This document addresses common questions surrounding the 802.1x vulnerability issue with Catalyst 5000 switches. Also included in this document is how to determine the Catalyst 5000 EARL version. For more information on the 802.1x vulnerability, see the following security advisory:
There are no specific requirements for this document.
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
The Encoded Address Recognition Logic (EARL) is a centralized processing engine for learning and forwarding packets based upon MAC address on the Catalyst 5000 Supervisor Engines. The EARL stores the VLAN, MAC address, and port relationships. These relationships are used to make switching decisions in hardware.
To determine the EARL version from the command line interface (CLI), issue the show module command from the Supervisor. An example is presented below:
Console (enable) sh mod Mod Module-Name Ports Module-Type Model Serial-Num Status --- ------------------- ----- --------------------- --------- --------- ---- --- 1 2 100BaseFX MM Supervis WS-X5506 005441962 ok 2 48 10BaseT Ethernet WS-X5012A 010308246 ok 3 48 10BaseT Ethernet WS-X5012A 010308178 ok 4 24 3 Segment 100BaseTX E WS-X5223 005389389 ok 5 12 100BaseFX MM Ethernet WS-X5201R 008951252 ok Mod MAC-Address(es) Hw Fw Sw --- -------------------------------------- ------ ---------- --------------- -- 1 00-e0-f9-d6-64-00 to 00-e0-f9-d6-67-ff 1.0 2.2(2) 4.2(1) 2 00-90-6f-6e-75-c0 to 00-90-6f-6e-75-ef 1.0 4.2(1) 4.2(1) 3 00-90-6f-6e-5a-f0 to 00-90-6f-6e-5b-1f 1.0 4.2(1) 4.2(1) 4 00-e0-b0-fb-0a-29 to 00-e0-b0-fb-0a-2b 1.0 2.2(1) 4.2(1) 5 00-60-2f-39-3d-d4 to 00-60-2f-39-3d-df 1.1 4.1(1) 4.2(1) Mod Sub-Type Sub-Model Sub-Serial Sub-Hw --- -------- --------- ---------- ------ 1 EARL 1+ WS-F5511 0005442554 1.0
The show module command above issued from the Supervisor will indicate the EARL Hardware Version in the Sub-Type Field. If the Supervisor is an EARL 1, 1.1, or a 1+,1++, the system is affected by the 802.1x vulnerability. Any other version of the EARL indicated in the Sub-Type such as NFFC, NFFC+, or NFFC II are not EARL 1s and are not affected by the 802.1x vulnerability.
Note: The Supervisor IIG and IIIG will not print the Sub-Type. The Supervisor IIG and IIIG are EARL 3s and are not affected by the 802.1x vulnerability.
|Supervisor Part Number||Supervisor Model||Earl Version Sub-Type||EARL Version Sub-Model Type||Affected by 802.1x Vulnerability|
|WS-X5005||Supervisor I||EARL 1||WS-F5510||Yes|
|WS-X5006||Supervisor I||EARL 1||WS-F5510||Yes|
|WS-X5009||Supervisor I||EARL 1||WS-F5510||Yes|
|WS-X5505||Supervisor II||EARL 1+||WS-F5511||Yes|
|WS-X5506||Supervisor II||EARL 1+||WS-F5511||Yes|
|WS-X5509||Supervisor II||EARL 1+||WS-F5511||Yes|
|WS-X5530-E1||Supervisor III||EARL 1++||WS-F5520||Yes|
|WS-X5530-E2||Supervisor III NFFC||EARL 2 (NFFC)||WS-F5521||No|
|WS-X5530-E2A||Supervisor III NFFC-A||EARL 2 (NFFC)||WS-F5521||No|
|WS-X5530-E3||Supervisor III NFFC II||EARL 3 (NFFC II)||WS-F5531||No|
|WS-X5530-E3A||Supervisor III NFFC II-A||EARL 3 (NFFC II)||WS-F5531||No|
|WS-X5534||Supervisor III F||EARL 1++||WS-F5520||Yes|
|WS-X5540||Supervisor II G||EARL 3 (NFFC II)||WS-F5531||No|
|WS-X5550||Supervisor III G||EARL 3 (NFFC II)||WS-F5531||No|
|Switch Part Number||Supervisor Model||Earl Version Sub-Type||EARL Version Sub-Model Type||Affected by 802.1x Vulnerability|
|WS-C2901||Supervisor I||EARL 1||WS-F5510||Yes|
|WS-C2902||Supervisor I||EARL 1||WS-F5510||Yes|
|WS-C2926T||Supervisor II||EARL 1+||WS-F5511||Yes|
|WS-C2926G||Supervisor II||EARL 1+||WS-F5511||Yes|
|WS-C2926GS||Supervisor III NFFC II||EARL 3 (NFFC II)||WS-F5531||No|
|WS-C2926GL||Supervisor III NFFC II||EARL 3 (NFFC II)||WS-F5531||No|
Note: In early software revisions, the EARL 3 (NFFC II) may be referred to as an NFFC+.
The EARL hardware version can be determined by Simple Network Management Protocol (SNMP). Using the .iso.org.dod.internet.private.enterprises.cisco.workgroup.stack.moduleGrp.mo
The return values can be:
wsx5304(6) (RSM--NOT ON SUPERVISOR)
The Supervisor II G and IIIG will not return a value. The Supervisor IIG and IIIG are EARL 3s and are not affected by the 802.1x vulnerability.
EARL 1 versions are only affected because EARL 1s need to be programmed for each reserved MAC address individually. All other EARL versions were programmed with ranges and thus do not forward the 802.1x frame.
Absolutely, the Catalyst 5000 software is still forwarding the packets on all ports. The switch should be dropping these frames inbound. Although the network will not suffer any degradation unless there is STP redundancy, the switch is still operating incorrectly.
The Catalyst 5000 series switches with the EARL 1 are the only affected switch. All other switches will not forward the frame and will actually stop a STP loop from occuring if the switches are located in the STP path.
Currently, Windows XP (Whistler) is the only Microsoft operating system to support 802.1x. According to Microsoft, 802.1x for Windows 2000 might be added at a later time through a software upgrade or patch.Currently, Windows XP (Whistler) is the only Microsoft operating system to support 802.1x. According to Microsoft, 802.1x for Windows 2000 might be added at a later time through a software upgrade or patch.
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.