Table Of Contents
Release Notes for Catalyst 5000 Family ATM Module Release 12.0W5
Supported Cisco IOS Trains by Feature
Orderable Product Number Matrix
New Software Features in Release 12.0(28)W5(30b)
New Software Features in Release 12.0(28)W5(30)
New Software Features in Release 12.0(26)W5(28b)
New Software Features in Release 12.0(26)W5(28a)
New Software Features in Release 12.0(24)W5(26a)
New Software Features in Release 12.0(22)W5(25)
New Software Features in Release 12.0(20)W5(24a)
New Software Features in Release 12.0(20)W5(24)
New Software Features in Release 12.0(19)W5(23)
New Software Features in Release 12.0(18)W5(22)
New Software Features in Release 12.0(16)W5(21)
New Software Features in Release 12.0(14)W5(20)
New Software Features in Release 12.0(13)W5(19)
New Software Features in Release 12.0(10)W5(18a)
New Software Features in Release 12.0(9)W5(17a)
New Software Features in Release 12.0(9)W5(17)
New Software Features in Release 12.0(7)W5(15b)
New Software Features in Release 12.0(4a)W5(10)
Open Caveats in Release 12.0(28)W5(30b)
Resolved Caveats in Release 12.0(28)W5(30b)
Open Caveats in Release 12.0(28)W5(30)
Resolved Caveats in Release 12.0(28)W5(30)
Open Caveats in Release 12.0(27)W5(29)
Resolved Caveats in Release 12.0(27)W5(29)
Open Caveats in Release 12.0(26)W5(28b)
Resolved Caveats in Release 12.0(26)W5(28b)
Open Caveats in Release 12.0(26)W5(28a)
Resolved Caveats in Release 12.0(26)W5(28a)
Open Caveats in Release 12.0(24)W5(26a)
Resolved Caveats in Release 12.0(24)W5(26a)
Open Caveats in Release 12.0(22)W5(25)
Resolved Caveats in Release 12.0(22)W5(25)
Open Caveats in Release 12.0(20)W5(24a)
Resolved Caveats in Release 12.0(20)W5(24a)
Open Caveats in Release 12.0(20)W5(24)
Resolved Caveats in Release 12.0(20)W5(24)
Open Caveats in Release 12.0(19)W5(23)
Resolved Caveats in Release 12.0(19)W5(23)
Open Caveats in Release 12.0(18)W5(22)
Resolved Caveats in Release 12.0(18)W5(22)
Open Caveats in Release 12.0(16)W5(21)
Resolved Caveats in Release 12.0(16)W5(21)
Open Caveats in Release 12.0(14)W5(20)
Resolved Caveats in Release 12.0(14)W5(20)
Open Caveats in Release 12.0(13)W5(19)
Resolved Caveats in Release 12.0(13)W5(19)
Open Caveats in Release 12.0(10)W5(18a)
Resolved Caveats in Release 12.0(10)W5(18a)
Open Caveats in Release 12.0(9)W5(17a)
Resolved Caveats in Release 12.0(9)W5(17a)
Open Caveats in Release 12.0(9)W5(17)
Resolved Caveats in Release 12.0(9)W5(17)
Open Caveats in Release 12.0(7)W5(15b)
Resolved Caveats in Release 12.0(7)W5(15b)
Open Caveats in Release 12(4a)W5(10)
Resolved Caveats in Release 12(4a)W5(10)
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support & Documentation Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Catalyst 5000 Family ATM Module Release 12.0W5
Current Release: 12.0(28)W5(30b)
September 16, 2005
Previous Releases:
12.0(28)W5(30), 12.0(27)W5(29), 12.0(26)W5(28b), 12.0(26)W5(28a), 12.0(24)W5(26a), 12.0(22)W5(25), 12. 0(20)W5(24a), 12.0(20)W5(24), 12.0(19)W5(23), 12.0(18)W5(22), 12.0(16)W5(21), 12.0(14)W5(20), 12.0(13)W5(19), 12.0(10)W5(18a), 12.0(9)W5(17a), 12.0(9)W5(17), 12.0(7)W5(15b), 12.0(4a)W5(10)
Note
Release 12.0(13)W5(19) is obsolete. You can use Release 12.0(14)W5(20) for the Catalyst 5000 family ATM module images.
Contents
These release notes include the following sections:
•
•
Introduction
These release notes describe the Catalyst 5000 family ATM module Release 12.0(28)W5(30).
The Catalyst 5000 family includes the Catalyst 5002, the Catalyst 5000, the Catalyst 5505, the Catalyst 5509, and the Catalyst 5500 switches. Throughout this publication and all Catalyst 5000 family documents, the phrase "Catalyst 5000 family switches" refers to all Catalyst 5000 family switches, unless otherwise noted.
The following modules are supported in this release:
•
•
•
•
The ATM dual PHY OC-3 modules (WS-X5153, WS-X5154, WS-X5155, WS-X5156, WS-X5157, and WS-X5158) use the c5atm-wl-mz image. These modules do not support Multiprotocol over ATM (MPOA). This image supports LAN Emulation (LANE) and RFC 1483 non-traffic-shaping permanent virtual connections (PVCs). If you want traffic-shaping PVC functionality, use the c5atm-wt-mz image.
The ATM dual PHY OC-12 modules (WS-X5161 and WS-X5162), the ATM dual PHY OC-3 modules (WS-X5167 and WS-X5168), and the ATM Fabric Integration Module (WS-X5165) use the c5atm-lc-mz image. These modules support MPOA, LANE, and RFC 1483 with traffic-shaping. The same software image supports all three features.
The Catalyst 5000 family ATM LANE modules are Year 2000 compliant in ATM Release 3.1 and later.
For more information on Cisco's Year 2000 compliance, visit this URL:
http://www.cisco.com/warp/public/752/2000/
System Requirements
This section describes the system requirements.
Supported Cisco IOS Trains by Feature
The modules supported by the c5atm-wl-mz, c5atm-lc-mz, and c5atm-wt-mz images are supported on the following release trains. Table 1 lists the ATM module features and the applicable Cisco IOS train that supports each feature.
Note
For a list of Cisco IOS software caveats that apply to this release, refer to the Caveats for Cisco IOS Release 12.0 publications. For Cisco IOS release notes that apply to this release, refer to the Release Notes for Cisco IOS Release 12.0. These documents are located on Cisco.com. For more information, see the Cisco.com section in this note.
For information on ATM module releases prior to Release 12.0(7)W5(15b), refer to this World Wide Web location:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/c5krn/atm_rns/index.htm
Release Images
Table 2 lists the current release image names on Cisco.com for the Catalyst 5000 family ATM modules.
Orderable Product Number Matrix
Table 3 lists the software version and applicable ordering information for the Catalyst 5000 family ATM module software.
New and Changed Information
These sections describe the new and changed information for the Catalyst 5000 family ATM module.
New Software Features in Release 12.0(28)W5(30b)
There are no new software features in Release 12.0(28)W5(30b).
New Software Features in Release 12.0(28)W5(30)
There are no new software features in Release 12.0(28)W5(30).
New Software Features in Release 12.0(26)W5(28b)
There are no new software features in Release 12.0(26)W5(28b).
New Software Features in Release 12.0(26)W5(28a)
There are no new software features in Release 12.0(26)W5(28a).
New Software Features in Release 12.0(24)W5(26a)
There are no new software features in Release 12.0(24)W5(26a).
New Software Features in Release 12.0(22)W5(25)
There are no new software features in Release 12.0(22)W5(25).
New Software Features in Release 12.0(20)W5(24a)
There are no new software features in Release 12.0(20)W5(24a).
New Software Features in Release 12.0(20)W5(24)
There are no new software features in Release 12.0(20)W5(24).
New Software Features in Release 12.0(19)W5(23)
There are no new software features in Release 12.0(19)W5(23).
New Software Features in Release 12.0(18)W5(22)
There are no new software features in Release 12.0(18)W5(22).
New Software Features in Release 12.0(16)W5(21)
There are no new software features in Release 12.0(16)W5(21).
New Software Features in Release 12.0(14)W5(20)
There are no new software features in Release 12.0(14)W5(20).
New Software Features in Release 12.0(13)W5(19)
There are no new software features in Release 12.0(13)W5(19).
New Software Features in Release 12.0(10)W5(18a)
Release 12.0(10)W5(18a) supports PVC traffic-shaping on the Catalyst 5000 family ATM modules, and it is the first maintenance release for the PVC traffic-shaping feature supported on the Catalyst 5000 family ATM modules.
New Software Features in Release 12.0(9)W5(17a)
There are no new software features in Release 12.0(9)W5(17a).
New Software Features in Release 12.0(9)W5(17)
There are no new software features in Release 12.0(9)W5(17).
New Software Features in Release 12.0(7)W5(15b)
There are no new software features in Release 12.0(7)W5(15b).
New Software Features in Release 12.0(4a)W5(10)
This section contains new feature information, usage guidelines, and restrictions for Release 12.0(4a)W5(10).
New Features
Release 12.0(4a)W5(10) supports these new features:
•
•
FSSRP
FSSRP differs from the current Simple Server Redundancy Protocol (SSRP) in that all configured LAN Emulation Servers (LESs) (the master LES, as well as the secondary LESs) of an Emulated LAN (ELAN) can accept join requests from any FSSRP-aware client. The benefit of establishing connections with all the LES broadcast and unknown server (BUS) pairs is that an LEC can switch over to a new LES/BUS in the event of a failure and without any noticeable delay. The fast switchover is made possible by handing out all the configured LES addresses (in the order in which they are configured) to the LAN Emulation Clients (LECs) in the configuration response through a Cisco proprietary type-length-value (TLV). The list of configured LES addresses (a maximum of four addresses) includes the address that is returned in the configuration response, all the FSSRP-capable LES addresses, and an old-style LES (if that is the master LES).
LECs can join an FSSRP LES by including the FSSRP TLV in the join request, which uniquely identifies the client's capability to the LES. The master LES also tracks any FSSRP-unaware clients that have joined the ELAN and redirects them to a new master LES in the event of a switchover (a preempt configuration). With FSSRP implemented, only FSSRP-unaware clients need to go to LECS to get the new (master) LES address and rejoin the ELAN. All LESs know if they are the master LES or a secondary LES.
There is only one new command for this feature. Use the lane fssrp command to enable FSSRP.
Defaults
By default, FSSRP is not enabled.
Syntax Description
Cisco IOS ATM command.
Command Modes
Interface configuration.
Usage Guidelines
Use the lane fssrp command from the major interface configuration level to enable all LESs, LECs, and BUSs on the subinterfaces configured on that major interface.
When you enable FSSRP on a major interface, all LECs and LES/BUS pairs configured on the subinterfaces of that major interface become FSSRP enabled.
Examples
This example shows how to enable FSSRP on the major interface:
ATM#config termEnter configuration commands, one per line. End with CNTL/Z.ATM(config)#interface atm0ATM(config-if)#lane fssrpATM(config-if)#ATM#There are also modifications to the show lane client display output:
•
•
Fast PHY Switchover
In previous releases, when switching from the active PHY to the redundant PHY, the link went down on all the LECs. The Catalyst 5000 family supervisor engine received a message for every VLAN configured on the module. This operation updated the spanning tree in the supervisor engine. After the redundant PHY became the active PHY, new LECs were created and a message was sent to the supervisor engine for every VLAN. Traffic was stopped while these changes were taking place.
With Release 12.0(4a)W5(10), fast PHY switchover reduces the time to restore traffic flow when traffic switches from the active PHY to the redundant PHY in the Catalyst 5000 family dual PHY ATM modules.
There are no new or modified commands for this feature.
Limitations and Restrictions
This section describes the limitations and restrictions for the Cisco IOS Release 12.0W5:
•
The Catalyst 5000 family ATM modules take a long time to boot if too many PVCs (for example, 4000 PVCs) are bound to 2 VLANs.
Workaround: None.
•
The Catalyst 5000 family LANE modules may freeze if a show memory command is issued with the term length set to 0.
Workaround: Ensure that the term length is set to a non-zero value prior to entering the command.
•
The WS-X5161 and WS-X5162 modules produce CPUHOG messages if the interface shuts down and is brought up with a high number of PVCs configured on the ATM interface. This problem occurs when approximately 2400 or more PVCs are configured on the interface.
•
On the Catalyst 5000 family ATM modules (WS-X516x except WS-X5166), if the last (or only) LAN Emulation Client (LEC) is present on a subinterface, and traffic is removed, your session into the ATM module may fail. The diagnostic port remains functional.
To prevent this problem, before removing a sub-interface where the last (or only) LEC is present, do the following:
–
–
–
–
Workaround: Using the diagnostic port, configure an LEC.
•
The recommended image for the WS-X5166 (DS3) ATM module is c5atm-wt-mz only. It is possible to download a c5atm-wl-mz image on the WS-X5166 ATM module, but the module does not come up.
Workaround: Set the hardware download jumper and load the c5atm-wt-mz image.
•
When using the PVC traffic-shaping image (c5atm-wt-mz) with WS-X515xx and the WS-X5166 modules, the performance for 64-byte packets is below 70 Kpps.
Workaround: Use a WS-X5167/WS-X5168 module.
•
Changing the traffic-shaping values for a PVC when traffic is heavy can lead to these error messages on the OC-3 and OC-12 ATM modules:
17:54:46: ## ATMDRV ERROR REPORT ## THost: Host Response Status: P1CMDS_TX_VC_CLEAR(3) Response Status = P1CMDS_STATUS_SAR_TIMEOUT(12)17:54:46: ## ATMDRV ## msg = 0x03000CB5 0x00104D08 0x409C1140 0x40122214 0x40538F3C 0x407067A0 0x00000064 0x00000007Binding for the PVC being changed will go off, and if you try to bind again, you may receive this message:
00:31:40: ## ATMDRV ERROR REPORT ## THost: Host Response Status: P1CMDS_BIND_LEC_TO_VC(12 or 0x0c) Response Status = P1CMDS_STATUS_WRONG_TYPE(10)00:31:40: ## ATMDRV ## msg = 0x0C000AD3 0x00200020 0x000C0040 0xC00C0000 0x0000000 0x00370000 0x00000020 0x40867A2EWorkaround: None. Reload the module. Unbind the PVC before changing the traffic-shaping values, and then bind back the PVC.
•
•
•
–
–
–
–
•
•
•
•
•
–
3.2(14) for the ATM dual PHY OC-3 modules (WS-X5153, WS-X5154, WS-X5155, WS-X5156, WS-X5157, and WS-X5158)
4.12 for the ATM dual PHY OC-12 modules (WS-X5161 and WS-X5162), the ATM dual PHY OC-3 modules (WS-X5167 and WS-X5168), and the ATM Fabric Integration Module (WS-X5165)
–
–
All three releases are identical.
•
•
•
•
When you use the Hot Standby Router Protocol (HSRP) with the Catalyst 5000 family ATM module, we recommend that you also use the standby use-bia command when configuring the routers. This command speeds up the HSRP switchover time.
•
If system time synchronization is not supported, the following message displays during the ATM module startup time:
ATM_INSTANCE message does not contain timestamp info.If you receive this message, use the set clock command to set the system clock.
Note
•
•
Important Note
Release 12.0(13)W5(19) is obsolete. You can use Release 12.0(14)W5(20) for the Catalyst 5000 family ATM module images.
Caveats
These sections describe open and resolved caveats:
Release 12.0(28)W5(30b)
These sections describe the open and resolved caveats in Release 12.0(28)W5(30b) for the Catalyst 5000 series ATM modules:
•
•
Open Caveats in Release 12.0(28)W5(30b)
There are no open caveats in ATM software Release 12.0(28)W5(30b).
Resolved Caveats in Release 12.0(28)W5(30b)
This section describes the resolved caveats in Release 12.0(28)W5(30b):
•
Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.
Cisco has made free software available that includes the additional integrity checks for affected customers.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.
•
Through normal software maintenance processes, Cisco is removing deprecated functionality. These changes have no impact on system operation or feature availability.
Release 12.0(28)W5(30)
These sections describe the open and resolved caveats in Release 12.0(28)W5(30) for the Catalyst 5000 series ATM modules:
•
•
Open Caveats in Release 12.0(28)W5(30)
There are no open caveats in ATM software Release 12.0(28)W5(30).
Resolved Caveats in Release 12.0(28)W5(30)
This section describes the resolved caveats in Release 12.0(28)W5(30):
•
A vulnerability in Transmission Control Protocol specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in much shorter time then was previously publicly discussed. This can lead to a Denial of Service attack. Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated session, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (e.g., router, switch, computer) and not to the sessions that are only passing through the device (e.g., transit traffic that is being routed by a router).
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040421-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS software.
•
A vulnerability in Transmission Control Protocol specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in much shorter time then was previously publicly discussed. This can lead to a Denial of Service attack. Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated session, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (e.g., router, switch, computer) and not to the sessions that are only passing through the device (e.g., transit traffic that is being routed by a router).
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040421-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS software.
•
An ATM LANE module WS-X5161 running Cisco IOS software Release 12.1(10)E or Release 12.0(20)W5(24a) displays an incorrect five-minute output rate when you enter the show interface atm0 command. For single-mode fiber (SMF) modules, this problem is corrected in Release 12.0(28)W5(30). For multimode fiber (MMF) modules, this problem is corrected in Release 12.0(26)W5(28a). This problem does not appear in Release 12.0(10)W5(18a) and earlier Cisco IOS software releases.
•
A Catalyst 5000 WS-X515X ATM module that is configured for ATM PVCs fails to come online and operate if any administratively shut down subinterfaces are configured on the module.
If the module is reset under these conditions, the module will come online but will place the E0 and ATM0 interfaces in a shutdown state, resulting in the inability to session to the module or pass traffic. If the ATM interface is not connected to anything, the module will come online with the E0 interface up, but as soon as a link is established on the ATM interface, the E0 and ATM0 interfaces will shut down, and the ability to session to the module or pass any traffic through the module will be lost.
Workaround: Remove any administratively shut down subinterfaces from the configuration (or eliminate the use of subinterfaces completely), and configure all PVCs under the main ATM interface.
Release 12.0(27)W5(29)
These sections describe the open and resolved caveats in Release 12.0(27)W5(29) for the Catalyst 5000 series ATM modules:
•
•
Open Caveats in Release 12.0(27)W5(29)
There are no open caveats in ATM software Release 12.0(27)W5(29).
Resolved Caveats in Release 12.0(27)W5(29)
This section describes the resolved caveats in Release 12.0(27)W5(29):
•
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
•
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
•
Frames with a size of 1534 bytes are supported on the following c5atm modules:
–
–
–
Only the traffic-shaping image supports frames with a size of 1534 bytes. The LANE image does not support frames of this size.
Workaround: None.
•
When you create a PVC on a LANE ATM module WS-X5158 in a Catalyst 5000 switch, the following informational message is displayed on the console if the rate-queue total in Kbps exceeds the interface bandwidth, which is 155 Mbps:
Interface ATM0: Total rateq allocation 157500Kbps exceeded maximum plim rate of 155Mbps.If the PVC is configured with a value lower than 2081 Kbps, this message is not displayed.
Workaround: None. This message is informational and does not alter the manner in which resources are allocated to the PVC or how the PVC is shaped.
•
When you perform an SNMP walk or a Get Next query, an unexpected delay (of a few seconds) or a timeout might be observed by the Network Management Station (NMS) for responses to some of the MIB objects. This problem occurs when a Catalyst 6000 family ATM module is present in a Catalyst 6000 switch chassis or when a Catalyst 5000 ATM module is present in a Catalyst 5000 family switch chassis and when there are no LANE servers or LANE configuration servers configured or running on the module. This problem may also occur when there are no LANE clients configured or running on the module.
Workaround: None. Make sure that the supervisor engine is running the following releases:
–
–
Release 12.0(26)W5(28b)
These sections describe the open and resolved caveats in Release 12.0(26)W5(28b) for the Catalyst 5000 series ATM modules:
•
•
Open Caveats in Release 12.0(26)W5(28b)
This section describes the open caveats in Release 12.0(26)W5(28b):
•
When creating a permanent virtual circuit (PVC) on a Catalyst 5000 family switch module WS-X5158, an informational message appears on the console if the total number of rate queues (in Kbps) exceeds the interface bandwidth of 155 Mbps. If the PVC is configured with a value lower than 2081 Kbps and contributes to the total number of rate queues exceeding the maximum bandwidth, the information message does not appear on the console. This message is informational and does not alter the shaping of the PVC or the way resources are allocated to the PVC.
Workaround: None.
Resolved Caveats in Release 12.0(26)W5(28b)
This section describes the resolved caveats in Release 12.0(26)W5(28b):
•
ATM modules WS-X5158 and WS-X5156 lock up, and no traffic passes through when the lockup occurs.
Workaround: Reset the ATM module.
•
The Catalyst 5000 family ATM OC-3 modules WS-X5157 and WS-X5158 lose buffers at the receiving segmentation and reassembly stage (RxSAR) upon removal of the PVC-VLAN bindings when the PVCs are receiving traffic.
Workaround: None.
Release 12.0(26)W5(28a)
These sections describe the open and resolved caveats in Release 12.0(26)W5(28a) for the Catalyst 5000 series ATM modules:
•
•
Open Caveats in Release 12.0(26)W5(28a)
This section describes the open caveats in Release 12.0(26)W5(28a):
•
When sending packets between an ATM network and a Frame-Relay network, and the ATM side is a LANE module, the Frame-Relay router running integrated routing and bridging (IRB) is not able to handle incoming packets that have a SNAP Protocol Identifier (PID) of 0007. When the Frame-Relay side has a priority that makes it the root, the switch recognizes the router as the root. If the priority on the switch for the VLAN is changed to make it the root, the router still shows itself as the root.
Workaround: Set the router to be the root.
Resolved Caveats in Release 12.0(26)W5(28a)
This section describes the resolved caveats in Release 12.0(26)W5(28a):
•
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
•
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
•
An ATM LANE module WS-X5158 or WS-X5161 operating in a Catalyst 5000 family switch will incorrectly display the maximum datagram size as 1580 when you enter the show atm interface atm0 command. This display does not indicate a problem and is present in all Cisco IOS releases for the Catalyst 5000 family LANE modules. The maximum datagram size that these modules currently support is 1514 bytes.
•
An ATM LANE module WS-X5161 running Cisco IOS software Release 12.1(10)E or Release 12.0(20)W5(24a) displays an incorrect five-minute output rate when you enter the show interface atm0 command. This problem does not appear in Release 12.0(10)W5(18a) and earlier Cisco IOS software releases.
•
An SNMP walk or a Get Next query might time out at the network management system (NMS) in response to some MIB objects. This problem occurs when a Catalyst 6500 ATM module is present in a Catalyst 6500 series chassis or when a Catalyst 5000 ATM module is present in the Catalyst 5000 family chassis and when there are no LANE servers or LANE-configured servers that are configured or running on the module.
Workaround: The supervisor engine must run the following software releases:
–
–
Release 12.0(24)W5(26a)
These sections describe the open and resolved caveats in Release 12.0(24)W5(26a) for the Catalyst 5000 series ATM modules:
•
•
Open Caveats in Release 12.0(24)W5(26a)
This section describes the open caveats in Release 12.0(24)W5(26a):
•
A WS-X5161 LANE module running Release 12.1(10)E or Release 12.0(20)W5(24a) displays an incorrect five-minute output rate when you enter the show interface atm0 command. This problem does not appear in Release 12.0(10)W5(18a) or earlier releases.
Workaround: None
•
The CAM table on a Catalyst 5000 family switch with a LANE module points to a nonexisting virtual circuit. This situation occurs only occasionally.
Workaround: Clear the CAM.
•
Catalyst 5000 family ATM LANE modules WS-X5158 and WS-X5156 might lock up and not allow traffic to pass when the lockup occurs.
Workaround: Reset the ATM LANE module.
•
ATM module WS-X5157/8 in Catalyst 5509 switch memory gets fragmented, and malloc failures occur.
Workaround: None.
Resolved Caveats in Release 12.0(24)W5(26a)
This section describes the resolved caveats in Release 12.0(24)W5(26a):
•
Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected. A workaround is available.
Cisco has made software available, free of charge, to correct the problem.
This advisory is available at this URL:
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
This problem is resolved in Release 12.0(24)W5(26a).
•
A Catalyst 5000 family LANE module running Release 12.0(20)W5(24) might display CPUHOG messages similar to the following:
Feb 16 01:35:06: %SYS-3-CPUHOG: Task ran for 2448 msec (0/0), process = ATMPeriodic, PC = 400A77BC.-Traceback= 400A7768 400A77C4 401D3534 401D3AA6Workaround: None.
•
If you enter a show mem command on Catalyst 5000 family ATM module WS-X5158, the ATM module might freeze.
Workaround: Reset the ATM module.
•
Under heavy traffic conditions (when the ATM LANE module is subscribed to 80 percent of its capacity), you may not be able to session in to the LANE module. Heavy traffic might also cause the MPOA-capable LANE modules to drop BPDUs that are meant to be sent over LANE. This problem is not present if the LANE module is configured for PVCs. The problem occurs only if the LANE module is configured for LANE.
Workaround: None.
Release 12.0(22)W5(25)
These sections describe the open and resolved caveats in Release 12.0(22)W5(25) for the Catalyst 5000 series ATM modules:
•
•
Open Caveats in Release 12.0(22)W5(25)
This section describes the open caveats in Release 12.0(22)W5(25):
•
A Catalyst 5000 family LANE module running Release 12.0(20)W5(24) can display CPUHOG messages similar to this:
Feb 16 01:35:06: %SYS-3-CPUHOG: Task ran for 2448 msec (0/0), process = ATMPeriodic, PC=400A77BC.-Traceback=400A7768 400A77C4 401D3534 401D3AA6Workaround: None.
•
When you try to connect the console port of the WS-X5158 module, this message appears:
%% Low on memory: try again later%% Low on memory: try again laterAfter the ATM module is reset, this alarm appears:
ATM#sh runATM#Mar 17 10:12:32.075: %SYS-2-MALLOCFAIL: Memory allocation of 130042bytes failed from 0x400303C4, pool Processor, alignment 0-Process= "Virtual Exec", ipl= 0, pid= 53-Traceback= 4009BD9E 4009CFCA 400303CC 40053952 40042DF0 40056906Workaround: None. Try to connect to the console port at a later time.
•
When an LEC on a Cisco device receives wrongly formatted LANE control frames, this message is generated:
%LANE-3-LEC_CONTROL_MSG: Received bad control message on interface ATM1/0.101Workaround: You do not need to bring down the LEC because this message usually appears only a few times. However, if the message keeps reappearing, you can restart the LEC or move the LES from the Catalyst 5000 family ATM module to another device.
Resolved Caveats in Release 12.0(22)W5(25)
This section describes the resolved caveats in Release 12.0(22)W5(25):
•
When using traffic-shaping code on a WS-X515 series LANE module in a Catalyst 5000 chassis, bridged AAL5SNAP frames will not be padded to the minimum Ethernet frame size. The resulting frame then becomes shorter than the valid minimum packet length, so the packet is dropped by the next receiving device. This condition greatly affects the AppleTalk and IPX protocols.
Workaround: You can use the LANE code on the WS-X515 series LANE modules (which limits you from being able to regulate the traffic on the PVCs), or use a WS-X516 series LANE module.
•
When 2000 PVCs (or greater) in 1000 VLANs are configured on the WS-X6101-OC12-MMF module, and ILMI and signalling PVCs are removed, the interface goes down and comes up, and then the module crashes. If the module has no PVCs other than the ILMI and signalling PVCs, the interface goes down and comes up when those PVCs are removed.
Workaround: None.
•
When you enter a show lane client command, part of the command output includes a statement that indicates how long the LEC has been operating, such as "LEC up for 8 hours 41 minutes." The current MIBS, such as interface MIBS, ATM MIBS, and the LEC MIB do not have this support.
Workaround: None.
Release 12.0(20)W5(24a)
These sections describe the open and resolved caveats in Release 12.0(20)W5(24a) for the Catalyst 5000 series ATM modules:
•
•
Open Caveats in Release 12.0(20)W5(24a)
This section describes the open caveats in Release 12.0(20)W5(24a):
•
An error can occur with management protocol processing. Use this URL for further information:
http://www.cisco.com/pcgi-bin/bugtool/onebug.pl?bugid=CSCdw65903
•
When an LEC on a Cisco device receives wrongly formatted LANE control frames, this message is generated:
%LANE-3-LEC_CONTROL_MSG: Received bad control message on interface ATM1/0.101When the message is generated, LECs may be shut down and brought up again.
Workaround: None.
Resolved Caveats in Release 12.0(20)W5(24a)
This section describes the resolved caveats in Release 12.0(20)W5(24a):
•
An error can occur with management protocol processing. Use the following URL for further information: http://www.cisco.com/pcgi-bin/bugtool/onebug.pl?bugid=CSCdw65903
Release 12.0(20)W5(24)
These sections describe the open and resolved caveats in Release 12.0(20)W5(24) for the Catalyst 5000 series ATM modules:
•
Guest
