Device Manager System Requirements
Finding the Software Version and Feature Set
Upgrading a Switch by Using the Device Manager or Network Assistant
Upgrading a Switch by Using the CLI
Recovering from a Software Failure
New in Cisco IOS Release 15.0(2)SE5
New in Cisco IOS Release 15.0(2)SE3
New in Cisco IOS Release 15.0(2)SE 1
New in Cisco IOS Release 15.0(2)SE
Minimum Cisco IOS Release for Major Features
Cisco Redundant Power System 2300
Cisco Transceiver Modules and SFP Modules
Stacking (Catalyst 3750-X and Catalyst 3750-E Switch Stack only)
Stack Power (Catalyst 3750-X only)
C3KX-SM-10G Network Module (Catalyst 3750-X and 3560-X only)
Caveats Resolved in Cisco IOS Release 15.0(2)SE13
Caveats Resolved in Cisco IOS Release 15.0(2)SE12
Caveats Resolved in Cisco IOS Release 15.0(2)SE11
Caveats Resolved in Cisco IOS Release 15.0(2)SE10a
Caveats Resolved in Cisco IOS Release 15.0(2)SE10
Caveats Resolved in Cisco IOS Release 15.0(2)SE9
Caveats Resolved in Cisco IOS Release 15.0(2)SE8
Caveats Resolved in Cisco IOS Release 15.0(2)SE7
Caveats Resolved in Cisco IOS Release 15.0(2)SE6
Caveats Resolved in Cisco IOS Release 15.0(2)SE5
Caveats Resolved in Cisco IOS Release 15.0(2)SE4
Caveats Resolved in Cisco IOS Release 15.0(2)SE3
Caveats Resolved in Cisco IOS Release 15.0(2)SE2
Caveats Resolved in Cisco IOS Release 15.0(2)SE1
Caveats Resolved in Cisco IOS Release 15.0(2)SE
Obtaining Documentation and Submitting a Service Request
Cisco IOS Release 15.0(2)SE and higher runs on Catalyst 3750-X, Catalyst 3750-E, Catalyst 3560-X, and Catalyst 3560-E switches and on Cisco enhanced EtherSwitch service modules.
The Catalyst 3750-X and 3750-E switches support stacking through Cisco StackWise Plus technology. The Catalyst 3750-X also supports StackPower. The Catalyst 3560-X switches, Catalyst 3560-E switches, and the Cisco enhanced EtherSwitch service modules do not support switch stacking.
Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Cisco enhanced EtherSwitch service modules and Catalyst 3560-E switches support the same features.
For more information, see the Deciding Which Files to Use and the “Related Documentation” section.
These release notes include important information about Cisco IOS Release 15.0(2)SE and later, and any limitations, restrictions, and caveats that apply to it. Verify that these release notes are correct for your switch:
You can download the switch software from this site (registered Cisco.com users with a login password):
http://www.cisco.com/cisco/web/download/index.html
24 10/100/1000 Ethernet ports, 1 network module slot, 350 W power supply; IP Services feature set
48 10/100/1000 Ethernet ports, 1 network module slot, 350 W power supply; IP Services feature set
24 10/100/1000 PoE+ ports, 1 network module slot, 715 W power supply; IP Services feature set
48 10/100/1000 PoE+ ports, 1 network module slot, 715 W power supply; IP Services feature set
48 10/100/1000 PoE+ ports, 1 network module slot, 1100 W power supply; IP Services feature set
24 10/100/1000 Ethernet ports, StackWise Plus, StackPower, 1 network module slot, 350 W power supply; IP Services feature set
48 10/100/1000 Ethernet ports, StackWise Plus, StackPower, 1 network module slot, 350 W power supply; IP Services feature set
24 10/100/1000 PoE+ ports, StackWise Plus, StackPower, 1 network module slot, 715 W power supply; IP Services feature set
48 10/100/1000 PoE+ ports, StackWise Plus, StackPower, 1 network module slot, 715 W power supply; IP Services feature set
48 10/100/1000 PoE+ ports, StackWise Plus, StackPower, 1 network module slot, 1100 W power supply; IP Services feature set
12 SFP module slots, StackWise Plus, StackPower, 1 network module slot, 350 W power supply; IP Base feature set
24 SFP module slots, StackWise Plus, StackPower, 1 network module slot, 350 W power supply; IP Base feature set
12 SFP module slots, StackWise Plus, StackPower, 1 network module slot, 350 W power supply; IP Services feature set
24 SFP module slots, StackWise Plus, StackPower, 1 network module slot, 350 W power supply; IP Services feature set
24 10/100/1000 Ethernet ports, StackWise Plus, 1 network module slot, 350 W power supply; LAN Base feature set
48 10/100/1000 Ethernet ports, StackWise Plus, 1 network module slot, 350 W power supply; LAN Base feature set
24 10/100/1000 PoE+ ports, StackWise Plus, 1 network module slot, 715 W power supply; LAN Base feature set
48 10/100/1000 PoE+ ports, StackWise Plus, 1 network module slot, 715 W power supply; LAN Base feature set
48 10/100/1000 PoE+ ports, StackWise Plus, 1 network module slot, 1100 W power supply; LAN Base feature set
24 10/100/1000 Ethernet ports, StackWise Plus, StackPower, 1 network module slot, 350 W power supply; IP Base feature set
48 10/100/1000 Ethernet ports, StackWise Plus, StackPower, 1 network module slot, 350 W power supply; IP Base feature set
24 10/100/1000 PoE+ ports, StackWise Plus, StackPower, 1 network module slot, 715 W power supply; IP Base feature set
48 10/100/1000 PoE+ ports, StackWise Plus, StackPower, 1 network module slot, 715 W power supply; IP Base feature set
48 10/100/1000 PoE+ ports, StackWise Plus, StackPower, 1 network module slot, 1100 W power supply; IP Base feature set
24 10/100/1000 Ethernet ports, 1 network module slot, 350 W power supply; LAN Base feature set
48 10/100/1000 Ethernet ports, 1 network module slot, 350 W power supply; LAN Base feature set
24 10/100/1000 PoE+ ports, 1 network module slot, 715 W power supply; LAN Base feature set
48 10/100/1000 PoE+ ports, 1 network module slot, 715 W power supply; LAN Base feature set
48 10/100/1000 PoE+ ports, 1 network module slot, 1100 W power supply; LAN Base feature set
24 10/100/1000 Ethernet ports, 1 network module slot, 350 W power supply; IP Base feature set
48 10/100/1000 Ethernet ports, 1 network module slot, 350 W power supply; IP Base feature set
24 10/100/1000 PoE+ ports, 1 network module slot, 715 W power supply; IP Base feature set
48 10/100/1000 PoE+ ports, 1 network module slot, 715 W power supply; IP Base feature set
48 10/100/1000 PoE+ ports, 1 network module slot, 1100 W power supply; IP Base feature set
100FX-SFP, 1000BASE-LX/LH. Note For a complete list of supported SFP modules, see the hardware installation guide or the data sheets at:
SFP-10G-SR
SFP-10G-ER4
Only version 02 (or later) of the CX1 cables are supported:
SFP module patch cable
C3KX-PWR-1100WAC. Note For power supply module descriptions and configurations supported on switch models, see the hardware installation guide.
Four SFP slots.
Two 10-Gigabit Ethernet (copper) ports. Note To configure the port speed to 1 Gigabit per second, use the hw-module switch global configuration command.
24 10/100/1000 Ethernet ports, 2 10-Gigabit Ethernet X2 module slots
48 10/100/1000 Ethernet ports, 2 10-Gigabit Ethernet X2 module slots
24 10/100/1000 PoE ports, 2 10-Gigabit Ethernet X2 module slots
48 10/100/1000 ports with 370 W of PoE, 2 10-Gigabit Ethernet X2 module slots
48 10/100/1000 ports with 740 W of PoE, 2 10-Gigabit Ethernet X2 module slots
24 10/100/1000 Ethernet ports, 2 10-Gigabit Ethernet X2 module slots
48 10/100/1000 Ethernet ports, 2 10-Gigabit Ethernet X2 module slots
24 10/100/1000 PoE ports, 2 10-Gigabit Ethernet X2 module slots
48 10/100/1000 ports with 370 W of PoE, 2 10-Gigabit Ethernet X2 module slots
48 10/100/1000 ports with 740 W of PoE, 2 10-Gigabit Ethernet X2 module slots
12 SFP module slots, 2 10-Gigabit Ethernet X2 module slots
X2-10GB-SR V02 or later: Cisco IOS Release 12.2(35)SE2
Dual SFP X2 converter module to allow the switch to support SFP Gigabit Ethernet modules
1000BASE-LX/LH. For a complete list of supported SFPs and part numbers, see the data sheet:
DOM support for these SFP modules.
SFP module patch cable
SFP-10G-SR=. Only version 02 or later CX1 cables support these SFP modules:
SM-D-ES2-48
SM-D-ES3-48-P
SM-D-ES3G-48-P
SM-ES2-16-P
SM-ES2-24
SM-ES2-24-P: Layer 2-capable, 23 10/100 ports with PoE, 1 10/100/1000 port with PoE
SM-ES3-16-P
SM-ES3-24-P
SM-ES3G-16-P
SM-ES3G-24-P
The device manager verifies the browser version when starting a session and does not require a plug-in.
You cannot create and manage switch clusters through the device manager. To create and manage switch clusters, use the command-line interface (CLI) or the Network Assistant application.
When creating a switch cluster or adding a switch to a cluster, follow these guidelines:
For additional information about clustering, see Getting Started with Cisco Network Assistant, Release Notes for Cisco Network Assistant, the Cisco enhanced EtherSwitch service module documentation, the software configuration guide, and the command reference.
Cisco IOS 15.0(1)SE will be supported in a future release of the Cisco Network Assistant. Cisco IOS 12.2(35)SE2 and later are compatible only with Cisco Network Assistant 5.0 and later. You can download Cisco Network Assistant from this URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/NetworkAssistant
For more information about Cisco Network Assistant, see the Release Notes for Cisco Network Assistant on Cisco.com.
The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line of the display shows the version.
Note Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software license.
You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
If you have a service support contract and order a software license or if you order a switch, you receive the universal software image and a specific software license. If you do not have a service support contract, such as a SMARTnet contract, download the IP base image from Cisco.com. For Catalyst 3750-X and 3560-X switches, this image has the IP base and LAN base feature sets. For Catalyst 3750-E and 3560-E switches, this image has the IP base feature set.
Note A Catalyst 3750-X or 3560-X switch running the LAN base feature set supports only 255 VLANs.
The switches running the universal software images can use permanent and temporary software licenses. See the “Cisco IOS Software Activation Conceptual Overview” chapter in the Cisco IOS Software Activation Configuration Guide:
http://www.cisco.com/en/US/docs/ios/csa/configuration/guide/12.4T/csa_book.html
The universal software images support multiple feature sets. Use the software activation feature to deploy a software license and to enable a specific feature set.
For information about Catalyst 3750-E and 3560-E software activation, see the Cisco Software Activation and Compatibility Document on Cisco.com:
http://www.cisco.com/en/US/products/ps7077/products_installation_and_configuration_guides_list.html
Catalyst 3750-X and 3560-X switches running payload-encryption images can encrypt management and data traffic. Switches running nonpayload-encryption images can encrypt only management traffic, such as a Secure Shell (SSH) management session.
For more information about Catalyst 3750-X and 3560-X software licenses and available images, see the Cisco IOS Software Installation Document on Cisco.com:
http://www.cisco.com/en/US/products/ps10745/products_installation_and_configuration_guides_list.html
Layer 2 and basic Layer 3 features, SSH, SSL, SNMPv3, and Kerberos; IP base image, as well as LAN base image with Layer 2 features
Layer 2 and basic Layer 3 features, SSH, SSL, SNMPv3, Kerberos, and MACsec; IP base image, as well as LAN base image with Layer 2 features
All the supported universal image features, Kerberos, SSH, SSL, and SNMPv3
All the supported universal image features, Kerberos, SSH, SSL, SNMPv3, and MACsec
Layer 2 and basic Layer 3 features, SSH, SSL, SNMPv3, and Kerberos
All the supported universal image features, Kerberos, SSH, SSL, and SNMPv3
Layer 2 features, SSH, SNMPv3, and Kerberos. For these service modules: SM-D-ES2-48, SM-ES2-16-P, SM-ES2-24, and SM-ES2-24-P.
All the supported universal image features, Kerberos, SSH, SSL, and SNMPv3; IP base and IP services software licenses. For these service modules: SM-D-ES3-48-P, SM-D-ES3G-48-P, SM-ES3-16-P, SM-ES3-24-P, SM-ES3G-16-P, and SM-ES3G-24-P.
The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains the Cisco IOS image file and the files needed for the embedded device manager. You must use the combined tar file to upgrade the switch through the device manager. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.
Before upgrading your switch software, make sure that you have archived copies of the current Cisco IOS release and the Cisco IOS release from which you are upgrading. You should keep these archived images until you have upgraded all devices in the network to the new Cisco IOS image and until you have verified that the new Cisco IOS image works properly in your network.
Cisco routinely removes old Cisco IOS versions from Cisco.com. See Product Bulletin 2863 for more information:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps1835/prod_bulletin0900aecd80281c0e.html
You can copy the bin software image file on the flash memory to the appropriate TFTP directory on a host by using the copy flash: tftp: privileged EXEC command.
Note Although you can copy any file on the flash memory to the TFTP server, it is time-consuming to copy all of the HTML files in the tar file. We recommend that you download the tar file from Cisco.com and archive it on an internal host in your network.
You can also configure the switch as a TFTP server to copy files from one switch to another without using an external TFTP server by using the tftp-server global configuration command. For more information about the tftp-server command, see the “Basic File Transfer Services Commands” section of the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2:
http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_t1.html
Note When you upgrade the switch from Cisco IOS Release 15.0(2)SE to 15.0(2)SE1, a microcode upgrade is started when the switch is reloaded for the first time. The switch may take unusually long to start.
We recommend that you download the software on the switch using the archive download-sw /force-ucode-reload or archive download-sw /upgrade-ucode privileged EXEC command to shorten the reload time of the switch. For more information about using these commands, see the archive download-sw command in the Catalyst 3750-X and Catalyst 3560-X Switch Command Reference, Cisco IOS Release 15.0(2)SE and Later guide on Cisco.com: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_2_se/command/reference/cli1.html#wp2273183.
You can upgrade switch software by using the device manager or Network Assistant. For detailed instructions, click Help.
Note When using the device manager to upgrade your switch, do not use or close your browser session after the upgrade process begins. Wait until after the upgrade process completes.
This procedure is for copying the combined tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.
To download software, follow these steps:
Step 1 Use Table 4 to identify the file that you want to download.
Step 2 Download the software image file:
a. If you are a registered customer, go to this URL and log in:
http://www.cisco.com/cisco/web/download/index.html
b. Navigate to Switches > LAN Switches - Access.
c. Navigate to your switch model.
d. Click IOS Software, and select the latest IOS release.
e. Download the image you identified in Step 1.
Step 3 Copy the image to the appropriate TFTP directory on the workstation, and make sure that the TFTP server is properly configured.
For more information, see Appendix B in the software configuration guide for this release.
Step 4 Log into the switch through the console port or a Telnet session.
Step 5 (Optional) Ensure that you have IP connectivity to the TFTP server by entering this privileged EXEC command:
For more information about assigning an IP address and default gateway to the switch, see the software configuration guide for this release.
Step 6 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by entering this privileged EXEC command:
The /overwrite option overwrites the software image in flash memory with the downloaded one.
The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.
For //location, specify the IP address of the TFTP server.
For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.
This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:
You can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.
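The CLI procedure above as one console session, added here as an example and not taken from the release notes. It assumes the page's example TFTP server 198.30.20.19 and uses <image-name>.tar as a placeholder for the combined tar file identified in Step 1.

```ios
! Constructed example session; the image file name is a placeholder, not a
! real Cisco file name, and 198.30.20.19 is the TFTP server used in the text.

! Check what is currently running and confirm flash has room for a second image.
Switch# show version
Switch# dir flash:

! Step 5: confirm IP reachability to the TFTP server before downloading.
Switch# ping 198.30.20.19

! Save the configuration first: /reload does not reload the switch if the
! running configuration has unsaved changes.
Switch# copy running-config startup-config

! Step 6, keeping the current image as a rollback (/leave-old-sw) instead of
! replacing it (/overwrite); /reload restarts the switch once the download
! and extraction finish.
Switch# archive download-sw /leave-old-sw /reload tftp://198.30.20.19/<image-name>.tar

! After the reload, verify the running release and the configured boot image.
Switch# show version
Switch# show boot
```

Keep the old image in flash until the new release has been verified on the network, as the archiving advice earlier in this section recommends.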
Use these methods to assign IP information to your switch:
Note This feature is available on the Advanced IP Services feature set.
Note The images for the Cisco IOS Release 15.0(2)SE1 on the Catalyst 3750-X and 3560-X switches are FIPS certified. For information about using FIPS certified images, see the “Boot Loader Upgrade and Image Verification for the FIPS Mode of Operation” section in the “Assigning the Switch IP Address and Default Gateway” chapter of the software configuration guide.
FIPS 140-2 is a cryptographic-focused certification, required by many government and enterprise customers, which ensures the compliance of the encryption and decryption operations performed by the switch to the approved FIPS cryptographic strengths and management methods for safeguarding these operations. For more information, see the following links:
– The security policy document at: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2011.htm#1657
– The installation notes at: http://www.cisco.com/en/US/products/ps10745/prod_installation_guides_list.html
Common Criteria is an international standard (ISO/IEC 15408) for computer security certification. This standard is a set of requirements, tests, and evaluation methods that ensures that the Target of Evaluation complies with a specific Protection Profile or custom Security Target. For more information, see the security target document at:
http://www.niap-ccevs.org/st/vid10488/.
Table 5 lists the minimum software release (after the first release) required to support the major features on the switches. The first release for the Catalyst 3750-X and 3560-X switches was Cisco IOS Release 12.2(53)SE2.
Cisco TrustSec SXP version 2, syslog messages, and SNMP support
Built-in Traffic Simulator using Cisco IOS IP SLAs video operations
Auto Smartports enhancements to enable auto-QoS on a digital media player.
Support for 16 static routes on SVIs on the LAN Base feature set
DHCPv6 bulk-lease query and DHCPv6 relay source configuration
NSF IETF mode for OSPFv2 and OSPFv3 (IP services feature set)
Auto-QoS enhancements that add automatic configuration classification of traffic flow from video devices.
AutoSmartports enhancements: support for global macros, last-resort macros, event trigger control, access points, EtherChannels, auto-QoS with Cisco Medianet, and IP phones.
CDP and LLDP enhancements for exchanging location information with video endpoints.
Smart Install enhancements including client backup files, zero-touch replacement for clients with the same product ID, and automatic generation of the image_list file.
Dynamic creation or attachment of an auth-default ACL on a port with no configured static ACLs.
Cisco EnergyWise Phase 2 to manage power usage of EnergyWise-enabled Cisco devices and non-Cisco endpoints running EnergyWise agents
AutoSmartports enhancements (macro persistency, LLDP-based triggers, MAC address and OUI-based triggers).
EEM 3.2 Neighbor Discovery, Identity, and MAC-Address-Table.
802.1x User Distribution to allow deployments with multiple VLANs.
Network Edge Access Topology (NEAT) to change the port host mode and to apply a standard port configuration on the authenticator switch port.
MAC move to allow hosts to move across ports within the same switch without any restrictions to enable mobility.
SNMPv3 with Triple Data Encryption Standard (3DES) and 128-bit, 192-bit, and 256-bit Advanced Encryption Standard (AES) encryption algorithms.
Hostname inclusion in the option 12 field of DHCPDISCOVER packets.
DHCP Snooping enhancement to support the circuit-id sub-option of the Option 82 DHCP field.
LLDP-MED enhancements to allow the switch to grant power to the powered device (PD), based on the power policy TLV request.
QoS marking of CPU-generated traffic and queuing of CPU-generated traffic on egress ports.
NEAT with 802.1X switch supplicant, host authorization with CISP, and auto enablement.
802.1x authentication with downloadable ACLs and redirect URLs.
Flexible-authentication sequencing to configure the order of authentication methods tried by a port.
Multiple-user authentication to allow more than one host to authenticate on an 802.1x-enabled port.
Support for the LLDP-MED MIB and the CISCO-ADMISSION-POLICY MIB.
Smart Install to allow a single point of management (director) in a network.
Cisco Medianet to enable intelligent services in the network infrastructure for a wide variety of video applications.
Support for up to 32 10-Gigabit Ethernet DWDM X2 optical modules.
Intermediate System-to-Intermediate System (IS-IS) routing for Connectionless Network Service (CLNS) networks
Support for the Cisco IOS Configuration Engine (previously the Cisco IOS CNS agent)
Support for these MIBs: SCP attribute in the CONFIG_COPY MIB, CISCO-AUTH-FRAMEWORK, CISCO-MAC-AUTH-BYPASS, LLDP
IPv6 features supported in the IP services and IP base software images: ACLs; DHCPv6 for the DHCP server, client, and relay device; EIGRPv6; HSRPv6; OSPFv3; RIP; static routes
Generic message authentication support with the SSH Protocol and compliance with RFC 4256
Voice aware 802.1x and MAC authentication bypass (MAB) security violation
The ability to exclude a port in a VLAN from the SVI line-state calculation
PAgP Interaction with Virtual Switches and Dual-Active Detection
Rehosting a software license and using an embedded evaluation software license
DHCP for IPv6 relay, client, server address assignment and prefix delegation (IP services image)
Embedded event manager (EEM) for device and system management
Automatic quality of service (QoS) Voice over IP (VoIP) enhancement
Dynamic voice virtual LAN (VLAN) for multidomain authentication (MDA)
Support for the Link Layer Discovery Protocol Media Extensions (LLDP-MED) location TLV
Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED)
Support for auto-rendezvous point (auto-RP) for IP multicast
||
You should review this section before you begin working with the switch. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.
There is no workaround. (CSCse33114)
The workaround is to block traffic from the specific MAC address by using the mac address-table static mac-addr vlan vlan-id drop global configuration command. (CSCse73823)
The workaround is to set the burst interval to more than 1 second. We recommend setting the burst interval to 3 seconds even if you are not experiencing this problem. (CSCse06827)
PLATFORM_ENV-1-RPS_ACCESS: RPS is not responding
No workaround is required because the problem corrects itself. (CSCsf15170)
The workaround is to use modules with serial numbers that are not in the specified range. (CSCsh59585)
– Allow space between the switches when installing them.
– In a switch stack, plan the SFP module and cable installation so that uplinks in adjacent stack members are not all in use.
– Use a long, small screwdriver to access the latch, then remove the SFP module and cable. (CSCsd57938)
The workaround is to configure aggressive UDLD. (CSCsh70244)
There is no workaround. (CSCec74610) (Catalyst 3750-X switches)
PLATFORM_RPC-3-MSG_THROTTLED: RPC Msg Dropped by throttle mechanism: type 0, class 51, max_msg 128, total throttled 984323
-Traceback= 6625EC 5DB4C0 5DAA98 55CA80 A2F2E0 A268D8
No workaround is necessary. Under normal conditions, the switch generates this notification when snooping the next ARP packet. (CSCse47548)
The workaround is to not configure VLANs with protected ports as part of a fallback bridge group. (CSCsg40322)
When a switch port configuration is set at 10 Mb/s half duplex, sometimes the port does not send in one direction until the port traffic is stopped and then restarted. You can detect the condition by using the show controller ethernet-controller or the show interfaces privileged EXEC commands.
The workaround is to stop the traffic in the direction in which it is not being forwarded, and then restart it after 2 seconds. You can also use the shutdown interface configuration command followed by the no shutdown command on the interface. (CSCsh04301)
The workaround is to enter the switchport access vlan dynamic interface configuration command separately on each port. (CSCsi26392)
The workaround is to use the session stack-member-number privileged EXEC command. (CSCsz38090)
The workaround is to delete any unnecessary files in flash memory, delete the temporary files created as part of the failed upgrade, and try the MCU upgrade again. (CSCtd75400)
The workaround to verify the cable length is to enter the commands when a Gigabit link is active on the interface or after disconnecting the far end of the cable. (CSCte43869)
– The EtherChannel is a cross-stack EtherChannel with a switch stack at one or both ends.
– The switch stack partitions because a member reloads. The EtherChannel is divided between the two partitioned stacks, each with a stack master.
The EtherChannel ports are put in the suspended state because each partitioned stack sends LACP packets with different LACP Link Aggregation IDs (the system IDs are different). The ports that receive the packets detect the incompatibility and shut down some of the ports. Use one of these workarounds for ports in this error-disabled state:
– Enable the switch to recover from the error-disabled state.
– Enter the shutdown and the no shutdown interface configuration commands to enable the port.
The EtherChannel ports are put in the error-disabled state because the switches in the partitioned stacks send STP BPDUs. The switch or stack at the other end of the EtherChannel receiving the multiple BPDUs with different source MAC addresses detects an EtherChannel misconfiguration.
After the partitioned stacks merge, ports in the suspended state should automatically recover. (CSCse33842)
No workaround is necessary. The problem corrects itself after the link-up or link-down event. (CSCse75508)
15:50:11: %COMMON_FIB-4-FIBNULLHWIDB: Missing hwidb for fibhwidb Port-channel1 (ifindex 1632) -Traceback= A585C B881B8 B891CC 2F4F70 5550E8 564EAC 851338 84AF0C 4CEB50 859DF4 A7BF28 A98260 882658 879A58
Use one of these workarounds (CSCsd90495):
– Configure the port for single-host mode to prevent the extra MAC address from appearing in the MAC address table.
– Replace the NIC card with a new card.
– If the connected device is supposed to be unauthorized, the connected device might be authorized on the VLAN that is assigned to the critical port instead of to a guest VLAN.
– If the device is supposed to be authorized, it is authorized on the VLAN that is assigned to the critical port.
Use one of these workarounds (CSCse04534):
– Configure MAC authentication bypass to not use EAP.
– Define your network access profiles to not use MAC authentication bypass. For more information, see the Cisco Access Control Server (ACS) documentation.
The workaround is to not use the VLAN assignment option. (CSCse22791)
– Multicast routing is enabled in the VLAN.
– The source IP address of the packet belongs to the directly connected network.
– The TTL value is either 0 or 1.
The workaround is to not generate multicast packets with a TTL value of 0 or 1, or disable multicast routing in the VLAN. (CSCeh21660)
– Multicast routing is enabled in the VLAN.
– The source IP address of the multicast packet belongs to a directly connected network.
– The packet is denied by the IP multicast boundary access-list configured on the VLAN.
There is no workaround. (CSCei08359)
The workaround is to not send RPF-failed multicast traffic, or make sure that the source IP address of the RPF-failed packet is reachable. (CSCsd28944)
There is no workaround. (CSCsd45753)
– The port-channel is configured with member ports across different switches in the stack.
– When one of the member switches reloads.
– The member switch that is reloading has a high rate of IP IGMP joins arriving on the port-channel member port.
The workaround is to disable the IGMP snooping throttle limit by using the no ip igmp max-groups number interface configuration command and then to reconfigure the same limit again. (CSCse39909)
There is no workaround. (CSCsd60647)
The workaround is to enable PoE and to configure the switch to recover from the PoE error-disabled state. (CSCsf32300)
There is no workaround. (CSCsg20629)
The workaround is to turn the powered device off and then on again.
There is no workaround. (CSCeh18677)
There is no workaround. (CSCsc63334)
The workaround is to use a different name for the interface-level policy map. (CSCsd84001)
There is no workaround. (CSCsd72001)
There is no workaround. (CSCsg79627)
– Use the default buffer size.
– Use the mls qos queue-set output qset-id buffers allocation1... allocation4 global configuration command to allocate the buffer size. The buffer space for each queue must be at least 10 percent. (CSCsx69718) (Catalyst 3750-X switches)
– The switch has 400 Open Shortest Path First (OSPF) neighbors.
– The switch has thousands of OSPF routes.
The workaround is to reduce the number of OSPF neighbors to 200 or less. (CSCse65252)
The workaround is to not send traffic to unknown destinations. (CSCse97660)
The workaround is to use an on-demand upgrade to upgrade switches in a stack by entering the vstack download config and vstack download image commands. (CSCta64962)
When you upgrade the director to Cisco IOS Release 12.2(55)SE, the workaround is to also modify the configuration to include all built-in, custom, and default groups. You should also configure the tar image name instead of the image-list file name in the stored images. (CSCte07949)
The workaround is to use the TFTP utility of another server instead of a Windows server or to manually delete the existing backup file before backing up again. (CSCte53737)
The workaround, if you need to configure a switch in a stack with the backup configuration, is to use the vstack download config privileged EXEC command so that the director performs an on-demand upgrade on the client.
– When the backup configuration is stored in a remote repository, enter the location of the repository.
– When the backup file is stored in the director flash memory, you must manually set the permissions for the file before you enter the vstack download config command. (CSCtf18775)
There is no workaround. (CSCtg98656)
– When you select the NONE option in the director CLI, the upgrade should be allowed and is successful on client switches running Cisco IOS Release 12.2(25)SE through 12.2(46)SE, but fails on clients running Cisco IOS Release 12.2(50)SE through 12.2(50)SEx.
– When you enter any password in the director CLI, the upgrade should not be allowed, but it is successful on client switches running Cisco IOS Release 12.2(25)SE through 12.2(46)SE, but fails on clients running Cisco IOS Release 12.2(50)SE through 12.2(50)SEx.
This is a hardware limitation. The workaround is to disable CDP on all interfaces carrying the RSPAN VLAN on the device connected to the switch. (CSCeb32326)
There is no workaround. This is a hardware limitation. (CSCei10129)
The workaround is to configure aggressive UDLD. (CSCsh70244)
This is a cosmetic issue and the workaround is to use the show platform monitor session privileged EXEC command to display the correct source ports. (CSCtn67868)
When a switch or switch stack running Multiple Spanning Tree (MST) is connected to a switch running Rapid Spanning Tree Protocol (RSTP), the MST switch acts as the root bridge and runs per-VLAN spanning tree (PVST) simulation mode on boundary ports connected to the RSTP switch. If the allowed VLAN on all trunk ports connecting these switches is changed to a VLAN other than VLAN 1 and the root port of the RSTP switch is shut down and then enabled, the boundary ports connected to the root port move immediately to the forwarding state without going through the PVST+ slow transition.
The root port gets stuck in the blocking (BLK) state when the secondary root bridge priority is decreased to less than the current root bridge priority in RSTP mode.
The following are the scale numbers for n-member stacks to avoid CSCuz14346:
– For an 8-member stack: the maximum number of active VLANs that can be configured without seeing any STP issue is 46.
– For a 7-member stack: the maximum number of active VLANs that can be configured without seeing any STP issue is 60.
– For a 6-member stack: the maximum number of active VLANs that can be configured without seeing any STP issue is 70.
– For a 5-member stack: the maximum number of active VLANs that can be configured without seeing any STP issue is 80.
– Shut/no shut the affected port.
– For VLAN counts beyond the scale numbers mentioned above, use MST mode.
The workaround is to enter a shutdown and then a no shutdown interface configuration command on the interface. (CSCsx70643)
unable to read config
message appears. The workaround is to wait a few seconds and then to reenter the write memory privileged EXEC command. (CSCsd66272)
The workaround is to use the logging monitor global configuration command to set the severity level to block the low-level messages on the stack member consoles. (CSCsd79037)
The workaround is to avoid traffic congestion on the stack ring. (CSCsd87538)
The workaround is to reboot the new member switch. Use the remote command all show run privileged EXEC command to compare the running configurations of the stack members. (CSCsf31301)
The workaround is to delete files in the flash memory to create more free space. (CSCsg30073)
The workaround is to check the flash. If it contains many files, remove the unnecessary ones. Check the lost and found directory in flash and, if there are many files, delete them. To check the number of files, use the fsck flash: command. (CSCsi69447)
1. You configure a Layer 2 protocol tunnel port on the master switch.
2. You configure a Layer 2 protocol tunnel port on the member switch.
3. You add the port channel to the Layer 2 protocol tunnel port on the master switch.
4. You add the port channel to the Layer 2 protocol tunnel port on the member switch.
After this sequence of steps, the member port might stay suspended.
The workaround is to configure the port on the member switch as a Layer 2 protocol tunnel and at the same time also as a port channel. For example:
The workaround is to enter a shutdown interface configuration command followed by a no shutdown command on the port in the blocked state. (CSCsl64124)
There is no workaround. (CSCth00938)
The workaround is to reload the switch stack after the VRF configuration is changed. (CSCtn71151)
The workaround, when you are forming power stack topologies and the power stack mode is not the default (power sharing), is to also configure the power stack mode on the new power stacks by entering the mode redundant power-stack configuration command. (CSCte33875)
The workaround is to reduce the number of VLANs or trunks. (CSCeb31087)
The workaround is to enter the shut and no shut interface configuration commands on the port to reset the authentication status. (CSCsf98557)
– A supplicant is authenticated on at least one port.
– A new member joins a switch stack.
You can use one of these workarounds:
– Enter the shutdown and the no shutdown interface configuration commands to reset the port.
– Remove and reconfigure the VLAN. (CSCsi26444)
The workaround is to always enter a nonzero value for the timeout value when you enter the boot host retry timeout timeout-value command. (CSCsk65142)
The workaround is to remove unnecessary VLANs to reduce CPU utilization when many links are flapping. (CSCtl04815)
The following guidelines and limitations apply to configuring Cisco TrustSec SGT and SGACL on the Catalyst 3750-X and 3560-X switches:
When port-to-SGT mapping is configured on a port, an SGT is assigned to all ingress traffic on that port. There is no SGACL enforcement for egress traffic on the port.
The workaround is to click Yes when you are prompted to accept the certificate. (CSCef45718)
Catalyst 3750-X, 3750-E, 3560-X, and 3560-E switches internally support up to 16 different control plane queues. Each queue is dedicated to handling specific protocol packets and is assigned a priority level. For example, STP, routed, and logged packets are sent to three different control plane queues, which are prioritized in corresponding order, with STP having the highest priority. Each queue is allocated a certain amount of processing time based on its priority. The processing-time ratio between low-level functions and high-level functions is allocated as 1-to-2. Therefore, the control plane logic dynamically adjusts the CPU utilization to handle high-level management functions as well as punted traffic (up to the maximum CPU processing capacity). Basic control plane functions, such as the CLI, are not overwhelmed by functions such as logging or forwarding of packets.
If this message appears, make sure that there is network connectivity between the switch and the ACS. You should also make sure that the switch has been properly configured as an AAA client on the ACS.
If this happens, enter the no auto qos voip cisco-phone interface command on all interfaces with this configuration to delete it. Then enter the auto qos voip cisco-phone command on each of these interfaces to reapply the configuration.
From Microsoft Internet Explorer:
1. Choose Tools > Internet Options.
2. Click Settings in the “Temporary Internet files” area.
3. From the Settings window, choose Automatically.
5. Click OK to exit the Internet Options window.
If you are not using the default method of authentication (the enable password), you need to configure the HTTP server interface with the method of authentication used on the switch.
Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:
The device manager uses the HTTP protocol (the default is port 80) and the default method of authentication (the enable password) to communicate with the switch through any of its Ethernet ports and to allow switch management from a standard web browser.
If you change the HTTP port, you must include the new port number when you enter the IP address in the browser Location or Address field (for example, http://10.1.126.45:184 where 184 is the new HTTP port number). You should write down the port number through which you are connected. Use care when changing the switch IP information.
The Bug Search Tool (BST), which is the online successor to Bug Toolkit, is designed to improve the effectiveness in network risk management and device troubleshooting. The BST allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.
To view the details of a caveat listed in this document:
1. Access the BST (use your Cisco user ID and password) at https://tools.cisco.com/bugsearch/.
Unless otherwise noted, these caveats apply to Catalyst 3750-X, 3750-E, 3560-X, and 3560-E switches.
When a Catalyst 3K switch stack is not configured as a REP edge and is just part of the ring, convergence takes about 4 to 8 seconds for some streams.
In a Smart Install network, when the director is connected between the client and the DHCP server and the server has options configured for image and configuration, then the client does not receive the image and configuration files sent by the DHCP server during an automatic upgrade. Instead the files are overwritten by the director and the client receives the image and configuration that the director sends.
– If the client needs to upgrade using an image and configuration file configured in the DHCP server options, you should remove the client from the Smart Install network during the upgrade.
– In a network using Smart Install, you should not configure options for image and configuration in the DHCP server. For clients to upgrade using Smart Install, you should configure product-id specific image and configuration files in the director.
If you install 10/100/1000BASE-TX or 100BASE-FX SFPs in the SFP+ module ports (port 2 or port 4), the ports are put in an error disabled state. These SFPs are not supported in the SFP+ ports.
Cisco Network Assistant displays the LED ports with a light blue color for all switches in a stack that have the Catalyst 3750G-48PS switch as part of the stack.
Mediatrace does not report statistics on the initiator under these conditions:
– The responder is a mixed switch stack with a Catalyst 3750 as the master switch.
– The ingress interface on the responder from the initiator is on a member switch.
The workaround is to ensure that the mediatrace ingress and egress connections are on the stack master or to configure a Catalyst 3750-E or 3750-X as the stack master and then reload the switch stack.
When you enter the copy running-config startup-config privileged EXEC command on the switch, the running configuration is not always saved to the startup configuration on the first attempt.
There is no workaround. If you wait for a few minutes, the configuration is saved when the switch attempts it again.
On a switch stack, when an IP phone connected to a member switch has its MAC address authorized using the critical voice VLAN feature, if a master changeover occurs, the voice traffic is dropped. Drop entries for the IP phone appear in the MAC address table management (MATM) table. This occurs because the switch initially drops the voice traffic before reauthenticating critical voice VLAN traffic. The dropped entries are removed when critical voice VLAN authentication occurs.
There is no workaround. The dropped entries are removed when the IP phone is reauthenticated.
A seed switch is connected to a RADIUS server either directly or through a trunk port. A non-seed switch authenticates with the RADIUS server through the seed switch, based on the credential information defined in the RADIUS server. Cisco TrustSec (CTS) parameters must be configured on both the seed switch and the non-seed switch trunk interfaces.
Although the non-seed switch is authenticated and authorized to connect to the network, supplicant devices connected to the non-seed switch might be unable to connect to the network, under these circumstances:
– CTS caching is enabled on the seed switch and not enabled on the non-seed switch.
– The seed switch reported the 802.1x role of the non-seed switch CTS trunk as authenticator in multi-host mode.
– The non-seed switch reported this CTS trunk as the 802.1x authenticator role in single host mode and as supplicant.
The workaround is to reduce the reauthentication time on the seed switch, or enter the shutdown interface configuration command, followed by the no shutdown interface configuration command on the seed switch CTS trunk interface.
ASP now uses a device classifier, which determines the type of device that is connected to the switch. As a result, ASP has no control over the protocol type that is used to detect the device. Therefore, the protocol detection controls are deprecated. When you enter the macro auto global control detection command, the protocol does not show up in the running configuration; however, the filter-spec command is shown in the output.
There is no workaround. To see the deprecated commands, enter the show running-config deprecated global and interface configuration command.
Monitored SPAN traffic is not sent to the SPAN destination when TrustSec MACsec is enabled on the SPAN source interface.
A stack power member switch that does not have a PSU connected in Slot A or Slot B might fail during a Cisco IOS upgrade.
The workaround is to ensure that each stack member has at least one PSU connected. Alternatively, you can download and install the Cisco IOS image using the archive download-sw /force-ucode-reload privileged EXEC command.
The following message may be erroneously displayed during the boot up process.
The global power inline consumption default 15400 command fails to restrict the power consumption of a PoE+ port to 15.4 W.
The workaround is to use the power inline consumption 15400 command in interface configuration mode.
In a switch stack, multicast traffic can be lost for up to 60 seconds when the master switch is reloaded. Because the platform does not support multicast non-stop-forwarding (NSF), the time before traffic reconvergence after a switchover can vary.
Catalyst 3560-E switches crash frequently on Cisco IOS Releases 12.2(58)SE2 and 15.0(2)SE.
When the show sdm prefer command is run on the switch, the template displays the number of indirect IPv4 routes as 7.875K instead of 8K compared to Cisco IOS Release 15.0(2)SE2. There is a reduction of 0.125K in the desktop routing template.
When sampled NetFlow is configured with the command ip flow monitor fm-3 in, the sampler tables are not exported to the collector.
The workaround is to use the configuration command ip flow monitor fm-3 sampler s-1 in.
While configuring VLAN load balancing using Resilient Ethernet Protocol (REP) on an EtherChannel interface whose bundled interfaces are spread across stack member switches, the MAC address flaps when the EtherChannel state changes from open to alternate.
Inline PoE (3K): the 'oper police' field shows 'n/a' instead of 'ok' when the port is in the police err-disabled state.
Use the Bug Search Toolkit to view the details of a caveat listed in this section. For more information about the BST, go to https://tools.cisco.com/bugsearch/.
Telnet sessions that are incompletely established may not time out after a period of inactivity, leading to eventual exhaustion of available VTY lines.
When a Telnet client initiates a Telnet session to an IOS server with a small TCP window size (<2) (rcvwnd on the client TCP side, sndwnd on the server side), the target lines hang forever. They must be cleared manually with the clear tcp command only (clear line does not work). This issue occurs for both VTY and TTY sessions.
The workaround is to clear the session manually with the clear tcp tcb 0xXXXX command, where 0xXXXX is the TCB of the hung line (clear line does not work).
The Kron CLI process that runs show tech-support password | redirect tftp.. crashes because of memory corruption. The configuration is as shown below:
kron occurrence Daily-writeNet at 11:50 recurring
kron occurrence Daily-showtech at 13:50 recurring
cli show tech-support password | redirect tftp://194.25.4.197/tech/ms1-ag9!
cli copy running-config rcp://c@194.25.4.197/ms1-ag9
The cli copy running-config rcp://c@194.25.4.197/ms1-ag9 command works, but the cli show tech-support password | redirect tftp://194.25.4.197/tech/ms1-ag9 command crashes.
When a GLC-BX-D/U, CWDM, or DWDM SFP is inserted in port 2 or 4 of the Gazerbeam 10G uplink module, the LEDs do not light up and the port shows 'notconnect' even though it is physically connected.
When rsh command constructs are used within a Tcl script, Tcl fails to send the router hostname, which causes the rsh command constructs to fail authorization to a remote router.
An EEM script that executes on a syslog event causes the Cisco router to fail with the following error message.
000199: *Aug 23 16:49:32 GMT: %BGP-5-ADJCHANGE: neighbor x.x.x.x Up
Frame pointer 0x30CF1428, PC = 0x148FDF84
UNIX-EXT-SIGNAL: Segmentation fault(11), Process = EEM ED Syslog
1#07279b80de945124c720ef5414c32a90 :10000000+48FDF84 :10000000+48FE400 :10000
000+4B819C8 :10000000+4B81964 :10000000+F5FAD8 :10000000+F5FD10 :10000000+F5FE
F0 :10000000+F5FF94 :10000000+F60608
When the show snmp engineID command is run on a switch with WS-X45-SUP7-E running cat4500e-universalk9.SPA.03.01.00.SG.150-1.XO.bin, it shows the same engineID 800000090300000000000000 on different switches. It seems that the switch has picked up the interface Fa1 MAC address as its engineID.
Local SNMP engineID: 800000090300000000000000
FastEthernet1 is down, line protocol is down
Hardware is RP management port, address is 0000.0000.0000 (bia 0000.0000.0000)
The workaround is to manually configure the SNMP engineID from the CLI.
The Privilege commands are not appearing in the configuration of a Catalyst switch.
When you enter the privilege interface level 3 switchport port-security mac-address sticky command and save the configuration, the command is not visible in either the startup configuration or the running configuration. However, privilege level 3 users can view the command and can use it. If you reload the switch, the command is still not visible in the configuration and also becomes unavailable to the privilege level 3 users.
The workaround is to use the aaa authorization global configuration command to access the commands available for a particular user from the AAA server.
A Cisco Catalyst 3750-X switch experiences a memory leak when trying to use applications such as webauth and web_exec over secure communication (HTTPS).
The workaround is to disable https (secure communication) and use http for HTTP requests.
On the Cisco enhanced EtherSwitch service module (SM-ES2-24P), running the logging source-interface # command does not set the source interface for syslog messages sent to a syslog server.
In a Catalyst 3750-X switch stack, the switches experience slow performance and display the following message. Sometimes the switch stops responding and does not recover until it is power cycled.
%SUPQ-4-CPUHB_RECV_STARVE: Still seeing receive queue stuck after throttling
You may also observe the following messages when the problem occurs.
%PLATFORM_RPC-3-MSG_THROTTLED: RPC Msg Dropped by throttle mechanism
%XDR-6-XDRIPCNOTIFY: Message not sent to slot X because of IPC error timeout. Disabling linecard. (Expected during linecard OIR)
The issue is observed in switches running 12.2(58)SE or later. It also includes 15.0SE releases and 15.2E releases.
The workaround is to configure a longer logging interval. For example,
ip access-list logging interval <value>
If the issue persists after setting a longer logging interval, you must power cycle the switch.
In a switch stack consisting of Catalyst 2960S switches running 15.0(2)SE4, the MAC address tables on all the stack members are not synchronized with the master switch. This issue is observed when the number of member ports is higher than 4.
The workaround is to configure the missing MAC addresses manually.
When configuring VLANs on 3750X stacked switches, the CLI experiences a delayed or slow response.
The workaround is to configure the VTP domain name with VTP enabled.
A change in the behaviour of DHCP client is observed between 15.0(2)SE2 and 15.0(2)SE4 releases.
On a stack of four WS-C3750X-48PF-S switches running the IOS image c3750e-universalk9-mz.150-2.SE5.bin, the CPU utilization is 99%, mainly because of the ASP Process Crea process. The output is as shown:
b-la1-013-sw-01#sho proc cpu sort
CPU utilization for five seconds: 99%/0%; one minute: 99%; five minutes: 84%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
363 99416 3304 30089 50.39% 43.54% 22.12% 0 ASP Process Crea
10 843481803 98980536 8521 18.55% 18.03% 18.08% 0 Hulc LED Process
When you try to remove the macros by entering the no macro auto global processing command, the CPU returns to normal but the master switch crashes.
The workaround is to reload the stack. The CPU remains low for a while. Removing the macros at this time does not cause the master switch to crash.
After a system reload, ip ssh source-interface shows in the startup-config but disappears from the running-config. This is seen in both of the scenarios described below.
Scenario 1:
1. Configure the ip ssh source-interface <interface> CLI, for example:
(config)#ip ssh source-interface gi0/3
2. The show run output shows the ip ssh source-interface <interface> CLI.
3. Configure the same <interface> (the one configured in the ip ssh source-interface CLI) from switch port to routed port.
4. The show run output no longer shows the ip ssh source-interface <interface> CLI.
Scenario 2:
1. Configure some <interface> from switch port to routed port.
2. Configure the ip ssh source-interface <interface> CLI with the same interface mentioned in step 1, for example:
(config)#ip ssh source-interface gi0/3
3. The show run output shows the ip ssh source-interface <interface> CLI configured.
4. Save the configuration and reload.
5. After the reload, the show run output does not show the ip ssh source-interface <interface> CLI.
The workaround is to re-configure ip ssh source-interface <interface> CLI.
When around 500 VLANs are configured on a switch running IOS 15.0(2)SE5 and an interface then goes down or up, the switch shows high CPU utilization, with the highest usage by the 802.1x switch process for 3 minutes.
The issue is not seen on switches running IOS 15.0(2)SE4.
The workaround is to disable the device sensor by entering the no macro auto monitor command.
When 802.1x authentication is running on the port along with IP device tracking, a memory leak in the EPM code results in depletion of IDs and tracebacks similar to this:
-Traceback= 4FCA14z 51FAFCz 14B902Cz 14BA198z 14BA4A8z 14BAA28z 14BAB34z 264AB94z 264DB98z 264EA0Cz 264EC00z 26BF904z 26BA058z
Mar 10 04:14:24.140 CET: %IDMGR-3-INVALID_ID: bad id in id_get (Out of IDs!) (id: 0x0)
When running show epm session sum, it shows one session cloned multiple times, for example:
GigabitEthernet0/9 10.1.10.108 0050.56ac.0930 10 0000-0000-0000-0000-0000
GigabitEthernet0/9 10.1.10.108 0050.56ac.0930 10 0000-0000-0000-0000-0000
The number of cloned sessions then increases over time.
This issue is seen on stacked 3560-X and stacked 3750-X switches running IOS 15.0(2)SE5 and 15.2(1)E1.
The designated port on the root bridge is blocked from forwarding for 30 seconds. This issue occurs because the message-time (the period of time a packet is alive in the network) is almost equal to max-age (the period of time a packet is allowed to stay in the network). When message-time >= max-age, the switch receives an agedMsg on the forwarding port, which moves the port to a blocking state.
The lightweight wireless access point macro applied to an interface which has both CDP and LLDP enabled flaps continuously. The CDP neighbor devices are discovered initially on the Gi0 interface of the AP and then after a few seconds, the neighbour devices are discovered on the main interface and the sub-interface (Gi0 and Gi0.1) of the AP. After some time, CDP neighborship times out for the Gi0 interface and the macro configuration for $LINKUP == "NO" event is applied on the switch interface.
The workaround is to disable LLDP on the switch interface.
When port security is configured on all ports and an end host is moved, the MAC address table is out of sync.
The workaround is to clear the MAC address table.
When Resilient Ethernet Protocol (REP) is running, CPU usage is high during a failover.
Cisco TrustSec crashes while assigning new Security Group Tags (SGTs) and then applying the corresponding Role-Based Access Control Lists (RBACLs).
The workaround is to limit the number of RBACL entries.
When a PC with 802.1x capability is connected to an IP phone and the PC boots up, the IP phone sends CDP port UP to the switch, which restarts the 802.1x authentication process. The switch deletes the running 802.1x authentication process and starts over upon receiving CDP port UP from the IP phone. This causes authentication to fail on machines that can complete it only on the first attempt.
On Cisco IOS Release 15.0(2)SE6, the PS-FAN falls to FAULTY status after upgrading the IOS software from Cisco IOS Release 15.0(2)SE5. The show env stack command displays the following output:
Temperature Value: 35 Degree Celsius
Yellow Threshold : 46 Degree Celsius
Red Threshold : 60 Degree Celsius
Temperature Value: 34 Degree Celsius
Yellow Threshold : 46 Degree Celsius
Red Threshold : 60 Degree Celsius
The workaround is to downgrade to Cisco IOS Release 15.0(2)SE5 or to use the latest release, which has a fix for this issue.
The following syslog message should be removed or it should not be generated by default:
May 20 04:44:33 CEST: %CTS-6-SAP_REKEY_TIMER_EXPIRED: SAP Rekey Timer Expired for interface(Te2/1/1) after 169 sec.
The message should be removed because it is seen only if the switch being used is an initiator of a rekey. Also on high speed links the messages appears very often which affects logging buffer.
The default rekey intervals are:
The other option would be to modify the behaviour and generate such syslog each time when a rekey happens no matter which ends initiate it.
When an EX90/EX60 is configured to communicate over the data VLAN, the EX cannot get an IP address via DHCP over the data VLAN. This is because the switch expects the packet to arrive from the EX on the voice VLAN, but the EX sends packets on the data VLAN. All DHCP requests are dropped at the switch, so the EX cannot get an IP address.
The workaround is to disable one of the following:
– Voice Vlan on the interface (remove voice vlan config from the interface)
Due to a timing issue, the port channel member port on the slave switch of the stack loops during boot up. The issue occurs only on the member port that is configured as the first port in a cross-stack EtherChannel configuration and when Nexus devices are connected to Cisco devices. Due to Link Aggregation Control Protocol (LACP) graceful convergence, when both the devices are up and in sync (S) state, Cisco devices start transmitting even before the devices get onto collecting (C) state. This causes the port to be pulled down by the Nexus devices. When this happens during boot up, the EtherChannel hardware programming for the port is cleared even when the port is bundled in the port-channel.
The workaround is to enter the shutdown/no shutdown command on the port-channel interface or disable lacp graceful-convergence on the port-channel on peer devices.
When a switch stack is configured in VTP client mode with VTP password, the show command for the stack master displays the VTP operating mode as client, whereas the member switches display the VTP operating mode as server.
The workaround is to remove the VTP password.
10G link convergence is better than 1G convergence during link pull or link down. When the interface is lost in a port channel the flow switch over to the backup link is faster for 10G uplink when compared to a 1G uplink. This is because interface state polling is faster for 10G uplink than 1G uplink.
Unless otherwise noted, these caveats apply to Catalyst 3750-X, 3750-E, 3560-X, and 3560-E switches.
On stack switches, the first switch is configured as client and the other switch is configured as DHCP server and TFTP server. When you reload the first switch, the auto configuration does not start.
In a network that consists of two DHCP clients with same client id and different mac addresses, the DHCP server reloads when one of the clients releases its DHCP address.
The switch fails when a secondary IP address is configured on a VLAN interface.
The CPU usage increases when you configure the local proxy Address Resolution Protocol (ARP) feature on a Switch Virtual Interface (SVI).
The workaround is, after you configure the SVI, to remove the local proxy ARP configuration by entering the no ip local-proxy-arp command and then reconfigure it by entering the ip local-proxy-arp command.
A switch configured with login quiet-mode resets when you enter the login block-for or no login block-for commands.
There is no workaround. Nevertheless, to avoid a reset, do not enter the login block-for or no login block-for commands.
The TCP stack of Cisco IOS Software has a vulnerability caused by terminating TCP connections incorrectly. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted sequence of TCP ACK and FIN packets to an affected device, causing an ACK storm that results in excessive network utilization and high CPU usage.
The workaround is to use the clear tcp tcb 0x<tcb_num> command, where the hexadecimal value is the address of the TCB with a connection state of LASTACK in the show tcp brief command output.
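Both the hung Telnet line caveat and the ACK storm caveat above are cleared with clear tcp tcb against the TCB address that show tcp brief reports. The following Python script is an added example, not code from Cisco or these release notes: it parses that output and builds the clear commands for sessions in a stuck state. The sample output is constructed, and the column layout (TCB, local address.port, foreign address.port, state) is assumed to match show tcp brief.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample of "show tcp brief" output (not captured from a real device).
# The TCB column is the hexadecimal address that "clear tcp tcb" expects.
SAMPLE_SHOW_TCP_BRIEF = """\
TCB       Local Address               Foreign Address             (state)
6523A4FC  10.1.25.3.23                10.1.25.40.51022            ESTAB
651F00B8  10.1.25.3.23                10.1.25.41.51540            LASTACK
65200C40  10.1.25.3.23                10.1.25.42.60211            LASTACK
6514D2E8  *.23                        *.*                         LISTEN
"""


@dataclass
class TcpSession:
    tcb: str       # hexadecimal TCB address, without 0x prefix
    local: str     # local address.port as printed by the switch
    foreign: str   # foreign address.port as printed by the switch
    state: str     # TCP state, e.g. ESTAB, LASTACK, LISTEN


# One data row: hex TCB, two address columns, uppercase state. The header line
# ("TCB ... (state)") does not match because "TCB" is not a hex string.
ROW_RE = re.compile(
    r"^\s*(?P<tcb>[0-9A-Fa-f]{6,10})\s+"
    r"(?P<local>\S+)\s+"
    r"(?P<foreign>\S+)\s+"
    r"(?P<state>[A-Z]+)\s*$"
)


def parse_show_tcp_brief(text: str) -> List[TcpSession]:
    """Parse the rows of 'show tcp brief' into TcpSession records.

    Header and blank lines are skipped; anything that does not look like a
    data row is ignored rather than raising, so pasted output with prompts
    or --More-- residue still parses.
    """
    sessions: List[TcpSession] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            sessions.append(TcpSession(m["tcb"], m["local"], m["foreign"], m["state"]))
    return sessions


def stuck_sessions(sessions: Iterable[TcpSession],
                   states: Tuple[str, ...] = ("LASTACK",)) -> List[TcpSession]:
    """Return the sessions whose state is one of the given stuck states.

    LASTACK is the state named in the ACK storm workaround; a hung Telnet
    line can be selected the same way by passing its state or by filtering
    on the TCB reported for that line.
    """
    return [s for s in sessions if s.state in states]


def clear_commands(sessions: Iterable[TcpSession]) -> List[str]:
    """Build the 'clear tcp tcb 0x<addr>' privileged EXEC commands for the sessions."""
    return [f"clear tcp tcb 0x{s.tcb.upper()}" for s in sessions]


if __name__ == "__main__":
    found = parse_show_tcp_brief(SAMPLE_SHOW_TCP_BRIEF)
    for cmd in clear_commands(stuck_sessions(found)):
        print(cmd)
```

Review the selected TCBs before issuing the commands, because a LASTACK entry that is still within its normal close timer will also be matched.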
When you configure Flex Link on stacks containing interfaces from different switches, the interfaces start flapping continuously.
The workaround is to remove the Flex Link configuration from the interfaces.
Port-channel interface flaps while adding or removing a VLAN from the trunk on a port-channel interface if one or more port members are not in P or D states.
The workaround is to shut down the port members which are not in P or D states and make the VLAN changes.
When the traffic rate on a CTS-enabled interface connecting Catalyst C3750X switch and Integrated Services Router (ISR) is higher than 950 Mbps, the interface wedges and blocks all the traffic.
The workaround is to reload the switch and reduce the traffic rate to less than 950 Mbps.
When you upgrade a device to a Cisco IOS or Cisco IOS XE release that supports Type 4 passwords, enable secret passwords are stored using a Type 4 hash which can be more easily compromised than a Type 5 password.
The workaround is to configure the enable secret command on an IOS device without Type 4 support, copy the resulting Type 5 password, and paste it into the appropriate command on the upgraded IOS device.
In a stack of Catalyst 3750-X switches, port-security-enabled ports block all network traffic through them. The show mac address-table command shows that the MAC address is learned as static on the master switch, whereas the member switches do not have this MAC address in their MAC address table.
Memory leak occurs when you map the Entity MIB API, and configure clustering on the switch.
The workaround is to perform any one of the following steps:
– Remove the clustering configuration from the switch.
– Reload the switch to release the memory occupied by the Entity MIB API process.
During the SNMP walk, the vlanTrunkPortDynamicStatus object in the CISCO-VTP-MIB module shows “notTrunking(2)” for the members of Port-channel trunk ports.
The workaround is to use the CLI to get the correct values.
Memory leak occurs when the show macsec interface command is entered on the inactive Wall-E interfaces.
The workaround is not to enter the show macsec interface command on the inactive Wall-E interfaces.
The switch port goes in to the err-disabled state due to port security violations.
The workaround is to run the no switchport command on the interface.
The device under test (DUT) fails with a traceback when you enter the configure replace target-url command. The issue occurs when the following message is forwarded to the forward_formatted_msg_to_logger() API.
% eula should be accepted for non-interactive management for license-level = ipservices (stack3-1-3I-1-2)
In a switch stack, if a stack member is connected to a Meru access point that requires 802.3at or 29.5 W PoE+ inline power, the connection over 802.3at PoE+ fails.
The workaround is to move all the affected PoE+ devices to the stack master.
The stacked switch setup fails when you change or remove an existing password while the relayed console waits for the authentication prompt.
The workaround is to reduce the number of changes to the password in the console or VTY when the relayed console waits for the authentication prompt.
CSCui20519 (Catalyst Switches 3750-X and 3560-E)
In a Cisco Catalyst Switch stack of 8 member switches, a memory leak is observed in the HRPC pm request handler process. The issue occurs after reloading the stack members or after online insertion and removal (OIR) of the transceivers that are DOM capable.
The I2C failure occurs when reading the payload from the Microcontroller Unit (MCU) to the CPU and writing the payload from the CPU to the MCU. During the I2C read and write operations, the CPU and MCU go out of sync, the communication between them stops, and the CPU declares that the FRONT-END is inactive.
The show env fan command does not detect faulty power supply fans on a switch.
When you enable the Address Resolution Protocol (ARP) retry feature on the switch, the CPU usage increases.
When VLAN Trunk Protocol (VTP) version 3 is configured on stacked switches, the inconsistency in VTP mode is observed between the master switch and the member switch. When you run the show vtp status command, the master switch shows the status as Server for VLAN and Transparent for Multiple Spanning Tree (MST), and the member switch shows the status as Primary Server for both VLAN and MST.
The workaround is to configure the switch to VTP version 2 and then reconfigure the switch to VTP version 3.
Web Cache Communication Protocol (WCCP) traffic drops when you reload the master switch in the stack.
In a topology in which a Catalyst 3750X switch acts as the multicast router, a receiver constantly sends join messages to a multicast group (*,G) before the source starts sending the multicast traffic. When the source starts sending traffic to the multicast group, an (S,G) is created and some of the initial packets sent by the source are lost. Once the (S,G) is programmed for the traffic sent by the source, all the subsequent multicast traffic reaches the receiver.
A switch reboots unexpectedly while using dot1x authentication with IP Device Tracking (IPDT) enabled. If ip device tracking probe { delay delay } is configured and the switch is operating near the maximum IPDT limit of 2048 hosts, there is a probability that a host may have its delay timer started, but released before it expires.
Use one of the following workarounds:
– Keep the number of hosts less than 2048.
– Disable dot1x authentication, which in turn disables IP HOST TRACK process.
When you configure per-VRF on an AAA TACACS+ server group, the ip vrf forwarding command does not appear in the running configuration after reloading the stack master. This issue occurs only in stack configurations.
The workaround is to use the vrf definition command instead of the ip vrf command to configure per-VRF.
After performing a shut or no shut on the ports of a Catalyst switch, the status of some of the ports is displayed as Not Connected, even if they are connected to a remote device.
The workaround is to perform a shut or no shut on the affected ports.
An Access Control List (ACL) configured on the guest VLAN interface for 802.1X unauthenticated clients is not applied.
The workaround is to configure the ACL on the dot1x port itself instead of the guest VLAN interface.
Memory leak occurs in the Service Module (SM) when handling the HRPC message.
The switch reboots if the shutdown and no shutdown commands are repeatedly entered for the alternating ports in an 8-node Resilient Ethernet Protocol (REP) ring segment. The following error message is displayed:
On a switch stack, when Resilient Ethernet Protocol (REP) and Open Shortest Path First (OSPF) are configured, the OSPF fails at Exstart during the master switch-over.
The workaround is to bounce the forwarding REP port on the switch stack.
In response to an NTP control request, the offset value in the reply packet received from a Catalyst 3560X/E switch running on 12.2(58)SE or later is different from the offset value in a packet received from a switch running on 12.2(55)SE or earlier.
The workaround is to downgrade the switch to 12.2(55)SE or earlier.
When you repeatedly run the shut and no shut commands on the alternating ports of an 8-node REP ring, the stack member with the REP secondary edge port drops multicast traffic for 20 to 50 seconds.
The Webauth memory leak occurs during the Webauth authentication process, and the Enterprise Policy Management (EPM) memory leak occurs when authentication policies are applied through EPM.
When IPV6 MLD Snooping is enabled on a switch and the switch is restarted, the packets that are destined to Solicited-Node multicast address are not forwarded in some rare instances.
The workaround is to disable the IPv6 MLD Snooping, and then enable the IPv6 MLD Snooping.
When you apply an ACL to an interface or a VLAN and there is a shortage of Ternary Content-Addressable Memory (TCAM), the Flow-Based Switch Port Analyzer (FSPAN) does not work as expected when reloading the FSPAN session.
The workaround is to reconfigure the VLAN-based FSPAN session.
CSCum78626 (Catalyst Switches 3750-X and 3750-E)
When a new switch is added to the stack, and if the stack has the Hot Standby Router Protocol (HSRP) configured, the newly added member switch fails.
After 1000 packets/second are sent continuously on the 10G interface of the C3KX-SM-10G service module for more than 1 hour, the C3KX-SM-10G service module could go down and no Netflow flow records can be created.
In Policy Based Routing (PBR), if the first match clause is removed, the packets are forwarded to the next hop IP address of the second match clause. This feature, which previously showed errors, is now functioning properly.
There is no workaround needed.
(LAN Base) ACLs applied to outbound traffic on the switch virtual interface (SVI) do not work.
On a switch stack, IPDT (IP Device Tracking) on the master switch does not update a new VLAN ID after authentication with 802.1x is successful. As a result, connectivity is not possible even though the client machine has a valid IP address, and dACLs (downloadable ACLs) are not applied on the interface.
The workaround is to configure authentication as open so that traffic is allowed only after authentication is successful. Alternatively, add a short lease DHCP server on the default access VLAN so that clients are assigned different IP addresses on the default access VLAN and dynamic VLAN.
If a Catalyst 3750-X switch stack that runs Cisco IOS Release 15.0(2)SE1 is connected to a Catalyst 2960 switch using cross-stack EtherChannel, and the master switch is power cycled, the line protocol of the member interfaces and channels flaps. If the channel goes down, no message output is displayed on the stack switch.
Netflow cache is not created after applying a flow monitor to the interface on the member switch.
CPU usage goes above 90% when Internet Group Management Protocol (IGMP) version 3 report packets are sent to the switch which has IGMP version 2 configured on the switch virtual interface.
The workaround is to either disable multicast fast convergence or configure IGMP version 3 on the switch virtual interface.
TACACS+ single connect authentication request from a switch stack takes around 10 to 12 minutes to failover to secondary server after the primary TACACS server is unreachable.
The workaround is to disable TACACS+ single connect configuration on the switch.
When the master switch in a switch stack is reloaded, the Cisco TrustSec (CTS) link configured on the C3KX-SM-10G port of the member switch goes down.
The workaround is to enter a shutdown command followed by the no shutdown command on the ports of the service module.
When Cisco TrustSec (CTS) is configured in manual mode with the no switchport command, the CTS link does not come up if the link is on a member switch.
The workaround is to enter a shutdown command followed by the no shutdown command on the port.
The switch runs out of memory within a few seconds of configuring the level <n> show spanning-tree active/detail privilege EXEC command.
When Cisco TrustSec (CTS) is configured on an LACP port-channel of the switch, where the peer port-channel is on any switch other than a Catalyst 3750-X or 3560-X, the port-channel goes to the suspend state.
Web authentication does not work.
MACsec link traffic drops periodically.
In a switch stack where EnergyWise is enabled, a memory leak is observed when the show energywise children privileged EXEC command is entered or when the cewEntEnergyUsage object ID is polled.
CTS environment-data download fails on a non-seed device after reboot.
The workaround is to remove the Protected Access Credential (PAC) encryption key ( no pac key RADIUS server configuration command) and then configure the key again ( pac key command).
When the switch is started using TACACS+ configurations, the CPU utilization increases to 100% and the VTY device does not work.
The workaround is to remove the TACACS+ configurations and restart the switch.
The ipAddrEntry value in the IP Address Table shows an interface index that is not exposed by the ifEntry Object ID.
Internal VLANs are displayed when the show snmp mib ifmib ifindex command is entered or the SNMP is queried for the ipMIB object.
The workaround is to check if the displayed VLANs are internal and then to hide them.
CPU usage is high when an SNMP Walk of the Address Resolution Protocol (ARP) table is performed.
The workaround is to implement SNMP view using the following commands:
snmp-server view cutdown iso included
snmp-server view cutdown at excluded
snmp-server view cutdown ip.22 excluded
snmp-server community public view cutdown ro
snmp-server community private view cutdown rw
If an ACL is configured on a router VTY line for ingress traffic, the ACL is applied for egress traffic also. As a result, egress traffic to another router on an SSH connection is blocked.
The workaround is to permit egress traffic to the specific destination router using the permit tcp host <destination router IP address> eq 0 any interface configuration command.
The device connected to the switch crashes when a CDP data frame is processed. The SYS-2-FREEFREE and SYS-6-MTRACE messages are displayed.
The workaround is to disable CDP using the no cdp run global configuration command. This workaround is not applicable if the connected device relies on or supports a phone or voice network.
Memory leak is seen in the switch when it sends CDP, LLDP or DHCP traffic and when the link flaps.
The workaround is to apply protocol filters to the device sensor output by entering the following global configuration commands:
device-sensor filter-spec dhcp exclude all
device-sensor filter-spec lldp exclude all
device-sensor filter-spec cdp exclude all
If the memory leak continues in the "DHCPD Receive" process, disable the built-in DHCP server by entering the no service dhcp global configuration command.
Spurious traps are observed periodically on removal of power to the RPS.
An STP loop occurs on a FlexStack connected by parallel links when the link state changes on a Flexlink port.
The workaround is to change the switch to root bridge.
A Policy Based Routing (PBR) entry on the switch does not become inactive even after the PBR route's next hop is lost. The traffic continues to take the failed PBR path instead of the next available best path.
When the show interface command is run, an incorrect value is displayed in the input error counter.
The PortASIC TCAM test fails when you run on-demand diagnostics through the diagnostics start command.
You can ignore the results of on-demand diagnostics if POST succeeds on boot up.
LSG Downlink port flaps when SFP+ is used as an uplink port. This issue also appears if SFP+ is configured in a flexlink configuration.
There is no workaround. The configuration recovers automatically.
If a policy map attached to the switch interface is modified, the corresponding QoS policy works incorrectly.
The workaround is to delete the policy map, create a new policy map and then attach it to the interface.
The switch blackholes traffic redirected by Web Cache Communication Protocol (WCCP). This issue occurs when the WCCP cache engine is shut down and the cache is not cleared.
The workaround is to use Cisco IOS Release 12.2(55) or later.
When a native VLAN is configured on the trunk, or when switchport trunk native vlan 99 is configured on the interface, a spanning-tree instance is not created for the native VLAN.
The workaround is to keep VLAN 1 as the native VLAN on the trunk. In Cisco IOS Release 15.0(2)SE, dot1x is enabled by default and causes authentication to fail in the native VLAN. This results in pm_vp_statemachine not triggering any event to spanning tree. To disable dot1x internally, run the no macro auto monitor command. The STP instance is created for native VLAN 99 after running the shut and no shut commands on the interface.
Web Cache Communication Protocol (WCCP) traffic is not redirected after reloading the switch.
The workaround is to remove the WCCP redirect command from the interface and then add it back on the interface.
On the Catalyst 2960S switch stack, when the login block command is configured and the running configuration is saved using the wr command on the master, the master goes down. When the running configuration is saved on the new master, the following lines are displayed on entering the show running-config command.
ip access-list extended sl_def_acl
When the secret password is configured, the password is not saved. The default password is used as the secret password.
The workaround is to use the default password to login and then change the password.
A vulnerability in the Service Module could allow an authenticated, local attacker to gain root access to the kernel running on the Service Module. The attacker can use the default credentials to log on to the Service Module and take complete control of the operating system running on the Service Module.
The device-sensor-related memory leak is still visible in the DHCPD Receive, CDP Protocol, and Net Background processes even after disabling the device sensor feature by entering the no macro auto monitor command. This symptom is observed with Cisco IOS Release 15.0(2)SE1 on the 2960S with DHCP and CDP traffic and link flapping.
The known workaround is to enter the no service dhcp command if the switch is not a DHCP server and to configure the device sensor as follows:
device-sensor filter-spec cdp exclude all
device-sensor filter-spec dhcp exclude all
device-sensor filter-spec lldp exclude all
In the module with a 1G/10G SFP interface, traffic from the active port is dropped when MACsec is configured on the inactive interface and the switch or module is reloaded.
The workaround is to perform any of the following actions:
– Always enter the macsec command on the active interface and not on the inactive interface.
– Enter the no macsec command on the inactive 10-Gigabit link and then reload the switch or reload the Wall-E module (frulink reload).
– Enter the macsec and no macsec commands on the active interface to restore the traffic.
– When a one Gigabit SFP is connected to the port and the show macsec int command is entered on the ten Gigabit interface.
– When a ten Gigabit SFP is connected to the port and the show macsec int command is entered on the one Gigabit interface.
– When the show macsec int command is executed on an inactive or operationally down interface.
There is no workaround. The suggestion is to make less use of the show macsec int command on the interfaces when no SFP is present.
When reloading a switch in a stack that contains a service module inside a member switch, the links on the service module do not come up after reloading the member switch.
The known workaround is to restore the links by entering the shut and no shut commands on the ports of the service module.
When a client fails to authenticate in the multi-auth mode, the session continues to be active indefinitely.
The workaround is to enter the clear authentication sessions privileged EXEC command to clear information for all authentication manager sessions.
The down-when-looped interface configuration command is not supported with default speed or with 1000BaseT advertisements on the gigabit medium independent interface (GMII interface). This is because the down-when-looped feature and 1000BaseT advertisements both make use of the "next page" function as defined in IEEE 802.3, clause 28 and may result in the link staying down.
If the switch is upgraded from Cisco IOS Release 15.0(2)SE or 15.0(2)SE1 by using the archive download-sw /allow-feature-upgrade /upgrade-ucode <tar_Image> command, the ucode upgrade is performed twice, once at the time of the archive download and again at IOS boot-up. This delays the switch boot time. This behavior is also seen when using the force-ucode-reload option.
The following message is seen intermittently:
FRU Power Supply is not responding
There is no workaround. This message does not indicate a hardware failure of any kind.
When using SNMP v3, the switch unexpectedly reloads when it encounters the snmp_free_variable_element.
The Resource Reservation Protocol (RSVP) feature in Cisco IOS Software and Cisco IOS XE Software contains a DoS vulnerability.
Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-rsvp
Note: The March 27, 2013, Cisco IOS Software Security Advisory bundled publication includes seven Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2013 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar13.html
The Cisco IOS Software implementation of the virtual routing and forwarding (VRF) aware network address translation (NAT) feature contains a vulnerability when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-nat
Note: The March 27, 2013, Cisco IOS Software Security Advisory bundled publication includes seven Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2013 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar13.html
When two traps are generated by two separate processes, the switch fails if one process is suspended while the other process updates variables used by the first process.
The workaround is to disable all SNMP traps.
If a redundant power supply (RSP) switchover occurs during a bulk configuration synchronization, some of the line configurations might disappear.
The workaround is to reapply the line configurations.
Beginning with Cisco IOS Release 12.2(52)SE, the device tracking table could map only one IP address to a single MAC address. This restriction has been removed, and several IP addresses can now be mapped to a single MAC address.
The show ip dhcp pool command displays a large number of leased addresses.
The workaround is to turn off ip dhcp remember and reload the switch.
The following warning messages might be displayed during the boot process even when a RADIUS or TACACS server has been defined:
The secure copy feature (copy: source-filename scp: destination-filename command) does not work.
NetFlow Data Export (NDE) packets might be dropped when virtual routing and forwarding (VRF) is configured on the switch and the exported traffic has conflicting information from the VRF tables and the routing information base.
This problem occurs when the Enterprise Policy Manager (EPM) for a device connected to an interface is authorized in closed mode and no policies are configured or downloaded. If no port ACL is configured, the auth-default access control list (ACL) is applied to the switch. If another device is connected to this device, restricted VLAN (authentication event interface configuration command) is enabled on the port. The Application Control Engine (ACE) is not configured to permit traffic originating from the connected device, and IP packets are dropped.
The workaround is to configure a port ACL to allow IP traffic for the specific IP range for the connected devices on the interface.
If a Catalyst 2960 switch boots with Cisco IOS Release 12.2(50)SE5 or later, a Catalyst 3750 switch that is connected by a trunk port to the Catalyst 2960 switch cannot receive Generic Attribute Registration Protocol (GARP) data packets from the Catalyst 2960 switch.
The workaround is to perform the following actions:
- Run the Catalyst 2960 switch on Cisco IOS Release 12.2(25)SEE or 12.2(53)SE2.
- Clear the Address Resolution Protocol (ARP) on the connected device.
- Enter the switchport nonegotiate command to specify that Dynamic Trunking Protocol (DTP) negotiation packets are not sent on the Layer 2 interface.
- Ping from the Catalyst 2960 switch to the connected device.
- Use the line-proto-delay command to control Switch Virtual Interface (SVI) timing.
When ipl=5, the Catalyst 2960 switch receives the malloc failure message of 20 bytes, and traceback occurs due to interrupt level.
When the ip rsvp snooping command is enabled on a Layer 2 environment, the switch stops forwarding the metadata packets.
When the master switch (Switch A) is reloaded or loses power and rejoins the stack as a member switch, any traffic stream that exits Switch A is dropped because the newly joined member is not able to establish an Address Resolution Protocol (ARP) entry for the next hop router or switch. Debugs confirm that Switch A does not send a GARP or ARP for the next hop, though traffic continues to be sent to the switch.
The workaround is to add a static ARP. Ping the destination from Switch A to force the ARP to respond.
Local web authorization and HTTP services on the switch do not respond because of a web authorization resource limitation in the system. The resource limitation is normally caused by incorrectly terminated HTTP or TCP sessions.
These are possible workarounds and are not guaranteed to solve the problem:
– Enter the ip admission max-login-attempts privileged EXEC command to increase the number of maximum login attempts allowed per user.
– If the web authorization module is intercepting HTTP sessions from web clients in an attempt to authorize them, try using a different browser.
– Eliminate background processes that use HTTP transport.
After reconfiguring the flow monitor on the switch interface, the show flow monitor command shows that NAM3 is active.
The workaround is to reconfigure the flow monitor in the switch interface.
The CISCO_LAST_RESORT_AUTO_SMARTPORT macro is applied to any device for which there is no built-in or user-defined macro, regardless of whether the device supports CDP, Link Layer Discovery Protocol (LLDP), or DHCP. To ensure that a device is not running a discovery protocol that matches the device to a built-in or user-defined macro, the switch waits about 120 seconds before applying the CISCO_LAST_RESORT_AUTO_SMARTPORT macro. The macro is applied to devices such as PCs, laptops, and printers. You do not need to configure MAC operationally unique identifier (OUI)-based triggers and map these triggers to a macro for these devices.
The Smart Install client feature in Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
Affected devices that are configured as Smart Install clients are vulnerable.
Cisco has released free software updates that address this vulnerability. There are no workarounds for devices that have the Smart Install client feature enabled.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-smartinstall
The SAP preshared key configured for Cisco TrustSec manual mode is saved and displayed in the configuration file as clear text.
Heavy traffic load conditions may cause the loop guard protection function to be automatically activated and almost immediately deactivated. These conditions can be caused by entering the shutdown and no shutdown interface configuration commands or by interface link flaps on more than forty ports. These log messages appear:
When quality of service (QoS) is disabled on the switch, fragmented IP packets that are sent to the switch are queued in the wrong egress queue (Queue 1). This situation causes a high number of output drops since the default buffers for Queue 1 do not have the capacity to handle data traffic.
The workaround is to enable QoS and modify queue buffers.
When a peer switch sends inferior Bridge Protocol Data Units (BPDUs) on the blocking port of the Cisco switch (with the proposal bit ON), the Cisco switch waits for three such BPDUs before responding with a better BPDU. This leads to a convergence time of more than 5 seconds. The problem appears under these conditions:
– The Cisco switch is not configured as the root switch.
– The Cisco switch uses Multiple Spanning-Tree Protocol (MSTP) and the peer switch uses Rapid Spanning Tree Protocol (RSTP) or rapid per-VLAN spanning-tree plus (rapid PVST+).
With switches running Cisco IOS Release 15.0(2)SE, there was a problem when port-based address allocation was configured. The DHCP client did not receive IP addresses from the server if the client ID was configured as an ASCII string or if the subscriber ID was used as the client ID.
This problem has been fixed now. No action is required.
When you configure and save the monitor session source interface, the configuration is not saved after reboot.
A bidirectional port on a stack member returns an incorrect status.
The Cisco TrustSec link is down.
The workaround is to reconfigure the Cisco TrustSec link layer security. You can do this in the 802.1x mode by using the cts dot1x interface configuration command or in the manual mode by using the cts manual interface configuration command.
When traffic is routed between two VLANS, multicast packets on the switch are lost for a few seconds. This happens only when the multicast source routes traffic to a group that already has a receiver on it.
When you configure FlexLinks on the service modules and you plug the link into the port, the following syslog error message appears repeatedly:
If an interface is configured with the switchport port-security maximum 1 vlan command, the following error message is displayed:
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address XXXX.XXXX.XXXX on port <interface>
The flash memory is corrupted when you format the flash manually.
The workaround is to reload the switch. (Note that this erases the flash memory, and you will need to reload the software image using TFTP, a USB drive, or a serial cable.)
If the Performance Monitor cache is displayed (using the show performance monitor cache command) and you attempt to stop the command output display by entering the q keyword, there is an unusually long delay before the output is stopped.
The workaround is to enter the terminal length 0 privileged EXEC command so that all command output is displayed without any breaks.
There is a memory loss when routing entries are updated in the table, because the switch is not releasing previously allocated memory when system resource allocation fails.
After a master switchover on a switch stack, IPV6 multicast routing fails.
The workaround is to avoid configuring IPv6 multicast routing on larger stacks. We recommend enabling IPv6 multicast routing on stacks with five or fewer members.
When the show epm session summary or show epm command is entered from an SSH or telnet session and another command is entered from the console, the switch might unexpectedly reset and generate crash information.
The workaround is to enter both commands from the same session, either SSH/telnet or console.
The switch might occasionally reload after experiencing a CPU overload, regardless of what process is overloading the CPU.
A Catalyst 3560-X or 3750-X switch port might stop forwarding traffic. The packet counters increment for sent packets, but not for received packets.
The workaround, to bring up the port, is to save the configuration and to restart the switch.
The switch downloads the running IOS image from the TFTP server and reboots even though the same image is currently loaded and running.
Cisco IOS Software and Cisco IOS XE Software contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a crafted request to an affected device that has the DHCP version 6 (DHCPv6) server feature enabled, causing a reload.
Cisco has released free software updates that address this vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-dhcpv6
When an interface is configured with the mls qos command, traffic is not matched by port-based QoS ACLs that use the range option.
The workaround is to configure the switch using the single port eq keyword. Alternatively, you can configure the trust under class-default setting for the same policy-map that uses the acl-range option.
In a switch stack, you cannot establish a console session with a member switch when an ACL is applied to the VTY lines.
The workaround is to use the following procedure when you apply an ACL to line vty 0 4 and line vty 5 15:
1. Create the vty ACL and permit the 127 network.
2. Append the vrf-also keyword to the configured access-class inbound.
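The two-step workaround above as a complete configuration (an added example, not from the release notes; the ACL name VTY-MGMT and the 10.0.0.0/8 management range are assumptions):

```text
! Step 1: VTY ACL that permits the 127 network (used by the stack for
! member console sessions) plus the assumed management range 10.0.0.0/8
ip access-list standard VTY-MGMT
 permit 127.0.0.0 0.255.255.255
 permit 10.0.0.0 0.255.255.255
 deny   any log
!
! Step 2: apply it inbound with the vrf-also keyword on both VTY ranges
line vty 0 4
 access-class VTY-MGMT in vrf-also
line vty 5 15
 access-class VTY-MGMT in vrf-also
```

The deny any log entry is not required by the workaround; it only makes rejected VTY connection attempts visible in the log.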
In a switch stack, the show interface command shows incorrect values for output drops.
The workaround is to use the show platform port-asic stats drops command to see the correct values.
The archive download feature does not work if the flash contains an “update” directory. This situation is likely to occur if a previous download failed or was interrupted and the “update” directory is still left in the flash.
The workaround is to delete the “update” directory in the flash before starting the archive download.
A static route that has the next hop set to null0 is removed when the master switch is changed in a switch stack configuration. This situation occurs when the switch is stacked and the static route is advertised by the network 0.0.0.0 command.
The workaround is to use the ip summary-address eigrp as-number ip-address mask command to set the IP summary aggregate address for the interface through which the next hop can be found.
When a device is moved from one port to another in a switch stack, the SNMP data generated for the move event is incorrect.
The workaround is to ensure that the uplink to the core network is configured on the master switch (for example, a 1/0/x port).
OSPFv3 neighbors might flap because of the way the switch handles IPv6 traffic destined for well-known IPv6 multicast addresses.
Users connecting to the network through a device configured for web proxy authentication may experience a web authentication failure.
There is no workaround. Use the clear tcp tcb command to release the HTTP Proxy Server process.
Using the dot1x default command on a port disables access control on the port and resets the values of the authentication host-mode and authentication timer reauthenticate commands to the default values.
The workaround is to avoid using the dot1x default command and set various dot1x parameters individually. You can also reconfigure the parameters that were changed after you entered the dot1x default command.
The switch drops Layer 3 multicast traffic received from a Layer 2 port channel on a switch virtual interface (SVI) that is associated with a VPN Routing and Forwarding (VRF) instance.
The workaround is to flap the ingress physical interface, the SVI, or the port channel.
In a switch stack setup after you reload a member switch, a multilayer switching (MLS) class of service (CoS) configuration command with a specified value such as mls qos cos 7 on the slave switch does not function anymore. This situation impacts untagged IP and Layer 2 packets.
The workaround is to ensure that when you configure a service policy on an interface, an interface default level CoS is also configured. You can use the mls qos trust cos command in interface configuration mode.
When using the switchport port-security maximum 1 vlan access command, if an IP-phone with a personal computer connected to it is connected to an access port with port security, a security violation will occur on the interface. This type of message is displayed on the console:
Here is a sample configuration:
The workaround is to remove the line switchport port-security maximum 1 vlan access.
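The caveat and its workaround as a before/after interface configuration (an added example, not the release notes' own sample configuration; the interface number and VLAN IDs are assumptions):

```text
! Before: IP phone on voice VLAN 20 with a PC behind it on access VLAN 10.
! The per-VLAN limit on the access VLAN triggers the spurious violation.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security violation restrict
!
! After (workaround): remove only the per-VLAN line. The aggregate
! maximum of 2 still bounds the port to the phone and the PC.
interface GigabitEthernet1/0/5
 no switchport port-security maximum 1 vlan access
```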
The switch does not correctly detect a loopback when the switch port on an authenticated IP phone is looped to a port configured and authenticated with dot1x security, even when bpduguard is configured on the interface. This situation can result in 100 percent CPU utilization and degraded switch performance.
The workaround is to configure the interface with the authentication open command or to configure authentication mac-move permit on the switch.
The Catalyst 4500E series switch with Supervisor Engine 7L-E contains a denial of service (DoS) vulnerability when processing specially crafted packets that can cause a reload of the device.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-ecc
If a new port is added to an etherchannel on a switch using DAI or IPDT, ARP packets that ingress the port are lost.
The workaround is to save the configuration and reload the switch. Alternatively, configure the switch by entering the no macro auto monitor command followed by the macro auto monitor command after the port is bundled for the first time.
User documentation in HTML format includes the latest documentation updates and might be more current than the complete book PDF available on Cisco.com.
Documents with complete information about the switch are available from these Cisco.com sites:
Catalyst 3750-X
http://www.cisco.com/en/US/products/ps10745/tsd_products_support_series_home.html
Catalyst 3560-X
http://www.cisco.com/en/US/products/ps10744/tsd_products_support_series_home.html
Catalyst 3750-E
http://www.cisco.com/en/US/products/ps7077/tsd_products_support_series_home.html
Catalyst 3560-E
http://www.cisco.com/en/US/products/ps7078/tsd_products_support_series_home.html
These documents provide complete information about the switches:
SFP compatibility matrix documents are available from this Cisco.com site:
http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html
For other information about related products, see these documents:
These documents have information about the Cisco enhanced EtherSwitch service modules:
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.