Table Of Contents
Release Notes for Cisco IOS Release 12.2 SX on the Catalyst 6500 Series MSFC
Contents
Chronological List of Releases
Hierarchical List of Releases
Supported Hardware
CAT6000-MSFC3
CAT6000-MSFC2A
CAT6000-MSFC2
Service Modules
Content Services Gateway (CSG) Module
Application-Oriented Networking Module
SSL Services Module
Content Switching Module
FlexWAN and Enhanced FlexWAN Modules
FlexWAN Module Port Adapters
Unsupported Hardware
Features Set Guidelines and Restriction
New Features
New Features in Release 12.2(18)SXF17
New Hardware Features in Release 12.2(18)SXF17
New Software Features in Release 12.2(18)SXF17
New Features in Release 12.2(18)SXF16
New Hardware Features in Release 12.2(18)SXF16
New Software Features in Release 12.2(18)SXF16
New Features in Release 12.2(18)SXF15a
New Hardware Features in Release 12.2(18)SXF15a
New Software Features in Release 12.2(18)SXF15a
New Features in Release 12.2(18)SXF15
New Hardware Features in Release 12.2(18)SXF15
New Software Features in Release 12.2(18)SXF15
New Features in Release 12.2(18)SXF14
New Hardware Features in Release 12.2(18)SXF14
New Software Features in Release 12.2(18)SXF14
New Features in Release 12.2(18)SXF13
New Hardware Features in Release 12.2(18)SXF13
New Software Features in Release 12.2(18)SXF13
New Features in Release 12.2(18)SXF12a
New Hardware Features in Release 12.2(18)SXF12a
New Software Features in Release 12.2(18)SXF12a
New Features in Release 12.2(18)SXF12
New Hardware Features in Release 12.2(18)SXF12
New Software Features in Release 12.2(18)SXF12
New Features in Release 12.2(18)SXF11
New Hardware Features in Release 12.2(18)SXF11
New Software Features in Release 12.2(18)SXF11
New Features in Release 12.2(18)SXF10a
New Hardware Features in Release 12.2(18)SXF10a
New Software Features in Release 12.2(18)SXF10a
New Features in Release 12.2(18)SXF10
New Hardware Features in Release 12.2(18)SXF10
New Software Features in Release 12.2(18)SXF10
New Features in Release 12.2(18)SXF9
New Hardware Features in Release 12.2(18)SXF9
New Software Features in Release 12.2(18)SXF9
New Features in Release 12.2(18)SXF8
New Hardware Features in Release 12.2(18)SXF8
New Software Features in Release 12.2(18)SXF8
New Features in Release 12.2(18)SXF7
New Hardware Features in Release 12.2(18)SXF7
New Software Features in Release 12.2(18)SXF7
New Features in Release 12.2(18)SXF6
New Hardware Features in Release 12.2(18)SXF6
New Software Features in Release 12.2(18)SXF6
New Features in Release 12.2(18)SXF5
New Hardware Features in Release 12.2(18)SXF5
New Software Features in Release 12.2(18)SXF5
New Features in Release 12.2(18)SXF4
New Hardware Features in Release 12.2(18)SXF4
New Software Features in Release 12.2(18)SXF4
New Features in Release 12.2(18)SXF3
New Hardware Features in Release 12.2(18)SXF3
New Software Features in Release 12.2(18)SXF3
New Features in Release 12.2(18)SXF2
New Hardware Features in Release 12.2(18)SXF2
New Software Features in Release 12.2(18)SXF2
New Features in Release 12.2(18)SXF
New Hardware Features in Release 12.2(18)SXF
New Software Features in Release 12.2(18)SXF
New Features in Release 12.2(17d)SXB11a
New Hardware Features in Release 12.2(17d)SXB11a
New Software Features in Release 12.2(17d)SXB11a
New Features in Release 12.2(17d)SXB11
New Hardware Features in Release 12.2(17d)SXB11
New Software Features in Release 12.2(17d)SXB11
New Features in Release 12.2(17d)SXB10
New Hardware Features in Release 12.2(17d)SXB10
New Software Features in Release 12.2(17d)SXB10
New Features in Release 12.2(17d)SXB9
New Hardware Features in Release 12.2(17d)SXB9
New Software Features in Release 12.2(17d)SXB9
New Features in Release 12.2(17d)SXB8
New Hardware Features in Release 12.2(17d)SXB8
New Software Features in Release 12.2(17d)SXB8
New Features in Release 12.2(17d)SXB7
New Hardware Features in Release 12.2(17d)SXB7
New Software Features in Release 12.2(17d)SXB7
New Features in Release 12.2(17d)SXB6
New Hardware Features in Release 12.2(17d)SXB6
New Software Features in Release 12.2(17d)SXB6
New Features in Release 12.2(17d)SXB5
New Hardware Features in Release 12.2(17d)SXB5
New Software Features in Release 12.2(17d)SXB5
New Features in Release 12.2(17d)SXB4
New Hardware Features in Release 12.2(17d)SXB4
New Software Features in Release 12.2(17d)SXB4
New Features in Release 12.2(17d)SXB3
New Hardware Features in Release 12.2(17d)SXB3
New Software Features in Release 12.2(17d)SXB3
New Features in Release 12.2(17d)SXB2
New Hardware Features in Release 12.2(17d)SXB2
New Software Features in Release 12.2(17d)SXB2
New Features in Release 12.2(17d)SXB1
New Hardware Features in Release 12.2(17d)SXB1
New Software Features in Release 12.2(17d)SXB1
New Features in Release 12.2(17a)SX4
New Hardware Features in Release 12.2(17a)SX4
New Software Features in Release 12.2(17a)SX4
New Features in Release 12.2(17a)SX2
New Hardware Features in Release 12.2(17a)SX2
New Software Features in Release 12.2(17a)SX2
New Features in Release 12.2(17a)SX1
New Hardware Features in Release 12.2(17a)SX1
New Software Features in Release 12.2(17a)SX1
New Features in Release 12.2(14)SX2
New Hardware Features in Release 12.2(14)SX2
New Software Features in Release 12.2(14)SX2
Features From Earlier Releases
Configuring Unicast Reverse Path Forwarding Check
Cisco IOS Firewall Feature Set
Local Proxy ARP
Jumbo Frame Feature on the MSFC
ARP on STP Topology Change Notification
Router-Port Group Management Protocol
Unsupported Features and Commands
Limitations and Restrictions
MSFC Limitations and Restrictions
FlexWAN Module Limitations and Restrictions
Caveats
Caveats in Release 12.2(18)SXF and Rebuilds
Open Caveats in Release 12.2(18)SXF and Rebuilds
Resolved Caveats in Release 12.2(18)SXF17
Resolved Caveats in Release 12.2(18)SXF16
Resolved Caveats in Release 12.2(18)SXF15a
Resolved Caveats in Release 12.2(18)SXF15
Resolved Caveats in Release 12.2(18)SXF14
Resolved Caveats in Release 12.2(18)SXF13
Resolved Caveats in Release 12.2(18)SXF12a
Resolved Caveats in Release 12.2(18)SXF12
Resolved Caveats in Release 12.2(18)SXF11
Resolved Caveats in Release 12.2(18)SXF10a
Resolved Caveats in Release 12.2(18)SXF10
General Caveats in Release 12.2(18)SXF and Rebuilds
FlexWAN Caveats in Release 12.2(18)SXF and Rebuilds
Service Module Caveats in Release 12.2(18)SXF
Caveats in Release 12.2(17d)SXB Rebuilds
General Caveats in Release 12.2(17d)SXB Rebuilds
FlexWAN Module Caveats in Release 12.2(17d)SXB Rebuilds
Service Module Caveats in Release 12.2(17d)SXB Rebuilds
Caveats in Release 12.2(17a)SX Rebuilds
General Caveats in Release 12.2(17a)SX Rebuilds
Open Service Module Caveats in Release 12.2(17a)SX4
Open FlexWAN Module Caveats in Release 12.2(17a)SX4
Caveats in Release 12.2(14)SX2
Open Caveats in Release 12.2(14)SX2
Resolved Caveats in Release 12.2(14)SX2
Troubleshooting Information
Related Documentation
Platform-Specific Documents
Cisco Feature Navigator
Cisco IOS Software Documentation Set
Release 12.2 Documentation Set
Notices
OpenSSL/Open SSL Project
License Issues
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for Cisco IOS Release 12.2 SX on the Catalyst 6500 Series MSFC
September 30, 2009
Note
•This publication applies to these platforms:
•CAT6000-MSFC3
•CAT6000-MSFC2A (not supported in all releases)
•CAT6000-MSFC2 (not supported in all releases)
•Use this publication if you are running the Catalyst operating system on the supervisor engine and Cisco IOS Release 12.2 SX on the Multilayer Switch Feature Card (MSFC). If you are running Cisco IOS software on both the supervisor engine and the MSFC, refer to the Release Notes for Cisco IOS Release 12.2 SX on the Catalyst 6500 and Cisco 7600 Supervisor Engine and MSFC publication at this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html
The most current version of these release notes are available on Cisco.com at this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/hybrid/release/notes/ol_4563.html
This publication describes the features, modifications, and caveats for Release 12.2 SX on the Catalyst 6500 series MSFC. For features, modifications, and caveats for the Catalyst operating system, refer to the Catalyst operating system Release Notes at this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/system/release/notes/OL_4498.html
Contents
This publication consists of these sections:
•Chronological List of Releases
•Hierarchical List of Releases
•Supported Hardware
•Unsupported Hardware
•Features Set Guidelines and Restriction
•New Features
•Unsupported Features and Commands
•Limitations and Restrictions
•Caveats
•Troubleshooting Information
•Related Documentation
•Notices
•Obtaining Documentation, Obtaining Support, and Security Guidelines
Chronological List of Releases
Note See the "Hierarchical List of Releases" section for information about parent releases.
This is a chronological list of the 12.2SX releases for the CAT6000-MSFC3, CAT6000-MSFC2A, and CAT6000-MSFC2 platforms:
•30 Sep 2009—Release 12.2(18)SXF17
•23 Feb 2009—Release 12.2(18)SXF16
•29 Oct 2008—Release 12.2(18)SXF15a
•05 Sep 2008—Release 12.2(18)SXF15
•09 May 2008—Release 12.2(18)SXF14
•17 Feb 2008—Release 12.2(18)SXF13
•15 Jan 2008—Release 12.2(18)SXF12a
•19 Nov 2007—Release 12.2(18)SXF12
•21 Sep 2007—Release 12.2(18)SXF10a
•18 Sep 2007—Release 12.2(18)SXF11
•16 Jul 2007—Release 12.2(18)SXF10
•21 May 2007—Release 12.2(18)SXF9
•07 Mar 2007—Release 12.2(18)SXF8
•30 Nov 2006—Release 12.2(18)SXF7
•22 Sep 2006—Release 12.2(18)SXF6
•10 Jul 2006—Release 12.2(18)SXF5
•17 Apr 2006—Release 12.2(17d)SXB11a
•27 Mar 2006—Release 12.2(18)SXF4
•16 Feb 2006—Release 12.2(18)SXF3
•20 Jan 2006—Release 12.2(18)SXF2
•17 Nov 2005—Release 12.2(17d)SXB11
•12 Sep 2005—Release 12.2(18)SXF
•16 Aug 2005—Release 12.2(17d)SXB10
•21 Jul 2005—Release 12.2(17d)SXB9
•02 May 2005—Release 12.2(17d)SXB8
•01 Mar 2005—Release 12.2(17d)SXB7
•21 Dec 2004—Release 12.2(17d)SXB6
•01 Nov 2004—Release 12.2(17d)SXB5
•07 Sep 2004—Release 12.2(17d)SXB4
•17 Aug 2004—Release 12.2(17d)SXB3
•21 Jul 2004—Release 12.2(17d)SXB2
•01 Jun 2004—Release 12.2(17d)SXB1
•23 Apr 2004—Release 12.2(17a)SX4
•22 Apr 2004—Release 12.2(17b)SXA2 (no MSFC3 images)
•05 Mar 2004—Release 12.2(17d)SXB (no MSFC3 images)
•05 Mar 2004—Release 12.2(17a)SX3 (no MSFC3 images)
•29 Jan 2004—Release 12.2(17a)SX2
•31 Dec 2003—Release 12.2(17b)SXA (no MSFC3 images)
•30 Oct 2003—Release 12.2(17a)SX1
•06 Oct 2003—Release 12.2(17a)SX (no MSFC3 images)
•01 Jul 2003—Release 12.2(14)SX2
•28 May 2003—Release 12.2(14)SX1 (no MSFC3 images)
•14 Apr 2003—Release 12.2(14)SX (no MSFC3 images)
Hierarchical List of Releases
These releases support the hardware listed in "Supported Hardware" section:
•Release 12.2(18)SXF17 (30 Sep 2009)—Rebuild based on Release 12.2(18)SXF16.
•Release 12.2(18)SXF16 (23 Feb 2009)—Rebuild based on Release 12.2(18)SXF15a.
•Release 12.2(18)SXF15a (29 Oct 2008)—Rebuild based on Release 12.2(18)SXF15.
•Release 12.2(18)SXF15 (05 Sep 2008)—Rebuild based on Release 12.2(18)SXF14.
•Release 12.2(18)SXF14 (09 May 2008)—Rebuild based on Release 12.2(18)SXF13.
•Release 12.2(18)SXF13 (17 Feb 2008)—Rebuild based on Release 12.2(18)SXF12.
•Release 12.2(18)SXF12a (15 Jan 2008)—Rebuild based on Release 12.2(18)SXF12.
•Release 12.2(18)SXF12 (19 Nov 2007)—Rebuild based on Release 12.2(18)SXF11.
•Release 12.2(18)SXF11 (18 Sep 2007)—Rebuild based on Release 12.2(18)SXF10.
•Release 12.2(18)SXF10a (21 Sep 2007)—Rebuild based on Release 12.2(18)SXF10.
•Release 12.2(18)SXF10 (16 Jul 2007)—Rebuild based on Release 12.2(18)SXF9.
•Release 12.2(18)SXF9 (21 May 2007)—Rebuild based on Release 12.2(18)SXF8.
•Release 12.2(18)SXF8 (07 Mar 2007)—Rebuild based on Release 12.2(18)SXF7.
•Release 12.2(18)SXF7 (30 Nov 2006)—Rebuild based on Release 12.2(18)SXF6.
•Release 12.2(18)SXF6 (22 Sep 2006)—Rebuild based on Release 12.2(18)SXF5.
•Release 12.2(18)SXF5 (10 Jul 2006)—Rebuild based on Release 12.2(18)SXF4.
•Release 12.2(18)SXF4 (27 Mar 2006)—Rebuild based on Release 12.2(18)SXF3.
•Release 12.2(18)SXF3 (16 Feb 2006)—Rebuild based on Release 12.2(18)SXF2.
•Release 12.2(18)SXF2 (20 Jan 2006)—Rebuild based on Release 12.2(18)SXF.
•Release 12.2(18)SXF (12 Sep 2005)—Based on Release 12.2(18)SXE3. Includes all fixes in 12.2(18)SXE3, Release 12.2(18)SXD6, and Release 12.2(17d)SXB10.
•Release 12.2(17d)SXB11a (17 Apr 2006)—Rebuild based on Release 12.2(17d)SXB11.
•Release 12.2(17d)SXB11 (17 Nov 2005)—Rebuild based on Release 12.2(17d)SXB10.
•Release 12.2(17d)SXB10 (16 Aug 2005)—Rebuild based on Release 12.2(17d)SXB9.
•Release 12.2(17d)SXB9 (21 Jul 2005)—Rebuild based on Release 12.2(17d)SXB8.
•Release 12.2(17d)SXB8 (24 Apr 2005)—Rebuild based on Release 12.2(17d)SXB7.
•Release 12.2(17d)SXB7 (01 Mar 2005)—Rebuild based on Release 12.2(17d)SXB6.
•Release 12.2(17d)SXB6 (21 Dec 2004)—Rebuild based on Release 12.2(17d)SXB5.
•Release 12.2(17d)SXB5 (01 Nov 2004)—Rebuild based on Release 12.2(17d)SXB4.
•Release 12.2(17d)SXB4 (07 Sep 2004)—Rebuild based on Release 12.2(17d)SXB3.
•Release 12.2(17d)SXB3 (17 Aug 2004)—Rebuild based on Release 12.2(17d)SXB2.
•Release 12.2(17d)SXB2 (21 Jul 2004)—Rebuild based on Release 12.2(17d)SXB1.
•Release 12.2(17d)SXB1 (01 Jun 2004)—Rebuild based on Release 12.2(17d)SXB, Release 12.2(17b)SXA, and Release 12.2(17a)SX4.
•Release 12.2(17a)SX4 (23 Apr 2004)—Rebuild based on Release 12.2(17a)SX2.
•Release 12.2(17a)SX2 (29 Jan 2004)—Rebuild based on Release 12.2(17a)SX1.
•Release 12.2(17a)SX1 (30 Oct 2003)—Rebuild based on Release 12.2(14)SX2 and on Release 12.2(17a).
For information about Release 12.2(17a), refer to these publications on Cisco.com:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.html
•Release 12.2(14)SX2 (01 Jul 2003)—Rebuild based on Release 12.2(14)S.
For information about Release 12.2(14)S, refer to these publications on Cisco.com:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guides_list.html
For more information about the Cisco IOS software release process, refer to the Cisco IOS Software Releases: Product Bulletin #537 on Cisco.com at this URL:
http://www.cisco.com/warp/public/cc/pd/iosw/iore/prodlit/537_pp.htm
This publication does not describe features that are available in Release 12.2, Release 12.2 T, Release 12.2 S, or other Release 12.2 early deployment releases.
For a list of the Release 12.2 caveats that apply to Release 12.2 SX, see the "Caveats" section and refer to this URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_release_notes_list.html
For a list of the Release 12.2 S caveats that apply to Release 12.2 SX, see the "Caveats" section and refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2s/release/notes/122Srn.html
For general product information about the Catalyst 6500 series switches, refer to the Catalyst 4000, 5000, and 6000 Family Software Product Bulletin (URL below). For general information about Release 12.2 SX, refer to the Product Bulletin at this URL:
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/index.shtml
Supported Hardware
Note Refer to the Catalyst 6500 operating system Release Notes for information about the hardware supported by the Catalyst operating system on the Supervisor Engine 720. Refer to this publication:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/system/release/notes/OL_4498.html
•CAT6000-MSFC3
•CAT6000-MSFC2
•Service Modules
•FlexWAN and Enhanced FlexWAN Modules
•FlexWAN Module Port Adapters
CAT6000-MSFC3
Note With Cisco IOS software Release 12.2(18)SXF and later releases, the minimum MSFC ROMMON version is 12.2(17r)S1. See this document for more information:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/rommon/OL_4497.html
Product Number
(append "=" for spares)
|
Product Description
|
Minimum Software Version
|
MSFC3 on Supervisor Engine 720-3BXL (WS-SUP720-3BXL)
|
Not applicable
|
Multilayer Switch Feature Card 3 (MSFC3)
•64-MB bootflash device
•1-GB DRAM
|
12.2(17d)SXB1
|
MSFC3 on Supervisor Engine 720-3B (WS-SUP720-3B)
|
Not applicable
|
Multilayer Switch Feature Card 3 (MSFC3)
•64-MB bootflash device
•512-MB DRAM
|
12.2(17d)SXB1
|
MSFC3 on Supervisor Engine 720 (WS-SUP720)
|
Not applicable
|
Multilayer Switch Feature Card 3 (MSFC3)
•64-MB bootflash device
•512-MB DRAM
|
12.2(14)SX2
|
CAT6000-MSFC2A
Product Number
(append "=" for spares)
|
Product Description
|
Minimum Software Version
|
MSFC2A on Supervisor Engine 32
|
Not applicable
|
Multilayer Switch Feature Card 2A (MSFC2A)
•64-MB bootflash device
•256-MB DRAM
|
MSFC2A on WS-SUP32-GE
|
12.2(17d)SXB8
|
MSFC2A on WS-SUP32-10GE
|
12.2(17d)SXB9
|
CAT6000-MSFC2
Product Number
(append "=" for spares)
|
Product Description
|
Minimum Software Version
|
MSFC2 on Supervisor Engine 2
|
Not applicable
|
Multilayer Switch Feature Card 2 (MSFC2)
•32-MB bootflash device
•256-MB DRAM
|
12.2(18)SXF
|
Service Modules
Note Other service modules are supported on the supervisor engines in Catalyst 6500 operating system software releases. Refer to the Catalyst 6500 operating system Release Notes for more information:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/system/release/notes/OL_4498.html
•Content Services Gateway (CSG) Module
•Application-Oriented Networking Module
•SSL Services Module
•Content Switching Module
Content Services Gateway (CSG) Module
Product ID
(append "=" for spares)
|
Product Description
|
Minimum Software Version
|
WS-SVC-CSG-1
|
Content Services Gateway (CSG) Module
|
| |
With MSFC3 on Supervisor Engine 720
|
12.2(18)SXF
|
| |
With MSFC2 on Supervisor Engine 2
|
12.2(17d)SXB1
|
Note
•MSFC2A on Supervisor Engine 32 does not support WS-SVC-CSG-1.
•WS-SVC-CSG-1 runs its own software—Refer to this publication for more information:
http://www.cisco.com/en/US/products/sw/wirelssw/ps779/tsd_products_support_series_home.html
See the WS-SVC-CSG-1 software release notes for information about the minimum required WS-SVC-CSG-1 software version.
|
Application-Oriented Networking Module
Product ID
(append "=" for spares)
|
Product Description
|
Minimum Software Versions
|
WS-SVC-AON-1-K9
|
Application-Oriented Networking (AON) Module
|
With MSFC3 on Supervisor Engine 720
|
12.2(18)SXF
|
With MSFC2 on Supervisor Engine 2
|
12.2(18)SXF
|
Note
•MSFC2A on Supervisor Engine 32 does not support WS-SVC-AON-1-K9.
•WS-SVC-AON-1-K9 runs its own software—See this publication:
http://www.cisco.com/en/US/products/ps6480/tsd_products_support_series_home.html
|
SSL Services Module
Product Number
(append "=" for spares)
|
Product Description
|
Minimum Software Version
|
WS-SVC-SSL-1
|
SSL Services Module
|
With MSFC3 on Supervisor Engine 720
|
12.2(17a)SX1
|
With MSFC2A on Supervisor Engine 32
|
12.2(17d)SXB7
|
With MSFC2 on Supervisor Engine 2
|
12.2(18)SXF
|
Content Switching Module
Product Number
(append "=" for spares)
|
Product Description
|
Minimum Software Version
|
WS-X6066-SLB-APC
|
Content Switching Module
|
With MSFC3 on Supervisor Engine 720
|
12.2(17a)SX1
|
With MSFC2 on Supervisor Engine 2
|
12.2(18)SXF
|
Note MSFC2A on Supervisor Engine 32 does not support WS-X6066-SLB-APC.
|
FlexWAN and Enhanced FlexWAN Modules
Product Number
(append "=" for spares)
|
Product Description
|
Minimum Software Version
|
WS-X6582-2PA
|
Enhanced FlexWAN Module
|
With MSFC3 on Supervisor Engine 720
|
12.2(18)SXF
|
With MSFC2A on Supervisor Engine 32
|
12.2(18)SXF
|
With MSFC2 on Supervisor Engine 2
|
12.2(18)SXF
|
WS-X6182-2PA
|
FlexWAN Module
|
With MSFC3 on Supervisor Engine 720
Note Requires software release 8.2(1) or later on the Supervisor Engine 720.
|
12.2(17a)SX1
|
With MSFC2 on Supervisor Engine 2
|
12.2(18)SXF
|
Note
•WS-X6182-2PA is not supported with MSFC2A on Supervisor Engine 32.
•WS-X6182-2PA and WS-X6582-2PA do not maintain state when an NSF with SSO switchover occurs.
|
FlexWAN Module Port Adapters
Product Number
(append "=" for spares)
|
Product Description
|
Minimum Software Version
|
PA-2FE
|
2-port Fast Ethernet Port Adapter (supported only in WS-X6582-2PA)
|
12.2(18)SXF
|
PA-1FE
|
1-port Fast Ethernet Port Adapter (supported only in WS-X6582-2PA)
|
12.2(18)SXF
|
PA-POS-1OC3
|
1-port Packet over SONET OC3c/STM1 Port Adapter
|
12.2(18)SXF
|
PA-POS-2OC3
|
2-port Packet over SONET OC3c/STM1
|
12.2(17d)SXB1
|
SFPs for PA-POS-2OC3
|
POM-OC3-MM
|
Short range, multimode fiber
|
12.2(17d)SXB1
|
POM-OC3-SMIR
|
Intermediate range, single-mode fiber
|
12.2(17d)SXB1
|
POM-OC3-SMLR
|
Long range, single-mode fiber
|
12.2(17d)SXB1
|
PA-A6-OC3MM
|
1-port ATM OC-3c/STM-1 multimode port adapter, enhanced
|
12.2(17d)SXB1
|
PA-A6-OC3SMI
|
1-port ATM OC-3c/STM-1 single-mode (IR) port adapter, enhanced
|
12.2(17d)SXB1
|
PA-A6-OC3SML
|
1-port ATM OC-3c/STM-1 single-mode (LR) port adapter, enhanced
|
12.2(17d)SXB1
|
PA-A6-T3
|
1-port ATM DS3 port adapter, enhanced
|
12.2(17d)SXB1
|
PA-A6-E3
|
1-port ATM E3 port adapter, enhanced
|
12.2(17d)SXB1
|
PA-POS-OC3MM
PA-POS-OC3SMI
PA-POS-OC3SML
|
Packet over SONET (OC-3)
|
12.2(17a)SX1
|
PA-A3-OC3MM
PA-A3-OC3SMI
PA-A3-T3
PA-A3-OC3SML
PA-A3-E3
PA-A3-8T1IMA
PA-A3-8E1IMA
|
ATM with traffic shaping
Note These port adapters do not support LANE when installed in the FlexWAN module.
|
12.2(17a)SX1
|
PA-T3
PA-T3+
PA-2T3
PA-2T3+
PA-E3
PA-2E3
PA-MC-T3
PA-MC-E3
PA-MC-2T3+
|
T3/E3 (clear-channel and channelized)
|
12.2(17a)SX1
|
PA-4T+
PA-8T-V35
PA-8T-X21
PA-8T-232
PA-MC-2E1/120
PA-MC-8T1
PA-MC-8E1/120
PA-MC-2T1
PA-MC-4T1
|
T1/E1
|
12.2(17a)SX1
|
PA-4E1G/75
PA-4E1G/120
|
T1/E1
|
12.2(17a)SX1
|
PA-MC-8TE1+
|
Multichannel T1/E1 8PRI
Note This port adapter does not support ISDN PRI when installed in the FlexWAN module.
|
12.2(17a)SX1
|
PA-H
PA-2H
|
HSSI
|
12.2(17a)SX1
|
PA-MC-STM-1
|
Multichannel STM-1
|
12.2(17a)SX1
|
Unsupported Hardware
Release 12.2 SX images for the MSFC3, MSFC2A, and MSFC2 do not support:
•Optical Service Modules (OSMs)
•Shared Port Adapter (SPA) Interface Processors (SIPs)
•Shared Port Adapters (SPAs)
Features Set Guidelines and Restriction
•The MSFC3 does not require a bootloader image.
•The MSFC2A does not require a bootloader image.
•The MSFC2 does not require a bootloader image.
•You can boot MSFC3 images from bootflash, sup-disk0, sup-disk1, or sup-bootflash.
•You can boot MSFC2A images from bootflash, sup-disk0, or sup-bootdisk.
•You can boot MSFC2 images from bootflash, sup-disk0 or sup-bootflash.
•The FlexWAN module is not supported with Supervisor Engine 720 and software release 8.1(1).
•Release 12.2 SX includes Cisco strong encryption images. Cisco strong encryption images are subject to U.S. and local country export, import, and use laws. The country and class of user eligible to receive and use Cisco encryption solutions are limited. Refer to this URL for more information:
http://www.cisco.com/pcgi-bin/Software/Crypto/crypto_main.pl
•With releases earlier than Release 12.2(18)SXF, use of the EGP, BGP4, and IS-IS routing protocols requires the additional purchase of the InterDomain Routing Feature License (FR-IRC6).
•Many TFTP implementations cannot transfer 16 MB or larger files. To transfer 16 MB or larger files, you might need to use FTP or rcp. Refer to this online publication for procedures:
http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf008.html
•The k9 images support the IPSec Network Security feature (configured with the crypto ipsec command) and Secure Shell (SSH) access in software only for administrative connections to the switch.
•For information about the firewall images, which support Cisco IOS software firewall features, see "New Features in Release 12.2(14)SX2" section.
New Features
These sections describe the new features:
•New Features in Release 12.2(18)SXF17
•New Features in Release 12.2(18)SXF16
•New Features in Release 12.2(18)SXF15a
•New Features in Release 12.2(18)SXF15
•New Features in Release 12.2(18)SXF14
•New Features in Release 12.2(18)SXF13
•New Features in Release 12.2(18)SXF12a
•New Features in Release 12.2(18)SXF12
•New Features in Release 12.2(18)SXF11
•New Features in Release 12.2(18)SXF10a
•New Features in Release 12.2(18)SXF10
•New Features in Release 12.2(18)SXF9
•New Features in Release 12.2(18)SXF8
•New Features in Release 12.2(18)SXF7
•New Features in Release 12.2(18)SXF6
•New Features in Release 12.2(18)SXF5
•New Features in Release 12.2(18)SXF4
•New Features in Release 12.2(18)SXF3
•New Features in Release 12.2(18)SXF2
•New Features in Release 12.2(18)SXF
•New Features in Release 12.2(17d)SXB11a
•New Features in Release 12.2(17d)SXB11
•New Features in Release 12.2(17d)SXB10
•New Features in Release 12.2(17d)SXB9
•New Features in Release 12.2(17d)SXB9
•New Features in Release 12.2(17d)SXB7
•New Features in Release 12.2(17d)SXB6
•New Features in Release 12.2(17d)SXB5
•New Features in Release 12.2(17d)SXB4
•New Features in Release 12.2(17d)SXB3
•New Features in Release 12.2(17d)SXB2
•New Features in Release 12.2(17d)SXB1
•New Features in Release 12.2(17a)SX4
•New Features in Release 12.2(17a)SX2
•New Features in Release 12.2(17a)SX1
•New Features in Release 12.2(14)SX2
•Features From Earlier Releases
New Features in Release 12.2(18)SXF17
These sections describe the new features in Release 12.2(18)SXF17, 30 Sep 2009:
•New Hardware Features in Release 12.2(18)SXF17
•New Software Features in Release 12.2(18)SXF17
New Hardware Features in Release 12.2(18)SXF17
None.
New Software Features in Release 12.2(18)SXF17
None.
New Features in Release 12.2(18)SXF16
These sections describe the new features in Release 12.2(18)SXF16, 23 Feb 2009:
•New Hardware Features in Release 12.2(18)SXF16
•New Software Features in Release 12.2(18)SXF16
New Hardware Features in Release 12.2(18)SXF16
None.
New Software Features in Release 12.2(18)SXF16
None.
New Features in Release 12.2(18)SXF15a
These sections describe the new features in Release 12.2(18)SXF15a, 29 Oct 2008:
•New Hardware Features in Release 12.2(18)SXF15a
•New Software Features in Release 12.2(18)SXF15a
New Hardware Features in Release 12.2(18)SXF15a
None.
New Software Features in Release 12.2(18)SXF15a
None.
New Features in Release 12.2(18)SXF15
These sections describe the new features in Release 12.2(18)SXF15, 05 Sep 2008:
•New Hardware Features in Release 12.2(18)SXF15
•New Software Features in Release 12.2(18)SXF15
New Hardware Features in Release 12.2(18)SXF15
None.
New Software Features in Release 12.2(18)SXF15
None.
New Features in Release 12.2(18)SXF14
These sections describe the new features in Release 12.2(18)SXF14, 09 May 2008:
•New Hardware Features in Release 12.2(18)SXF14
•New Software Features in Release 12.2(18)SXF14
New Hardware Features in Release 12.2(18)SXF14
None.
New Software Features in Release 12.2(18)SXF14
None.
New Features in Release 12.2(18)SXF13
These sections describe the new features in Release 12.2(18)SXF13, 17 Feb 2008:
•New Hardware Features in Release 12.2(18)SXF13
•New Software Features in Release 12.2(18)SXF13
New Hardware Features in Release 12.2(18)SXF13
None.
New Software Features in Release 12.2(18)SXF13
None.
New Features in Release 12.2(18)SXF12a
These sections describe the new features in Release 12.2(18)SXF12a, 15 Jan 2008:
•New Hardware Features in Release 12.2(18)SXF12a
•New Software Features in Release 12.2(18)SXF12a
New Hardware Features in Release 12.2(18)SXF12a
None.
New Software Features in Release 12.2(18)SXF12a
None.
New Features in Release 12.2(18)SXF12
These sections describe the new features in Release 12.2(18)SXF12, 19 Nov 2007:
•New Hardware Features in Release 12.2(18)SXF12
•New Software Features in Release 12.2(18)SXF12
New Hardware Features in Release 12.2(18)SXF12
None.
New Software Features in Release 12.2(18)SXF12
None.
New Features in Release 12.2(18)SXF11
These sections describe the new features in Release 12.2(18)SXF11, 18 Sep 2007:
•New Hardware Features in Release 12.2(18)SXF11
•New Software Features in Release 12.2(18)SXF11
New Hardware Features in Release 12.2(18)SXF11
None.
New Software Features in Release 12.2(18)SXF11
None.
New Features in Release 12.2(18)SXF10a
These sections describe the new features in Release 12.2(18)SXF10a, 21 Sep 2007:
•New Hardware Features in Release 12.2(18)SXF10a
•New Software Features in Release 12.2(18)SXF10a
New Hardware Features in Release 12.2(18)SXF10a
None.
New Software Features in Release 12.2(18)SXF10a
None.
New Features in Release 12.2(18)SXF10
These sections describe the new features in Release 12.2(18)SXF10, 16 Jul 2007:
•New Hardware Features in Release 12.2(18)SXF10
•New Software Features in Release 12.2(18)SXF10
New Hardware Features in Release 12.2(18)SXF10
None.
New Software Features in Release 12.2(18)SXF10
None.
New Features in Release 12.2(18)SXF9
These sections describe the new features in Release 12.2(18)SXF9, 21 May 2007:
•New Hardware Features in Release 12.2(18)SXF9
•New Software Features in Release 12.2(18)SXF9
New Hardware Features in Release 12.2(18)SXF9
None.
New Software Features in Release 12.2(18)SXF9
None.
New Features in Release 12.2(18)SXF8
These sections describe the new features in Release 12.2(18)SXF8, 07 Mar 2007:
•New Hardware Features in Release 12.2(18)SXF8
•New Software Features in Release 12.2(18)SXF8
New Hardware Features in Release 12.2(18)SXF8
None.
New Software Features in Release 12.2(18)SXF8
None.
New Features in Release 12.2(18)SXF7
These sections describe the new features in Release 12.2(18)SXF7, 30 Nov 2006:
•New Hardware Features in Release 12.2(18)SXF7
•New Software Features in Release 12.2(18)SXF7
New Hardware Features in Release 12.2(18)SXF7
None.
New Software Features in Release 12.2(18)SXF7
None.
New Features in Release 12.2(18)SXF6
These sections describe the new features in Release 12.2(18)SXF6, 22 Sep 2006:
•New Hardware Features in Release 12.2(18)SXF6
•New Software Features in Release 12.2(18)SXF6
New Hardware Features in Release 12.2(18)SXF6
None.
New Software Features in Release 12.2(18)SXF6
None.
New Features in Release 12.2(18)SXF5
These sections describe the new features in Release 12.2(18)SXF5, 10 Jul 2006:
•New Hardware Features in Release 12.2(18)SXF5
•New Software Features in Release 12.2(18)SXF5
New Hardware Features in Release 12.2(18)SXF5
None.
New Software Features in Release 12.2(18)SXF5
None.
New Features in Release 12.2(18)SXF4
These sections describe the new features in Release 12.2(18)SXF4, 27 Mar 2006:
•New Hardware Features in Release 12.2(18)SXF4
•New Software Features in Release 12.2(18)SXF4
New Hardware Features in Release 12.2(18)SXF4
None.
New Software Features in Release 12.2(18)SXF4
None.
New Features in Release 12.2(18)SXF3
These sections describe the new features in Release 12.2(18)SXF3, 16 Feb 2006:
•New Hardware Features in Release 12.2(18)SXF3
•New Software Features in Release 12.2(18)SXF3
New Hardware Features in Release 12.2(18)SXF3
None.
New Software Features in Release 12.2(18)SXF3
None.
New Features in Release 12.2(18)SXF2
These sections describe the new features in Release 12.2(18)SXF2, 20 Jan 2006:
•New Hardware Features in Release 12.2(18)SXF2
•New Software Features in Release 12.2(18)SXF2
New Hardware Features in Release 12.2(18)SXF2
None.
New Software Features in Release 12.2(18)SXF2
None.
New Features in Release 12.2(18)SXF
These sections describe the new features in Release 12.2(18)SXF, 12 Sep 2005:
•New Hardware Features in Release 12.2(18)SXF
•New Software Features in Release 12.2(18)SXF
New Hardware Features in Release 12.2(18)SXF
•Multilayer Switch Feature Card 2 (MSFC2) on Supervisor Engine 2
•Enhanced FlexWAN Module with these MSFCs and Supervisor Engines:
–MSFC3 on Supervisor Engine 720
–MSFC2A on Supervisor Engine 32
–MSFC2 on Supervisor Engine 2
•2-port Fast Ethernet Port Adapter (supported only in WS-X6582-2PA)
•1-port Fast Ethernet Port Adapter (supported only in WS-X6582-2PA)
•1-port Packet over SONET OC3c/STM1 Port Adapter
New Software Features in Release 12.2(18)SXF
Note•The MSFC2 supports the features introduced in earlier releases for the MSFC3 and MSFC2A.
•Software release 8.5(1) introduces hardware acceleration for some MSFC features. When upgrading from software release 8.4(x) to software release 8.5(1), there are no issues with MSFC features that were already configured and running. In addition to NAT, features such as reflexive ACLs and Context Based Access Control (CBAC) can work in hardware as long as there is no flow mask conflict. A feature will work in hardware unless the feature needs a flow mask that is in conflict with another feature such as NDE or QoS microflow policer. (Refer to the Catalyst software release notes for information about NDE and QoS.)
Hardware acceleration is also introduced in software release 8.5(1) for WCCP and TCP intercept. These MSFC features can coexist with NDE if there is no flow mask conflict. The ACL manager attempts to merge the flow mask requirements of different features. The basic idea is to allocate a new flow mask only for a strict flow mask requirement that is incompatible with already allocated flow masks. NDE does not have a strict flow mask requirement, so the flow mask for NDE can be moved up.
To use the hardware acceleration functionality for NAT, if a flow mask has been configured for NDE (enter the show mls command to display flow masks), you need to perform the following steps:
1. Enter the set mls flow null command.
2. The MSFC needs to request a flow mask. This is accomplished by reconfiguring the specific MSFC feature.
NDE will fail if any of the following events occur:
—Hardware-accelerated NAT is enabled.
—Two or more features with conflicting flow masks have been configured on the switch.
Conversely, once NDE is successfully configured, NAT cannot be configured to work in hardware and two different features with conflicting flow mask requirements cannot be configured on the switch.
•Nonstop Forwarding with Stateful Switchover (NSF with SSO) redundancy, with support for these NSF with SSO features:
–Nonstop Forwarding (NSF) for BGP
–Nonstop Forwarding (NSF) for EIGRP
–Nonstop Forwarding (NSF) for IS-IS
–Nonstop Forwarding (NSF) for OSPF
Note NSF with SSO redundancy is supported with software release 8.5(1) and later releases.
The FlexWAN module (WS-X6182-2PA) and Enhanced FlexWAN module (WS-X6582-2PA) do not maintain state when an NSF with SSO switchover occurs.
Refer to this publication for information about NSF with SSO redundancy:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/nsf_sso.html
•WCCP 2.0 Layer 2 PFC redirection (supported with MSFC3, MSFC2A, and MSFC2)—See this publication:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/wccp.html
•With a PFC3, hardware-assisted TCP intercept—See this publication:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfdenl.html
•With a PFC3, hardware-assisted IP-in-IP tunneling and generic routing encapsulation (GRE) tunneling—The PFC3 supports the following tunnel commands:
–tunnel destination
–tunnel mode gre
–tunnel mode ipip
–tunnel source
–tunnel ttl
–tunnel tos
Other supported types of tunneling run in software on the MSFC3. The PFC3 does not provide hardware acceleration for tunnels configured with the tunnel key command.
The tunnel ttl command (default 255) sets the TTL of encapsulated packets.
The tunnel tos command, if present, sets the ToS byte of a packet when it is encapsulated. If the tunnel tos command is not present and QoS is not enabled, the ToS byte of a packet sets the ToS byte of the packet when it is encapsulated. If the tunnel tos command is not present and QoS is enabled, the ToS byte of a packet as modified by PFC QoS sets the ToS byte of the packet when it is encapsulated.
To configure GRE Tunneling and IP in IP Tunneling, refer to these publications:
http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html
http://www.cisco.com/en/US/docs/ios/12_2/interface/command/reference/irfshoip.html
To configure the tunnel tos and tunnel ttl commands, refer to this publication:
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_tos.html
Note the following information about tunnels:
–Each hardware-assisted tunnel must have a unique source. Hardware-assisted tunnels cannot share a source even if the destinations are different. Use secondary addresses on loopback interfaces or create multiple loopback interfaces. (CSCdy72539)
–Each tunnel interface uses one internal VLAN.
–Each tunnel interface uses one additional router MAC address entry per router MAC address.
–The PFC3A does not support any PFC QoS features on tunnel interfaces.
–The PFC3B and PFC3BXL support PFC QoS features on tunnel interfaces.
–The PFC3 does not support GRE tunnel encapsulation and de-encapsulation of multicast traffic.
–The MSFC supports tunnels configured with egress features on the tunnel interface. Examples of egress features are output Cisco IOS ACLs, NAT and PAT (for inside to outside translation), TCP intercept, context-based access control (CBAC), and encryption.
•With a PFC3, hardware-assisted Network Address Translation (NAT) and Port Address Translation (PAT) for IPv4 unicast and multicast traffic—Note the following information about hardware-assisted NAT:
–A PFC3A on a Supervisor Engine 720 does not support NAT or PAT for UDP traffic.
Note PFC3B and PFC3BXL modes support NAT and PAT for UDP traffic.
–The PFC3 does not support NAT or PAT for multicast traffic.
–The PFC3 does not support NAT or PAT configured with a route map that specifies length.
–When you configure NAT or PAT and NDE on an interface, the PFC3 sends all traffic in fragmented packets to the MSFC3 to be processed in software. (CSCdz51590)
–In software release 8.5(1) and later releases, with a large number of NetFlow entries in the NetFlow table, statistics may not be received by the MSFC if the NAT timeout value expires. The configurable timeout value determines when a translation times out after a period of nonuse. If the NAT timeout value expires, NetFlow entries are dropped resulting in shortcuts needing to be reinstalled. The recommended value for the NAT timer on the MSFC is 600 seconds and is configured using the following commands:
ip nat translation timeout value
ip nat translation tcp-timeout value
ip nat translation udp-timeout value
With the NetFlow table full and a 600 second timeout value configured on the MSFC, there should be no dropped NetFlow entries.
To configure NAT or PAT, refer to the Cisco IOS IP Configuration Guide, Release 12.2, "IP Addressing and Services," "Configuring IP Addressing," "Configuring Network Address Translation," at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html
For information about configuring NAT or PAT with route maps, refer to this publication:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml
To prevent a significant volume of NAT or PAT traffic from being sent to the MSFC, due to either a DoS attack or a misconfiguration, enter the mls rate-limit unicast acl {ingress | egress} command on a VLAN interface, as described in this publication:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/hybrid/command/reference/msfc_cr.html
(CSCea23296)
•ATM VC access trunk emulation—See this publication:
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/flexwan-config-guide.html
•On VLAN interface, Multi-VRF for CE Routers (VRF Lite) with IPv4 forwarding between VRFs interfaces, IPv4 ACLs, and IPv4 HSRP.
Note Multi-VRF for CE Routers (VRF Lite) with the Supervisor Engine 720 supports multi-VRF CE functionality with EIGRP, OSPF, BGP and RIPv2 routing protocols running on a per VRF basis. Static routes are also supported. Also supported on WAN ports.
•Distributed network-based application recognition (dNBAR) on FlexWAN module interfaces—See this publication:
http://www.cisco.com/en/US/docs/ios/12_4t/qos/configuration/guide/qsnbar1.html
•ATM Cell Loss Priority (CLP) Setting on FlexWAN module ATM interfaces—See this publication:
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html
•Distributed MLPPP (dMLPPP) on FlexWAN module interfaces—See this publication:
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html
•Inverse Multiplexing over ATM (IMA) on FlexWAN module interfaces—See this publication:
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html
•QoS: ingress shaping on FlexWAN module interfaces—See this publication:
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/flexwan-config-guide.html
•Packet classification based on layer 3 packet length on FlexWAN module interfaces—See this publication:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftmchpkt.html
•Shortcut-consistency checker (requires software release 8.5(1) or later)—The mls ip multicast consistency-check command checks the multicast route table and the multicast-hardware entries for consistency and corrects any inconsistencies. See the Catalyst 6500 Series MSFC Cisco IOS Command Reference, 12.2SX, at this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/hybrid/command/reference/msfc_cr.html
New Features in Release 12.2(17d)SXB11a
These sections describe the new features in Release 12.2(17d)SXB11a, 17 Apr 2006:
•New Hardware Features in Release 12.2(17d)SXB11a
•New Software Features in Release 12.2(17d)SXB11a
New Hardware Features in Release 12.2(17d)SXB11a
None.
New Software Features in Release 12.2(17d)SXB11a
None.
New Features in Release 12.2(17d)SXB11
These sections describe the new features in Release 12.2(17d)SXB11, 17 Nov 2005:
•New Hardware Features in Release 12.2(17d)SXB11
•New Software Features in Release 12.2(17d)SXB11
New Hardware Features in Release 12.2(17d)SXB11
None.
New Software Features in Release 12.2(17d)SXB11
None.
New Features in Release 12.2(17d)SXB10
These sections describe the new features in Release 12.2(17d)SXB10, 16 Aug 2005:
•New Hardware Features in Release 12.2(17d)SXB10
•New Software Features in Release 12.2(17d)SXB10
New Hardware Features in Release 12.2(17d)SXB10
None.
New Software Features in Release 12.2(17d)SXB10
None.
New Features in Release 12.2(17d)SXB9
These sections describe the new features in Release 12.2(17d)SXB9, 21 Jul 2005:
•New Hardware Features in Release 12.2(17d)SXB9
•New Software Features in Release 12.2(17d)SXB9
New Hardware Features in Release 12.2(17d)SXB9
None.
New Software Features in Release 12.2(17d)SXB9
None.
New Features in Release 12.2(17d)SXB8
These sections describe the new features in Release 12.2(17d)SXB8, 02 May 2005:
•New Hardware Features in Release 12.2(17d)SXB8
•New Software Features in Release 12.2(17d)SXB8
New Hardware Features in Release 12.2(17d)SXB8
None.
New Software Features in Release 12.2(17d)SXB8
None.
New Features in Release 12.2(17d)SXB7
These sections describe the new features in Release 12.2(17d)SXB7, 01 Mar 2005:
•New Hardware Features in Release 12.2(17d)SXB7
•New Software Features in Release 12.2(17d)SXB7
New Hardware Features in Release 12.2(17d)SXB7
Initial support for the CAT6000-MSFC2 on the Supervisor Engine 32.
New Software Features in Release 12.2(17d)SXB7
None.
Note The MSFC2A supports the features introduced in earlier releases for the MSFC3.
New Features in Release 12.2(17d)SXB6
These sections describe the new features in Release 12.2(17d)SXB6, 21 Dec 2004:
•New Hardware Features in Release 12.2(17d)SXB6
•New Software Features in Release 12.2(17d)SXB6
New Hardware Features in Release 12.2(17d)SXB6
None.
New Software Features in Release 12.2(17d)SXB6
None.
New Features in Release 12.2(17d)SXB5
These sections describe the new features in Release 12.2(17d)SXB5, 01 Nov 2004:
•New Hardware Features in Release 12.2(17d)SXB5
•New Software Features in Release 12.2(17d)SXB5
New Hardware Features in Release 12.2(17d)SXB5
None.
New Software Features in Release 12.2(17d)SXB5
None.
New Features in Release 12.2(17d)SXB4
These sections describe the new features in Release 12.2(17d)SXB4, 07 Sep 2004:
•New Hardware Features in Release 12.2(17d)SXB4
•New Software Features in Release 12.2(17d)SXB4
New Hardware Features in Release 12.2(17d)SXB4
None.
New Software Features in Release 12.2(17d)SXB4
None.
New Features in Release 12.2(17d)SXB3
These sections describe the new features in Release 12.2(17d)SXB3, 17 Aug 2004:
•New Hardware Features in Release 12.2(17d)SXB3
•New Software Features in Release 12.2(17d)SXB3
New Hardware Features in Release 12.2(17d)SXB3
None.
New Software Features in Release 12.2(17d)SXB3
None.
New Features in Release 12.2(17d)SXB2
These sections describe the new features in Release 12.2(17d)SXB2, 21 Jul 2004:
•New Hardware Features in Release 12.2(17d)SXB2
•New Software Features in Release 12.2(17d)SXB2
New Hardware Features in Release 12.2(17d)SXB2
None.
New Software Features in Release 12.2(17d)SXB2
None.
New Features in Release 12.2(17d)SXB1
These sections describe the new features in Release 12.2(17d)SXB1, 01 Jun 2004:
•New Hardware Features in Release 12.2(17d)SXB1
•New Software Features in Release 12.2(17d)SXB1
New Hardware Features in Release 12.2(17d)SXB1
•MSFC3 on Supervisor Engine 720-3BXL (see the "CAT6000-MSFC3" section)
•MSFC3 on Supervisor Engine 720-3B (see the "CAT6000-MSFC3" section)
•These FlexWAN port adapters:
–2-port Packet-over-SONET OC-3c/STM-1 (PA-POS-2OC3)
–PA-A6-OC3MM 1-port ATM OC-3c/STM-1 multimode port adapter, enhanced
–PA-A6-OC3SMI 1-port ATM OC-3c/STM-1 single-mode (IR) port adapter, enhanced
–PA-A6-OC3SML 1-port ATM OC-3c/STM-1 single-mode (LR) port adapter, enhanced
–PA-A6-T3 1-port ATM DS3 port adapter, enhanced
–PA-A6-E3 1-port ATM E3 port adapter, enhanced
New Software Features in Release 12.2(17d)SXB1
•Support for IGMP version 3 snooping with Multicast Multilayer Switching (MMLS) in software release 8.3(1)—Refer to this publication:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/system/release/notes/OL_4498.html
•Gateway Load Balancing Protocol (GLBP)—Refer to this publication:
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fs_glbp2.html
•Bidirectional Protocol Independent Multicast (PIM) in software—Refer to this publication:
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfbipim.html
•Link Fragmentation and Interleaving (LFI) for Frame Relay and ATM Virtual Circuits on FlexWAN module interfaces—Refer to this publication:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftdlfi2.html
•RFC 1889 Compressed Real-Time Protocol (cRTP) on FlexWAN module interfaces—Refer to this publication:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfcrtp.html
•Voice over Frame Relay (VoFR) FRF.11and FRF.12 on FlexWAN module interfaces—Refer to this publication:
http://www.cisco.com/en/US/docs/ios/12_2/voice/configuration/guide/vvfvofr.html
Note Because the Catalyst 6500 series switches do not support voice modules, they can act only as a VoFR tandem switch when FRF.11 or FRF.12 is configured on the FlexWAN.
•Low Latency Queueing (LLQ) and Class-based Weighted Fair Queueing (CBWFQ) on MLPPP FlexWAN module links—Refer to this publication:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/fqos_c.html
•Multilink Frame Relay (FRF.16) on FlexWAN module interfaces—Refer to this publication:
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fs_mfr.html
New Features in Release 12.2(17a)SX4
These sections describe the new features in Release 12.2(17a)SX4, 23 Apr 2004:
•New Hardware Features in Release 12.2(17a)SX4
•New Software Features in Release 12.2(17a)SX4
New Hardware Features in Release 12.2(17a)SX4
None.
New Software Features in Release 12.2(17a)SX4
None.
New Features in Release 12.2(17a)SX2
These sections describe the new features in Release 12.2(17a)SX2, 29 Jan 2004:
•New Hardware Features in Release 12.2(17a)SX2
•New Software Features in Release 12.2(17a)SX2
New Hardware Features in Release 12.2(17a)SX2
None.
New Software Features in Release 12.2(17a)SX2
None.
New Features in Release 12.2(17a)SX1
These sections describe the new features in Release 12.2(17a)SX1, 30 Oct 2003:
•New Hardware Features in Release 12.2(17a)SX1
•New Software Features in Release 12.2(17a)SX1
New Hardware Features in Release 12.2(17a)SX1
•FlexWAN module (WS-X6182-2PA)—Refer to this publication for more information:
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/flexwan-config-guide.html
•SSL Services Module (WS-SVC-SSL-1)—Refer to this publication for more information:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ssl/1.2/release/notes/OL_3396.html
•Content Switching Module (WS-X6066-SLB-APC)—Refer to these publications:
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps780/tsd_products_support_model_home.html
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps780/tsd_products_support_model_home.html
New Software Features in Release 12.2(17a)SX1
None.
New Features in Release 12.2(14)SX2
These sections describe the new features in Release 12.2(14)SX2, 01 Jul 2003:
•New Hardware Features in Release 12.2(14)SX2
•New Software Features in Release 12.2(14)SX2
New Hardware Features in Release 12.2(14)SX2
Initial support of the CAT6000-MSFC3.
New Software Features in Release 12.2(14)SX2
•PFC3 hardware support for policy-based routing (PBR) route-map sequences that use the match ip address, set ip next-hop, and set ip default next-hop PBR commands.
To configure PBR, refer this URL:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
Note•If the MSFC address falls within the range of a PBR ACL, traffic addressed to the MSFC is policy routed in hardware instead of being forwarded to the MSFC. To prevent policy routing of traffic addressed to the MSFC, configure PBR ACLs to deny traffic addressed to the MSFC. (CSCse86399)
•The PFC3 does not support Unicast RPF check for policy-based routing (PBR) traffic. (CSCea53554)
•PFC3 hardware support for Unicast Reverse Path Forwarding (RPF) Check—To configure unicast RPF check, see the "Configuring Unicast Reverse Path Forwarding Check" section.
•Interior Border Gateway Protocol (IBGP) multipath—Refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsbgpls.html
Features From Earlier Releases
•The standby delay minimum reload interface command configures the delay period before the initialization of HSRP groups. Use the no form of this command to disable the delay period.
This is the syntax of the command:
standby delay minimum [min_delay] reload [reload_delay]
no standby delay minimum [min_delay] reload [reload_delay]
These are the variable parameters:
–min_delay—(Optional) Minimum time, in seconds, to delay HSRP group initialization after an interface comes up. This minimum delay period applies to all subsequent interface events.
–reload_delay—(Optional) Time, in seconds, to delay after the router has reloaded. This delay period applies only to the first interface-up event after the router has reloaded.
The default minimum delay is 1 second; the default reload delay is 5 seconds.
If the active router fails or is removed from the network, the standby router automatically becomes the new active router. If the former active router comes back online, you can control whether it takes over as the active router by using the standby preempt command.
Even if the standby preempt command is not configured, the former active router resumes the active role after it reloads and comes back online. Use the standby delay minimum reload command to set a delay period for HSRP group initialization. This command provides time for the packets to get through before the router resumes the active role.
We recommend that you use the standby delay minimum reload command if the standby timers command is configured in milliseconds or if HSRP is configured on a VLAN interface of a switch.
In most configurations, the default values provide sufficient time for the packets to get through, and you do not need to configure longer delay values.
The delay is canceled if an HSRP packet is received on an interface.
•Support for the mls ip reflect-threshold, mls ip delete-threshold, and mls ip install-threshold commands.
•New commands for Protocol Independent Multicast (PIM) scalability and convergence enhancements:
–[no] ip multicast rpf interval command
–[no] ip multicast rpf triggered {min | max} command
With this command, you can change the periodic polling of the routing tables so that PIM joins are triggered only when there are changes in the routing tables.
•Support for RADIUS load balancing and Virtual Private Network (VPN) load balancing.
•Single router mode (SRM) redundancy.
•Support for source-specific multicast with IGMPv3, IGMP v3lite, and URD. For complete information and procedures, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_1t/12_1t5/feature/guide/dtssm5t.html
•The highest value for the maximum-paths command has been raised from six to eight.
•The alt keyword is optional with the standby [group_number] ip [ip_address [secondary]] command. Without the alt keyword, the same HSRP IP address and HSRP group is configured on a given interface for both MSFCs in the chassis. You can enter the alt keyword if desired. If you enter the alt keyword, you must configure the same HSRP IP address on both the designated and nondesignated MSFC.
•Secure Shell Version 1 with 3DES encryption. Refer to these URLs:
http://www.cisco.com/en/US/docs/ios/12_1t/12_1t1/feature/guide/sshv1.html
http://www.cisco.com/en/US/docs/ios/12_1t/12_1t3/feature/guide/sshv1c.html
•Private VLAN support—The following applies to private VLAN support:
–Enter the show pvlan command to display information about private VLANs.
Note The show pvlan command displays information about private VLANs only when the primary private VLAN is up.
–Entering the set pvlan mapping or the clear pvlan mapping commands on the supervisor engine generates MSFC syslog messages as follows:
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 101
%PV-6-PV_MSG:Created a private vlan mapping, Primary 200, Secondary 201
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 101
–Enter the interface vlan command to configure Layer 3 parameters only for primary private VLANs.
–On the supervisor engine, you cannot create isolated or community VLANs using VLAN numbers for which the interface vlan commands have been entered on the MSFC.
–ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries. (We recommend that you display and verify private VLAN interface ARP entries.)
–For security reasons, private VLAN interface sticky ARP entries do not age out. Connecting new equipment with the same IP address generates a message and the ARP entry is not created.
–Because the private VLAN interface ARP entries do not age out, you must manually remove private VLAN interface ARP entries if a MAC address changes.
–You can add or remove private VLAN ARP entries manually as follows:
Router(config)# no arp 11.1.3.30
IP ARP:Deleting Sticky ARP entry 11.1.3.30
Router(config)# arp 11.1.3.30 0000.5403.2356 arpa
IP ARP:Overwriting Sticky ARP entry 11.1.3.30, hw:00d0.bb09.266e by
hw:0000.5403.2356
–Some commands clear and recreate private VLAN mapping as follows:
Router(config)# xns routing
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 101
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 102
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 103
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 101
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 102
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 103
•Data-link switching plus (DLSw+)
•Configuring Unicast Reverse Path Forwarding Check
•Cisco IOS Firewall Feature Set
•Local Proxy ARP
•Jumbo Frame Feature on the MSFC
•ARP on STP Topology Change Notification
•Router-Port Group Management Protocol
Configuring Unicast Reverse Path Forwarding Check
These sections describe configuring Cisco IOS Unicast Reverse Path Forwarding Check (unicast RPF check):
•Understanding Unicast RPF Check Support
•Configuring Unicast RPF Check
Understanding Unicast RPF Check Support
For a complete explanation of how unicast RPF check works, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrpf.html
The PFC3 provides hardware support for unicast RPF check of traffic from multiple interfaces.
With strict-method unicast RPF check, the PFC3 supports two parallel paths for all prefixes in the routing table, and up to four parallel paths for prefixes reached through any of four user-configurable RPF interface groups (each interface group can contain four interfaces).
With loose-method unicast RPF check (also known as exist-only method), the PFC3 supports up to eight reverse-path interfaces (the Cisco IOS software is limited to eight reverse paths in the routing table).
There are four methods of performing unicast RPF check in Cisco IOS:
•Strict unicast RPF check
•Strict unicast RPF check with allow-default
•Loose unicast RPF check
•Loose unicast RPF check with allow-default
You configure unicast RPF check on a per-interface basis, but the PFC3 supports only one Unicast RPF method for all interfaces that have unicast RPF check enabled. When you configure an interface to use a Unicast RPF method that is different from the currently configured method, all other interfaces in the system that have unicast RPF check enabled use the new method.
Note•If you configure unicast RPF check to filter with an ACL, the PFC3 determines whether or not traffic matches the ACL. The PFC3 sends the traffic denied by the RPF ACL to the MSFC for the unicast RPF check. Packets permitted by the ACL are forwarded in hardware without a unicast RPF check.
•Because the packets in a denial-of-service attack typically match the deny ACE and are sent to the MSFC for the unicast RPF check, they can overload the MSFC.
•The PFC3 provides hardware support for traffic that does not match the unicast RPF check ACL, but that does match an input security ACL.
•ACL-based unicast RPF check is processed in software on the MSFC. (CSCdz35099)
•The PFC3 does not support unicast RPF check for policy-based routing (PBR) traffic. (CSCea53554)
Configuring Unicast RPF Check
These sections describe how to configure unicast RPF check:
•Configuring the Unicast RPF Check Mode
•Configuring the Multiple-Path Unicast RPF Check Mode
•Enabling Self-Pinging
Configuring the Unicast RPF Check Mode
There are two unicast RPF check modes:
•Strict check mode, which verifies that the source IP address exists in the FIB table and verifies that the source IP address is reachable through the input port.
•Exist-only check mode, which only verifies that the source IP address exists in the FIB table.
Note The most recently configured mode is automatically applied to all ports configured for unicast RPF check.
To configure unicast RPF check mode, perform this task:
| |
Command
|
Purpose
|
Step 1
|
Router(config)# interface vlan vlan_ID
|
Selects an interface to configure.
Note Based on the input interface, unicast RPF check verifies the best return path before forwarding the packet on to the next destination.
|
Step 2
|
Router(config-if)# ip verify unicast source
reachable-via {rx | any} [allow-default] [list]
|
Configures the unicast RPF check mode.
|
Router(config-if)# no ip verify unicast
|
Reverts to the default unicast RPF check mode.
|
Step 3
|
Router(config-if)# exit
|
Exits interface configuration mode.
|
Step 4
|
Router# show mls cef ip rpf
|
Verifies the configuration.
|
Note When you enter the ip verify unicast source reachable-via command, the unicast RPF check mode changes on all ports in the switch.
When configuring the unicast RPF check mode, note the following syntax information:
•Use the rx keyword to enable strict check mode.
•Use the any keyword to enable exist-only check mode.
•Use the allow-default keyword to allow use of the default route for RPF verification.
•Use the list option to identify an access list.
–If the access list denies network access, spoofed packets are dropped at the port.
–If the access list permits network access, spoofed packets are forwarded to the destination address. Forwarded packets are counted in the interface statistics.
–If the access list includes the logging action, information about the spoofed packets is sent to the log server.
This example shows how to enable Unicast RPF exist-only check mode on VLAN interface 100:
Router(config)# interface vlan 100
Router(config-if)# ip verify unicast source reachable-via any
This example shows how to enable Unicast RPF strict check mode on VLAN interface 200:
Router(config)# interface vlan 200
Router(config-if)# ip verify unicast source reachable-via rx
This example shows how to verify the configuration:
Router# show running-config interface vlan 200 | begin 200
ip address 42.0.0.1 255.0.0.0
ip verify unicast reverse-path
Router# show running-config interface vlan 100 | begin 100
ip address 41.0.0.1 255.0.0.0
ip verify unicast reverse-path 
(RPF mode on g4/1 also changed to strict-check RPF mode)
Configuring the Multiple-Path Unicast RPF Check Mode
To configure the multiple-path unicast RPF check mode, perform this task:
| |
Command
|
Purpose
|
Step 1
|
Router(config)# mls ip cef rpf mpath {punt | pass
| interface-group}
|
Configures the multiple-path unicast RPF check mode.
|
Step 2
|
Router(config)# no mls ip cef rpf mpath {punt |
interface-group}
|
Returns to the default (mls ip cef rpf mpath punt).
|
Step 3
|
Router(config)# end
|
Exits configuration mode.
|
Step 4
|
Router# show mls cef ip rpf
|
Verifies the configuration.
|
When configuring multiple-path unicast RPF check, note the following syntax information:
•punt (default)—The PFC3 performs the unicast RPF check in hardware for up to two interfaces per prefix. Packets arriving on any additional interfaces are redirected (punted) to the MSFC for unicast RPF check in software.
•pass—The PFC3 performs the unicast RPF check in hardware for single-path and two-path prefixes. unicast RPF check is disabled for packets coming from multipath prefixes with three or more reverse-path interfaces (these packets always pass the unicast RPF check).
•interface-group—The PFC3 performs the unicast RPF check in hardware for single-path and two-path prefixes. The PFC3 also performs the unicast RPF check for up to four additional interfaces per prefix through user-configured multipath unicast RPF check interface groups. unicast RPF check is disabled for packets coming from other multiple-path prefixes that have three or more reverse-path interfaces (these packets always pass the unicast RPF check).
This example shows how to configure multiple-path unicast RPF check:
Router(config)# mls ip cef rpf mpath punt
Configuring Multiple-Path Interface Groups
To configure multiple-path unicast RPF check interface groups, perform this task:
| |
Command
|
Purpose
|
Step 1
|
Router(config)# mls ip cef rpf interface-group [0
| 1 | 2 | 3] interface1 [interface2 [interface3
[interface4]]]
|
Configures a multiple-path RPF interface group.
|
Step 2
|
Router(config)# mls ip cef rpf interface-group
group_number
|
Removes an interface group.
|
Step 3
|
Router(config)# end
|
Exits configuration mode.
|
Step 4
|
Router# show mls cef ip rpf
|
Verifies the configuration.
|
This example shows how to configure interface group 2:
Router(config)# mls ip cef rpf interface-group 2 vlan 100 vlan 102 vlan 102 vlan 103
Enabling Self-Pinging
With unicast RPF check enabled, by default the switch cannot ping itself.
To enable self-pinging, perform this task:
| |
Command
|
Purpose
|
Step 1
|
Router(config)# interface vlan vlan_ID
|
Selects the interface to configure.
|
Step 2
|
Router(config-if)# ip verify unicast source
reachable-via any allow-self-ping
|
Enables the switch to ping itself or a secondary address.
|
Router(config-if)# no ip verify unicast source
reachable-via any allow-self-ping
|
Disables self-pinging.
|
Step 3
|
Router(config-if)# exit
|
Exits interface configuration mode.
|
This example shows how to enable self-pinging:
Router(config)# interface vlan 100
Router(config-if)# ip verify unicast source reachable-via any allow-self-ping
Cisco IOS Firewall Feature Set
These sections describe the Cisco IOS Firewall feature set on the Catalyst 6500 series switches:
•Cisco IOS Firewall Feature Set Support Overview
•Guidelines and Restrictions
•Configuring CBAC on Catalyst 6500 Series Switches
Cisco IOS Firewall Feature Set Support Overview
The Firewall feature set images for the MSFC3 support these Cisco IOS Firewall features:
•Context-based Access Control (CBAC)
•Port-to-Application Mapping (PAM)
•Authentication Proxy
Refer to the Cisco IOS Security Configuration Guide, Release 12.1, "Traffic Filtering and Firewalls" online publications:
•The "Cisco IOS Firewall Overview" chapter at this URL:
http://www.cisco.com/en/US/docs/ios/12_1/security/configuration/guide/scdfirwl.html
•The "Configuring Context-Based Access Control" chapter at this URL:
http://www.cisco.com/en/US/docs/ios/12_1/security/configuration/guide/scdcbac.html
•The "Configuring Authentication Proxy" chapter at this URL:
http://www.cisco.com/en/US/docs/ios/12_1/security/configuration/guide/scdauthp.html
•The Cisco IOS Security Command Reference publication at this URL:
http://www.cisco.com/en/US/docs/ios/12_1/security/command/reference/secur_r.html
The following features are supported both with and without the use of a Cisco IOS firewall image:
•Standard access lists and static extended access lists
•Lock-and-key (Dynamic Access Lists)
•IP session filtering (Reflexive Access Lists)
•Security server support
•Network address translation
•Neighbor router authentication
•Event logging
•User authentication and authorization
Note Catalyst 6500 series switches do not support the Cisco IOS Firewall intrusion detection system (IDS) feature, which is configured with the ip audit command.
Guidelines and Restrictions
•On other platforms, if you enter the ip inspect command on an interface, CBAC modifies ACLs on other interfaces to permit the inspected traffic to flow through the network device. On Catalyst 6500 series switches, you must enter the mls ip inspect commands to permit traffic through any ACLs that would deny the traffic through other interfaces. See the "Configuring CBAC on Catalyst 6500 Series Switches" section.
•Reflexive ACLs and CBAC have conflicting flow mask requirements. When CBAC is configured, reflexive ACLs are processed in software on the MSFC3.
•CBAC is incompatible with VACLs. CBAC and VACLs can both be configured on the switch but not in the same subnet (VLAN).
Note The IDSM uses VACLs to select traffic. To use the IDSM in a subnet where CBAC is configured, enter the mls ip ids acl_name interface command, where acl_name is configured to select traffic for the IDSM.
•Redundancy on the Catalyst 6500 series switches does not support CBAC. You can configure CBAC with high availability on the supervisor engine and HSRP on the MSFC3, but no CBAC state information is preserved.
•To inspect Microsoft NetMeeting (2.0 or greater) traffic, turn on both h323 and tcp inspection.
•To inspect web traffic, turn on tcp inspection. To avoid reduced performance, do not turn on http inspection to block Java.
Note QoS and CBAC do not interact or interfere with each other.
Configuring CBAC on Catalyst 6500 Series Switches
CBAC requires additional configuration on the Catalyst 6500 series switches.
On a network device other than a Catalyst 6500 series switch, when interfaces are configured to deny traffic, CBAC permits traffic to flow bidirectionally through the interface configured with the ip inspect command and also any other interface that the traffic must go through, as shown in this example:
Router(config)# ip inspect name permit_ftp ftp
Router(config)# interface vlan 100
Router(config-if)# ip inspect permit_ftp in
Router(config-if)# ip access-group deny_ftp_a in
Router(config-if)# ip access-group deny_ftp_b out
Router(config)# interface vlan 200
Router(config-if)# ip access-group deny_ftp_c in
Router(config-if)# ip access-group deny_ftp_d out
Router(config)# interface vlan 300
Router(config-if)# ip access-group deny_ftp_e in
Router(config-if)# ip access-group deny_ftp_f out
If the FTP session enters on VLAN 100 and must leave on VLAN 200, CBAC permits the FTP traffic through ACLs deny_ftp_a, deny_ftp_b, deny_ftp_c, and deny_ftp_d. If another FTP session enters on VLAN 100 and must leave on VLAN 300, CBAC permits the FTP traffic through ACLs deny_ftp_a, deny_ftp_b, deny_ftp_e, and deny_ftp_f.
On a Catalyst 6500 series switch, when interfaces are configured to deny traffic, CBAC permits traffic to flow bidirectionally only through the interface configured with the ip inspect command. You must configure other interfaces with the mls ip inspect command.
If the FTP session enters on VLAN 100 and must leave on VLAN 200, CBAC on a Catalyst 6500 series switch permits the FTP traffic only through ACLs deny_ftp_a and deny_ftp_b. To permit the traffic through ACLs deny_ftp_c and deny_ftp_d, you must enter the mls ip inspect deny_ftp_c and mls ip inspect deny_ftp_d commands, as shown in this example:
Router(config)# mls ip inspect deny_ftp_c
Router(config)# mls ip inspect deny_ftp_d
With the configuration in the example, FTP traffic cannot leave on VLAN 300 unless you enter the mls ip inspect deny_ftp_e and mls ip inspect deny_ftp_f commands.
Enter the show fm insp [detail] command to verify the configuration. The show fm insp [detail] command displays the list of ACLs and interfaces on which CBAC is configured and the status (ACTIVE or INACTIVE), as shown in this example:
interface:Vlan305(in) status :ACTIVE
Vlan305(out):status ACTIVE
On VLAN 305, inspection is active in the inbound direction and there is no ACL. ACL deny is applied on VLAN 305 in the outbound direction and inspection is active.
Use the detail keyword to display all of the flow information.
If a VACL is configured on the interface before configuring CBAC, the status displayed is INACTIVE; otherwise, it is ACTIVE. If all PFC resources are already in use, the command displays BRIDGE followed by the number of failed currently active NetFlow requests that have been sent to the MSFC3 for processing.
Local Proxy ARP
The local proxy ARP feature allows the MSFC to respond to ARP requests for IP addresses within a subnet where normally no routing is required. With the local proxy ARP feature enabled, the MSFC responds to all ARP requests for IP addresses within the subnet and forwards all traffic between hosts in the subnet. Use this feature only on subnets where hosts are intentionally prevented from communicating directly with each other by the configuration on the switch to which they are connected.
The local proxy ARP feature is disabled by default. Use the ip local-proxy-arp interface configuration command to enable the local proxy ARP feature on an interface. Use the no ip local-proxy-arp interface configuration command to disable the feature. ICMP redirects are disabled on interfaces where the local proxy ARP feature is enabled.
To use the local proxy ARP feature, enable the IP proxy ARP feature. The IP proxy ARP feature is enabled by default. Refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfssm.html
Jumbo Frame Feature on the MSFC
With an MSFC, you can configure the MTU size on VLAN interfaces to support routing of jumbo frames.
To configure the MTU value, perform this task:
| |
Command
|
Purpose
|
Step 1
|
Router(config)# interface vlan vlan_ID
|
Accesses VLAN interface configuration mode.
|
Step 2
|
Router(config-if)# mtu mtu_size
|
Configures the MTU size. Valid values are from 64 to 17952 bytes.
Note Set the MTU size no larger than 9216, which is the size supported by the supervisor engine.
|
Step 3
|
Router# show interface vlan 111
|
Verifies the configuration.
|
This example shows how to set the MTU size on a VLAN interface and verify the configuration:
Router(config)# interface vlan 111
Router(config-if)# mtu 9216
Router# show interface vlan 111 | include MTU
MTU 9216 bytes, BW 1000000 Kbit, DLY 10 usec,
Configure support for jumbo frames on the supervisor engine as described in the "Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching" chapter of the Catalyst 6500 Series Software Configuration Guide.
ARP on STP Topology Change Notification
The ARP on STP topology change notification feature ensures that excessive flooding does not occur when the MSFC receives a topology change notification (TCN) from the supervisor engine. The feature causes the MSFC to send ARP requests for all the ARP entries belonging to the VLAN interface where the TCN is received. When the ARP replies come back, the PFC learns the MAC entries, which were lost as a result of the topology change. If the MSFC learns the entries immediately following a topology change, excessive flooding is prevented later. No configuration is required on the MSFC. This feature works with supervisor engine software release 5.4(2) or later.
Router-Port Group Management Protocol
These sections describe the Router-Port Group Management Protocol (RGMP):
•Overview
•Restrictions
•Configuration Tasks
Overview
RGMP constrains multicast traffic that exits through ports to which disinterested multicast routers are connected. To effectively constrain traffic, RGMP must be supported on both the switches and the routers in the network.
Note CGMP and IGMP snooping constrain multicast traffic that exits through switch ports to which hosts are connected. They do not constrain traffic that exits through ports to which one or more multicast routers are connected.
Restrictions
The following restrictions apply to RGMP on the MSFC:
•RGMP supports PIM sparse mode only.
RGMP does not support PIM dense mode. RGMP explicitly supports the two AutoRP groups in dense mode by not restricting traffic to those groups but by flooding it to all router ports. For this reason, you should configure PIM sparse-dense mode. If you configure groups other than the AutoRP groups for dense mode, their traffic will not be correctly forwarded through router ports that have been enabled for RGMP.
•You must enable IGMP snooping on the switch.
•To effectively constrain multicast traffic with RGMP, connect RGMP-enabled routers to separate ports on RGMP-enabled switches.
•RGMP only constrains traffic that exits through ports on which it detects an RGMP-enabled router. If a non-RGMP enabled router is detected on a port, that port receives all multicast traffic.
•RGMP does not support directly connected sources in the network. A directly connected source will send traffic into the network without signaling this through RGMP or PIM. This traffic will not be received by an RGMP-enabled router unless the router already requested receipt of that group through RGMP. This restriction applies to hosts and to functions in routers that source multicast traffic, such as the ping and mtrace commands, and multicast applications that source multicast traffic, such as UDPTN.
•RGMP supports directly connected receivers in the network. Traffic to these receivers will be restricted by IGMP snooping, or if the receiver is a router itself, by PIM and RGMP. CGMP is not supported in networks where RGMP is enabled on routers. Enabling RGMP and CGMP on a router interface is mutually exclusive. If RGMP is enabled on an interface, CGMP is silently disabled or vice versa.
•The following properties of RGMP are the same as for IGMP snooping:
–RGMP restricts traffic based on the multicast group, not on the sender's IP address.
–If spanning tree topology changes occur in the network, the state is not flushed as it is with CGMP.
–RGMP does not restrict traffic for the multicast groups 224.0.0.x (x = 0...255), allowing PIMv2 BSR to be used in an RGMP-controlled network.
–RGMP in Cisco switches operates on MAC addresses, not on the IP multicast addresses. Because more than one IP multicast addresses are mapped to one MAC address (refer to RFC 1112), RGMP does not restrict traffic between different IP multicast groups that map to the same MAC address.
–The capability of the switch to restrict traffic is limited by its CAM table capacity.
Configuration Tasks
Step 1 Establish an appropriate topology on the VLANs where you want to use RGMP.
Step 2 Enable RGMP on the switch:
Switch> (enable) set igmp enable
Switch> (enable) set rgmp enable
The first command enables IGMP snooping, and the second enables RGMP. Enabling these features on the switch is a global configuration. RGMP has no effect in those VLANs where there is not at least a single router also configured for RGMP.
Step 3 Enable RGMP on each interface that has a topology appropriate for RGMP:
Router(config)# vlan-interface 10
Router(config-if)# ip rgmp
Step 4 Monitor RGMP on the switch:
Switch> (enable) show rgmp group [mac_addr] [vlan_id]
Switch> (enable) show rgmp group count [vlan_id]
Switch> (enable) show rgmp statistics [vlan_id]
Switch> (enable) clear rgmp statistics
Switch> (enable) show multicast router [igmp | rgmp] [mod/port] [vlan_id]
Switch> (enable> show multicast protocol status
Step 5 Monitor RGMP on the MSFC:
router(enable)# debug ip rgmp [name_or_group_address]
Unsupported Features and Commands
•IOS-SLB
•MPLS
•IPv6
•OSPFv3
•In Release 12.2(18)SXF and later releases, these QoS interface commands are no longer supported on FlexWAN interfaces:
–traffic shape
–priority-group
–custom-queue-list
–tx-queue-limit
Limitations and Restrictions
These sections describe limitations and restrictions:
•MSFC Limitations and Restrictions
•FlexWAN Module Limitations and Restrictions
MSFC Limitations and Restrictions
•IPSec in software on the MSFC is supported only for administrative connections to Catalyst 6500 series switches and Cisco 7600 series routers.
•In a redundant configuration, if you enter the RSA key on the active MSFC, a prompt also appears on the redundant MSFC console. If you do not respond to the prompt on the redundant MSFC console, the RSA key is not created on the redundant MSFC, and upon switchover the newly active MSFC might not have an RSA key or might not have the most recent RSA key.
Workaround: Respond to the prompt on the redundant MSFC console or change the RSA key after the first SRM switchover. (CSCeb54304)
•In Catalyst software releases where caveat CSCeb54315 is not resolved, if you enter the set acllog ratelimit command on the Supervisor Engine 720, NAT does not work on the MSFC.
•In Catalyst software releases where caveat CSCeb37469 is not resolved, with a redundant Supervisor Engine 720 installed, the active MSFC3 boots twice.
•Do not configure input features (for example, policy routing) on tunnel interfaces. (CSCea50523)
•For multicast flows, the PFC does not provide Layer 3 switching on output interfaces with MTU sizes smaller than the flow's input interface MTU size.
Workaround: Configure the same MTU size on both the input and output interfaces. (CSCds42685)
•Before you can enable SRM on the MSFC, high availability must be enabled on the supervisor engine. Failure to do so might result in unexpected system behavior. (CSCdu78927)
•With SRM configured, IP traffic is software switched by the MSFC for several minutes after a switchover to the redundant supervisor engine and MSFC. (CSCdv25906)
•When the outgoing interface list for group G traffic transitions to null on a last-hop multicast router, the router sends a (*,G) prune message to the PIM neighbor toward the rendezvous point (RP) to stop the flow of group G traffic (if any) down the shared tree. The last-hop multicast router does not send an (S,G) prune message to stop the flow of traffic down the shortest path tree (SPT). The transition of the outgoing interface list to null does not trigger an (S,G) prune message. (S,G) prune messages are triggered by the arrival of (S,G) traffic.
If the last-hop multicast router is a Catalyst 6500 series switch, traffic is forwarded by the PFC3. In most cases, RPF-MFD is installed for the (S,G) entries. The MSFC does not see the multicast traffic flowing down the SPT and does not send any traffic-triggered (S,G) prunes to stop the flow of traffic down the SPT. This situation does not have any adverse effect on the MSFC because the PFC3 processes and drops the unwanted (S,G) traffic. (CSCdu40065)
•Integrated routing and bridging (IRB) and concurrent routing and bridging (CRB) have deliberately been disabled on the Catalyst 6500 series switches. Layer 2 VLANs and VLAN interfaces should be used for normal bridging and interVLAN routing. Bridge groups are supported only to bridge nonrouted protocols. (CSCdz21959)
•Catalyst 6500 series switches do not support remote source-route bridging (RSRB).
•With MISTP configured on the supervisor engine, use only the vlan-bridge or dec Spanning Tree Protocols for bridge groups on the MSFC. We recommend the vlan-bridge Spanning Tree Protocol. With MISTP configured on the supervisor engine, the MSFC does not support the IEEE Spanning Tree Protocol. This restriction does not apply to PVST+ or MISTP-PVST+. (CSCdr99236, CSCds09253)
•Use the same Spanning Tree Protocol on all devices that are bridging between VLANs.
•IP unreachable messages and IP redirects are automatically disabled if you configure secondary addresses on a VLAN to avoid out-of order packets when packets are routed between two subnets on the same VLAN. (CSCdr84706)
•The MSFC does not support the MultiNode Load Balancing (MNLB) forwarding agent of the MNLD feature set for LocalDirector. (CSCdr65433)
•The ip multicast rate-limit command is not supported on Catalyst 6500 series switch LAN ports. Refer to the "Configuring QoS" chapter of the Catalyst 6500 Series Software Configuration Guide for information about policing. (CSCds22281)
•If you are using the Catalyst 6500 series switch to handle thousands of IPX flows that might all arrive in simultaneous bursts, we recommend that you enter the following command to avoid excessive CPU load:
Router(config)# ipx route-cache inactivity-timeout 1 100
This command sets the IPX cache inactivity timeout to 1 minute and the maximum invalidations per minute to 100.
•To boot a system image stored on the supervisor engine Flash PC card, at least one VLAN interface must be configured and be active.
•At power up or manual reset, you must configure the MSFC to boot from its bootflash (or the supervisor engine's Flash PC card; however, bootflash is preferred). When you reset the supervisor engine through either a power up or a manual reset, the MSFC cannot boot from a TFTP server on the network. However, when the supervisor engine is up and the port over which the network is being accessed is in forwarding state, you can boot the MSFC from a TFTP server on the network.
•By default, the MSFC sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group; these access-group-denied packets are not dropped in hardware but are bridged to the MSFC so it can generate the ICMP-unreachable message. To drop access-group-denied packets in hardware, you must disable ICMP unreachable messages using the no ip unreachables interface configuration command. The ip unreachables command is enabled by default.
•When using the Network Address Translation (NAT) router feature on the MSFC, with certain configurations, packets traversing the NAT outside interface might be software routed instead of being shortcut, regardless of whether they should or should not be translated. Ideally, for packets traversing the NAT outside interface, you would want only those packets requiring NAT to be software routed. Cisco IOS software will only translate traffic in software that is traversing from NAT inside interfaces to NAT outside interfaces and vice versa.
By making the ACL used for NAT more specific, you can limit the software-handled packets to only those requiring NAT translation.
For example, if you use a general ACL (such as permit ip any any) to specify the traffic that requires NAT, then all traffic inbound or outbound on the NAT outside interface will be software routed (including traffic not originating or destined to NAT inside interfaces). If it is possible to use a more specific ACL (such as permit ip 10.1.1.0 0.0.0.255 any), then only the NAT outside traffic matching that ACL will be software routed. This traffic will still be software routed regardless of whether it is originating or destined to NAT inside interfaces. By making the ACL more specific, you can limit the amount of traffic that is software routed due to the NAT ACL.
•When configuring ACLs on an interface with the tcam priority {high | low | normal} configuration command, entering high Ternary Content Addressable Memory (TCAM) priority gives ACLs on that interface higher priority for getting into the TCAM over ACLs of interfaces with lower (low or normal) priority.
If the ACLs on an interface with high priority exceed the capacity of the TCAM, the ACLs for interfaces with low priority are not be inserted into the TCAM until all high-priority ACLs can fit in the TCAM.
•You can configure VLAN access control lists (VACLs) on the switch to apply to all packets that are routed into or out of a VLAN or that are bridged within a VLAN. VACLs are used strictly for security packet filtering and redirecting traffic to specific physical switch ports. Unlike Cisco IOS ACLs, VACLs are not defined by direction (input or output). For more information, refer to the "Configuring Access Control Lists" chapter of the Catalyst operating system Catalyst 6500 Series Software Configuration Guide.
•MAC address-based Cisco IOS ACLs are not supported for packets shortcut in hardware. MAC address-based Cisco IOS ACLs will be applied on software-switched packets. MAC address-based access control can be supported in hardware for non-IP/IPX packets using VACLs. We recommend that you use VACLs to do MAC-addressed-based ACLs.
•Broadcast-to-multicast translation used with the multicast helper command does not work if a flow is hardware switched.
•If you enable multicast routing globally, then you should also enable multicast routing (using the ip pim command) on all Layer 3 interfaces on which you anticipate receiving IP multicast traffic. This command causes the packets to be sent to the process-switching level for creating the route entry. However, if you disable multicast routing on the RPF interface, the entry cannot be created and the packet is dropped. Exceeding the source-traffic rate that can be handled by the process level can have an undesirable impact on the system. For instance, HSRP timers can expire on a standby router and cause HSRP flapping.
•This message indicates delivery acknowledgment timeouts:
SCP-4-DACK_TIMEOUT_MSG:SCP delivery ack timeout for opcode=118
When a delivery acknowledgment timeout occurs for opcode 118 (that is, multicast MLS SCP messages), then the impact on performance depends on whether MMLS is in IDLE or ACTIVE state. You can determine the state by entering the show mls ip multicast statistics command. If MMLS is active, the message is only a warning and can be ignored. If MMLS is idle, this message is displayed:
Multicast MLS is disabled due to internal messaging error
The feature is disabled on the MSFC. You must disable and reenable the IGMP feature on the supervisor engine before reenabling MMLS on the MSFC.
•After enabling PIM on an interface, you need to enter the ip mroute-cache command on the interface to enable multicast fast switching. If you have "no ip mroute-cache" configured, multicast packets that are not hardware switched will go to a process level. This process increases the load on the router. Software fast switching is useful for flows that can only be partially hardware switched.
•The scheduler allocate command is enabled by default to provide adequate process level cycles under heavy switching loads. (CSCdp90088)
•Topology changes that occur in MISTP spanning tree instances on the supervisor engine are not detected by the VLAN-bridge or DEC Spanning Tree Protocols. MISTP spanning tree instances do not detect topology changes in VLAN-bridge or DEC spanning tree instances. Spanning tree instances that fail to detect topology changes in adjoining spanning tree instances do not age out address tables, which can then result in some loss of connectivity while stale address table entries age out (typically, within the standard aging time of 300 seconds). MISTP-PVST+ mode detects topology changes in IEEE STP bridge groups. (CSCds19906)
•In a redundant configuration, IP access lists can prevent the MSFC from pinging its own interface IP address or the interface HSRP IP address. (CSCdp77698)
•Fast-switched IP multicast traffic that matches a permit access list entry with the log keyword is dropped. Fast switching of IP multicast packets is enabled by default. (CSCds28581)
•For the Response Time Reporter (RTR) agent to send out traps, enter the rtr reaction-configuration 2 timeout-enable action-type traponly command. (CSCdz58158)
•A border router that is positioned between a protocol independent multicast (PIM) dense mode router and a PIM sparse mode router might not register some indirectly connected sources. This problem occurs for traffic that is on an ingress interface configured with the ip pim dense-mode proxy-register command.
Workaround: Disable the multicast routing cache on the incoming interface. This action will cause packets to be process-switched in software on the MSFC instead of fast-switched. (CSCek39668)
•If the MSFC address falls within the range of a PBR ACL, traffic addressed to the MSFC is policy routed in hardware instead of being forwarded to the MSFC. To prevent policy routing of traffic addressed to the MSFC, configure PBR ACLs to deny traffic addressed to the MSFC. (CSCse86399)
FlexWAN Module Limitations and Restrictions
•The FlexWAN module does not support IPX CEF for PFC2 or IPX multilayer switching (MLS) with Release 12.1(6)E and earlier.
•To use the interfaces on the FlexWAN module, you must enable IP routing on the MSFC. (CSCdp34896)
•Named access lists are not supported on the FlexWAN module.
Caveats
•Caveats in Release 12.2(18)SXF and Rebuilds
•Caveats in Release 12.2(17d)SXB Rebuilds
•Caveats in Release 12.2(17a)SX Rebuilds
•Caveats in Release 12.2(14)SX2
Note•All caveats resolved in Release 12.2(17a) are also resolved in Release 12.2(17a)SX1, Release 12.2(17a)SX2, and Release 12.2(17a)SX4. Refer to this URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_release_notes_list.html
•All caveats in Release 12.2(14)S also apply to Release 12.2(14)SX2. Refer to the "Caveats" section in the Cross-Platform Release Notes for Cisco IOS Release 12.2 S publication:
http://www.cisco.com/en/US/docs/ios/12_2s/release/notes/122Srn.html#1008788
•If you have a Cisco.com account that supports access to the Bug Toolkit, you can search for the most current Release 12.2SX caveat information at this URL:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Caveats in Release 12.2(18)SXF and Rebuilds
•Open Caveats in Release 12.2(18)SXF and Rebuilds
•Resolved Caveats in Release 12.2(18)SXF17
•Resolved Caveats in Release 12.2(18)SXF16
•Resolved Caveats in Release 12.2(18)SXF15a
•Resolved Caveats in Release 12.2(18)SXF15
•Resolved Caveats in Release 12.2(18)SXF14
•Resolved Caveats in Release 12.2(18)SXF13
•Resolved Caveats in Release 12.2(18)SXF12a
•Resolved Caveats in Release 12.2(18)SXF12
•Resolved Caveats in Release 12.2(18)SXF11
•Resolved Caveats in Release 12.2(18)SXF10a
•Resolved Caveats in Release 12.2(18)SXF10
•General Caveats in Release 12.2(18)SXF and Rebuilds
•FlexWAN Caveats in Release 12.2(18)SXF and Rebuilds
•Service Module Caveats in Release 12.2(18)SXF
Note The caveat information for Release 12.2(18)SXF and rebuilds is being updated frequently.
Open Caveats in Release 12.2(18)SXF and Rebuilds
None.
Resolved Caveats in Release 12.2(18)SXF17
Resolved Security Caveats
•CSCsh97579—Resolved in 12.2(18)SXF17
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
•CSCsx70889—Resolved in 12.2(18)SXF17
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml
•CSCsq31776—Resolved in 12.2(18)SXF17
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml
Resolved Unknown Caveats
•CSCsy15227—Resolved in 12.2(18)SXF17
Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.
There are no workarounds that mitigate this vulnerability.
This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml
Other Resolved Caveats in Resolved in 12.2(18)SXF17
Identifier
|
Technology
|
Description
|
CSCin79116
|
Infrastructure
|
show memory summary could push the CPU util to 100%
|
CSCsa91716
|
Infrastructure
|
Command sh archive config diff hangs with a remote file in argument
|
CSCse09553
|
Infrastructure
|
no snmp-server sparse-table: ds1 physical layer has none 0 for HC
|
CSCsj06593
|
Infrastructure
|
CPU hog msgs for RFSS worker process and Async write process
|
CSCsk41686
|
Infrastructure
|
PARSER-3-CFGLOG_NOMEM: constanlty in log
|
CSCsr17897
|
Infrastructure
|
SXF : increase the buffer size for config generation
|
CSCsr60789
|
Infrastructure
|
W1.3: VSL crash after preemptive switchover in ifs_open_file_decrement
|
CSCsx05021
|
Infrastructure
|
Router crashes when filesystem becomes full
|
CSCta43093
|
Infrastructure
|
Add a check similar to CSCek58956
|
CSCef09586
|
IPServices
|
CMs stuck in init(d) if DHCP ser. ip addr. overlaps with diff VRF
|
CSCsa41736
|
IPServices
|
Router crash after enable NAT rate-limit feature
|
CSCsg00102
|
IPServices
|
SSLVPN service stops accepting any new SSLVPN connections
|
CSCsh49973
|
IPServices
|
NAT-ALG corrupts offset value of DNS PTR response
|
CSCsk23972
|
IPServices
|
Telnet failed with "No wild listener" error
|
CSCso42170
|
IPServices
|
CPUHOG & Traceback messages seen for IP NAT Ager process.
|
CSCsx33622
|
IPServices
|
Fix MSS calcuation issue in TCP
|
CSCsy88271
|
IPServices
|
6500 - SXF - Nat add-route does not work
|
CSCsz56393
|
IPServices
|
Modular IOS - SUP720 - Sends malformed syslog packet
|
CSCsz63733
|
IPServices
|
Traceback seen with FM Nat configuration
|
CSCsz89107
|
IPServices
|
high cpu due to ip_input process during SNMP trap
|
CSCta24043
|
IPServices
|
"%IPNAT-4-ADDR_ALLOC_FAIL" message seen when all ports are not allocated
|
CSCtb12332
|
IPServices
|
NAT: switch crashes at ipnat_find_map_entry with cat6k SXF16 image
|
CSCsw85254
|
MPLS
|
Bus error and crash at p_enqueue when modifying main:text
|
CSCsz19255
|
MPLS
|
LFIB: Tag rewrites are missing on LC for one of load sharable paths
|
CSCsz30515
|
MPLS
|
SUP720 crash due to tsptun_frr_process process hang
|
CSCsx15396
|
Multicast
|
Mcast IIF stays up while physical interface is down
|
CSCsx34506
|
Multicast
|
RPF failure with no PIM neighbor triggers PIM Hello
|
CSCsw43022
|
platform-76xx
|
HSRP Virtual IP Unreachable for some users
|
CSCsy38911
|
platform-76xx
|
MPLS TE Forwarding broken when enable LDP on TE tunnel
|
CSCta26106
|
QoS
|
RSVP-3-CONSISTENCY error followed by an unexpected reboot.
|
CSCsh15066
|
Routing
|
VRF has 2 ospf process, when one process is removed the router crashed
|
CSCsh23176
|
Routing
|
Router crashes @ rip_timer_process .
|
CSCsm57494
|
Routing
|
BGP update is not sent after reloading opposite router
|
CSCso07476
|
Routing
|
One way audio when RTP header compression is turned on
|
CSCsq49201
|
Routing
|
Password in BGP peer-session template not inherited
|
CSCsr11662
|
Routing
|
EIGRP active routes never go to SIA, queries not sent
|
CSCsr27794
|
Routing
|
BGP updates stuck during peer flap
|
CSCsr90248
|
Routing
|
"aggregate-address advertise-map" not updated dynamically
|
CSCsx06457
|
Routing
|
BGP may modify routes it does not own
|
CSCsx51299
|
Routing
|
Crash when remove and configure ipv6 ACL via telnet and console
|
CSCsx51596
|
Routing
|
TCAM ACL entry not correct after removing IP accounting
|
CSCsy58115
|
Routing
|
Continuous BGP mem increase with non established neighbors
|
CSCsy84134
|
Routing
|
ARP table is flushed when deleting secondary IP address
|
CSCuk55357
|
Routing
|
ALIGN-3-TRACE at ip_broadcast
|
CSCsb80803
|
Security
|
SSH Process: SCHED-3-UNEXPECTEDEVENT error message
|
CSCsg56609
|
Security
|
Crash on talk /tmp/tbdaemon-99/../os/connect.c:1105 seen at bootup
|
CSCsy17893
|
Security
|
Ping to itself doesn't work on IPIP tunnels
|
CSCsz84055
|
Security
|
System crashed unexpected while open ssh2 session
|
CSCek68108
|
Unknown
|
Router crashed at ace_policyloader_util.c after remove crypto map .
|
CSCek74844
|
Unknown
|
sysObjectID is wrong for 7603-S and 7609-S
|
CSCek77996
|
Unknown
|
High CPU caused by data traffic with crypto map in crypto connect mode
|
CSCsb25490
|
Unknown
|
Data is not being hardware switched after OIR/SSO on WS-X6148X2-RJ45
|
CSCsb88996
|
Unknown
|
slb traceback spurious memory access after slb statefull switchover
|
CSCsb96452
|
Unknown
|
IGMPV3 TO_INC{} leave mac entry table do not expire
|
CSCsc85962
|
Unknown
|
Replaying Main Mode packet causing IKE SA deletion
|
CSCsd45698
|
Unknown
|
Cat6K: SLB punted to CPU if src_index is port-channel index
|
CSCsf05390
|
Unknown
|
CPU HOG @ hwidb_iftype_unlist followed by router crash.
|
CSCsf10203
|
Unknown
|
MLD gces not freed even after MLD leaves and L3 traffic stopped
|
CSCsf27621
|
Unknown
|
False Command-Active condition blocking execute-on on MWAM processor
|
CSCsg32319
|
Unknown
|
Probe connections not cleaned up when access/vrf is configured .
|
CSCsg37484
|
Unknown
|
Bus Error in crypto_map
|
CSCsi54373
|
Unknown
|
OSM maps EXP into dBus-CoS during SVI based EoMPLS disposition
|
CSCsj26698
|
Unknown
|
Acct-Session-Id in Accounting-Request is different from in Access-Reques
|
CSCsk38024
|
Unknown
|
VS2: EtherChannel state on standby is incorrect due to out of order FEC
|
CSCsk87604
|
Unknown
|
Device crashes on configuring LPIP with multiple hosts.
|
CSCsl69123
|
Unknown
|
SIP-400:QoS:Police drops MPLSCP, CDPCP negotiation packets - SRA,SRB
|
CSCso35659
|
Unknown
|
L3 traffic rate limited after adding and removing Xcon to a SVI
|
CSCso75862
|
Unknown
|
Negative counter values for input queue on layer 3 interfaces
|
CSCso93350
|
Unknown
|
Boot string fails to set in rommon but no error message
|
CSCsq69567
|
Unknown
|
SSO Switchover + unicast-routing chg cause MC traffic loss for 2 minutes
|
CSCsr06037
|
Unknown
|
the monitor session source is removed by deleting sub-interface
|
CSCsr12976
|
Unknown
|
High CPU in ION ios-base process
|
CSCsr39272
|
Unknown
|
%DATACORRUPTION-1 due to spa sensor temp overruning buffer
|
CSCsr97097
|
Unknown
|
VS: RP IPC-5-WATERMARK msgs due to CARD_RESET, after SSO
|
CSCsr99518
|
Unknown
|
Granikos should not init rekey after recieving new outbound SA at QM3
|
CSCsu29301
|
Unknown
|
C2W21: Ingress SPAN on Sup - ACE module duplicates packets
|
CSCsu76360
|
Unknown
|
Memory Leak in IPSec Key Engine with HA on Sup720 RP
|
CSCsw17070
|
Unknown
|
18SXF: SSO switchover cause portchannel configuation lost in sup uplink
|
CSCsw21852
|
Unknown
|
CSM: memory leak in process "Laminar Icc Event"
|
CSCsw28582
|
Unknown
|
IPSec Tunnels go down after a "show run"
|
CSCsw43377
|
Unknown
|
add user warning for empty classes in OSM qos policy SXF7 and later
|
CSCsw52819
|
Unknown
|
Kernel dumper needs a few enhancements.
|
CSCsw53362
|
Unknown
|
c2w2b: Device crashes with NAT stress test
|
CSCsw68514
|
Unknown
|
SLB probes iin TESTing state while using client cmd in Vserver config
|
CSCsw87563
|
Unknown
|
packets with multicast mac and unicast ip are software routed by cat6500
|
CSCsw92171
|
Unknown
|
multiple "power-input" for new 6kW DC PS do not exist on Standby
|
CSCsx16206
|
Unknown
|
Traffic loss issue from SFM capable modules to other device through DEC
|
CSCsx21886
|
Unknown
|
ISSU switchover command sync issue
|
CSCsx23929
|
Unknown
|
MLPP link are not able pass traffic after SSO even when UP/UP stat on os
|
CSCsx39263
|
Unknown
|
TCAM entries are not installed for TCP intercept after SSO
|
CSCsx49889
|
Unknown
|
SPA-IPSEC-2G-3-ACEI0TCAMFAILE:SpdSpInstall:cannot install Sp TmInsertSp
|
CSCsx51231
|
Unknown
|
Service-policy removed from the interface, but FIE still has NBAR active
|
CSCsx58248
|
Unknown
|
Disable Crypto ACL in SXF
|
CSCsx67510
|
Unknown
|
Memory leak on SP when add/deleting channel groups on PA-MC-2T3+
|
CSCsx76308
|
Unknown
|
HA client crashing attempting to free unassigned memory
|
CSCsy06804
|
Unknown
|
DSCP not preserved during SVI based Eompls Disposition
|
CSCsy08838
|
Unknown
|
Zamboni allows clear packet inbound on protected interface
|
CSCsy24691
|
Unknown
|
entPhysicalTable has power-input 3 Sensor for 6kW DC PS1 and not PS2
|
CSCsy34566
|
Unknown
|
Disable VLAN mapping on ME6524, 6148A-GE-TX
|
CSCsy54365
|
Unknown
|
frequent datapath recovery and traffic loss on WS-X6704 with DFC
|
CSCsy74418
|
Unknown
|
Ping fail with bridging on interface - 6500 w/SUP2 and 6816
|
CSCsy78994
|
Unknown
|
Memory leak in Service Task
|
CSCsy82121
|
Unknown
|
IGMP Source only not working due to MC_CAP not set
|
CSCsy83830
|
Unknown
|
IOS-RLB crashes while deleting the username sticky
|
CSCsy85171
|
Unknown
|
CDL2 Read Error: Time out
|
CSCsy94866
|
Unknown
|
C2W2B: CSM Config sync causes memory leak
|
CSCsz01976
|
Unknown
|
Need a cli to dump the rommon environment and unset rommon variable
|
CSCsz14742
|
Unknown
|
EZVPN config not downloaded on the SPA/VPNSM
|
CSCsz20625
|
Unknown
|
Error message seen if SIP Is OIR'd during Standby SUP bootup
|
CSCsz42143
|
Unknown
|
WS-X6148A-GE-TX module fails keepalives when excessive errors on port.
|
CSCsz43438
|
Unknown
|
Encapsulation change on T1/E1 removes QoS Service Policy
|
CSCsz55834
|
Unknown
|
GLBP may provided BIA MAC instead of Virtual MAC for mobile users
|
CSCsz55950
|
Unknown
|
EoMPLS:DFC LTL programming is not correct for SRP as Core
|
CSCsz62046
|
Unknown
|
Crash at memcpy after CPUHOG in SNMP ENGINE
|
CSCsz67334
|
Unknown
|
ciscoEnvMonTemperatureStatus trap sent sporadically as NotFunctioning
|
CSCsz76015
|
Unknown
|
C2W2: Need cli to set PF_BIAS to ensure lower slot# Sup boots as active
|
CSCsz84544
|
Unknown
|
output drops increment on not-connected interface of 6548GE-TX module
|
CSCsz87648
|
Unknown
|
SP/RP and redundant system handshake broken when the kernel crashes.
|
CSCsz92508
|
Unknown
|
SPA module reloads when no response to keep-alive polling
|
CSCta12382
|
Unknown
|
Udld port config does not sync to standby in rpr-plus mode
|
CSCta12543
|
Unknown
|
Linecard takes MAC address from the linecard.
|
CSCta21771
|
Unknown
|
%CONST_DIAG-SP-3-HM_FCI_0_STUCK: Flow control stuck at 0 error on modul
|
CSCta26529
|
Unknown
|
Standby Reset set entPhysicalAssetID on PS1
|
CSCta27279
|
Unknown
|
WCCP s/w switching with Ingress redirection & interface ACL
|
CSCta32802
|
Unknown
|
Umbrella ddts for porting SR HA fixes+ 2T3E3 SPA fixes into SXF
|
CSCta42989
|
Unknown
|
"%CSM parser state" configuring CLI when configuring via XML also
|
CSCta47653
|
Unknown
|
Cat6k: SXF: Console hangs on reapplying running config with ACL
|
CSCta48521
|
Unknown
|
%DATACORRUPTION-1-DATAINCONSISTENCY: copy error
|
CSCta48968
|
Unknown
|
Modular IOS kernel crashinfo has missing information
|
CSCta52689
|
Unknown
|
cat6k crash in RP due to address error with wccp configuration
|
CSCta53157
|
Unknown
|
SPA-4XT3/E3 int in SIP-200 admin-down on standby after fpd upgrade
|
CSCta55498
|
Unknown
|
[Modular IOS] MIPS CP0 registers save algorthim needs a few improvements
|
CSCta62394
|
Unknown
|
RP crashes @crypto_ipsec_profile_map_val on removing vlan with HA config
|
CSCta71873
|
Unknown
|
Mcast traffic stops flowing across fabric to required fpoes
|
CSCta72199
|
Unknown
|
"aggregate-address advertise-map" not updated dynamically with ION image
|
CSCta76808
|
Unknown
|
add CLI command for medium buffer pool
|
CSCtb02774
|
Unknown
|
PI_E scanner needs to check high LTL index(0x740-0x77f) for PO interface
|
CSCtb23289
|
Unknown
|
Major temperature alarm has to force system shutdown
|
CSCtb23840
|
Unknown
|
%SYS-3-CPUHOG in Time Range Process with QoS Time based ACL
|
CSCtb28032
|
Unknown
|
Changing module corrupts Flex Link
|
CSCtb38547
|
Unknown
|
Incorrect CP0 values and empty kernel variable section in kernel crashin
|
CSCtb68478
|
Unknown
|
"Illegal nextSsIndex value" message should be removed
|
CSCsi56413
|
WAN
|
PA-POS-OC3SMI interface output stuck .
|
Resolved Caveats in Release 12.2(18)SXF16
Resolved AAA Caveats
•CSCsv73509—Resolved in 12.2(18)SXF16
Symptoms: When "no aaa new-model" is configured, authentication happens through the local even when tacacs is configured. This happens for the exec users under vty configuration.
Conditions: Configure "no aaa new-model", configure login local under line vty 0 4 and configure login tacacs under line vty 0 4.
Workaround: There is no workaround.
Resolved Infrastructure Caveats
•CSCse85652—Resolved in 12.2(18)SXF16
Symptom: The Cisco IOS HTTP server and the Cisco IOS HTTPS server provide web server functionality to be used by other Cisco IOS features that require it to function. For example, embedded device managers available for some Cisco IOS devices need the Cisco IOS HTTP server or the Cisco IOS HTTPS server to be enabled as a prerequisite.
One of the functionalities provided by the Cisco IOS HTTP server and the Cisco IOS HTTPS server is the WEB_EXEC module, which is the HTTP-based IOS EXEC Server. The WEB_EXEC module allows for both "show" and "configure" commands to be executed on the device through requests sent over the HTTP protocol.
Both the Cisco IOS HTTP server and the Cisco IOS HTTPS server use the locally configured enable password (configured by using the enable password or enable secret commands) as the default authentication mechanism for any request received. Other mechanisms can also be configured to authenticate requests to the HTTP or HTTPS interface. Some of those mechanisms are the local user database, an external RADIUS server or an external TACACS+ server.
If an enable password is not present in the device configuration, and no other mechanism has been configured to authenticate requests to the HTTP interface, the Cisco IOS HTTP server and the Cisco IOS HTTPS server may execute any command received without requiring authentication. Any commands up to and including commands that require privilege level 15 might then be executed on the device. Privilege level 15 is the highest privilege level on Cisco IOS devices.
Conditions: For a Cisco IOS device to be affected by this issue all of the following conditions must be met:
–An enable password is not present in the device configuration
–Either the Cisco IOS HTTP server or the Cisco IOS HTTPS server is enabled
–No other authentication mechanism has been configured for access to the Cisco IOS HTTP server or Cisco IOS HTTPS server. Such mechanisms might include the local user database, RADIUS (Remote Authentication Dial In User Service), or TACACS+ (Terminal Access Controller Access-Control System)
The Cisco IOS HTTP server is enabled by default on some Cisco IOS releases.
Workaround: Any of the following workarounds can be implemented:
–Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an enable password
Customers requiring the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server must configure an authentication mechanism for any requests received. One option is to use the enable password or enable secret commands to configure an enable password. The enable password is the default authentication mechanism used by both the Cisco IOS HTTP server and the Cisco IOS HTTPS server if no other method has been configured.
In order to configure an enable password by using the enable secret command, add the following line to the device configuration:
Replace mypassword with a strong password of your choosing. For guidance on selecting strong passwords, please refer to your site security policy. The document entitled "Cisco IOS Password Encryption Facts" explains the differences between using the enable secret and the enable password commands to configure an enable password. This document is available at the following link: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00809d38a7.shtml
–Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an authentication mechanism other than the default
Configure an authentication mechanism for access to the Cisco IOS HTTP server or the Cisco IOS HTTPS server other than the default. Such authentication mechanism can be the local user database, an external RADIUS server, an external TACACS+ server or a previously defined AAA (Authentication, Authorization and Accounting) method. As the procedure to enable an authentication mechanism for the Cisco IOS HTTP server and the Cisco IOS HTTPS server varies across Cisco IOS releases and considering other additional factors, no example will be provided. Customers looking for information about how to configure an authentication mechanism for the Cisco IOS HTTP server and for the Cisco IOS HTTPS server are encouraged to read the document entitled "AAA Control of the IOS HTTP Server", which is available at the following link: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
–Disabling the Cisco IOS HTTP Server and/or the Cisco IOS HTTPS server functionality
Customers who do not require the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server can disable it by adding the following commands to the device configuration:
no ip http server no ip http secure-server
The second command might return an error message if the Cisco IOS version installed and running on the device does not support the HTTPS server feature. This error message is harmless and can safely be ignored.
Please be aware that disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server may impact other features that rely on it. As an example, disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server will disable access to any embedded device manager installed on the device.
Further Problem Description: In addition to the explicit workarounds detailed above it is highly recommended that customers limit access to Cisco IOS HTTP server and the Cisco IOS HTTPS server to only trusted management hosts. Information on how to restrict access to the Cisco IOS HTTP server and the Cisco IOS HTTPS server based on IP addresses is available at the following link: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_http_web_ps6350_TSD_Products_Configuration_Guide_Chapter.html
Customers are also advised to review the "Management Plane" section of the document entitled "Cisco Guide to Harden Cisco IOS Devices" for additional recommendations to secure management connections to Cisco IOS devices. This document is available at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
•CSCsi13344—Resolved in 12.2(18)SXF16
Symptom: Three separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities and a cross-site request forgery (CSRF) vulnerability have been reported to Cisco by three independent researchers.
The Cisco Security Response is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml
Conditions: See "Additional Information" section in the posted response for further details.
Workarounds: See "Workaround" section in the posted response for further details.
•CSCsr72301—Resolved in 12.2(18)SXF16
Symptom: Three separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities and a cross-site request forgery (CSRF) vulnerability have been reported to Cisco by three independent researchers.
The Cisco Security Response is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml
Conditions: See "Additional Information" section in the posted response for further details.
Workarounds: See "Workaround" section in the posted response for further details.
Resolved IPServices Caveats
•CSCsk64158—Resolved in 12.2(18)SXF16
Several features within Cisco IOS Software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked, transit traffic will not block the interface.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory.
This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
•CSCsv04836—Resolved in 12.2(18)SXF16
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.
In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.
Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.
•CSCsw18636—Resolved in 12.2(18)SXF16
Symptom: High CPU utilization after receives a ARP packet with protocol type as 0x1000.
Conditions: This problem occurs on SUP32 running 12.2(33)SXI. This problem does not occur on SUP720. The problem is only seen when you have bridge-group CLI being used which lead to arp pkts with protocol types as 0x1000 being bridged. The problem does not apply for IP ARP packets.
Workaround: Filter the ARP packet. The device Config should have bridge-group creation first; followed by interface specific bridge-group options.
Additional Information: This problem is now isolated to command ordering in the startup-config file. The bridge <> command is saved before the bridge-group <> command (which is run in the interface-config mode) is saved. The linking of IDB to bridge structure is not happening correctly and some check fails in the bridge code that lets the packet to be processed again and again instead of being dropped.
If the bridge-group <> command is removed in the startup-config and only applied after the bridge <> command is run, the problem will go away. Please use this workaround until a fix is put in.
•CSCsr29468—Resolved in 12.2(18)SXF16
Cisco IOS Software contains a vulnerability in multiple features that could allow an attacker to cause a denial of service (DoS) condition on the affected device. A sequence of specially crafted TCP packets can cause the vulnerable device to reload.
Cisco has released free software updates that address this vulnerability.
Several mitigation strategies are outlined in the workarounds section of this advisory.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
•CSCsm27071—Resolved in 12.2(18)SXF16
A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS Software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:
–The configured feature may stop accepting new connections or sessions.
–The memory of the device may be consumed.
–The device may experience prolonged high CPU utilization.
–The device may reload.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the "workarounds" section of the advisory.
The advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
Resolved LAN Caveats
•CSCsv05934—Resolved in 12.2(18)SXF16
Summary: Cisco's VTP protocol implementation in some versions of Cisco IOS and CatOS may be vulnerable to a DoS attack via a specially crafted VTP packet sent from the local network segment when operating in either server or client VTP mode. When the device receives the specially crafted VTP packet, the switch may crash (and reload/hang). The crafted packet must be received on a switch interface configured to operate as a trunk port.
Workarounds: There are no workarounds available for this vulnerability.
This response is posted at http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml
Resolved Multicast Caveats
•CSCso90058—Resolved in 12.2(18)SXF16
Symptom: MSFC crashes with RedZone memory corruption.
Conditions: This problem is seen when processing an Auto-RP packet and NAT is enabled.
Workaround: None known at this time.
Resolved Routing Caveats
•CSCsx73770—Resolved in 12.2(18)SXF16
Symptom: A Cisco IOS device that receives a BGP update message and as a result of AS prepending needs to send an update downstream that would have over 255 AS hops will send an invalid formatted update. This update when received by a downstream BGP speaker triggers a NOTIFICATION back to the sender which results in the BGP session being reset.
Conditions: This problem is seen when a Cisco IOS device receives a BGP update and due to a combination of either inbound, outbound, or both AS prepending it needs to send an update downstream that has more than 255 AS hops.
Workaround: The workaround is to implement bgp maxas-limit X on the device that after prepending would need to send an update with over 255 AS hops. Since IOS limits the route-map prepending value to 10 the most that could be added is 21 AS hops (10 on ingress, 10 on egress, and 1 for normal eBGP AS hop addition). Therefore, a conservative value to configure would be 200 to prevent this condition.
Other Resolved Caveats in Resolved in 12.2(18)SXF16
Identifier
|
Technology
|
Description
|
CSCef97900
|
AAA
|
AAAA-3-DROPACCTLOWMEM warning message somewhat misleading
|
CSCin40015
|
AAA
|
telnet to NAS fails when user profile has access-profile
|
CSCsl29214
|
AAA
|
AAA server change leads to bus error crash after "show run" is issued
|
CSCso95210
|
AAA
|
AAA Client creates bad Message Authenticator attr for every first packet
|
CSCsx28646
|
ATM
|
Unable to configure atm pvp l2transport
|
CSCsx40747
|
Content
|
Router hangs while doing ip casa configurations
|
CSCsc86307
|
Infrastructure
|
c3845 crashed @ show_systat
|
CSCsm32392
|
Infrastructure
|
memory corruption crash at nv_ifs_open and nv_ifs_close
|
CSCso49598
|
Infrastructure
|
Stby reloads cont. when upto MAXINT logical int created thru int ran
|
CSCsq03621
|
Infrastructure
|
Timestamps in "show rmon events" wrap at 2^32-1 milliseconds (7+ weeks)
|
CSCsw35917
|
Infrastructure
|
SP syslog messages not sent as SNMP traps by RP's SNMP agent
|
CSCec72958
|
IPServices
|
Software forced crash when translating LDAP packet
|
CSCsk16821
|
IPServices
|
DHCP does not NAK after DHCPREQUEST from unknown client .
|
CSCso02053
|
IPServices
|
NAT does not add dynamic aliases after reload.
|
CSCso04657
|
IPServices
|
SSLVPN service stops accepting any new SSLVPN connections
|
CSCso54027
|
IPServices
|
Spurious memory access in ttcp_rcv_stats
|
CSCsq60504
|
IPServices
|
Modular IOS Sup720: crashed with tcp timeout logs
|
CSCsr08771
|
IPServices
|
Crash seen @ dhcpd_pool_nvgen and dhcpd_copy_bootfile
|
CSCsx32283
|
IPServices
|
Malformed L field in LDAP crashes 6k with NAT
|
CSCsh33167
|
LegacyProtocols
|
Dlsw transparent cache holds MAC address for disconnected circuit
|
CSCsk41552
|
Management
|
T/B %SCHED-3-THRASHING of cdp2.iosproc process_wait_for_event
|
CSCsb52253
|
MPLS
|
IPv4 iBGP multipath in MPLS network needs to be blocked or hardcoded
|
CSCsc78971
|
MPLS
|
LDP:Incorrect address withdraw after IP address removal on shutdown i/f
|
CSCse22900
|
MPLS
|
w/mis-config'd dup vrf CEF/BGP table MPLS label mismatch may occur
|
CSCsk99530
|
MPLS
|
LFIB untagged entries while LIB has valid lables in CSC MPLS VPN c12000
|
CSCsm70668
|
MPLS
|
OIR over E3:POS impacting complete Traffic with biscuit tunnel
|
CSCsu45425
|
MPLS
|
FIB/LFIB not updated correctly on GSR runing 12.0(33)S1 after route-flap
|
CSCsw19951
|
MPLS
|
SP & DFC crash when forwarding a packet with MPLS
|
CSCse03637
|
Multicast
|
PIM Dense Mode - Prune sent in error after assert is won .
|
CSCsj88725
|
Multicast
|
Wrong (S,G) RPF after route change, no upstream join
|
CSCsm77608
|
Multicast
|
IP Multicast packets are Process switched.
|
CSCsr09312
|
Multicast
|
crash when doing mrm stop
|
CSCsr49316
|
Multicast
|
Crash ipv6_static_route_find after configured & executed show ipv6 rpf x
|
CSCsv99150
|
platform-76xx
|
status led of ge-wan module not showing proper status
|
CSCsg25664
|
PPP
|
dLIFoMLPPPoATM PA: Corrupted PC crash PR
|
CSCsr81271
|
PPP
|
Invalid VCD error messages upon PVC flap
|
CSCek63384
|
QoS
|
Service-Policy is Lost When the Multilink Interface is Reset .
|
CSCsv85791
|
QoS
|
Flexwan+/PA-MC-2T3+ introduce 5+ seconds delay on egress
|
CSCee30355
|
Routing
|
Memory leak at ip_multicast_ctl
|
CSCeg49075
|
Routing
|
MSFC2 remark lines in ACLs duplicated in the NDR MSFC
|
CSCei86031
|
Routing
|
changing match command on fly does not filter route correctly .
|
CSCej49366
|
Routing
|
Removing default-metric under EIGRP deletes routes erroneously
|
CSCek75079
|
Routing
|
Problem in type7 to type5 translation if summary-addr configured
|
CSCsa72878
|
Routing
|
ISIS: clns route from end-system not in database
|
CSCsb15164
|
Routing
|
Security holes while configuring a standard ACE with host address
|
CSCsc01880
|
Routing
|
%FIB-4-FIBCBLK: Missing cef table for tableid 770 during routing table e
|
CSCse53019
|
Routing
|
redistribution not triggered when BGP as-path/community changes
|
CSCse68877
|
Routing
|
CEF/BGP table MPLS label mismatch YW3 Non Multi-path
|
CSCsg46366
|
Routing
|
OSPF NSSA LSA forwarding address set even when P bit wil be clear.
|
CSCsg68717
|
Routing
|
A weird behavior in maxpath configuration in ebgp+ibgp case
|
CSCsi01324
|
Routing
|
Modifying acl concerned with distribute-list withdraw summary route
|
CSCsi03434
|
Routing
|
Memory leak @ ospf_redist_work_enqueue
|
CSCsj09838
|
Routing
|
RR some prefix might not be sent after bgp neighbor flaps .
|
CSCsj13911
|
Routing
|
Cat3750:EIGRP does not receive reply for query between some Vlan
|
CSCsk35688
|
Routing
|
Aggregate routes not processed if child routes are deleted pre-maturely
|
CSCsk72259
|
Routing
|
Auto-repair not updating inconsistent cef entries
|
CSCsl32318
|
Routing
|
OSPF: new fix for CSCsk36324 SPF loop
|
CSCsl84712
|
Routing
|
Error- %OSPF-4-FLOOD_WAR: Process 123 re-originates LSA ID 10.55.122.148
|
CSCsm50741
|
Routing
|
Removal of DCbitless LSA causes problems
|
CSCsm95129
|
Routing
|
"no ip next-hop-self eigrp" not working when redistribute from BGP
|
CSCsm96901
|
Routing
|
Unable to ping between vrfs through transparent bridge
|
CSCso08786
|
Routing
|
Standby reloads due to config sync failure on inherit peer-policy cmd.
|
CSCso54167
|
Routing
|
BGP peer stuck with table version 0
|
CSCsr67361
|
Routing
|
I/O memory leaks when BGP neighbor points to a local address
|
CSCsr88362
|
Routing
|
eigrp routes aren't updated after SSO switchover
|
CSCsu24087
|
Routing
|
Cisco7609 crashes after "clear ip bgp neighbor x.x.x.x soft in"
|
CSCsu36709
|
Routing
|
Unable to boot IOS image on PE (vrf-enabled) router - software fault
|
CSCsv01474
|
Routing
|
'ip rip advertise' command lost after interface flap/clear ip route
|
CSCsv27607
|
Routing
|
BGP: Outbound route-map updating withdraw only one member
|
CSCsw28893
|
Routing
|
Cost no longer showing with each eigrp route after IOS upgrade
|
CSCsw65441
|
Routing
|
ARP packets drops due to excessive ARP requests sourced from SVI
|
CSCsx15841
|
Routing
|
aggregate-address does not NVGEN upon switchover on cat6k
|
CSCsc91824
|
Security
|
SSH from router disconnects vty session if there is no matching cipher
|
CSCsd81870
|
Security
|
Teraterm + TTSSH2 does not work in SSH Ver.2
|
CSCeh00399
|
Unknown
|
RRI: refcount not inc on rekey in certain circ lead to route removal
|
CSCei29284
|
Unknown
|
Rockies3 SUP32 SNMP:Traceback msg when execute private vlan script
|
CSCek28863
|
Unknown
|
Need to change default SCP keepalive timeout on IOS to CSM module
|
CSCsc73409
|
Unknown
|
IGMPv3 report suppression doesnt send out group records correctly
|
CSCsc98850
|
Unknown
|
ZAMBONI:Could not send pmtu information vlan 65535 pmtu 0 Error
|
CSCsd04937
|
Unknown
|
Crash in chunk_free called from mfib_const_rp_free after (*,G) HW enable
|
CSCse12518
|
Unknown
|
MET optimized update can cause blackholing and duplicates
|
CSCsg14926
|
Unknown
|
Standby can not boot because of insufficient memory with 32K interfaces
|
CSCsg53526
|
Unknown
|
Some packets to vip are denied by inbound acl after server nat
|
CSCsh22225
|
Unknown
|
CWAN_HA-STDBY-4-IFCFG_PLAYBACK_ERROR:
|
CSCsh98849
|
Unknown
|
SIERRA: Active and stby SP and active RP crashed@rf_proxy_fatal_error
|
CSCsi14145
|
Unknown
|
runt counter not implemented correctly
|
CSCsi66012
|
Unknown
|
2 garbage values in show module csm x ft details
|
CSCsi88920
|
Unknown
|
MLD rcvr in SVI stops receiving v6 mcast trffc if another rcvr leaves
|
CSCsk23521
|
Unknown
|
EARL-SPSTBY-2-SWITCH_BUS_IDLE is seen with SW switched traffic
|
CSCsl02190
|
Unknown
|
ICMPv6 to all node multicast address fail .
|
CSCsm31178
|
Unknown
|
policy-map stops working on a good int if wrongly applied on another int
|
CSCsm43962
|
Unknown
|
Cat6k L2TP packet looped through blocked port
|
CSCsm66023
|
Unknown
|
IPv6 VTI RP crashed ace_reverse_map when changing tnlsrc from v4 to v6
|
CSCsm75286
|
Unknown
|
bgp route-map doesn't work correctly when deleted part of sequences
|
CSCsm76792
|
Unknown
|
PM HA bulk sync posting RF_DONE before bulk sync has finished
|
CSCsm85936
|
Unknown
|
UUT cpu at 40% with bi-dir traffic across a single tunnel
|
CSCsm93648
|
Unknown
|
C2W2:080226 Rtr crashed when moving tunnels from VTI to GRE/TP
|
CSCso11822
|
Unknown
|
LACP PC switchport, on OIR, "channel group 112 active" config gets lost
|
CSCso29141
|
Unknown
|
DFC installs drop index for MAC-address
|
CSCso88042
|
Unknown
|
Wism module Allowed-Vlan statements lost on reload
|
CSCso88772
|
Unknown
|
sp-inband tx capture causes primary SUP to hang
|
CSCsq22383
|
Unknown
|
SP crash due to CPU hog by online diags
|
CSCsq42885
|
Unknown
|
Line card crashes with %IPC-2-ONINT error on OSM
|
CSCsq51378
|
Unknown
|
ATM PA Interface shows up/up after force redundancy, no cables connected
|
CSCsq56941
|
Unknown
|
6500 - Static MAC cleared from port-channel member ints after reload
|
CSCsq73122
|
Unknown
|
Proxy-ARP returns BIA instead of VMAC with LAM
|
CSCsq75704
|
Unknown
|
FW2 FE PA Interface stays up/down with no conn and goes up/up after sso
|
CSCsq80145
|
Unknown
|
VACL does not work against self initiated packet
|
CSCsq83789
|
Unknown
|
LTL for unknow unicast is wrongly programmed for some L3 interfaces
|
CSCsq84116
|
Unknown
|
Cisco 7604 with OC3, Flexwan crashes into ROMMON
|
CSCsq90844
|
Unknown
|
bridge-group config make packets be routed
|
CSCsq94136
|
Unknown
|
Burst of traffic cause anti-replay check to fail
|
CSCsr29559
|
Unknown
|
WCCP flap corrupts mcast CEF adjacency
|
CSCsr37131
|
Unknown
|
buginf calls in l2trace when 'debug l2trace' is disabled
|
CSCsr45495
|
Unknown
|
PBR with deny statements : TCAM running out of masks
|
CSCsr51799
|
Unknown
|
pa-mc-8t1 interface down after stopping BERT prematurely
|
CSCsr69929
|
Unknown
|
ACL based uRPF check is causing acl permit packets to be dropped
|
CSCsr88625
|
Unknown
|
Seeing ME_AR#0 WARNING: Cannot FLUSH Dic#0 when WS-X6708-10GE boots
|
CSCsr88845
|
Unknown
|
unicast BootP replies dropped by DHCP snooping
|
CSCsu05800
|
Unknown
|
C2W2: need to extend the wait time for bus sync after sso
|
CSCsu07931
|
Unknown
|
cbQosPoliceConformedByte64 counter displays aggregate instead conformed
|
CSCsu18231
|
Unknown
|
IKE process fails to start phase1 if in up-no-ike and DPD triggered
|
CSCsu33707
|
Unknown
|
Multicast traffic will not stop after PIM prune
|
CSCsu37481
|
Unknown
|
Netflow Incorrect Octet value with packet-based sampling
|
CSCsu37899
|
Unknown
|
SXF15: autostate configuration missing after SSO
|
CSCsu45210
|
Unknown
|
Upgrade 12.2SXF-> 12.2SXH with Port-Security causes standby boot loop
|
CSCsu46982
|
Unknown
|
I/O rate counter inaccurate when applying serv policy and MPLS traffic
|
CSCsu49002
|
Unknown
|
ciscoIpMRouteBps sometimes indicates wrongful value
|
CSCsu49257
|
Unknown
|
Cstn-id timer should be restarted when access-request is seen
|
CSCsu57958
|
Unknown
|
DHCP-Snooping not intercepting DHCP messages from the Server
|
CSCsu68698
|
Unknown
|
No syslogs and stack on console when SP crashes due RP boot timeout
|
CSCsu86524
|
Unknown
|
IKMP process leak: check_ipsec_proposal
|
CSCsu91725
|
Unknown
|
Bus crash problem due to cipSecGlobalStats MIB query
|
CSCsu99270
|
Unknown
|
CPUHOG observed when configuring more vlan interfaces
|
CSCsv07858
|
Unknown
|
IfIndex for unconfigured VLAN on 7613
|
CSCsv10229
|
Unknown
|
Failed to assert Physical Port Administrative State Down alarm
|
CSCsv17989
|
Unknown
|
interface in SIP200 show "admin down" when it is physical down
|
CSCsv18579
|
Unknown
|
'recognized & transferred a satvcl packet' observed on 6708 / module 1
|
CSCsv63144
|
Unknown
|
Controller remains DOWN after switchover
|
CSCsv64079
|
Unknown
|
SXF7: Patching fails with WiSM Card on Cat6500
|
CSCsv66827
|
Unknown
|
Clearing the SSH session from a different vty session crashes the box.
|
CSCsv85551
|
Unknown
|
SP crash due to consume all scp triggered by OIR loop when PS go off
|
CSCsw35155
|
Unknown
|
reduce move count for SAs in SXF
|
CSCsw38075
|
Unknown
|
%SYS-2-GETBUF: Bad getbuffer error messages after IOS upgrade
|
CSCsw43953
|
Unknown
|
Error message seen if SIP Is OIR'd during Standby SUP bootup
|
CSCsw65477
|
Unknown
|
MLD snooping broken in SXF16 engg (pre-release) images
|
CSCsw68032
|
Unknown
|
Serial links UP/DOWN after SSO on OSM Module
|
CSCsw69911
|
Unknown
|
SIP-400 POS WRED queues tail dropping without random drops
|
CSCsw75293
|
Unknown
|
18SXF: RP Mapping not seen in last hop router in Sup2 image
|
CSCsw82431
|
Unknown
|
18SXF16:Device crashes while unconfiguring PBR configs.
|
CSCsw96891
|
Unknown
|
CPUHOG observerd after issuing exec commands
|
CSCei77073
|
WAN
|
NTP client need to reset auto learnt source IP address
|
Resolved Caveats in Release 12.2(18)SXF15a
Identifier
|
Product
|
Component
|
Description
|
CSCsu45425
|
all
|
mpls-lfib
|
FIB/LFIB not updated correctly on GSR runing 12.0(33)S1 after route-flap
|
Resolved Caveats in Release 12.2(18)SXF15
Resolved Caveats for Product `all' and Component `bgp'
•CSCsk69927—Resolved in 12.2(18)SXF15
Symptoms:
All the BGP routes are dropped when IOS device receives BGP update with atomic-aggregate length as 254 (0xfe).
Conditions:
The topology consists of two eBGP peers with test traffic across the link. The BGP process does not crash, and routes are not restored after the event.
Workaround:
None.
Resolved Caveats for Product `all' and Component `mlp'
•CSCsa49019—Resolved in 12.2(18)SXF15
Symptoms: A memory leak may occur in the "Multilink Events" process, which can be seen in the output of the show memory summary command:
0x60BC47D0 0000000024 0000000157 0000003768 MLP bundle name
0x60BC47D0 0000000028 0000000003 0000000084 MLP bundle name
0x60BC47D0 0000000044 0000000001 0000000044 MLP bundle name
0x60BC47D0 0000000048 0000000001 0000000048 MLP bundle name
0x60BC47D0 0000000060 0000000001 0000000060 MLP bundle name
0x60BC47D0 0000000064 0000000013 0000000832 MLP bundle name
0x60BC47D0 0000000068 0000000008 0000000544 MLP bundle name
0x60BC47D0 0000000072 0000000001 0000000072 MLP bundle name
0x60BC47D0 0000000076 0000000001 0000000076 MLP bundle name
0x60BC47D0 0000000088 0000000018 0000001584 MLP bundle name
Conditions: This symptom is observed when two interfaces are configured in the same multilink group or are bound to the same dialer profile.
Workaround: There is no workaround.
Other Resolved Caveats in Release 12.2(18)SXF15
Identifier
|
Product
|
Component
|
Description
|
CSCsg18288
|
all
|
aaa
|
Enable authentication ignores Tacacs+ configuration in rare situation
|
CSCso95426
|
all
|
aaa
|
Exposure of Radius-Keys in debugs.
|
CSCei33231
|
all
|
atmcommon
|
ATM PVC bundle protected group test failed with bumping exhausted
|
CSCek74474
|
all
|
atmcommon
|
no/default proto ip inarp cmd ineffective until ATM VC bounced.
|
CSCsd92325
|
all
|
bgp
|
Config sync: no neighbor 192.168.240.34 triggers standby reset
|
CSCsf06946
|
all
|
bgp
|
Removing loopback interface causes continuous standby RP reloading
|
CSCsi27696
|
all
|
bgp
|
oldest ebgp bestpath not retained in eibgp multpath cases
|
CSCsi68795
|
all
|
bgp
|
PE wrongly assigns local label to a vpnv4 confederation prefix
|
CSCsi98730
|
all
|
bgp
|
CEF/BGP table MPLS label mismatch in IOS 12.4(6)T5
|
CSCsl92283
|
all
|
bgp
|
Unable to add into routing table if static route use interface + gateway
|
CSCso62166
|
all
|
bgp
|
Crash @ bgp_netlist_validate when ibgp established with metric
|
CSCso93535
|
all
|
bgp
|
Upon removing a VRF, BGP route timers in other VRF's get reset
|
CSCsq13938
|
all
|
bgp
|
reload on 'show ip bgp vpnv4' when import src delinked by BGP deconfig
|
CSCsq21198
|
all
|
bgp
|
PE loses VPNv4-MDTs from a RR when another RR fails (or shuts neighbor)
|
CSCsl04386
|
all
|
cat6000-env
|
%BIT-STDBY-4-OUTOFRANGE : Traceback on Bootup .
|
CSCse53517
|
all
|
cat6000-wireless
|
WiSM: Tracebacks seen after SSO switchover
|
CSCsm78651
|
all
|
csg
|
malloc memory issue in standby SP supervisor
|
CSCsi15183
|
all
|
eigrp
|
change MTU value causes %DUAL-3-INTERNAL in ipigrp2_add_item_dest
|
CSCsm70580
|
all
|
ftp
|
c2w2:ciscoFtpClientMIB: ftp_fs.proc extra processes can deadlock & crash
|
CSCsi76936
|
all
|
glbp
|
Crash in GLBP if debug is enabled and it rcvs pkt from unknown group
|
CSCsl70070
|
all
|
hsrp
|
CPUHOG when doing HSRP SNMP query
|
CSCsq29165
|
all
|
install
|
Rockies-sup3:UUT hangs during installation
|
CSCsm45634
|
all
|
ip
|
BGP VPNv4 route is not actived immediately after receving update
|
CSCsl60092
|
all
|
ipc
|
Active SP crashed @ipc_fragment_cleanup with VSL shut/no shut test
|
CSCsl92316
|
all
|
ipmulticast
|
LNS: %SYS-3-CPUHOG when clear l2tp tunnel, sessions have multicast
|
CSCsl26998
|
all
|
ip-pbr
|
Switch crashes on applying PBR with next-hop verify-availability
|
CSCsm04442
|
all
|
ip-rip
|
Router crash at rip_find_sum_idb
|
CSCsh38140
|
all
|
isis
|
CEF drops when using CEF LB paths and active link recovers from failure
|
CSCsm30973
|
all
|
mpls-lfib
|
bgp multipath with ipv4+label nexthop: label missing in cef
|
CSCso22730
|
all
|
mpls-lfib
|
Prefixes get assigned imp-null local label after OIR linecard
|
CSCsi77983
|
all
|
netflow-switch
|
RP crashed ipflow_pak_pre_check on shutdown the trunk port
|
CSCso87348
|
all
|
netflow-switch
|
Corruption in subflow code
|
CSCsm04256
|
all
|
neutrino
|
CPUHOG and crash after 'show memory detailed all statistics' issued
|
CSCsm69827
|
all
|
neutrino
|
%SYS-2-MALLOCFAIL:Process= "GraphIt" in SXH1_fc3
|
CSCsg32308
|
all
|
ntp
|
copy/paste of ntp-authentication-key statement is not possible
|
CSCek58956
|
all
|
os
|
Need process_ok_to_reschedule check in process_may_suspend
|
CSCsq50429
|
all
|
osm-qos
|
OSM card unexpected reload @ cwtlc_qos_create_global_qid_info
|
CSCsa73179
|
all
|
ospf
|
Memory corruption/crash when 'no default-information orig' under RIP
|
CSCsm91801
|
all
|
ospf
|
ASBR not updating metric in LSA-5 redistributing from 2-nd OSPF process
|
CSCsm01126
|
all
|
parser
|
PRE-B crashes while in progress to standby cold-config
|
CSCsj49293
|
all
|
pas-2pos-7xxx
|
POS Interface Output Rate (200 mbps) > Line rate (155 Mbps)
|
CSCsd14706
|
all
|
pim
|
PIMV2 router send PIMV1 RP-reachable messages loading recieve router CPU
|
CSCsq14151
|
all
|
pim
|
RPF of (S,G) is set to NULL, When (S, G, R) entry is convered to (S, G)
|
CSCsd62013
|
all
|
snmp
|
Traceback on Standby RP@add_lpmapping_entry_private+74
|
CSCso26788
|
all
|
ssh
|
Re-work CSCin91851 for SXF
|
CSCsr60782
|
all
|
ssh
|
Fix SA warnings in ssh2_support.c
|
CSCsr85093
|
all
|
ssh
|
SXF15: SSH session fails withRSA signature verification failed after SSO
|
CSCsq48201
|
all
|
trans-bridging
|
c7300:Bridge IRB-Router crash and traffic flow issue
|
CSCsi63649
|
all
|
ts
|
%SYS-3-TIMERNEG:Cannot start timer with negative offset,TTY Background
|
CSCsd37499
|
c12000
|
ifs
|
%IFS-3-FSMAX: Failed to add ?, maximum filesystems 64 msg with Traceback
|
CSCsq48271
|
c6venus-slb
|
laminar
|
adding redundant CSM causes config sync to indicate in sync when not
|
CSCsk32095
|
c7200
|
pas-2fast-ethernet
|
PA-2FE-TX port flaps on applying qos policy
|
CSCsq20970
|
c7500
|
7x00-t1e1
|
ATM option missing, while configuring T1 controller for mode atm
|
CSCsg22830
|
c7600
|
c7600-ha
|
Standby not coming up after sso switchover
|
CSCsj43677
|
c7600
|
c7600-ha
|
Active Sup720 crash when removing Standy supervisor
|
CSCsm32363
|
c7600
|
cat6000-acl
|
Netflow SLB sw-installed entries not aging out
|
CSCek78066
|
c7600
|
cat6000-env
|
Whitney:CLI & MIB mismatch for aux-1 temperature Sensor SUP32
|
CSCsi41749
|
c7600
|
cs7
|
ITP-76:%SYS-2-INTSCHED: 'sleep for' at level 2 (Process- "MIP Mailbox")
|
CSCsq60553
|
c7600
|
cwpa2
|
Create cwslc-rommon3.bin for cwpa2 to accomodate release Rommon (1.8)
|
CSCsm87735
|
c7600
|
osm-choc-ds0
|
OSM CHOC12/T1 - t1 shutdown does not disable Serial interface
|
CSCso78097
|
c7600
|
osm-ct3
|
OSM-ct3 MFR interface is flapping
|
CSCsq47166
|
c7600
|
osm-gigwan
|
GE-WAN interface stays down with autonegotiation enabled
|
CSCso59971
|
c7600
|
osm-pos
|
OSM OC3 POS : Wrong traffic counters
|
CSCsq19159
|
c7600
|
snmp
|
RP crashes in chassismib_add_sub_card_entry after linecard reload
|
CSCsc69804
|
c7600
|
vipmlp
|
SIP1-ChOC3:Initial packets fail with SW-MLP on SIP-200
|
CSCsi00712
|
cat6000
|
c6k-wan-common
|
Connected ipv4 routes for WAN interfaces missing on reload
|
CSCsi99875
|
cat6000
|
c6k-wan-common
|
BOOM: spa_eeprom_read_bit on BOOTUP
|
CSCsg39754
|
cat6000
|
cat6000-acl
|
DHCP snooping redirect ACL permits more than just bootpc and bootps port
|
CSCso97524
|
cat6000
|
cat6000-acl
|
Packet drop after TCAM exception happened
|
CSCsf17163
|
cat6000
|
cat6000-cm
|
TCAM mask/entry resource not released after conf/unconf pacl
|
CSCso87838
|
cat6000
|
cat6000-filesys
|
HSRP: with aggressive timers HSRP peer flaps when "wr mem"
|
CSCsk93587
|
cat6000
|
cat6000-firmware
|
TestFabricCh0Health test failure with unidir traffic via Ch1on Berytos
|
CSCsl39710
|
cat6000
|
cat6000-firmware
|
cat6000 mac-address-table does not add entries for local fwsm mac . .
|
CSCsq14259
|
cat6000
|
cat6000-firmware
|
TX Flowcontrol goes on when link negotiation is disabled
|
CSCsq85850
|
cat6000
|
cat6000-firmware
|
Opnext GLC-LH-SM :remote port stays up when local RX cable is removed
|
CSCsq41311
|
cat6000
|
cat6000-hw-fwding
|
I/O memory leak in Medium buffers
|
CSCsl72912
|
cat6000
|
cat6000-ipc
|
VS2: WS-X6708 DFC crash in local_cb1(Segment violation)
|
CSCsr09554
|
cat6000
|
cat6000-ipc
|
Move SIBYTE SB_RMON_OVRFL messages under debug
|
CSCsq59297
|
cat6000
|
cat6000-l2-infra
|
port-channel IDB gets mixed up
|
CSCsh16213
|
cat6000
|
cat6000-mcast
|
Disabling MLDsnooping does not clean special MACs 3333.0000.0016, 3333.0
|
CSCsm59926
|
cat6000
|
cat6000-mcast
|
RP receives 2 copies of each PIM register with MVPN
|
CSCso44072
|
cat6000
|
cat6000-mcast
|
High CPU due to multicast traffic getting punted to software
|
CSCso71355
|
cat6000
|
cat6000-mcast
|
PVLAN - 6500 - Multicast flood broken from pvlan port to promiscuous
|
CSCso85395
|
cat6000
|
cat6000-svc
|
Unable to add the 256th vlan
|
CSCso84567
|
cat6000
|
cat6000-wccp
|
6500 with WCCP and CoPP punts non-TCP packets into CoPP policy.
|
CSCsb60078
|
cat6000
|
