
Cisco Catalyst 5000 Series Switches

Identifying Catalyst 5000 EARL Version and Other Common EARL Questions

Document ID: 10590



Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Conventions
What is the EARL?
Determining EARL Version From CLI
Determine EARL Version from Part Number Matrix
      Modular Supervisor Catalyst 5000 Series Supervisors
      Fixed Configuration Catalyst 5000 Series Switches
Determining EARL Version Through SNMP
Why Are Catalyst 5000 EARL 1 Versions Only Affected?
If There is no STP Redundancy in the Network Should I Still Upgrade?
Catalyst 4000 and 6000 Not Affected By 802.1x Vulnerability
Windows 2000 Participation in 802.1x
Related Information

Introduction

This document addresses common questions surrounding the 802.1x vulnerability issue with Catalyst 5000 switches. Also included in this document is how to determine the Catalyst 5000 EARL version. For more information on the 802.1x vulnerability, see the following security advisory:

http://www.cisco.com/warp/public/707/cisco-sa-20010413-cat5k-8021x.shtml

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

What is the EARL?

The Encoded Address Recognition Logic (EARL) is a centralized processing engine for learning and forwarding packets based upon MAC address on the Catalyst 5000 Supervisor Engines. The EARL stores the VLAN, MAC address, and port relationships. These relationships are used to make switching decisions in hardware.

Determining EARL Version From CLI

To determine the EARL version from the command line interface (CLI), issue the show module command from the Supervisor. An example is presented below:

Console (enable) sh mod
Mod Module-Name         Ports Module-Type           Model     Serial-Num Status
--- ------------------- ----- --------------------- --------- --------- -------
1                       2     100BaseFX MM Supervis WS-X5506  005441962 ok
2                       48    10BaseT Ethernet      WS-X5012A 010308246 ok
3                       48    10BaseT Ethernet      WS-X5012A 010308178 ok
4                       24    3 Segment 100BaseTX E WS-X5223  005389389 ok
5                       12    100BaseFX MM Ethernet WS-X5201R 008951252 ok

Mod MAC-Address(es)                        Hw     Fw         Sw
--- -------------------------------------- ------ ---------- ----------------
1   00-e0-f9-d6-64-00 to 00-e0-f9-d6-67-ff 1.0    2.2(2)     4.2(1)
2   00-90-6f-6e-75-c0 to 00-90-6f-6e-75-ef 1.0    4.2(1)     4.2(1)
3   00-90-6f-6e-5a-f0 to 00-90-6f-6e-5b-1f 1.0    4.2(1)     4.2(1)
4   00-e0-b0-fb-0a-29 to 00-e0-b0-fb-0a-2b 1.0    2.2(1)     4.2(1)
5   00-60-2f-39-3d-d4 to 00-60-2f-39-3d-df 1.1    4.1(1)     4.2(1)

Mod Sub-Type Sub-Model Sub-Serial Sub-Hw
--- -------- --------- ---------- ------
1   EARL 1+  WS-F5511  0005442554 1.0

The show module command above, issued from the Supervisor, indicates the EARL hardware version in the Sub-Type field. If the Supervisor is an EARL 1, 1.1, 1+, or 1++, the system is affected by the 802.1x vulnerability. Any other version indicated in the Sub-Type field, such as NFFC, NFFC+, or NFFC II, is not an EARL 1 and is not affected by the 802.1x vulnerability.

Note: The Supervisor IIG and IIIG will not print the Sub-Type. The Supervisor IIG and IIIG are EARL 3s and are not affected by the 802.1x vulnerability.

Determine EARL Version from Part Number Matrix

Modular Supervisor Catalyst 5000 Series Supervisors

Supervisor Part Number  Supervisor Model          EARL Version Sub-Type  EARL Version Sub-Model Type  Affected by 802.1x Vulnerability
----------------------  ------------------------  ---------------------  ---------------------------  --------------------------------
WS-X5005                Supervisor I              EARL 1                 WS-F5510                     Yes
WS-X5006                Supervisor I              EARL 1                 WS-F5510                     Yes
WS-X5009                Supervisor I              EARL 1                 WS-F5510                     Yes
WS-X5505                Supervisor II             EARL 1+                WS-F5511                     Yes
WS-X5506                Supervisor II             EARL 1+                WS-F5511                     Yes
WS-X5509                Supervisor II             EARL 1+                WS-F5511                     Yes
WS-X5530-E1             Supervisor III            EARL 1++               WS-F5520                     Yes
WS-X5530-E2             Supervisor III NFFC       EARL 2 (NFFC)          WS-F5521                     No
WS-X5530-E2A            Supervisor III NFFC-A     EARL 2 (NFFC)          WS-F5521                     No
WS-X5530-E3             Supervisor III NFFC II    EARL 3 (NFFC II)       WS-F5531                     No
WS-X5530-E3A            Supervisor III NFFC II-A  EARL 3 (NFFC II)       WS-F5531                     No
WS-X5534                Supervisor III F          EARL 1++               WS-F5520                     Yes
WS-X5540                Supervisor II G           EARL 3 (NFFC II)       WS-F5531                     No
WS-X5550                Supervisor III G          EARL 3 (NFFC II)       WS-F5531                     No

Fixed Configuration Catalyst 5000 Series Switches

Switch Part Number  Supervisor Model        EARL Version Sub-Type  EARL Version Sub-Model Type  Affected by 802.1x Vulnerability
------------------  ----------------------  ---------------------  ---------------------------  --------------------------------
WS-C2901            Supervisor I            EARL 1                 WS-F5510                     Yes
WS-C2902            Supervisor I            EARL 1                 WS-F5510                     Yes
WS-C2926T           Supervisor II           EARL 1+                WS-F5511                     Yes
WS-C2926G           Supervisor II           EARL 1+                WS-F5511                     Yes
WS-C2926GS          Supervisor III NFFC II  EARL 3 (NFFC II)       WS-F5531                     No
WS-C2926GL          Supervisor III NFFC II  EARL 3 (NFFC II)       WS-F5531                     No

Note: In early software revisions, the EARL 3 (NFFC II) may be referred to as an NFFC+.

Determining EARL Version Through SNMP

The EARL hardware version can also be determined through Simple Network Management Protocol (SNMP) by polling the moduleSubType object for the Supervisor module:

.iso.org.dod.internet.private.enterprises.cisco.workgroup.stack.moduleGrp.moduleTable.moduleEntry.moduleSubType

.1.3.6.1.4.1.9.5.1.3.1.1.16

The return values can be:

  • other(1)

  • empty(2)

  • wsf5510(3) (EARL1)

  • wsf5511(4) (EARL1+)

  • wsx5304(6) (RSM--NOT ON SUPERVISOR)

  • wsf5520(7) (EARL1++)

  • wsf5521(8) (EARL2/NFFC)

  • wsf5531(9) (EARL3/NFFCII)

The Supervisor IIG and IIIG will not return a value. The Supervisor IIG and IIIG are EARL 3s and are not affected by the 802.1x vulnerability.
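As an added example (not part of the Cisco document), the following Python classifies a Supervisor from either source described above: the Sub-Type row of show module text, or the integer returned for moduleSubType. The show module excerpts are constructed samples, and the value-to-EARL mapping and affected flags are taken from the tables and SNMP value list on this page.

```python
import re

# moduleSubType integer values listed on the page, mapped to
# (Sub-Model, EARL version, affected-by-802.1x) as the page's tables state.
MODULE_SUBTYPE = {
    3: ("WS-F5510", "EARL 1", True),
    4: ("WS-F5511", "EARL 1+", True),
    7: ("WS-F5520", "EARL 1++", True),
    8: ("WS-F5521", "EARL 2 (NFFC)", False),
    9: ("WS-F5531", "EARL 3 (NFFC II)", False),
}

# Sub-Type strings from 'show module' that the page says are affected.
AFFECTED_SUBTYPES = {"EARL 1", "EARL 1.1", "EARL 1+", "EARL 1++"}

# Matches the Sub-Type row: "<mod> <Sub-Type> <WS-Fnnnn> <serial> <hw>".
SUBTYPE_ROW = re.compile(r"^\s*(\d+)\s+(.+?)\s+(WS-F\d+)\s+\d+\s+[\d.]+\s*$", re.M)

# Constructed sample excerpts of 'show module' output (not captured from a switch).
SAMPLE_EARL1PLUS = """\
Mod Sub-Type Sub-Model Sub-Serial Sub-Hw
--- -------- --------- ---------- ------
1   EARL 1+  WS-F5511  0005442554 1.0
"""
SAMPLE_NFFC2 = """\
Mod Sub-Type Sub-Model Sub-Serial Sub-Hw
--- -------- --------- ---------- ------
1   NFFC II  WS-F5531  0001234567 1.0
"""

def earl_from_show_module(output):
    """Return (Sub-Type, Sub-Model) for the Supervisor, or None when no
    Sub-Type row is printed (the page says the IIG/IIIG print none)."""
    m = SUBTYPE_ROW.search(output)
    return (m.group(2), m.group(3)) if m else None

def affected_from_show_module(output):
    """True only when the printed Sub-Type is one of the EARL 1 family."""
    row = earl_from_show_module(output)
    return row is not None and row[0] in AFFECTED_SUBTYPES

def affected_from_snmp(value):
    """Classify an integer returned for moduleSubType
    (.1.3.6.1.4.1.9.5.1.3.1.1.16); (None, False) when it is not an EARL."""
    if value in MODULE_SUBTYPE:
        _, earl, hit = MODULE_SUBTYPE[value]
        return earl, hit
    return None, False

if __name__ == "__main__":
    print(earl_from_show_module(SAMPLE_EARL1PLUS), affected_from_show_module(SAMPLE_EARL1PLUS))
    print(affected_from_snmp(4), affected_from_snmp(9))
```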

Why Are Catalyst 5000 EARL 1 Versions Only Affected?

EARL 1 versions are the only ones affected because an EARL 1 must be programmed with each reserved MAC address individually. All other EARL versions were programmed with address ranges and thus do not forward the 802.1x frame.

If There is no STP Redundancy in the Network Should I Still Upgrade?

Absolutely. The Catalyst 5000 software still forwards these packets on all ports, when the switch should be dropping the frames inbound. Although the network will not suffer any degradation unless there is STP redundancy, the switch is still operating incorrectly.

Catalyst 4000 and 6000 Not Affected By 802.1x Vulnerability

The Catalyst 5000 series switches with the EARL 1 are the only affected switches. All other switches will not forward the frame and will actually stop an STP loop from occurring if they are located in the STP path.

Windows 2000 Participation in 802.1x

Currently, Windows XP (Whistler) is the only Microsoft operating system to support 802.1x. According to Microsoft, 802.1x for Windows 2000 might be added at a later time through a software upgrade or patch.


Related Information



Updated: Oct 04, 2005 Document ID: 10590