1)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2005 by Cisco Systems, Inc.Compiled Wed 17-Aug-05 17:09 by alnguyenImage text-base: 0x10000000, data-base: 0x11269914# # ## ##### # # # # # ##### # # # # # ## # # ## # # ## # # # # # # # # # # # # ## ## # ###### ##### # # # # # # # # ##### ## # # # # # ## # # ## # ## # # # # # # # # # # ####The following environment variable(s) are set. Setting theseenvironment variables may cause the system to behave unpredictably."DontShipAllowChassisSimulation""gdbEnable"Use 'clear platform environment variable unsupported' to clear these variables.cisco WS-C4948-10GE (MPC8540) processor (revision 3) with 262144K bytes of memory.Processor board ID 0MPC8540 CPU at 667Mhz, Fixed ModuleLast reset from Reload1 Virtual Ethernet interface48 Gigabit Ethernet interfaces2 Ten Gigabit Ethernet interfaces511K bytes of non-volatile configuration memory.Uncompressed configuration from 1127 bytes to 2668 bytesPress RETURN to get started!00:00:06: %C4K_IOSMODPORTMAN-4-POWERSUPPLYBAD: Power supply 2 has failed or beenturned off00:00:06: %C4K_IOSMODPORTMAN-4-POWERSUPPLYFANBAD: Fan of power supply 2 has failed00:00:15: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan00:00:15: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 1 (WS-C4948-10GE S/N: 0 Hw:0.3) is online00:00:16: %SYS-5-CONFIG_I: Configured from memory by console00:00:16: %SYS-5-RESTART: System restarted --Cisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version12.2(25)EWA, RELEASE SOFTWARE (fc1)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2005 by Cisco Systems, Inc.Compiled Wed 17-Aug-05 17:09 by alnguyenSwitch>Switch#Step 8
Limitations and Restrictions
These sections list the limitations and restrictions for the current release of Cisco IOS software on the Catalyst 4900 series switch.
•
–
–
–
–
•
–
–
–
–
•
–
–
–
•
–
–
–
–
•
–
–
–
•
•
•
•
•
•
Workaround: Display the configuration with the show standby command, then remove the CLI. Here is sample output of the show standby GigabitEthernet1/1 command:
switch(config)# interface g1/1switch(config)# no standby 0 name (0 is hsrp group number)•
Use the standby delay reload option if the router is rebooting after reloading the image.
•
Workaround: Since the problem is caused by mismatched MTUs, the solution is to change the MTU on either router to match the neighbor's MTU.
•
•
•
•
•
Workaround: Verify whether or not the Neighbor discovery cache has an entry, separate from regular troubleshooting areas of IPv6 address configurations and other configurations.
•
•
•
•
•
•
•
•
switchport private-vlan mapping trunk command above is 1000. For example, one thousand secondary VLANs could map to one primary VLAN, or one thousand secondary VLANs could map one to one to one thousand primary VLANs.•
•
•
•
00:02:57: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.206:1645,1646 is not responding.If this message appears, check that there is network connectivity between the switch and the ACS. You should also check that the switch has been properly configured as an AAA client on the ACS.
•
•
Workaround: Disable idle timeouts. (CSCec30214)
•
–
–
•
•
•
•
•
–
–
•
–
–
–
–
•
•
% Hardware MTU table exhaustedIn such a scenario, the ipv6 MTU value programmed in hardware will be different from the ipv6 interface MTU value. This will happen if there is no room in the hw MTU table to store additional values.
You must free up some space in the table by unconfiguring some unused MTU values and subsequently disable/re-enable ipv6 on the interface or reapply the MTU configuration.
•
Switch(config-if)# no ip verify sourceSwitch(config-if)# no ip device tracking max"To enable IPSG with Static Hosts on a port, issue the following commands:
Switch(config)# ip device tracking ****enable IP device tracking globallySwitch(config)# ip device tracking max <n> ***set an IP device tracking maximum on intSwitch(config-if)# ip verify source tracking [port-security] ****activate IPSG on port
Caution
Note
•
•
CSCsy31324
•
•
•
•
–
–
–
–
–
–
•
The outputs of certain commands, such as show ip route and show access-lists, contain non-deterministic text. While the output is easily understood, the output text does not contain strings that are consistently output. A general purpose specification file entry is unable to parse all possible output.
Workaround (1):
While a general purpose specification file entry may not be possible, a specification file entry might be created that returns the desired text by searching for text that is guaranteed to be in the output. If a string is guaranteed to be in the output, it can be used for parsing.
For example, the output of the show ip access-lists SecWiz_Gi3_17_out_ip command is this:
Extended IP access list SecWiz_Gi3_17_out_ip10 deny ip 76.0.0.0 0.255.255.255 host 65.65.66.6720 deny ip 76.0.0.0 0.255.255.255 host 44.45.46.4730 permit ip 76.0.0.0 0.255.255.255 host 55.56.57.57The first line is easily parsed because access list is guaranteed to be in the output:
<Property name="access list" alias="Name" distance="1.0" length="-1" type="String" />The remaining lines all contain the term host. As a result, the specification file may report the desired values by specifying that string. For example, this line
<Property name="host" alias="rule" distance="s.1" length="1" type="String" />will produce the following for the first and second rules
<rule>deny</rule>and the following for the third statement
<rule>permit<rule>Workaround (2):
Request the output of the show running-config command using NETCONF and parse that output for the desired strings. This is useful when the desired lines contain nothing in common. For example, the rules in this access list do not contain a common string and the order (three permits, then a deny, then another permit), prevent the spec file entry from using permit as a search string, as in the following example:
Extended MAC access list MACCOYpermit 0000.0000.ffef ffff.ffff.0000 0000.00af.bcef ffff.ff00.0000 appletalkpermit any host 65de.edfe.fefe xns-idppermit any any protocol-family rarp-non-ipv4deny host 005e.1e5d.9f7d host 3399.e3e1.ff2c dec-spanningpermit any anyThe XML output of show running-config command includes the following, which can then be parsed programmatically, as desired:
<mac><access-list><extended><ACLName>MACCOY</ACLName></extended></access-list></mac><X-Interface> permit 0000.0000.ffef ffff.ffff.0000 0000.00af.bcef ffff.ff00.0000 appletalk</X-Interface><X-Interface> permit any host 65de.edfe.fefe xns-idp</X-Interface><X-Interface> permit any any protocol-family rarp-non-ipv4</X-Interface><X-Interface> deny host 005e.1e5d.9f7d host 3399.e3e1.ff2c dec-spanning</X-Interface><X-Interface> permit any any</X-Interface>•
•
•
Workarounds:
–
–
CSCtq33048
•
Caveats
Caveats describe unexpected behavior in Cisco IOS releases. Caveats listed as open in a prior release are carried forward to the next release as either open or resolved.
Note
http://tools.cisco.com/security/center/publicationListing
Open Caveats in Cisco IOS Release 12.2(54)SG1
This section lists the open caveats in Cisco IOS Release 12.2(54)SG1:
•
show policy-map interface fa6/1 do not show the packets being matched:Switch# sh policy-map intFastEthernet3/2Service-policy output: p1Class-map: c1 (match-all)0 packets <--------It stays at '0' despite of traffic being receivedMatch: access-group name fnacl21police: Per-interfaceConform: 9426560 bytes Exceed: 16573440 bytesWorkaround: Verify that the MAC addresses being transmitted through the system are learned.
(CSCef01798)
•
–
–
On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.
Workaround: Re-connect. (CSCsb11964)
•
This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rxSwitch(config)# monitor session n source cpu queue <new_Queue_Name>(CSCsc94802)
•
Workaround: None. (CSCsc11726)
•
This could occur for these reasons:
–
–
Workarounds:
–
–
•
qos account layer2 encapsulation.Workaround: None. (CSCsg58526)
•
This does not impact performance.
Workaround: Issue the no shutdown command. (CSCsg27395)
•
Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).
•
Workaround: None. (CSCsm30320)
•
Workaround: None. (CSCso93282)
•
Workarounds: Do one of the following:
–
–
–
(CSCsq63051)
•
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internalsoftware error occurred. Null0 linked to wrong hwidb Null0Workaround: None. (CSCso68331)
•
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
–
–
(CSCsv90044)
•
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
b.
c.
d.
(CSCsv69853)
•
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SGWorkaround: None. (CSCsw14005)
•
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
Workaround: None. CSCsy72343
•
show policy-map interface command are wrong.Workaround: None.
The queue transmit counters as well as the policing statistics (if any) are correct. CSCsz20149
•
This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored. CSCsz34522
•
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command. CSCta16492
•
Workaround: None.
Despite the different default value, you can configure any value in the time range. CSCte51948
•
Workarounds: The Cisco switch default link-flap detection value is 5 flaps in 10 seconds. Use the default value or larger numbers. CSCtg07677
•
Workaround: Do shut, then no shut on the SVI. CSCtg72559
•
Similarly, the show epm sessions command always displays the authentication method as DOT1X.
Workaround: To view the authentication method used for a client, enter the
show authentication sessions command. CSCsx42157•
Workaround: Configure an ACL on the port. CSCte18760
•
–
–
Workaround: Configure the ASW or any other switch upstream as the root-bridge for all the VLANs. CSCtg71030
•
Workaround: None. CSCtj56811
•
Workaround: Disable the ip cef accounting non-recursive command. CSCtn68186
•
Workarounds:
–
–
Resolved Caveats in Cisco IOS Release 12.2(54)SG1
This section lists the resolved caveats in Release 12.2(54)SG1:
•
switchport port-security maximum <number> vlan accessswitchport port-security maximum <number> vlan voiceWorkaround: None. CSCti74791..ALL
•
Workaround: Upgrade to 12.2(53)SG3, 12.2(50)SG8, or later. CSCth00398 .....ALL
•
c3560sw2# show ip ospf intVlan804 is up, line protocol is upInternet Address 10.0.0.2/24, Area 0Process ID 1, Router ID 10.0.0.2, Network Type BROADCAST, Cost: 1Transmit Delay is 1 sec, State DR, Priority 1Designated Router (ID) 10.0.0.2, Interface address 10.0.0.2--More--%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8,changed state to down%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan804, changedstate to down%OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on Vlan804 from FULL to DOWN,Neighbor Down: Interface down or detached%LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to downThe next line in the output of the show ip ospf int command is the following:
Backup Designated router (ID) 10.0.0.1, Interface address 10.0.0.1If you now advance the output by pressing either Enter or the space bar, the device reloads and the following error message displays:
Unexpected exception to CPUvector 2000, PC = 261FC60Workaround: None. CSCtd73256
•
Workaround: None. CSCta96363
Open Caveats in Cisco IOS Release 12.2(54)SG
This section lists the open caveats in Cisco IOS Release 12.2(54)SG:
•
show policy-map interface fa6/1 do not show the packets being matched:Switch# sh policy-map intFastEthernet3/2Service-policy output: p1Class-map: c1 (match-all)0 packets <--------It stays at '0' despite of traffic being receivedMatch: access-group name fnacl21police: Per-interfaceConform: 9426560 bytes Exceed: 16573440 bytesWorkaround: Verify that the MAC addresses being transmitted through the system are learned.
(CSCef01798)
•
–
–
On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.
Workaround: Re-connect. (CSCsb11964)
•
This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rxSwitch(config)# monitor session n source cpu queue <new_Queue_Name>(CSCsc94802)
•
Workaround: None. (CSCsc11726)
•
This could occur for these reasons:
–
–
Workarounds:
–
–
•
qos account layer2 encapsulation.Workaround: None. (CSCsg58526)
•
This does not impact performance.
Workaround: Issue the no shutdown command. (CSCsg27395)
•
Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).
•
Workaround: None. (CSCsm30320)
•
Workaround: None. (CSCso93282)
•
Workarounds: Do one of the following:
–
–
–
(CSCsq63051)
•
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internalsoftware error occurred. Null0 linked to wrong hwidb Null0Workaround: None. (CSCso68331)
•
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
–
–
(CSCsv90044)
•
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
b.
c.
d.
(CSCsv69853)
•
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SGWorkaround: None. (CSCsw14005)
•
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
Workaround: None. CSCsy72343
•
show policy-map interface command are wrong.Workaround: None.
The queue transmit counters as well as the policing statistics (if any) are correct. CSCsz20149
•
This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored. CSCsz34522
•
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command. CSCta16492
•
Workaround: None.
Despite the different default value, you can configure any value in the time range. CSCte51948
•
Workarounds: The Cisco switch default link-flap detection value is 5 flaps in 10 seconds. Use the default value or larger numbers. CSCtg07677
•
Workaround: Do shut, then no shut on the SVI. CSCtg72559
•
Similarly, the show epm sessions command always displays the authentication method as DOT1X.
Workaround: To view the authentication method used for a client, enter the
show authentication sessions command. CSCsx42157•
Workaround: Configure an ACL on the port. CSCte18760
•
–
–
Workaround: Configure the ASW or any other switch upstream as the root-bridge for all the VLANs. CSCtg71030
•
Workaround: None. CSCtj56811
•
Workaround: Disable the ip cef accounting non-recursive command. CSCtn68186
•
Workarounds:
–
–
Resolved Caveats in Cisco IOS Release 12.2(54)SG
This section lists the resolved caveats in Release 12.2(54)SG:
•
Cisco IOS Release 12.2(53)SG1 or 12.2(50)SG6, Layer 2 multicast is not blocked.Prior to Cisco IOS Release 12.2(53)SG1, 12.2(50)SG6, the switchport block multicast command would block IP Multicast, Layer 2 multicast, and broadcast traffic .
Workaround: None CSCta61825
•
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. CSCsv54529
•
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface. CSCso50921
•
Workaround: None. CSCsv42869
•
Workaround: None. CSCsy38640
•
Workaround: None. CSCsu35604
•
Switch# call-home send alert-group diagnostic module 2Sending diagnostic info call-home message ...Please wait. This may take some time ...Switch#*Jan 3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand message failed to send (ERR 18, The alert group is not subscribed)Workaround: Specify a profile name when you enter the diagnostic command.
You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.CSCsz05888
•
Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.
The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.
Workaround: Enter shut, then no shut on the port.
CSCta04665
•
Workaround: Configure the route map to only match on ACL(s).
CSCtg22126
•
The statistics are displayed properly on the active supervisor.
Workaround: None.
CSCsx64308
•
Workaround: Attempt an authorization after a timeout.
CSCte84432
•
Workaround: Disable the debug management expression evaluator command. (CSCsu67323)
•
This occurs only if the following conditions are satisfied:
–
–
–
Workaround: None. CSCsz63739
•
"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type"Or"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type""%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 14" (where n is a slot number)Workaround: Load Cisco IOS Release 12.2(54)SG or 12.2(53)SG4 on WS-C4507R+E and WS-C4510R+E.
Open Caveats in Cisco IOS Release 12.2(53)SG9
This section lists the open caveats in Cisco IOS Release 12.2(53)SG9:
•
show policy-map interface fa6/1 do not show the packets being matched:Switch# sh policy-map intFastEthernet3/2Service-policy output: p1Class-map: c1 (match-all)0 packets <--------It stays at '0' despite of traffic being receivedMatch: access-group name fnacl21police: Per-interfaceConform: 9426560 bytes Exceed: 16573440 bytesWorkaround: Verify that the MAC addresses being transmitted through the system are learned.
(CSCef01798)
•
–
–
On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.
Workaround: Re-connect. (CSCsb11964)
•
This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rxSwitch(config)# monitor session n source cpu queue <new_Queue_Name>(CSCsc94802)
•
Workaround: None. (CSCsc11726)
•
This could occur for these reasons:
–
–
Workarounds:
–
–
•
qos account layer2 encapsulation.Workaround: None. (CSCsg58526)
•
This does not impact performance.
Workaround: Issue the no shutdown command. (CSCsg27395)
•
Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).
•
Workaround: None. (CSCsm30320)
•
Workaround: None. (CSCsq72572)
•
Workaround: None. (CSCso93282)
•
Workarounds: Do one of the following:
–
–
–
(CSCsq63051)
•
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internalsoftware error occurred. Null0 linked to wrong hwidb Null0Workaround: None. (CSCso68331)
•
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
Workarounds: Use either of the following to set the sxp default password:
–
–
(CSCsv33006)
•
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 2.2.2.1(64999)This issue is seen when the default SXP password is encrypted with type-6 encryption.
Workaround: Do one of the following:
–
–
(CSCsv33136)
•
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SGWorkaround: None. (CSCsw14005)
•
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
Workaround: None. CSCsy72343
•
Workaround: None.
CSCsy38640
•
Workaround: None.
CSCsu35604
•
Switch# call-home send alert-group diagnostic module 2Sending diagnostic info call-home message ...Please wait. This may take some time ...Switch#*Jan 3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand message failed to send (ERR 18, The alert group is not subscribed)Workaround: Specify a profile name when you enter the diagnostic command.
You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.CSCsz05888
•
show policy-map interface command are wrong.Workaround: None.
The queue transmit counters as well as the policing statistics (if any) are correct.
CSCsz20149
•
Workaround: None.
CSCsz06719
•
Workaround: Manually re-enter all entries with new time settings.
CSCsy27389
•
This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.
CSCsz34522
•
Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.
The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.
Workaround: Enter shut, then no shut on the port.
CSCta04665
•
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.
CSCta16492
•
This occurs only if the following conditions are satisfied:
–
–
–
Workaround: None.
CSCsz63739
•
Workaround: None.
Despite the different default value, you can configure any value in the time range.
CSCte51948
•
The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete.
Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986
•
Workaround: When creating the file, enter some characters, remove the ftp command, then re-enter it as follows:
Switch(config)# no ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.$Switch(config)# ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.logCSCsk38763
•
"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type"Or"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type""%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 14" (where n is a slot number)Workaround: Load Cisco IOS Release 12.2(54)SG or 12.2(53)SG4 on WS-C4507R+E and WS-C4510R+E.
CSCtl70275
•
%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis typeThe active supervisor engine also displays following log message for each linecard slot in the chassis:
%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 14where n is the slot number
If the standby supervisor engine boots, the active supervisor engine displays the following message and reboots:
%C4K_REDUNDANCY-2-POSTFAIL_RESET: Power-On Self Test (POST) failure on ACTIVE supervisor detected. Detected the Standby Supervisor bootupFailedWhile active supervisor engine is up, no traffic can be handled by the switch.
The two supervisor engines might alternately reboot continuously.
Workaround: Use Cisco IOS Release 12.2(53)SG4, 12.2(54)SG, 15.0(1)SG or later images with WS-C4510R+E and WS-C4507R+E chassis.
CSCtl84092
•
Workaround: None.
CSCtq73579
Resolved Caveats in Cisco IOS Release 12.2(53)SG9
This section lists the resolved caveats in Release 12.2(53)SG9:
•
Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521
•
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-nat
Note: The March 27, 2013, Cisco IOS Software Security Advisory bundled publication includes seven Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2013 bundled publication.
Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar13.html
CSCtg47129
Open Caveats in Cisco IOS Release 12.2(53)SG8
This section lists the open caveats in Cisco IOS Release 12.2(53)SG8:
•
show policy-map interface fa6/1 do not show the packets being matched:Switch# sh policy-map intFastEthernet3/2Service-policy output: p1Class-map: c1 (match-all)0 packets <--------It stays at '0' despite of traffic being receivedMatch: access-group name fnacl21police: Per-interfaceConform: 9426560 bytes Exceed: 16573440 bytesWorkaround: Verify that the MAC addresses being transmitted through the system are learned.
(CSCef01798)
•
–
–
On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.
Workaround: Re-connect. (CSCsb11964)
•
This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rxSwitch(config)# monitor session n source cpu queue <new_Queue_Name>(CSCsc94802)
•
Workaround: None. (CSCsc11726)
•
This could occur for these reasons:
–
–
Workarounds:
–
–
•
qos account layer2 encapsulation.Workaround: None. (CSCsg58526)
•
This does not impact performance.
Workaround: Issue the no shutdown command. (CSCsg27395)
•
Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).
•
Workaround: None. (CSCsm30320)
•
Workaround: None. (CSCsq72572)
•
Workaround: None. (CSCso93282)
•
Workarounds: Do one of the following:
–
–
–
(CSCsq63051)
•
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internalsoftware error occurred. Null0 linked to wrong hwidb Null0Workaround: None. (CSCso68331)
•
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
Workarounds: Use either of the following to set the sxp default password:
–
–
(CSCsv33006)
•
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 2.2.2.1(64999)This issue is seen when the default SXP password is encrypted with type-6 encryption.
Workaround: Do one of the following:
–
–
(CSCsv33136)
•
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SGWorkaround: None. (CSCsw14005)
•
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
Workaround: None. CSCsy72343
•
Workaround: None.
CSCsy38640
•
Workaround: None.
CSCsu35604
•
Switch# call-home send alert-group diagnostic module 2Sending diagnostic info call-home message ...Please wait. This may take some time ...Switch#*Jan 3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand message failed to send (ERR 18, The alert group is not subscribed)Workaround: Specify a profile name when you enter the diagnostic command.
You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.CSCsz05888
•
show policy-map interface command are wrong.Workaround: None.
The queue transmit counters as well as the policing statistics (if any) are correct.
CSCsz20149
•
Workaround: None.
CSCsz06719
•
Workaround: Manually re-enter all entries with new time settings.
CSCsy27389
•
This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.
CSCsz34522
•
Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.
The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.
Workaround: Enter shut, then no shut on the port.
CSCta04665
•
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.
CSCta16492
•
This occurs only if the following conditions are satisfied:
–
–
–
Workaround: None.
CSCsz63739
•
Workaround: None.
Despite the different default value, you can configure any value in the time range.
CSCte51948
•
The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete.
Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986
•
Workaround: When creating the file, enter some characters, remove the ftp command, then re-enter it as follows:
Switch(config)# no ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.$Switch(config)# ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.logCSCsk38763
•
"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type"Or"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type""%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 14" (where n is a slot number)Workaround: Load Cisco IOS Release 12.2(54)SG or 12.2(53)SG4 on WS-C4507R+E and WS-C4510R+E.
CSCtl70275
•
%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis typeThe active supervisor engine also displays following log message for each linecard slot in the chassis:
%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 14where n is the slot number
If the standby supervisor engine boots, the active supervisor engine displays the following message and reboots:
%C4K_REDUNDANCY-2-POSTFAIL_RESET: Power-On Self Test (POST) failure on ACTIVE supervisor detected. Detected the Standby Supervisor bootupFailedWhile active supervisor engine is up, no traffic can be handled by the switch.
The two supervisor engines might alternately reboot continuously.
Workaround: Use Cisco IOS Release 12.2(53)SG4, 12.2(54)SG, 15.0(1)SG or later images with WS-C4510R+E and WS-C4507R+E chassis. CSCtl84092
•
Workaround: None. CSCtq73579
•
Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521
Resolved Caveats in Cisco IOS Release 12.2(53)SG8
This section lists the resolved caveats in Release 12.2(53)SG8:
•
Workaround: Enter the no cdp run command to disable CDP. CSCub45763
Open Caveats in Cisco IOS Release 12.2(53)SG7
This section lists the open caveats in Cisco IOS Release 12.2(53)SG7:
•
show policy-map interface fa6/1 do not show the packets being matched:Switch# sh policy-map intFastEthernet3/2Service-policy output: p1Class-map: c1 (match-all)0 packets <--------It stays at '0' despite of traffic being receivedMatch: access-group name fnacl21police: Per-interfaceConform: 9426560 bytes Exceed: 16573440 bytesWorkaround: Verify that the MAC addresses being transmitted through the system are learned.
(CSCef01798)
•
–
–
On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.
Workaround: Re-connect. (CSCsb11964)
•
This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rxSwitch(config)# monitor session n source cpu queue <new_Queue_Name>(CSCsc94802)
•
Workaround: None. (CSCsc11726)
•
This could occur for these reasons:
–
–
Workarounds:
–
–
•
qos account layer2 encapsulation.Workaround: None. (CSCsg58526)
•
This does not impact performance.
Workaround: Issue the no shutdown command. (CSCsg27395)
•
Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).
•
Workaround: None. (CSCsm30320)
•
Workaround: None. (CSCsq72572)
•
Workaround: None. (CSCso93282)
•
Workarounds: Do one of the following:
–
–
–
(CSCsq63051)
•
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internalsoftware error occurred. Null0 linked to wrong hwidb Null0Workaround: None. (CSCso68331)
•
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
Workarounds: Use either of the following to set the sxp default password:
–
–
(CSCsv33006)
•
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 2.2.2.1(64999)This issue is seen when the default SXP password is encrypted with type-6 encryption.
Workaround: Do one of the following:
–
–
(CSCsv33136)
•
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SGWorkaround: None. (CSCsw14005)
•
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
Workaround: None. CSCsy72343
•
Workaround: None.
CSCsy38640
•
Workaround: None.
CSCsu35604
•
Switch# call-home send alert-group diagnostic module 2Sending diagnostic info call-home message ...Please wait. This may take some time ...Switch#*Jan 3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand message failed to send (ERR 18, The alert group is not subscribed)Workaround: Specify a profile name when you enter the diagnostic command.
You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.CSCsz05888
•
show policy-map interface command are wrong.Workaround: None.
The queue transmit counters as well as the policing statistics (if any) are correct.
CSCsz20149
•
Workaround: None.
CSCsz06719
•
Workaround: Manually re-enter all entries with new time settings.
CSCsy27389
•
This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.
CSCsz34522
•
Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.
The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.
Workaround: Enter shut, then no shut on the port.
CSCta04665
•
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.
CSCta16492
•
This occurs only if the following conditions are satisfied:
–
–
–
Workaround: None.
CSCsz63739
•
Workaround: None.
Despite the different default value, you can configure any value in the time range.
CSCte51948
•
The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete.
Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986
•
Workaround: When creating the file, enter some characters, remove the ftp command, then re-enter it as follows:
Switch(config)# no ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.$Switch(config)# ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.logCSCsk38763
•
"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type"Or"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type""%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 14" (where n is a slot number)Workaround: Load Cisco IOS Release 12.2(54)SG or 12.2(53)SG4 on WS-C4507R+E and WS-C4510R+E.
CSCtl70275
•
%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis typeThe active supervisor engine also displays following log message for each linecard slot in the chassis:
%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 14where n is the slot number
If the standby supervisor engine boots, the active supervisor engine displays the following message and reboots:
%C4K_REDUNDANCY-2-POSTFAIL_RESET: Power-On Self Test (POST) failure on ACTIVE supervisor detected. Detected the Standby Supervisor bootupFailedWhile active supervisor engine is up, no traffic can be handled by the switch.
The two supervisor engines might alternately reboot continuously.
Workaround: Use Cisco IOS Release 12.2(53)SG4, 12.2(54)SG, 15.0(1)SG or later images with WS-C4510R+E and WS-C4507R+E chassis.
CSCtl84092
•
Workaround: None.
CSCtq73579
•
Workaround: Enter the no cdp run command to disable CDP. CSCub45763
•
Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521
Resolved Caveats in Cisco IOS Release 12.2(53)SG7
This section lists the resolved caveats in Release 12.2(53)SG7:
•
Workaround: Do not use AAA accounting with the broadcast keyword. CSCts56125
•
Products that are not running Cisco IOS software are not vulnerable.
Cisco has released free software updates that address these vulnerabilities.
The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-paiAdditional information on Cisco's security vulnerability policy can be found at the URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.htmlCSCtr91106
•
Workaround: None. CSCtj48387
•
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp
Note
Individual publication links are in ''Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication'' at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.htmlCSCtr28857
•
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.provided the following conditions apply:
–
authentication event server dead action authorize...
authenticaton event server alive action reinitalize
–
The RADIUS server becomes available again, and the IAB-authorized port transitions to another state.
Workaround: None. CSCtx61557
Open Caveats in Cisco IOS Release 12.2(53)SG6
This section lists the open caveats in Cisco IOS Release 12.2(53)SG6:
•
show policy-map interface fa6/1 do not show the packets being matched:Switch# sh policy-map intFastEthernet3/2Service-policy output: p1Class-map: c1 (match-all)0 packets <--------It stays at '0' despite of traffic being receivedMatch: access-group name fnacl21police: Per-interfaceConform: 9426560 bytes Exceed: 16573440 bytesWorkaround: Verify that the MAC addresses being transmitted through the system are learned.
(CSCef01798)
•
–
–
On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.
Workaround: Re-connect. (CSCsb11964)
•
This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rxSwitch(config)# monitor session n source cpu queue <new_Queue_Name>(CSCsc94802)
•
Workaround: None. (CSCsc11726)
•
This could occur for these reasons:
–
–
Workarounds:
–
–
•
qos account layer2 encapsulation.Workaround: None. (CSCsg58526)
•
This does not impact performance.
Workaround: Issue the no shutdown command. (CSCsg27395)
•
Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).
•
Workaround: None. (CSCsm30320)
•
Workaround: None. (CSCsq72572)
•
Workaround: None. (CSCso93282)
•
Workarounds: Do one of the following:
–
–
–
(CSCsq63051)
•
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internalsoftware error occurred. Null0 linked to wrong hwidb Null0Workaround: None. (CSCso68331)
•
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
Workarounds: Use either of the following to set the sxp default password:
–
–
(CSCsv33006)
•
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 2.2.2.1(64999)This issue is seen when the default SXP password is encrypted with type-6 encryption.
Workaround: Do one of the following:
–
–
(CSCsv33136)
•
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SGWorkaround: None. (CSCsw14005)
•
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
Workaround: None. CSCsy72343
•
Workaround: None.
CSCsy38640
•
Workaround: None.
CSCsu35604
•
Switch# call-home send alert-group diagnostic module 2Sending diagnostic info call-home message ...Please wait. This may take some time ...Switch#*Jan 3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand message failed to send (ERR 18, The alert group is not subscribed)Workaround: Specify a profile name when you enter the diagnostic command.
You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.CSCsz05888
•
show policy-map interface command are wrong.Workaround: None.
The queue transmit counters as well as the policing statistics (if any) are correct.
CSCsz20149
•
Workaround: None.
CSCsz06719
•
Workaround: Manually re-enter all entries with new time settings.
CSCsy27389
•
This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.
CSCsz34522
•
Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.
The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.
Workaround: Enter shut, then no shut on the port.
CSCta04665
•
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.
CSCta16492
•
This occurs only if the following conditions are satisfied:
–
–
–
Workaround: None.
CSCsz63739
•
Workaround: None.
Despite the different default value, you can configure any value in the time range.
CSCte51948
•
The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete.
Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986
•
Workaround: When creating the file, enter some characters, remove the ftp command, then re-enter it as follows:
Switch(config)# no ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.$Switch(config)# ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.logCSCsk38763
•
"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type"Or"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type""%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 14" (where n is a slot number)Workaround: Load Cisco IOS Release 12.2(54)SG or 12.2(53)SG4 on WS-C4507R+E and WS-C4510R+E.
CSCtl70275
•
%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis typeThe active supervisor engine also displays following log message for each linecard slot in the chassis:
%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 14where n is the slot number
If the standby supervisor engine boots, the active supervisor engine displays the following message and reboots:
%C4K_REDUNDANCY-2-POSTFAIL_RESET: Power-On Self Test (POST) failure on ACTIVE supervisor detected. Detected the Standby Supervisor bootupFailedWhile active supervisor engine is up, no traffic can be handled by the switch.
The two supervisor engines might alternately reboot continuously.
Workaround: Use Cisco IOS Release 12.2(53)SG4, 12.2(54)SG, 15.0(1)SG or later images with WS-C4510R+E and WS-C4507R+E chassis.
CSCtl84092
•
Workaround: None.
CSCtq73579
•
Workaround: Do not use AAA accounting with the broadcast keyword. CSCts56125
•
Products that are not running Cisco IOS software are not vulnerable.
Cisco has released free software updates that address these vulnerabilities.
The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-paiAdditional information on Cisco's security vulnerability policy can be found at the URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.htmlCSCtr91106
•
Workaround: None. CSCtj48387
•
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp
Note
Individual publication links are in ''Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication'' at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.htmlCSCtr28857
•
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.provided the following conditions apply:
–
authentication event server dead action authorize...
authenticaton event server alive action reinitalize
–
The RADIUS server becomes available again, and the IAB-authorized port transitions to another state.
Workaround: None. CSCtx61557
•
Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521
Resolved Caveats in Cisco IOS Release 12.2(53)SG6
This section lists the resolved caveats in Release 12.2(53)SG6:
•
Workaround: Re-enter the rep preempt segment command.
CSCtr89862
•
Workaround: Ensure that a policy is configured on an interface prior to changing a default next-hop in route-map. CSCtr31759
•
–
–
Workaround: Perform the following task:
1. Disable the SNMP engine with the no snmp-server command.
2. Configure an IPv4 address and an IPv6 address on loopback interfaces.
3. Enable the SNMP engine.
CSCsw76894
•
Workaround: Perform the following task:
1. Disable the SNMP engine with the no snmp-server command.
2. Configure an IP address and an IPv6 address on loopback interfaces.
3. Enable the SNMP engine.
CSCsw92921
•
Workaround: Configure static MAC addresses for the source addresses on the backup flex link interface. CSCtr40070
•
uPE1#sh ip sla stat | inc TimeoutLatest RTT: NoConnection/Busy/TimeoutIssue is likely not to appear in environments with low latency (<5msec).
Workarounds:
–
–
•
Workaround: Disable LLDP MA TLV sending on the peers. CSCtj22354
•
Workaround: Use getnext rather than get to list valid indicies for the MIB OID. CSCtr52740
•
Workaround: None. CSCto72927
•
Workarounds:
–
–
•
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
b.
c.
d.
(CSCsv69853)
•
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
b.
c.
d.
(CSCsv69853)
Open Caveats in Cisco IOS Release 12.2(53)SG5
This section lists the open caveats in Cisco IOS Release 12.2(53)SG5:
•
show policy-map interface fa6/1 do not show the packets being matched:Switch# sh policy-map intFastEthernet3/2Service-policy output: p1Class-map: c1 (match-all)0 packets <--------It stays at '0' despite of traffic being receivedMatch: access-group name fnacl21police: Per-interfaceConform: 9426560 bytes Exceed: 16573440 bytesWorkaround: Verify that the MAC addresses being transmitted through the system are learned.
(CSCef01798)
•
–
–
On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.
Workaround: Re-connect. (CSCsb11964)
•
This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rxSwitch(config)# monitor session n source cpu queue <new_Queue_Name>(CSCsc94802)
•
Workaround: None. (CSCsc11726)
•
This could occur for these reasons:
–
–
Workarounds:
–
–
•
qos account layer2 encapsulation.Workaround: None. (CSCsg58526)
•
This does not impact performance.
Workaround: Issue the no shutdown command. (CSCsg27395)
•
Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).
•
Workaround: None. (CSCsm30320)
•
Workaround: None. (CSCsq72572)
•
Workaround: None. (CSCso93282)
•
Workarounds: Do one of the following:
–
–
–
(CSCsq63051)
•
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internalsoftware error occurred. Null0 linked to wrong hwidb Null0Workaround: None. (CSCso68331)
•
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
Workarounds: Use either of the following to set the sxp default password:
–
–
(CSCsv33006)
•
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 2.2.2.1(64999)This issue is seen when the default SXP password is encrypted with type-6 encryption.
Workaround: Do one of the following:
–
–
(CSCsv33136)
•
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
b.
c.
d.
(CSCsv69853)
•
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SGWorkaround: None. (CSCsw14005)
•
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
Workaround: None. CSCsy72343
•
Workaround: None.
CSCsy38640
•
Workaround: None.
CSCsu35604
•
Switch# call-home send alert-group diagnostic module 2Sending diagnostic info call-home message ...Please wait. This may take some time ...Switch#*Jan 3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand message failed to send (ERR 18, The alert group is not subscribed)Workaround: Specify a profile name when you enter the diagnostic command.
You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.CSCsz05888
•
show policy-map interface command are wrong.Workaround: None.
The queue transmit counters as well as the policing statistics (if any) are correct.
CSCsz20149
•
Workaround: None.
CSCsz06719
•
Workaround: Manually re-enter all entries with new time settings.
CSCsy27389
•
This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.
CSCsz34522
•
Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.
The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.
Workaround: Enter shut, then no shut on the port.
CSCta04665
•
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.
CSCta16492
•
This occurs only if the following conditions are satisfied:
–
–
–
Workaround: None.
CSCsz63739
•
Workaround: None.
Despite the different default value, you can configure any value in the time range.
CSCte51948
•
The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete.
Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986
•
Workaround: When creating the file, enter some characters, remove the ftp command, then re-enter it as follows:
Switch(config)# no ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.$Switch(config)# ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.logCSCsk38763
•
"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type"Or"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type""%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 14" (where n is a slot number)Workaround: Load Cisco IOS Release 12.2(54)SG or 12.2(53)SG4 on WS-C4507R+E and WS-C4510R+E.
CSCtl70275
•
%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis typeThe active supervisor engine also displays following log message for each linecard slot in the chassis:
%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 14where n is the slot number
If the standby supervisor engine boots, the active supervisor engine displays the following message and reboots:
%C4K_REDUNDANCY-2-POSTFAIL_RESET: Power-On Self Test (POST) failure on ACTIVE supervisor detected. Detected the Standby Supervisor bootupFailedWhile active supervisor engine is up, no traffic can be handled by the switch.
The two supervisor engines might alternately reboot continuously.
Workaround: Use Cisco IOS Release 12.2(53)SG4, 12.2(54)SG, 15.0(1)SG or later images with WS-C4510R+E and WS-C4507R+E chassis.
CSCtl84092
•
Workaround: None.
CSCtq73579
•
Workaround: Do not use AAA accounting with the broadcast keyword. CSCts56125
•
Products that are not running Cisco IOS software are not vulnerable.
Cisco has released free software updates that address these vulnerabilities.
The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-paiAdditional information on Cisco's security vulnerability policy can be found at the URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.htmlCSCtr91106
•
Workaround: None. CSCtj48387
•
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp
Note
Individual publication links are in ''Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication'' at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.htmlCSCtr28857
•
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.provided the following conditions apply:
–
authentication event server dead action authorize...
authenticaton event server alive action reinitalize
–
The RADIUS server becomes available again, and the IAB-authorized port transitions to another state.
Workaround: None. CSCtx61557
•
Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521
Resolved Caveats in Cisco IOS Release 12.2(53)SG5
This section lists the resolved caveats in Release 12.2(53)SG5:
•
Workarounds:
–
–
•
Workaround: Disable gratuitous ARP on the Windows device. CSCtn27420
•
Workarounds:
–
–
•
Workaround: Disable AAA accounting. CSCtl77241
•
The problem is not observed for another 72 weeks.
Workaround: None. CSCsl70722
•
Workaround: Configure ip routing. CSCtj20399
•
This happens only if you use a custom banner configured like the following:
ip auth-proxy auth-proxy-banner http ^C Custom Banner here ^CWorkaround: Remove the custom banner. CSCtb77378
•
Workarounds:
–
–
•
LLDP IEEE standard requires frames sent untagged. With this issue, some peer devices may reject the tagged LLDP frame.
Workaround: Use the default native VLAN for the trunks. CSCtn29321
•
Workaround: If you include snmp-server enable traps envmon in the device configuration, a ciscoEnvMonSuppStatusChangeNotification is generated when the power supply either turns off or fails. CSCtl72109
•
Workaround: Disable IP cef accounting. CSCtn68186
•
–
–
Workaround: None. CSCtj90471
•
%C4K_IOSMODPORTMAN-4-POWERSUPPLYREMOVED: Power supply 1 has been removed%C4K_CHASSIS-3-INSUFFICIENTPOWERSUPPLIESDETECTED: Insufficient power supplies present for specified configuration%C4K_CHASSIS-2-INSUFFICIENTPOWERDETECTED: Insufficient power available for theWorkaround: None. CSCtn38000
•
Workaround: Ensure that all trunk ports in the REP ring topology have the same list of VLANs, including ports in other REP rings that export STCNs into the REP ring where the problem is observed. CSCto67625
•
Workaround: Avoid using DHCP load balancing. CSCth00482
•
Workaround: Use a different host-mode. CSCti92970
•
Workaround: Allow SSH connections only from trusted hosts. CSCth87458
•
Workarounds
–
–
•
This behavior is anticipated. In multi-auth mode, the system cannot distinguish between the data client that is attached to the phone and those that are attached to the switch through a hub.
Workaround: None. CSCtd70009
•
Workaround: Remove the entire route-map and re-create it. CSCsr23563
•
pqiu@apt-cse-613% ssh cisco@10.66.79.211"$(hostname) via line $(line) $(line-desc)"Here is how you configured the banner:
banner login ^CC$(hostname) via line $(line) $(line-desc)^C!If you telnet to the router, the banner shows correctly as follows:
"SV-9-5 via line 67"Workaround: None. CSCei24145
•
Workaround: Enter shut and no shut on the alternate interface. CSCtn03533
•
Workaround: Avoid configuring overlapping IP addresses. CSCtj96095
Open Caveats in Cisco IOS Release 12.2(53)SG4
This section lists the open caveats in Cisco IOS Release 12.2(53)SG4:
•
show policy-map interface fa6/1 do not show the packets being matched:Switch# sh policy-map intFastEthernet3/2Service-policy output: p1Class-map: c1 (match-all)0 packets <--------It stays at '0' despite of traffic being receivedMatch: access-group name fnacl21police: Per-interfaceConform: 9426560 bytes Exceed: 16573440 bytesWorkaround: Verify that the MAC addresses being transmitted through the system are learned.
(CSCef01798)
•
–
–
On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.
Workaround: Re-connect. (CSCsb11964)
•
This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rxSwitch(config)# monitor session n source cpu queue <new_Queue_Name>(CSCsc94802)
•
Workaround: None. (CSCsc11726)
•
This could occur for these reasons:
–
–
Workarounds:
–
–
•
qos account layer2 encapsulation.Workaround: None. (CSCsg58526)
•
This does not impact performance.
Workaround: Issue the no shutdown command. (CSCsg27395)
•
Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).
•
Workaround: None. (CSCsm30320)
•
Workaround: None. (CSCsq72572)
•
Workaround: None. (CSCso93282)
•
Workarounds: Do one of the following:
–
–
–
(CSCsq63051)
•
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internalsoftware error occurred. Null0 linked to wrong hwidb Null0Workaround: None. (CSCso68331)
•
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
Workarounds: Use either of the following to set the sxp default password:
–
–
(CSCsv33006)
•
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 2.2.2.1(64999)This issue is seen when the default SXP password is encrypted with type-6 encryption.
Workaround: Do one of the following:
–
–
(CSCsv33136)
•
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
b.
c.
d.
(CSCsv69853)
•
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SGWorkaround: None. (CSCsw14005)
•
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
Workaround: None. CSCsy72343
•
Workaround: None.
CSCsy38640
•
Workaround: None.
CSCsu35604
•
Switch# call-home send alert-group diagnostic module 2Sending diagnostic info call-home message ...Please wait. This may take some time ...Switch#*Jan 3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand message failed to send (ERR 18, The alert group is not subscribed)Workaround: Specify a profile name when you enter the diagnostic command.
You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.CSCsz05888
•
show policy-map interface command are wrong.Workaround: None.
The queue transmit counters as well as the policing statistics (if any) are correct.
CSCsz20149
•
Workaround: None.
CSCsz06719
•
Workaround: Manually re-enter all entries with new time settings.
CSCsy27389
•
This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.
CSCsz34522
•
Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.
The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.
Workaround: Enter shut, then no shut on the port.
CSCta04665
•
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.
CSCta16492
•
This occurs only if the following conditions are satisfied:
–
–
–
Workaround: None.
CSCsz63739
•
Workaround: None.
Despite the different default value, you can configure any value in the time range.
CSCte51948
•
The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete.
Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986
•
Workaround: When creating the file, enter some characters, remove the ftp command, then re-enter it as follows:
Switch(config)# no ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.$Switch(config)# ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.logCSCsk38763
•
"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type"Or"%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type""%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 14" (where n is a slot number)Workaround: Load Cisco IOS Release 12.2(54)SG or 12.2(53)SG4 on WS-C4507R+E and WS-C4510R+E.
CSCtl70275
•
Workarounds:
–
–
CSCtk67010
•
%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis typeThe active supervisor engine also displays following log message for each linecard slot in the chassis:
%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot <n> of unsupported type 14where n is the slot number
If the standby supervisor engine boots, the active supervisor engine displays the following message and reboots:
%C4K_REDUNDANCY-2-POSTFAIL_RESET: Power-On Self Test (POST) failure on ACTIVE supervisor detected. Detected the Standby Supervisor bootupFailedWhile active supervisor engine is up, no traffic can be handled by the switch.
The two supervisor engines might alternately reboot continuously.
Workaround: Use Cisco IOS Release 12.2(53)SG4, 12.2(54)SG, 15.0(1)SG or later images with WS-C4510R+E and WS-C4507R+E chassis.
CSCtl84092
•
Workaround: Disable the ip cef accounting non-recursive command.
(CSCtn68186)
•
Workaround: Do not use AAA accounting with the broadcast keyword. CSCts56125
•
Products that are not running Cisco IOS software are not vulnerable.
Cisco has released free software updates that address these vulnerabilities.
The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-paiAdditional information on Cisco's security vulnerability policy can be found at the URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.htmlCSCtr91106
•
Workaround: None. CSCtj48387
•
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp
Note
Individual publication links are in ''Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication'' at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.htmlCSCtr28857
•
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.provided the following conditions apply:
–
authentication event server dead action authorize...
authenticaton event server alive action reinitalize
–
The RADIUS server becomes available again, and the IAB-authorized port transitions to another state.
Workaround: None. CSCtx61557
•
Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521
Resolved Caveats in Cisco IOS Release 12.2(53)SG4
This section lists the resolved caveats in Release 12.2(53)SG4:
•
Workaround: Unconfigure the customized HTML page to use default internal Webauth pages and reload the switch after changing the configuration. CSCti81874
•
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
–
–
(CSCsv90044)
Open Caveats in Cisco IOS Release 12.2(53)SG3
This section lists the open caveats in Cisco IOS Release 12.2(53)SG3:
•
show policy-map interface fa6/1 do not show the packets being matched:Switch# sh policy-map intFastEthernet3/2Service-policy output: p1Class-map: c1 (match-all)0 packets <--------It stays at '0' despite of traffic being receivedMatch: access-group name fnacl21police: Per-interfaceConform: 9426560 bytes Exceed: 16573440 bytesWorkaround: Verify that the MAC addresses being transmitted through the system are learned.
(CSCef01798)
•
–
–
On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.
Workaround: Re-connect. (CSCsb11964)
•
This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rxSwitch(config)# monitor session n source cpu queue <new_Queue_Name>(CSCsc94802)
•
Workaround: None. (CSCsc11726)
•
This could occur for these reasons:
–
–
Workarounds:
–
–
•
qos account layer2 encapsulation.Workaround: None. (CSCsg58526)
•
This does not impact performance.
Workaround: Issue the no shutdown command. (CSCsg27395)
•
Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).
•
Workaround: None. (CSCsm30320)
•
Workaround: None. (CSCsq72572)
•
Workaround: None. (CSCso93282)
•
Workarounds: Do one of the following:
–
–
–
(CSCsq63051)
•
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internalsoftware error occurred. Null0 linked to wrong hwidb Null0Workaround: None. (CSCso68331)
•
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
Workarounds: Use either of the following to set the sxp default password:
–
–
(CSCsv33006)
•
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
–
–
(CSCsv90044)
•
*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 2.2.2.1(64999)This issue is seen when the default SXP password is encrypted with type-6 encryption.
Workaround: Do one of the following:
–
–
(CSCsv33136)
•
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
b.
c.
d.
(CSCsv69853)
•
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SGWorkaround: None. (CSCsw14005)
•
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
Workaround: None. CSCsy72343
•
Workaround: None.
CSCsy38640
•
Workaround: None.
CSCsu35604
•
Switch# call-home send alert-group diagnostic module 2Sending diagnostic info call-home message ...Please wait. This may take some time ...Switch#*Jan 3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand message failed to send (ERR 18, The alert group is not subscribed)Workaround: Specify a profile name when you enter the diagnostic command.
You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.CSCsz05888
•
show policy-map interface command are wrong.Workaround: None.
The queue transmit counters as well as the policing statistics (if any) are correct.
CSCsz20149
•
Workaround: None.
CSCsz06719
•
Workaround: Manually re-enter all entries with new time settings.
CSCsy27389
•
This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.
CSCsz34522
•
Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.
The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.
Workaround: Enter shut, then no shut on the port.
CSCta04665
•
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.
CSCta16492
•
This occurs only if the following conditions are satisfied:
–
–
–
Workaround: None.
CSCsz63739
•
Workaround: None.
Despite the different default value, you can configure any value in the time range.
CSCte51948
•
The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete.
Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986
•
Workaround: Unconfigure the customized HTML page to use default internal Webauth pages and reload the switch after changing the configuration. CSCti81874
•
Workaround: Disable the ip cef accounting non-recursive command.
(CSCtn68186)
•
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.provided the following conditions apply:
–
authentication event server dead action authorize...
authenticaton event server alive action reinitalize
–
The RADIUS server becomes available again, and the IAB-authorized port transitions to another state.
Workaround: None. CSCtx61557
•
Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521
Resolved Caveats in Cisco IOS Release 12.2(53)SG3
This section lists the resolved caveats in Release 12.2(53)SG3:
•
Workaround: None. CSCsv42869
•
Cisco IOS Release 12.2(53)SG1 or 12.2(50)SG6, Layer 2 multicast is not blocked.Prior to Cisco IOS Release 12.2(53)SG1, 12.2(50)SG6, the switchport block multicast command would block IP Multicast, Layer 2 multicast, and broadcast traffic (CSCta61825).
Workaround: None CSCtb30327
•
Workaround: Configure the route map to only match on ACL(s). CSCtg22126
•
After upgrading to Cisco IOS Release 12.2(53)SG3, ensure that the vrf-also keyword follows any access-class under the SSH configuration.
Workaround: None. CSCsv86113
Open Caveats in Cisco IOS Release 12.2(53)SG2
This section lists the open caveats in Cisco IOS Release 12.2(53)SG2:
•
show policy-map interface fa6/1 do not show the packets being matched:Switch# sh policy-map intFastEthernet3/2Service-policy output: p1Class-map: c1 (match-all)0 packets <--------It stays at '0' despite of traffic being receivedMatch: access-group name fnacl21police: Per-interfaceConform: 9426560 bytes Exceed: 16573440 bytesWorkaround: Verify that the MAC addresses being transmitted through the system are learned.
(CSCef01798)
•
–
–
On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.
Workaround: Re-connect. (CSCsb11964)
•
This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rxSwitch(config)# monitor session n source cpu queue <new_Queue_Name>(CSCsc94802)
•
Workaround: None. (CSCsc11726)
•
This could occur for these reasons:
–
–
Workarounds:
–
–
•
qos account layer2 encapsulation.Workaround: None. (CSCsg58526)
•
This does not impact performance.
Workaround: Issue the no shutdown command. (CSCsg27395)
•
Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).
•
Workaround: None. (CSCsm30320)
•
Workaround: None. (CSCsq72572)
•
Workaround: None. (CSCso93282)
•
Workarounds: Do one of the following:
–
–
–
(CSCsq63051)
•
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internalsoftware error occurred. Null0 linked to wrong hwidb Null0Workaround: None. (CSCso68331)
•
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
Workarounds: Use either of the following to set the sxp default password:
–
–
(CSCsv33006)
•
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
–
–
(CSCsv90044)
•
*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 2.2.2.1(64999)This issue is seen when the default SXP password is encrypted with type-6 encryption.
Workaround: Do one of the following:
–
–
(CSCsv33136)
•
Workaround: None. (CSCsv42869)
•
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
b.
c.
d.
(CSCsv69853)
•
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SGWorkaround: None. (CSCsw14005)
•
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
Workaround: None. CSCsy72343
•
Workaround: None.
CSCsy38640
•
Workaround: None.
CSCsu35604
•
Switch# call-home send alert-group diagnostic module 2Sending diagnostic info call-home message ...Please wait. This may take some time ...Switch#*Jan 3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand message failed to send (ERR 18, The alert group is not subscribed)Workaround: Specify a profile name when you enter the diagnostic command.
You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.CSCsz05888
•
show policy-map interface command are wrong.Workaround: None.
The queue transmit counters as well as the policing statistics (if any) are correct.
CSCsz20149
•
Workaround: None.
CSCsz06719
•
Workaround: Manually re-enter all entries with new time settings.
CSCsy27389
•
This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.
CSCsz34522
•
Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.
The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.
Workaround: Enter shut, then no shut on the port.
CSCta04665
•
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.
CSCta16492
•
Cisco IOS Release 12.2(53)SG1 or 12.2(50)SG6, Layer 2 multicast is not blocked.Prior to Cisco IOS Release 12.2(53)SG1, 12.2(50)SG6, the switchport block multicast command would block IP Multicast, Layer 2 multicast, and broadcast traffic (CSCta61825).
Workaround: None
CSCtb30327
•
This occurs only if the following conditions are satisfied:
–
–
–
Workaround: None.
CSCsz63739
•
Workaround: None.
Despite the different default value, you can configure any value in the time range.
CSCte51948
•
Workaround: Configure the route map to only match on ACL(s).
CSCtg22126
•
Workaround: Disable the ip cef accounting non-recursive command.
(CSCtn68186)
•
Workaround: Do not use AAA accounting with the broadcast keyword. CSCts56125
•
Products that are not running Cisco IOS software are not vulnerable.
Cisco has released free software updates that address these vulnerabilities.
The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-paiAdditional information on Cisco's security vulnerability policy can be found at the URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.htmlCSCtr91106
•
Workaround: None. CSCtj48387
•
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp
Note
Individual publication links are in ''Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication'' at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.htmlCSCtr28857
•
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.provided the following conditions apply:
–
authentication event server dead action authorize...
authenticaton event server alive action reinitalize
–
The RADIUS server becomes available again, and the IAB-authorized port transitions to another state.
Workaround: None. CSCtx61557
•
Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521
Resolved Caveats in Cisco IOS Release 12.2(53)SG2
This section lists the resolved caveats in Release 12.2(53)SG2:
•
Workaround: Configure the port in multi-domain mode (rather than multi-auth mode) with the authentication host-mode multi-domain command
CSCtb28114
•
This is a side effect of a heavily shared path.
Workaround: None.
CSCtc90702
•
%Error copying flash:/eem_pnt_2 (Invalid path)Workaround: Rename the flash device to the default name flash:.
CSCte05909
•
Workaround: None.
You will need to disableWake-on-LAN on the interface.
CSCtc58982
•
Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)
•
Workaround: Do one of the following:
–
–
–
(CSCsu39009)
•
Workarounds: Do one of the following:
–
–
(CSCsv05205)
•
Workaround: Enter shut, then no shut on the port.
CSCsz63355
•
Workaround: Disable explicit host tracking in the affected VLANs.
CSCsz28612
•
All software releases up to and including Cisco IOS Releases 12.2(31)SGA9, 12.2(50)SG6 and 12,2(53)SG1 are affected.
Workaround: After rebooting the switch, adjust the system clock with the clock set command.
CSCtc65375
•
%C4K_EBM-4-HOSTFLAPPING: happening between master loopback port and the source port during layer3 (IPv4 and IPv6) packets loop using ethernet oam (EOAM)This message is does not impact performance.
Workaround: None.
CSCtc26043
•
–
–
–
This occurs when the time change for the next year occurs after the time change for the current year.
Before the time change occurs, use one of these workarounds:
–
–
–
CSCtc91312
•
This problem is observed on images later than Cisco IOS Release 12.2(46)SG.
CSCtf26763
Open Caveats in Cisco IOS Release 12.2(53)SG1
This section lists the open caveats in Cisco IOS Release 12.2(53)SG1:
•
show policy-map interface fa6/1 do not show the packets being matched:Switch# sh policy-map intFastEthernet3/2Service-policy output: p1Class-map: c1 (match-all)0 packets <--------It stays at '0' despite of traffic being receivedMatch: access-group name fnacl21police: Per-interfaceConform: 9426560 bytes Exceed: 16573440 bytesWorkaround: Verify that the MAC addresses being transmitted through the system are learned.
(CSCef01798)
•
–
–
On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.
Workaround: Re-connect. (CSCsb11964)
•
This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rxSwitch(config)# monitor session n source cpu queue <new_Queue_Name>(CSCsc94802)
•
Workaround: None. (CSCsc11726)
•
This could occur for these reasons:
–
–
Workarounds:
–
–
•
qos account layer2 encapsulation.Workaround: None. (CSCsg58526)
•
This does not impact performance.
Workaround: Issue the no shutdown command. (CSCsg27395)
•
Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).
•
Workaround: None. (CSCsm30320)
•
Workaround: None. (CSCsq72572)
•
Workaround: None. (CSCso93282)
•
Workarounds: Do one of the following:
–
–
–
(CSCsq63051)
•
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internalsoftware error occurred. Null0 linked to wrong hwidb Null0Workaround: None. (CSCso68331)
•
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
Workarounds: Use either of the following to set the sxp default password:
–
–
(CSCsv33006)
•
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
On a switch with multiple Layer 3 interfaces, if the CTS SXP connection is configured without specifying source IP address and no default SXP source IP address is configured on the box, different SXP connections may pickup different source IP address for each connection.
Workaround: Do one of the following:
–
–
–
(CSCsv28348)
•
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
Workarounds: Do one of the following:
–
–
(CSCsv05205)
•
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
–
–
(CSCsv90044)
•
Workaround: Do one of the following:
–
–
–
(CSCsu39009)
•
Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)
•
*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 2.2.2.1(64999)This issue is seen when the default SXP password is encrypted with type-6 encryption.
Workaround: Do one of the following:
–
–
(CSCsv33136)
•
Workaround: None. (CSCsv42869)
•
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
b.
c.
d.
(CSCsv69853)
•
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SGWorkaround: None. (CSCsw14005)
•
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
Workaround: None. CSCsy72343
•
Workaround: None.
CSCsy38640
•
Workaround: None.
CSCsu35604
•
Switch# call-home send alert-group diagnostic module 2Sending diagnostic info call-home message ...Please wait. This may take some time ...Switch#*Jan 3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand message failed to send (ERR 18, The alert group is not subscribed)Workaround: Specify a profile name when you enter the diagnostic command.
You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.CSCsz05888
•
No TCAM entries are available for the new access-list.
Workaround: Manually remove and reapply the ACL after freeing hardware TCAM resources by removing or shortening other classification policies on the switch.
CSCsy85006
•
show policy-map interface command are wrong.Workaround: None.
The queue transmit counters as well as the policing statistics (if any) are correct.
CSCsz20149
•
Workaround: None.
CSCsz06719
•
Workaround: Enter shut, then no shut on the port.
CSCsz63355
•
Workaround: Disable explicit host tracking in the affected VLANs.
CSCsz28612
•
This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.
CSCsz34522
•
Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.
The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.
Workaround: Enter shut, then no shut on the port.
CSCta04665
•
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.
CSCta16492
•
Workaround: Configure the port in multi-domain mode (rather than multi-auth mode) with the authentication host-mode multi-domain command
CSCtb28114
•
All software releases up to and including Cisco IOS Releases 12.2(31)SGA9, 12.2(50)SG6 and 12,2(53)SG1 are affected.
Workaround: After rebooting the switch, adjust the system clock with the clock set command.
CSCtc65375
•
Cisco IOS Release 12.2(53)SG1 or 12.2(50)SG6, Layer 2 multicast is not blocked.Prior to Cisco IOS Release 12.2(53)SG1, 12.2(50)SG6, the switchport block multicast command would block IP Multicast, Layer 2 multicast, and broadcast traffic (CSCta61825).
Workaround: None
CSCtb30327
•
%C4K_EBM-4-HOSTFLAPPING: happening between master loopback port and the source port during layer3 (IPv4 and IPv6) packets loop using ethernet oam (EOAM)This message is does not impact performance.
Workaround: None.
CSCtc26043
•
This occurs only if the following conditions are satisfied:
–
–
–
Workaround: None.
CSCsz63739
•
–
–
–
This occurs when the time change for the next year occurs after the time change for the current year.
Before the time change occurs, use one of these workarounds:
–
–
–
CSCtc91312
•
%Error copying flash:/eem_pnt_2 (Invalid path)Workaround: Rename the flash device to the default name flash:.
CSCte05909
•
Workaround: None.
Despite the different default value, you can configure any value in the time range.
CSCte51948
•
Workaround: Disable the ip cef accounting non-recursive command.
(CSCtn68186)
•
Workaround: Do not use AAA accounting with the broadcast keyword. CSCts56125
•
Products that are not running Cisco IOS software are not vulnerable.
Cisco has released free software updates that address these vulnerabilities.
The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-paiAdditional information on Cisco's security vulnerability policy can be found at the URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.htmlCSCtr91106
•
Workaround: None. CSCtj48387
•
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp
Note
Individual publication links are in ''Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication'' at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.htmlCSCtr28857
•
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.provided the following conditions apply:
–
authentication event server dead action authorize...
authenticaton event server alive action reinitalize
–
The RADIUS server becomes available again, and the IAB-authorized port transitions to another state.
Workaround: None. CSCtx61557
•
Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521
Resolved Caveats in Cisco IOS Release 12.2(53)SG1
This section lists the resolved caveats in Release 12.2(53)SG1:
•
Workaround: Configure an access-list to permit the CPU generated packets and apply the ACL to the class-map.
CSCsy43967
•
Workaround: Manually re-enter all entries with new time settings.
CSCsy27389
•
ROM by abort at PC 0x0Workaround: None.
Downgrade to Cisco IOS Release 12.2(50)SG3 if needed.
CSCta49512
•
Workaround: None.
CSCsz38442
•
A syslog warning message "%SM-4-BADEVENT: Event 'forward' is invalid for the current state 'present': pm_vp .."A traceback error messageThis issue happens only on flexlink ports under the following two scenarios:
–
–
Workaround: None
The syslog and Traceback do not impact functionality. Flexlink states end up with correct states and there is no impact on traffic forwarding.
CSCta05317
•
The existing per-port error disable (that is, when a violation happens, the entire port will be error disabled) still works on flexlink.
Workaround: Use flexlink with VLAN load balancing.
If you do not want to use vlan load balancing, then enter the
switchport backup interface perfer vlan command on the Active interface, where vlan z is set to an unused vlan on the systemCSCta76320
•
Workaround: Change the VTP version from 3 to version 2 or 1 and then revert to version 3.
CSCsy66803
•
Workarounds:
–
–
CSCta09651
•
Workaround: Manually re-enter all entries with new time settings.
CSCsy27389
Open Caveats in Cisco IOS Release 12.2(53)SG
This section lists the open caveats in Cisco IOS Release 12.2(53)SG:
•
show policy-map interface fa6/1 do not show the packets being matched:Switch# sh policy-map intFastEthernet3/2Service-policy output: p1Class-map: c1 (match-all)0 packets <--------It stays at '0' despite of traffic being receivedMatch: access-group name fnacl21police: Per-interfaceConform: 9426560 bytes Exceed: 16573440 bytesWorkaround: Verify that the MAC addresses being transmitted through the system are learned.
(CSCef01798)
•
–
–
On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.
Workaround: Re-connect. (CSCsb11964)
•
This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rxSwitch(config)# monitor session n source cpu queue <new_Queue_Name>(CSCsc94802)
•
Workaround: None. (CSCsc11726)
•
This could occur for these reasons:
–
–
Workarounds:
–
–
•
qos account layer2 encapsulation.Workaround: None. (CSCsg58526)
•
This does not impact performance.
Workaround: Issue the no shutdown command. (CSCsg27395)
•
Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).
•
Workaround: None. (CSCsm30320)
•
Workaround: None. (CSCsq72572)
•
Workaround: None. (CSCso93282)
•
Workarounds: Do one of the following:
–
–
–
(CSCsq63051)
•
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internalsoftware error occurred. Null0 linked to wrong hwidb Null0Workaround: None. (CSCso68331)
•
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
Workarounds: Use either of the following to set the sxp default password:
–
–
(CSCsv33006)
•
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
On a switch with multiple Layer 3 interfaces, if the CTS SXP connection is configured without specifying source IP address and no default SXP source IP address is configured on the box, different SXP connections may pickup different source IP address for each connection.
Workaround: Do one of the following:
–
–
–
(CSCsv28348)
•
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
Workarounds: Do one of the following:
–
–
(CSCsv05205)
•
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
–
–
(CSCsv90044)
•
Workaround: Do one of the following:
–
–
–
(CSCsu39009)
•
Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)
•
*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 2.2.2.1(64999)This issue is seen when the default SXP password is encrypted with type-6 encryption.
Workaround: Do one of the following:
–
–
(CSCsv33136)
•
Workaround: None. (CSCsv42869)
•
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
b.
c.
d.
(CSCsv69853)
•
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SGWorkaround: None. (CSCsw14005)
•
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
Workaround: None. CSCsy72343
•
Workaround: None.
CSCsy38640
•
Workaround: None.
CSCsu35604
•
Workaround: Change the VTP version from 3 to version 2 or 1 and then revert to version 3.
CSCsy66803
•
Switch# call-home send alert-group diagnostic module 2Sending diagnostic info call-home message ...Please wait. This may take some time ...Switch#*Jan 3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand message failed to send (ERR 18, The alert group is not subscribed)Workaround: Specify a profile name when you enter the diagnostic command.
You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.CSCsz05888
•
No TCAM entries are available for the new access-list.
Workaround: Manually remove and reapply the ACL after freeing hardware TCAM resources by removing or shortening other classification policies on the switch.
CSCsy85006
•
show policy-map interface command are wrong.Workaround: None.
The queue transmit counters as well as the policing statistics (if any) are correct.
CSCsz20149
•
Workaround: None.
CSCsz38442
•
Workaround: None.
CSCsz06719
•
Workaround: Enter shut, then no shut on the port.
CSCsz63355
•
Workaround: Manually re-enter all entries with new time settings.
CSCsy27389
•
Workaround: Disable explicit host tracking in the affected VLANs.
CSCsz28612
•
This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.
CSCsz34522
•
Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port.
The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding.
Workaround: Enter shut, then no shut on the port.
CSCta04665
•
|auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated.Workaround: When interface mode is changed from Layer2 to Layer3, manually change interface trust state by enter the cos trust dscp command.
CSCta16492
•
A syslog warning message "%SM-4-BADEVENT: Event 'forward' is invalid for the current state 'present': pm_vp .."A traceback error messageThis issue happens only on flexlink ports under the following two scenarios:
–
–
Workaround: None
The syslog and Traceback do not impact functionality. Flexlink states end up with correct states and there is no impact on traffic forwarding.
CSCta05317
•
The existing per-port error disable (that is, when a violation happens, the entire port will be error disabled) still works on flexlink.
Workaround: Use flexlink with VLAN load balancing.
If you do not want to use vlan load balancing, then enter the
switchport backup interface perfer vlan command on the Active interface, where vlan z is set to an unused vlan on the systemCSCta76320
•
This occurs only if the following conditions are satisfied:
–
–
–
Workaround: None.
CSCsz63739
•
Workarounds:
–
–
CSCta09651
•
–
–
–
This occurs when the time change for the next year occurs after the time change for the current year.
Before the time change occurs, use one of these workarounds:
–
–
–
CSCtc91312
•
%Error copying flash:/eem_pnt_2 (Invalid path)Workaround: Rename the flash device to the default name flash:.
CSCte05909
•
Workaround: None.
Despite the different default value, you can configure any value in the time range.
CSCte51948
•
Workaround: Disable the ip cef accounting non-recursive command.
(CSCtn68186)
•
Workaround: Do not use AAA accounting with the broadcast keyword. CSCts56125
•
Products that are not running Cisco IOS software are not vulnerable.
Cisco has released free software updates that address these vulnerabilities.
The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-paiAdditional information on Cisco's security vulnerability policy can be found at the URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.htmlCSCtr91106
•
Workaround: None. CSCtj48387
•
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp
Note
Individual publication links are in ''Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication'' at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.htmlCSCtr28857
•
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.provided the following conditions apply:
–
authentication event server dead action authorize...
authenticaton event server alive action reinitalize
–
The RADIUS server becomes available again, and the IAB-authorized port transitions to another state.
Workaround: None. CSCtx61557
•
Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunks ports. CSCud05521
Resolved Caveats in Cisco IOS Release 12.2(53)SG
This section lists the resolved caveats in Release 12.2(53)SG:
•
Entering shut/no shut on the port after deleting a secondary VLAN.
Workarounds:
–
–
(CSCsz73895)
•
The link partner detects the link as up although the link on the 4948 is still down, causing the partner to start forwarding traffic. Because the Catalyst 4948 is down, it drops the traffic.
Workarounds:
–
–
CSCsz21181
•
Workarounds:
–
–
–
•
CSCsq24002
•
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
CSCsx70889
Open Caveats in Cisco IOS Release 12.2(52)SG
This section lists the open caveats in Cisco IOS Release 12.2(52)SG:
•
show policy-map interface fa6/1 do not show the packets being matched:Switch# sh policy-map intFastEthernet3/2Service-policy output: p1Class-map: c1 (match-all)0 packets <--------It stays at '0' despite of traffic being receivedMatch: access-group name fnacl21police: Per-interfaceConform: 9426560 bytes Exceed: 16573440 bytesWorkaround: Verify that the MAC addresses being transmitted through the system are learned.
(CSCef01798)
•
–
–
On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server.
Workaround: Re-connect. (CSCsb11964)
•
This only impacts a switch that has any of the following queues are configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rxSwitch(config)# monitor session n source cpu queue <new_Queue_Name>(CSCsc94802)
•
Workaround: None. (CSCsc11726)
•
This could occur for these reasons:
–
–
Workarounds:
–
–
•
qos account layer2 encapsulation.Workaround: None. (CSCsg58526)
•
This does not impact performance.
Workaround: Issue the no shutdown command. (CSCsg27395)
•
Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).
•
Workaround: None. (CSCsm30320)
•
Workaround: None. (CSCsq72572)
•
Workaround: None. (CSCso93282)
•
Workarounds: Do one of the following:
–
–
–
(CSCsq63051)
•
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the portchannel, create a new channel. (CSCsr00333)
•
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internalsoftware error occurred. Null0 linked to wrong hwidb Null0Workaround: None. (CSCso68331)
•
Workaround: Before removing a linecard, delete the statically configured ip source binding entries on any of the interfaces on the line-card. (CSCsv54529)
•
Workarounds: Use either of the following to set the sxp default password:
–
–
(CSCsv33006)
•
This problem impacts X2, OneX converters, and SFP+ on the Supervisor Engine 6-E, and linecards.
Workaround: Remove and reinsert the One X Convertor with SFP+, SFP+ alone, or X2 after some perceivable delay. (CSCsu43461)
•
On a switch with multiple Layer 3 interfaces, if the CTS SXP connection is configured without specifying source IP address and no default SXP source IP address is configured on the box, different SXP connections may pickup different source IP address for each connection.
Workaround: Do one of the following:
–
–
–
(CSCsv28348)
•
This problem occurs when an 802.1X client is authorized on a multi-auth port. After the access VLAN is deleted, then restored, the client is reauthorized but the spanning tree state of the access VLAN remains Disabled.
Workaround: Shut down then reopen the interface.
(CSCso50921)
•
Workaround: For VTP database propagation, configure ISL/dot1q trunk port. (CSCsu43445)
•
Workarounds: Do one of the following:
–
–
(CSCsv05205)
•
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
–
–
–
(CSCsv90044)
•
Workaround: Do one of the following:
–
–
–
(CSCsu39009)
•
Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876)
•
*Oct 27 10:32:01.159: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.3(50374) to 2.2.2.1(64999)This issue is seen when the default SXP password is encrypted with type-6 encryption.
Workaround: Do one of the following:
–
–
(CSCsv33136)
•
Workaround: None. (CSCsv42869)
•
Workaround: To reconfigure VLAN Load Balancing with a different configuration, do the following:
a.
b.
c.
d.
(CSCsv69853)
•
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SGWorkaround: None. (CSCsw14005)
•
If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine's MAC address table, causing possible connectivity interruption on the host.
Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661
•
Workaround: None. CSCsy72343
•
Workaround: None.
CSCsy38640
•
Workaround: None.
CSCsu35604
•
Workaround: Change the VTP version from 3 to version 2 or 1 and then revert to version 3.
CSCsy66803
•
Switch# call-home send alert-group diagnostic module 2Sending diagnostic info call-home message ...Please wait. This may take some time ...Switch#*Jan 3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand message failed to send (ERR 18, The alert group is not subscribed)Workaround: Specify a profile name when you enter the diagnostic command.
You might want to avoid requesting on demand send for invalid modules. First, enter the
show module command to check for valid or present modules.CSCsz05888
•
No TCAM entries are available for the new access-list.
Workaround: Manually remove and reapply the ACL after freeing hardware TCAM resources by removing or shortening other classification policies on the switch.
CSCsy85006
•
show policy-map interface command are wrong.Workaround: None.
The queue transmit counters as well as the policing statistics (if any) are correct.
CSCsz20149
•
Workaround: None.
CSCsz38442
•
Workaround: None.
CSCsz06719
•
Workaround: Enter shut, then no shut on the port.
CSCsz63355
•
Workaround: Manually re-enter all entries with new time settings.
CSCsy27389
•
Workaround: Disable explicit host tracking in the affected VLANs.
CSCsz28612
•
This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Workaround: Use VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS. Specifically, the IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.
CSCsz34522
•
Entering shut/no shut on the port after deleting a secondary VLAN. (CSCsz73895)
Workarounds:
–
–
Entering shut/no shut on the port after configuring port-security vp err disable and a violation occurs. (CSCsz80415)
Workarounds:
–
–
–
•
This occurs only if the following conditions are satisfied:
–
–
–
Workaround: None.
CSCsz63739
•
Workarounds:
–
–
CSCta09651
•
–
–
–
This occurs when the time change for the next year occurs after the time change for the current year.
Before the time change occurs, use one of these workarounds:
–
–
–
CSCtc91312
•
%Error copying flash:/eem_pnt_2 (Invalid path)Workaround: Rename the flash device to the default name flash:.
CSCte05909
•
Workaround: None.
Despite the different default value, you can configure any value in the time range.
CSCte51948
Resolved Caveats in Cisco IOS Release 12.2(52)SG
This section lists the resolved caveats in Release 12.2(52)SG:
•
macro global apply system-cpp command and use predefined ACLs to match traffic) increment both their packet and byte count. So, both counters are non-zero.In contrast, data plane classes (the classes that are configured manually by user written ACLs), the byte counter increments as expected, but the packet count remains 0.
Workaround: None.
CSCsw16557
•
This impacts Cisco IOS Releases 12.2(31)SGA08, 12.2(37)SG, 12.2(40)SG, 12.2(44)SG, 12.2(46)SG, 12.2(50)SG, and 12.2(50)SG1.
Workarounds:
For a Classic Series Supervisor Engine, disable and configure QoS on the port.
For example, to configure Gig 2/1 as an isolated private VLAN trunk port, do the following:
Switch# conf tEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface gigabitEthernet 2/1Switch(config-if)# no qosSwitch(config-if)# qosSwitch(config-if)# endSwitch#You can configure the following EEM script to automate this workaround. QoS will be disabled and re-enabled whenever a port flaps.
logging event link-status globalevent manager applet linkup-reqosevent syslog pattern "changed state to up"action 1 cli command "enable"action 2 cli command "conf t"action 3 cli command "interface gigabitEthernet 2/1"action 4 cli command "no qos"action 5 cli command "qos"CSCsw19087
•
Workaround: None, other than stopping the query.
CSCsw89720
•
Workaround: Disable the authentication control-direction in command.
If you require authentication control-direction in, configure the port for multi-authentication or Multi-Domain Authentication (MDA).
CSCsx98360
