Release Notes for Cisco IOS Release 12.2ZY on the Supervisor Engine 32 PISA
Chronological List of Releases
Supervisor Engine 32 PISA (CAT6000-SUP32/PISA)
Supervisor Engine 32 PISA Restrictions
Supervisor Engine 32 PISA Features
Policy Feature Card Guidelines and Restrictions
Small Form-Factor Pluggable (SFP) Modules
Gigabit Interface Converters (GBICs)
10-Gigabit Ethernet Switching Modules
Gigabit Ethernet Switching Modules
Power over Ethernet Daughtercards
10/100/1000 Ethernet Switching Modules
Fast Ethernet Switching Modules
Ethernet/Fast Ethernet (10/100) Switching Modules
Shared Port Adapter (SPA) Interface Processors (SIPs)
SFPs for OC3 and OC12 POS and ATM SPAs
Enhanced FlexWAN Module Port Adapters
Intrusion Detection System Modules (IDSMs)
Network Analysis Modules (NAMs)
WS-C6504-E and CISCO7604 Power Supplies
WS-C6503 and WS-C6503-E Power Supplies
New Features in Release 12.2(18)ZYA3c
New Hardware Features in Release 12.2(18)ZYA3c
New Software Features in Release 12.2(18)ZYA3c
New Features in Release 12.2(18)ZYA3b
New Hardware Features in Release 12.2(18)ZYA3b
New Software Features in Release 12.2(18)ZYA3b
New Features in Release 12.2(18)ZYA3a
New Hardware Features in Release 12.2(18)ZYA3a
New Software Features in Release 12.2(18)ZYA3a
New Features in Release 12.2(18)ZYA3
New Hardware Features in Release 12.2(18)ZYA3
New Software Features in Release 12.2(18)ZYA3
New Features in Release 12.2(18)ZYA2
New Hardware Features in Release 12.2(18)ZYA2
New Software Features in Release 12.2(18)ZYA2
New Features in Release 12.2(18)ZYA1
New Hardware Features in Release 12.2(18)ZYA1
New Software Features in Release 12.2(18)ZYA1
New Features in Release 12.2(18)ZYA
New Hardware Features in Release 12.2(18)ZYA
New Software Features in Release 12.2(18)ZYA
New Features in Release 12.2(18)ZY2
New Hardware Features in Release 12.2(18)ZY2
New Software Features in Release 12.2(18)ZY2
New Features in Release 12.2(18)ZY1
New Hardware Features in Release 12.2(18)ZY1
New Software Features in Release 12.2(18)ZY1
Features in Release 12.2(18)ZY
Unsupported Features and Commands
Restrictions Removed by the PFC3B
General Limitations and Restrictions
FlexWAN Limitations and Restrictions
Service Module and IPsec SPA Limitations and Restrictions
Resolved Caveats in Release 12.2(18)ZYA3c
Resolved Caveats in Release 12.2(18)ZYA3b
Resolved Caveats in Release 12.2(18)ZYA3a
Resolved Caveats in Release 12.2(18)ZYA3
Resolved Caveats in Release 12.2(18)ZYA2
Resolved Caveats in Release 12.2(18)ZYA1
Resolved Caveats in Release 12.2(18)ZYA
Resolved Caveats in Release 12.2(18)ZY2
Resolved Caveats in Release 12.2(18)ZY1
Resolved Caveats in Release 12.2(18)ZY
Additional Troubleshooting Information
System Software Upgrade Instructions
Cisco IOS Software Documentation Set
Release 12.2 Documentation Set
Obtaining Documentation, Obtaining Support, and Security Guidelines
Note This publication applies to the CAT6000-SUP32/PISA platform.
The most current version of this document is available on Cisco.com at this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/release/notes/ol_13011.html
This publication consists of these sections:
Note See the “Release Hierarchy” section for information about parent releases.
This is a chronological list of the 12.2ZY releases, newest first (the release name for each entry is taken from the "New Features" sections of this publication):
These releases support the hardware listed in the “Supported Hardware” section:
Release 12.2(18)ZYA3c
– Date of release: 12 Jan 2011
– Based on Release 12.2(18)ZYA3b
Release 12.2(18)ZYA3b
– Date of release: 25 Oct 2010
– Based on Release 12.2(18)ZYA3a
Release 12.2(18)ZYA3a
– Date of release: 11 May 2010
– Based on Release 12.2(18)ZYA3
Release 12.2(18)ZYA3
– Date of release: 01 Dec 2009
– Based on Release 12.2(18)ZYA2 and Release 12.2(18)SXF17
Release 12.2(18)ZYA2
– Date of release: 24 Jun 2009
– Based on Release 12.2(18)ZYA1 and Release 12.2(18)SXF16
Release 12.2(18)ZYA1
– Date of release: 23 Dec 2008
– Based on Release 12.2(18)ZYA and Release 12.2(18)SXF15
Release 12.2(18)ZYA
– Date of release: 07 Aug 2008
– Based on Release 12.2(18)ZY2 and Release 12.2(18)SXF13
Release 12.2(18)ZY2
– Date of release: 30 Nov 2007
– Based on Release 12.2(18)ZY1 and Release 12.2(18)SXF10
Release 12.2(18)ZY1
– Date of release: 15 Jun 2007
– Based on Release 12.2(18)ZY and Release 12.2(18)SXF8
Release 12.2(18)ZY
– Date of release: 09 May 2007
– Parent in Release 12.2S: 12.2(18)S (not all features in Release 12.2(18)S are supported)
– Based on Release 12.2(18)SXF7
This publication does not describe features that are available in Release 12.2, Release 12.2 T, Release 12.2 S, or other Release 12.2 early deployment releases.
For a list of the Release 12.2 caveats that apply to Release 12.2ZY, see the “Caveats” section and refer to this publication:
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfmulti.html
For a list of the Release 12.2 S caveats that apply to Release 12.2ZY, see the “Caveats” section and refer to this publication:
http://www.cisco.com/en/US/docs/ios/12_2s/release/notes/122Srn.html
These sections describe the hardware supported in Release 12.2ZY:
Note Use the values in the “Power Required” column to determine the exact power requirements for your configuration to ensure that you are within the power budget.
Supervisor Engine 32 PISA common features:
– IPv4 unicast and MPLS—192,000 routes
– IPv4 multicast and IPv6 unicast and multicast—32,000 routes
Note The size of the global internet routing table plus any local routes might exceed the default partition sizes.
These are the theoretical maximum numbers of routes for the supported protocols (the maximums are not supported simultaneously):
– IPv4 and MPLS—Up to 239,000 routes
– IPv4 multicast and IPv6 unicast and multicast—Up to 119,000 routes
Enter the mls cef maximum-routes command to repartition the hardware FIB table. IPv4 unicast and MPLS require one hardware FIB table entry per route. IPv4 multicast and IPv6 unicast and multicast require two hardware FIB table entries per route. Changing the partition for one protocol makes corresponding changes in the partitions of the other protocols. You must enter the reload command to put configuration changes made with the mls cef maximum-routes command into effect.
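The following is an added example, not part of the release notes, showing how an operator would check and repartition the hardware FIB on a PISA system whose IPv4 table is outgrowing the 192,000-route default. The numeric argument to mls cef maximum-routes is in thousands of routes. The target value of 224 and the resulting 16,000-route IPv6/multicast partition are assumptions chosen to illustrate the arithmetic above (one FIB entry per IPv4/MPLS route, two per IPv6 or IPv4 multicast route, 256,000 entries in total); they are not a recommendation for any particular network.

```cisco
! Added example (not from the release notes). Check the current partition
! and whether any prefixes have already failed to install in hardware. A
! FIB TCAM exception means those prefixes are forwarded in software on the
! PISA at a small fraction of the hardware rate, which is an availability
! problem before it is anything else.
Router# show mls cef maximum-routes
Router# show mls cef exception status
!
! Repartition. IPv4/MPLS routes cost one FIB entry, IPv6 and IPv4
! multicast routes cost two, so giving IPv4 224k entries leaves
! (256k - 224k) / 2 = 16k routes for IPv6 and IPv4 multicast. The 224
! is an assumed target, not a recommended value.
Router# configure terminal
Router(config)# mls cef maximum-routes ip 224
Router(config)# end
!
! The new partition does not take effect until the next reload.
Router# copy running-config startup-config
Router# reload
!
! After the reload, confirm the partition and that no exception is set.
Router# show mls cef maximum-routes
Router# show mls cef exception status
```

Size the IPv4 partition from the current global table plus local, VRF and MPLS routes with headroom for growth, and repeat the exception check after any large routing change; the reload requirement means the partition cannot be corrected on the fly once the table overflows.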
Note See the “Unsupported Hardware” section for information about unsupported DWDM-SFPs.
Note The support listed in this section applies to all modules that use GBICs.
Note The power over Ethernet (PoE) daughtercard “Power Required” values do not include the power drawn by phones.
IEEE 802.3af PoE daughtercard for WS-X6148X2-RJ-45 and WS-X6196-RJ-21.
IEEE 802.3af PoE daughtercard for:
WS-F6K-GE48-AF and WS-F6K-48-AF are not FRUs for these switching modules:
PoE daughtercard for WS-X6548-GE-TX and WS-X6148-GE-TX
Note WS-X6148A-GE-TX and WS-X6148A-GE-45AF do not support traffic storm control.
Note WS-X6148-GE-TX, WS-X6148V-GE-TX, and WS-X6148-GE-45AF do not support these features:
Note See the “FPD Image Packages” section for information about additional procedures required to support SIPs.
Note 7600-SSC-400 does not maintain state when an NSF with SSO redundancy mode switchover occurs.
Note See the “FPD Image Packages” section for information about additional procedures required to support SPA-IPSEC-2G.
Note PISA-accelerated features are not supported on FlexWAN module interfaces.
Note For any service module that runs its own software, see the service module software release notes for information about the minimum required service module software version.
WS-SVC-FWM-1-K9 runs its own software. See these publications:
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html
See the WS-SVC-FWM-1-K9 software release notes for information about the minimum required WS-SVC-FWM-1-K9 software version.
Note With Firewall Services Module Software Release 2.3(1), WS-SVC-FWM-1-K9 maintains state when an NSF with SSO redundancy mode switchover occurs.
WS-SVC-IDSM2-K9 runs its own software. See these publications:
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfmulti.html
See the WS-SVC-IDSM2-K9 software release notes for information about the minimum required WS-SVC-IDSM2-K9 software version.
WS-SVC-NAM-2 and WS-SVC-NAM-1 run their own software. See these publications for more information:
http://www.cisco.com/en/US/products/sw/cscowork/ps5401/prod_release_notes_list.html
http://www.cisco.com/en/US/products/sw/cscowork/ps5401/tsd_products_support_series_home.html
See the WS-SVC-NAM-2 and WS-SVC-NAM-1 software release notes for information about the minimum required WS-SVC-NAM-2 and WS-SVC-NAM-1 software version.
Note Enter the show environment status | include fan command or the show environment cooling command to display information about the installed fan trays.
These high-capacity fan trays require at least a 2,500 W power supply.
High-capacity fan tray for WS-C6503-E chassis
High-capacity fan tray for WS-C6503 chassis
High-capacity fan tray for CISCO7606 chassis
High-capacity fan tray for WS-C6506-E chassis
High-capacity fan tray for WS-C6506 chassis
High-capacity fan tray for WS-C6509-NEB-A and CISCO7609 chassis
High-capacity fan tray for WS-C6509-E chassis
High-capacity fan tray for WS-C6509 chassis
– WS-C6509
– WS-C6506
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Chassis_Installation/Cat6500/6500_ins.html
– WS-C6509
– WS-C6506
Release 12.2(18)ZY does not support this hardware:
– WS-X6704-10GE 4-port 10-Gigabit Ethernet XENPAK
– WS-X6748-SFP 48-port Gigabit Ethernet SFP
– WS-X6724-SFP 24-port Gigabit Ethernet SFP
– WS-X6816-GBIC 16-port Gigabit Ethernet GBIC
– WS-X6748-GE-TX 48-port 10/100/1000 RJ-45
– WS-SVC-SSL-1 Secure Sockets Layer (SSL) Services Module
– WS-SVC-WEBVPN-K9 WebVPN Services Module
– WS-SVC-WISM-1-K9 Wireless Services Module (WiSM)
– WS-SVC-AON-1-K9 Application-Oriented Networking (AON) Module
– WS-SVC-AGM-1-K9 Anomaly Guard Module
– WS-SVC-ADM-1-K9 Traffic Anomaly Detector Module
– WS-SVC-CSG-1 Content Services Gateway (CSG)
– WS-X6066-SLB-APC Content Switching Module (CSM)
– WS-X6066-SLB-S-K9 Content Switching Module with SSL (CSM-S)
– WS-SVC-PSD-1 Persistent Storage Device (PSD) Module
– WS-SVC-WLAN-1-K9 Wireless LAN service module
– WS-SVC-IPSEC-1 IPsec VPN acceleration services module
– WS-X6381-IDS Intrusion Detection System (IDS) Module
Note WS-SVC-IDSM2-K9 is supported.
– WS-X6380-NAM Network Analysis Module (NAM)
Note WS-SVC-NAM-2 and WS-SVC-NAM-1 are supported.
– DWDM-SFP-5817—1000BASE-DWDM 1558.17 nm SFP (100-GHz ITU grid) SFP module
– DWDM-SFP-5252—1000BASE-DWDM 1552.52 nm SFP (100-GHz ITU grid) SFP module
– DWDM-SFP-5172—1000BASE-DWDM 1551.72 nm SFP (100-GHz ITU grid) SFP module
– DWDM-SFP-5012—1000BASE-DWDM 1550.12 nm SFP (100-GHz ITU grid) SFP module
– DWDM-SFP-4692—1000BASE-DWDM 1546.92 nm SFP (100-GHz ITU grid) SFP module
– DWDM-SFP-4373—1000BASE-DWDM 1543.73 nm SFP (100-GHz ITU grid) SFP module
– DWDM-SFP-4214—1000BASE-DWDM 1542.14 nm SFP (100-GHz ITU grid) SFP module
– DWDM-SFP-3977—1000BASE-DWDM 1539.77 nm SFP (100-GHz ITU grid) SFP module
– DWDM-SFP-3898—1000BASE-DWDM 1538.98 nm SFP (100-GHz ITU grid) SFP module
– DWDM-SFP-3582—1000BASE-DWDM 1535.82 nm SFP (100-GHz ITU grid) SFP module
– DWDM-SFP-3504—1000BASE-DWDM 1535.04 nm SFP (100-GHz ITU grid) SFP module
Unsupported modules remain powered down if detected and do not affect system behavior.
Note FPD image packages update FPD images. If a discrepancy exists between an FPD image and the Cisco IOS image, the module that has the FPD discrepancy is deactivated until the discrepancy is resolved.
These sections describe FPD packages:
Note You do not need to do a separate FPD image upgrade for the Enhanced FlexWAN module, because the Cisco IOS software images contain the FPD image for the Enhanced FlexWAN module. The FPD image package also includes the FPD image for the Enhanced FlexWAN module. (CSCin90971)
Enter the show upgrade fpd file command to display the contents of the FPD package.
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/sipspasw.html
Use Cisco Feature Navigator to display information about the images and feature sets in Release 12.2ZY.
These releases include strong encryption images. Strong encryption images are subject to U.S. and local country export, import, and use laws. The country and class of end users eligible to receive and use Cisco encryption solutions are limited. See this publication for more information:
http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_compliance.html
These sections describe the new features in Release 12.2(18)ZYA3c:
These sections describe the new features in Release 12.2(18)ZYA3b:
These sections describe the new features in Release 12.2(18)ZYA3a:
These sections describe the new features in Release 12.2(18)ZYA3:
These sections describe the new features in Release 12.2(18)ZYA2:
http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/nf_lay2_sec_mon_exp.html
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/autoqos_enterprise.html
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar.html
These sections describe the new features in Release 12.2(18)ZYA1:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_flex_pack_match.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/P1.html#platform_ip_features_pisa
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar.html
These sections describe the new features in Release 12.2(18)ZYA:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_flex_pack_match.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/voip.html#wpCisco_Enhanced_PoE_Support
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_fwall_websense.html
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_trfc_nbar_map.html
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/protct_f.html#Permitting_or_Denying_Application_Types_with_PISA_Integration
Note Application-aware NetFlow is being developed for release in a future rebuild of Release 12.2(18)ZYA.
These sections describe the new features in Release 12.2(18)ZY2:
1-Port OC-48 POS/RPR SPA (SPA-1XOC48POS/RPR):
– http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/install_upgrade/6500series/sipspahw.html
– http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/sipspasw.html
NBAR URL Classification Scalable to 56 URLs—See this publication:
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar.html
These sections describe the new features in Release 12.2(18)ZY1:
Note 7600-SSC-400 does not maintain state when an NSF with SSO redundancy mode switchover occurs.
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/install_upgrade/6500series/sipspahw.html
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/sipspasw.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Chassis_Installation/Cat6500/6500_ins.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cfg-auth-rev-cert.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-2sx/sec-crypto-debug-sup.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cert-enroll-pki.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/12-2sx/sec-dist-nm-cyrpto.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-s/sec-conn-dmvpn.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_esyvpn/configuration/12-2sx/sec-easy-vpn-12-2sx-book.html
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/sipspasw.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/12-2sx/sec-encrypt-preshare.html
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps5058/tsd_products_support_model_home.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/12-2sx/sec-aggr-mde-ike.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_imgmt/configuration/12-2sx/sec-ipsec-vpn-acctg.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_imgmt/configuration/12-2sx/sec-ip-security-vpn.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cert-enroll-pki.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-deploy-rsa-pki.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-deploy-rsa-pki.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnav/configuration/12-2sx/sec-realtime-ipsec.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cert-enroll-pki.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-sis-with-ca.html
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_cert_auth_io_OBS.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cert-enroll-pki.html
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76ovwvpn.html
These sections describe the features in Release 12.2(18)ZY:
Note See the following site for information about MIBs:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
These features are accelerated in hardware on the PISA:
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar.html
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fpm.html
Note NBAR and FPM are features that can only be configured on Layer 3 interfaces and are applied only to Layer 3 traffic. You cannot apply NBAR and FPM to Layer 2 traffic.
These features are accelerated on the PFC3B or run in software on the PISA:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/vlans.html
Note We recommend that you configure a combined total of no more than 2,000 Layer 3 VLAN interfaces and Layer 3 ports.
– Frame Relay over MPLS (FRoMPLS)
– ATM Single Cell Relay over MPLS-VC Mode (CRoMPLS)
– ATM AAL5 over MPLS (AAL5oMPLS)
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/pwan.html#Configuring_Strict_Priority_Low_Latency_Queuing_(LLQ)_Support_on_the_OSM-24GE-WAN
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/pwan.html#Configuring_Strict_Priority_Low_Latency_Queuing_(LLQ)_Support_on_the_OSM-24GE-WAN
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12satmpng.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12satmpng.html
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfipaov_ps1835_TSD_Products_Configuration_Guide_Chapter.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsmu26s.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsmu26s.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/pwan.html#Configuring_Strict_Priority_Low_Latency_Queuing_(LLQ)_Support_on_the_OSM-24GE-WAN
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpct.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpcc.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpcc.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpcc.html
http://www.cisco.com/en/US/docs/ios/12_2sx/feature/guide/fsxeibmp.html
Note With the BGP multipath load sharing for both eBGP and iBGP in an MPLS-VPN feature configured, do not attach output service policies to VRF interfaces. (CSCsb25509)
For non-MPLS environments, see the Interior Border Gateway Protocol (iBGP) Multipath Load Sharing feature.
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsbgppa.html
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsbgppa.html
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsbgppa.html
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsbgppa.html
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsbgppa.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fs_bfd.html
Note Catalyst 6500 switches support BFD only on Ethernet, Fast Ethernet (except PA-2FE and PA-1FE), Gigabit Ethernet, and 10-Gigabit Ethernet ports, including Ethernet SPAs. The Catalyst 6500 switches and Cisco 7600 routers do not support BFD on PA-2FE or PA-1FE Ethernet LAN ports, or on POS, ATM, or serial WAN ports.
Also see “Integrated IS-IS support for BFD over IPv4” and “OSPF support for BFD over IPv4.”
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/mcastv4.html
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/cdp.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_pi/configuration/12-2sx/iri-ip-event-damp.html
– Support for a high-powered phone to negotiate a low-power mode (dimmed screen) when powered by a pre-standard Cisco PoE daughtercard.
– Support for a high-powered phone to negotiate a high-power mode (full screen brightness) when powered by an IEEE 802.3af Cisco PoE daughtercard.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/voip.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/nsfsso.html
Note NSF with SSO supports multicast traffic.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/cmdref.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/cmdref.html
http://www.cisco.com/en/US/docs/ios-xml/ios/qos_rsvp/configuration/15-mt/rsvp-dscp-spt-for-rsvp.html
—Supervisor Engine 32 PISA
—WS-X6516-GE-TX
—WS-X6516A-GBIC
—WS-X6516-GBIC
Note The WS-X6516A-GBIC and WS-X6516-GBIC modules apply a configured custom EtherType field value to all ports supported by each port ASIC (1 through 8 and 9 through 16).
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/layer2.html
http://www.cisco.com/en/US/docs/ios/12_2/ibm/configuration/guide/bcfdlsw_support_TSD_Island_of_Content_Chapter.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/snoodhcp.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/snoodhcp.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/cmdref.html
Note See this publication for additional information about DOM:
http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_8031.html
http://www.cisco.com/en/US/docs/ios-xml/ios/qos_latjit/configuration/15-mt/qos-mlppp-fr.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html
Note cRTP is not supported on dMLPPP bundled links.
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/dmfr.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/dmfr.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/M1.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/dynarp.html
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_mvesoo.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/intro.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_mvesoo.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/span.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/I1.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/channel.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/channel.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/channel.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/flexlink.html
– PA-A3-T3
– PA-A3-E3
– PA-A6-T3
– PA-A6-E3
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fs_glbp2.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/diags.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/pwr_envr.html
– With Cisco IOS 12.2ZY releases, the PFC3B supports CoPP.
– The PFC3B does not support CoPP output rate limiting (policing).
– The PFC3B does not support the CoPP silent operation mode.
– The PFC3B does not support the match protocol arp command.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/dos.html
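The following is an added example, not from the release notes, of a CoPP policy that stays within the PFC3B restrictions listed above: it is an input policy only (no output policing), it does not rely on silent mode, and it does not use match protocol arp, so ARP cannot be given its own class on this platform. Hardware CoPP on the Catalyst 6500 requires QoS to be enabled globally with mls qos. The ACL names, address ranges, and policing rates are assumptions for illustration; size the rates from measured control-plane traffic on your own network.

```cisco
! Added example (not from the release notes). Enable QoS globally so the
! PFC3B applies the control-plane policy in hardware rather than only in
! software on the PISA.
mls qos
!
! Classify control-plane traffic with ACLs. Source ranges are assumed.
ip access-list extended COPP-ROUTING
 permit tcp 10.0.0.0 0.255.255.255 any eq bgp
 permit tcp 10.0.0.0 0.255.255.255 eq bgp any
 permit ospf any any
ip access-list extended COPP-MGMT
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit udp 10.10.0.0 0.0.255.255 any eq snmp
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
!
! police <bps> <burst-bytes>; the values below are assumptions.
! Routing protocols get the most headroom; everything unclassified,
! including ARP (which cannot be matched on the PFC3B), falls into
! class-default and is rate limited there.
policy-map COPP
 class COPP-ROUTING
  police 2000000 32000 conform-action transmit exceed-action drop
 class COPP-MGMT
  police 500000 8000 conform-action transmit exceed-action drop
 class class-default
  police 100000 4000 conform-action transmit exceed-action drop
!
! Input direction only: the PFC3B does not police control-plane output.
control-plane
 service-policy input COPP
!
! Verify per-class conform/exceed counters after applying the policy.
Router# show policy-map control-plane
```

Watch the class-default exceed counter closely after deployment: on the PFC3B it absorbs every control-plane flow you could not classify, so an overly tight rate there starves ARP and other unclassified but necessary traffic rather than only the attack traffic you intended to limit.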
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/show4.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/show4.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/dot1qtnl.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/dot1qtnl.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/spantree.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/spantree.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/dot1x.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/channel.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/snooigmp.html
http://www.cisco.com/en/US/docs/ios/12_2sx/feature/guide/stgrpsxf.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_isis/configuration/15-mt/irs-netd.html
http://www.cisco.com/en/US/docs/ios/iproute_isis/configuration/guide/irs_initcf.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fs_bfd.html
Note Also see “Bidirectional Forwarding Detection (BFD) standard implementation.”
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsbgpls.html
Note For MPLS support, see BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS-VPN.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/snooigmp.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dplane/configuration/12-2sx/sec-invald-index-rec.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html
Other supported types of tunneling run in software on the PISA. The PFC3B does not provide hardware acceleration for tunnels configured with the tunnel key command.
The tunnel ttl command (default 255) sets the TTL of encapsulated packets.
The tunnel tos command, if present, sets the ToS byte of the outer (encapsulating) header. If tunnel tos is not configured and QoS is not enabled, the ToS byte of the inner packet is copied to the outer header when the packet is encapsulated. If tunnel tos is not configured and QoS is enabled, the ToS byte of the inner packet as modified by PFC QoS is copied to the outer header.
To configure GRE Tunneling and IP in IP Tunneling, refer to these publications:
http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html
http://www.cisco.com/en/US/docs/ios/12_2/interface/command/reference/irfshoip.html
To configure the tunnel tos and tunnel ttl commands, refer to this publication:
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_tos.html
Note the following information about tunnels:
– Each hardware-assisted tunnel must have a unique source. Hardware-assisted tunnels cannot share a source even if the destinations are different. Use secondary addresses on loopback interfaces or create multiple loopback interfaces. (CSCdy72539)
– Each tunnel interface uses one internal VLAN.
– Each tunnel interface uses one additional router MAC address entry per router MAC address.
– The PFC3B supports PFC QoS features on tunnel interfaces.
– The PFC3B supports GRE tunnel encapsulation and de-encapsulation of multicast traffic.
– The PISA supports tunnels configured with egress features on the tunnel interface. Examples of egress features are output Cisco IOS ACLs, NAT and PAT (for inside to outside translation), TCP intercept, context-based access control (CBAC), and encryption.
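The following is an added example, not from the release notes, showing two hardware-assisted GRE tunnels configured according to the notes above: each tunnel has its own loopback source (hardware-assisted tunnels cannot share a source), the outer TTL and ToS are set explicitly with tunnel ttl and tunnel tos, and a tunnel key is deliberately left out because it would move the tunnel off the PFC3B into software forwarding on the PISA. All addresses and the TTL/ToS values are assumptions.

```cisco
! Added example (not from the release notes). One loopback per
! hardware-assisted tunnel; secondary addresses on a single loopback
! would also satisfy the unique-source requirement.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
interface Loopback1
 ip address 192.0.2.2 255.255.255.255
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel mode gre ip
 tunnel source Loopback0
 tunnel destination 198.51.100.10
 ! Outer header values written at encapsulation (assumed values).
 ! Without tunnel tos, the inner ToS (as modified by PFC QoS when QoS
 ! is enabled) is copied to the outer header instead.
 tunnel ttl 64
 tunnel tos 96
!
interface Tunnel1
 ip address 10.255.0.5 255.255.255.252
 tunnel mode gre ip
 tunnel source Loopback1
 tunnel destination 198.51.100.20
 tunnel ttl 64
 tunnel tos 96
 ! Not configured on purpose: a GRE key is no authentication and it
 ! disables PFC3B hardware acceleration for this tunnel.
 ! tunnel key 1234
```

If a tunnel must carry traffic that needs integrity or confidentiality, the notes above list encryption among the egress features the PISA supports on a tunnel interface; a GRE key offers neither and only costs hardware forwarding on this platform.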
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_tos.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/layer3.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dplane/configuration/12-2sx/sec-ipsec-antireplay.html
http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html
Note The PFC3B does not provide hardware acceleration for tunnels configured with the tunnel key command.
– IPv6 standard access control lists (ACLs)
– Manually configured IPv6 tunnels
– ISATAP (ISATAP with a 6to4 prefix is not supported in hardware)
– Automatically configured IPv4-compatible tunnels
– IPv6 over IPv4 IP-in-IP tunnels
– IPv6 addressing architecture
– IPv6 stateless autoconfiguration
– Configuring an IPv6 multiprotocol BGP peer using a link-local address
– IPv6 MP-BGP distance command
For configuration information, refer to this publication:
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/15-mt/ip6-mcast-ssm-map.html
For command reference information, refer to this publication:
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/15-mt/ip6-mcast-ssm-map.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/15-mt/ip6-mcast-ssm-map.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/mcastv6.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/redund.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/12-2sx/ipv6-12-2sx-book.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html
http://www.cisco.com/en/US/tech/tk872/tech_white_papers_list.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/isredrib.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/isisispf.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsiredis.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsisiadv.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocrib.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_isis/configuration/15-mt/irs-isis-supp-route-tags.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cert-enroll-pki.html
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/sipspasw.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/cmdref.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/layer2.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/l2trace.html
http://www.cisco.com/en/US/docs/ios-xml/ios/qos_latjit/configuration/15-mt/qos-mlppp-fr.html
Note To use the local proxy ARP feature, you must enable the IP proxy ARP feature. The IP proxy ARP feature is enabled by default. See this publication:
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html#Enabling_Proxy_ARP
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/fqos_c.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/secure.html
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/sipspasw.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/pwan.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/snoopmld.html
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfmobip_ps1835_TSD_Products_Configuration_Guide_Chapter.html
Note These redundancy modes support MultiProtocol Label Switching (MPLS):
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/pwan.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsinbd4.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsfrr24.html
Note Also see MPLS Traffic Engineering DiffServ Aware (DS-TE).
MPLS TE FRR Link and Node Protection is not supported on these interface types:
—Port channel interfaces
—Switch virtual interfaces (SVIs)
—Multiple link point-to-point protocol (MLPPP) interfaces
—Multilink Frame Relay (MLFR or MFR)
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsiarea3.html
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsdserv3.html
Note Also see MPLS Traffic Engineering (TE) Fast Reroute (FRR) Link and Node Protection.
MPLS DS-TE is not supported on these interface types:
—Port channel interfaces
—Switch virtual interfaces (SVIs)
—Multiple link point-to-point protocol (MLPPP) interfaces
—Multilink Frame Relay (MLFR or MFR)
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsmvpns.html
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fs2scsc.html
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fscsclbl.html
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/vpnid2.html
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsiaslbl.html
Note The MPLS VPN support for EIGRP between Provider Edge (PE) and Customer Edge (CE) feature also provides EIGRP support for VRF Lite.
http://www.cisco.com/en/US/docs/ios/iproute_ospf/configuration/guide/iro_sham_link.html
The bandwidth remaining percent command allows you to configure the remaining bandwidth for output queues. The aggregate of all user-configured EIR bandwidth percentages cannot exceed 100 percent. If the aggregate of all remaining bandwidth is less than 100 percent, the remainder is evenly split among user queues (including the default queue) that do not have a remaining bandwidth percentage configured. The minimum EIR value of each output queue is 1.
This example shows how to use the bandwidth remaining percent command to distribute percentages of remaining bandwidth to various traffic classes in a policy map:
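As an added illustration of the allocation rules stated above (this is not the configuration example the release notes refer to, which is not reproduced on this page), the following Python model applies those rules to a set of output queues and renders the configured classes as a policy-map. Queue names and percentages are constructed.

```python
"""Model of the 'bandwidth remaining percent' allocation rules (added example,
not the release notes' own configuration example). Queue names are constructed."""


def allocate_remaining_bandwidth(configured, queues):
    """Return the remaining-bandwidth percentage each output queue ends up with.

    configured: mapping of queue name -> user-configured EIR percentage
    queues:     every output queue in the policy, the default queue included

    Rules applied (as stated in the text above):
      * each configured value is an integer >= 1 (the minimum EIR value is 1)
      * the aggregate of configured percentages may not exceed 100
      * whatever is left below 100 is split evenly among the queues that have
        no configured percentage, the default queue included
    Assumption: if every queue is configured and the total is below 100, the
    remainder simply stays unallocated.
    """
    for name, pct in configured.items():
        if name not in queues:
            raise ValueError(f"unknown queue {name!r}")
        if not isinstance(pct, int) or pct < 1:
            raise ValueError(f"{name}: EIR percentage must be an integer >= 1")
    total = sum(configured.values())
    if total > 100:
        raise ValueError(f"aggregate EIR {total}% exceeds 100%")

    unconfigured = [q for q in queues if q not in configured]
    result = dict(configured)
    if unconfigured:
        share = (100 - total) / len(unconfigured)
        for q in unconfigured:
            result[q] = share
    return result


def render_policy_map(name, configured):
    """Render the configured classes as a policy-map in Cisco IOS syntax."""
    lines = [f"policy-map {name}"]
    for cls, pct in configured.items():
        lines.append(f" class {cls}")
        lines.append(f"  bandwidth remaining percent {pct}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed policy: two classes configured, two left to share the rest.
    classes = {"voice": 30, "video": 20}
    queues = ["voice", "video", "bulk", "class-default"]
    print(allocate_remaining_bandwidth(classes, queues))
    print(render_policy_map("EIR-POLICY", classes))
```

The check that the aggregate does not exceed 100 percent is the one the switch enforces when the command is entered; the model reproduces it so a policy can be validated before it is pasted into the configuration.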
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/mvpn.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE
Note Multi-VRF for CE Routers (VRF Lite) with the PFC3B supports multi-VRF CE functionality with the EIGRP, OSPF, BGP, and RIPv2 routing protocols running on a per-VRF basis. Static routes are also supported. VRF Lite is supported on LAN and WAN ports.
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfip.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/secure.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Configuring_the_VFI_in_the_PE
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/atm.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/nac.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/nde.html
– Allows entry of a second ip flow-export destination command
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/nde.html
http://www.cisco.com/en/US/docs/ios-xml/ios/netflow/configuration/12-2sx/cfg-nflow-data-expt.html
– Supported only with NetFlow v9 export format.
http://www.cisco.com/en/US/docs/ios-xml/ios/netflow/configuration/12-2sx/cfg-nf-multi-acctg.html
– The NetFlow Multicast Support document contains a prerequisite that does not apply when configuring NetFlow multicast support with Release 12.2(18)ZY and later 12.2ZY releases:
You do not need to configure multicast fast switching or multicast distributed fast switching (MDFS); multicast CEF switching is supported with Release 12.2(18)ZY and later 12.2ZY releases.
– PFC3B mode supports NAT and PAT for UDP traffic.
– The PFC3B does not support NAT or PAT for multicast traffic.
– The PFC3B does not support NAT or PAT configured with a route map that specifies length.
– The PFC3B does not support NAT or PAT configured with a route map that specifies static translations.
– When you configure NAT or PAT and NDE on an interface, the PFC3B sends all traffic in fragmented packets to the PISA to be processed in software. (CSCdz51590)
To configure NAT or PAT, refer to the Cisco IOS IP Configuration Guide, Release 12.2, “IP Addressing and Services,” “Configuring IP Addressing,” “Configuring Network Address Translation,” at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html
For information about configuring NAT or PAT with route maps, refer to this publication:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml
To prevent a significant volume of NAT or PAT traffic from being sent to the PISA, due to either a DoS attack or a misconfiguration, enter the mls rate-limit unicast acl { ingress | egress } command described in this publication:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/M1.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/acl.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/12-2sx/iro-for-add-sup.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ospfispf.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsoredis.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ospfopro.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ospflls.html
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fs_spftrl.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fs_bfd.html
Note Also see “Bidirectional Forwarding Detection (BFD) standard implementation.”
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fasthelo.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ospffa.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsolsath.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/12-2sx/iro-un-sw-vrfs.html
http://www.cisco.com/en/US/docs/ios-xml/ios/qos_classn/configuration/12-2sx/qos-classn-ntwk-trfc.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/dos.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/cmdref.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/pwan.html#Configuring_Strict_Priority_Low_Latency_Queuing_(LLQ)_Support_on_the_OSM-24GE-WAN
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/snooppim.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cfg-auth-rev-cert.html
To configure PBR, refer to the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2, “Classification,” “Configuring Policy-Based Routing,” at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
When configuring PBR, follow these guidelines and restrictions:
– The PFC provides hardware support for PBR configured on a tunnel interface.
– The PFC does not provide hardware support for PBR configured with the set ip next-hop keywords if the next hop is a tunnel interface.
– If the PISA address falls within the range of a PBR ACL, traffic addressed to the PISA is policy routed in hardware instead of being forwarded to the PISA. To prevent policy routing of traffic addressed to the PISA, configure PBR ACLs to deny traffic addressed to the PISA. (CSCse86399)
– In Cisco IOS ACLs that provide filtering in a PBR route map, any ACE options that would cause flows to be sent to the PISA for software switching are ignored. For example, logging is not supported in ACEs of Cisco IOS ACLs that provide filtering in PBR route maps.
– PBR traffic through switching module ports where PBR is configured is routed in software if the switching module resets. (CSCee92191)
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/port_sec.html
– Port security on 802.1Q tunnel ports
– Port security on private VLAN ports
– Port security on trunk ports
– Port security with 4096 secure MAC addresses
– Port security with sticky MAC addresses
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/port_sec.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/stp_enha.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/pvlans.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html
– Per-VLAN and CoS-based QoS filtering in MAC ACLs
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos_sde.html
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12spctpg.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/12-2sx/sec-cfg-auth-rev-cert.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/spantree.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/span.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/atm.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/features.html
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfcrtp.html
Note cRTP is not supported on MLPPP bundled links.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/rgmp.html
http://www.cisco.com/en/US/docs/ios/12_2sx/feature/guide/rsvpprox.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsrelmsg.html
http://www.cisco.com/en/US/docs/ios-xml/ios/qos_rsvp/configuration/12-2sx/rsvp-scalability.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-2sx/sec-safenet-suppt.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-2sx/sec-secure-copy.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-2sx/sec-usr-ssh-12-2sx-book.html
For information about SSHv1 client support, refer to the following publication:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-2sx/sec-usr-ssh-12-2sx-book.html
– SLB: stateful failover within single chassis
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-2sx/sec-usr-ssh-12-2sx-book.html
Note Web Cache Control Protocol (WCCP) Layer 2 PFC redirection is supported with Cisco IOS SLB. Other WCCP configurations are not compatible with Cisco IOS SLB.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/diags.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/topn.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/ifindx.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_igmp/configuration/12-2sx/imc_ssm_mapping.html
Note Do not configure SSM mapping in a VLAN that supports IGMPv3 multicast receivers.
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfssm.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/span.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/stp_enha.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/spantree.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/15-mt/ip6-mcast-ssm-map.html
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/pwan.html#Configuring_Strict_Priority_Low_Latency_Queuing_(LLQ)_Support_on_the_OSM-24GE-WAN
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/layer3.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/span.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/ifindx.html
Note TDR can test cables up to a maximum length of 115 meters.
– The “Checking the Cable Status Using the TDR” section of the “Configuring Interfaces” chapter at this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/intrface.html
– The test cable-diagnostics command in the command reference at this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/cmdref.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/storm.html
http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/configuration/12-2sx/Unique_Device_Identifier_Retrieval.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/blocking.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/udld.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/ude_udlr.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/qos.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/vacl.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/secure.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp_fhrp/configuration/12-2sx/fhp-vrrp.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i4.html#GUID-833D9D25-1E04-4430-84D8-1AA836DE4745
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/configuration/guide/vlans.html
http://www.cisco.com/en/US/docs/ios/12_2/voice/configuration/guide/vvfvofr.html
Note Because the Catalyst 6500 series switches do not support voice modules, they can act only as a VoFR tandem switch when FRF.11 or FRF.12 is configured on the FlexWAN module.
– WCCP Layer 2 PFC Redirection
– WCCP Redirection on Inbound Interfaces
http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/12-2sx/iap-wccp.html
Note Release 12.2ZY does not support these WCCP features:
—WCCP L2 Return
—WCCP Layer 2 Redirection/Forwarding
—WCCP Mask Assignment
—WCCP VRF Support
– Exterior Gateway Protocol (EGP)
– Netware Asynchronous Services Interface (NASI)
– Next Hop Resolution Protocol (NHRP) for IPX
– Novell Link-State Protocol (NLSP)
– Simple Multicast Routing Protocol (SMRP) for AppleTalk
These sections list limitations and restrictions for the Cisco IOS for the Catalyst 6500 series switches and Cisco 7600 series routers:
The PFC3B removes these restrictions that were present with other policy feature cards:
This section describes general limitations and restrictions:
The ports on all other modules support ISL VLAN trunking.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/I1.html
Workaround: If you enable LDP globally, a TE tunnel rewrite is created for each prefix. The hardware programming code receives an update for each prefix and will be able to program the TCAM entries correctly. (CSCee77417)
Workaround: None. (CSCek23592)
Workaround: Use AutoRP or static RP. (CSCeg29898)
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/I1.html
Workaround: Use 0.0.0.0/0 as the default route or avoid entering the ip default-network command. Clear the EIGRP neighbors to recover. (CSCea70203)
When MAC address reduction is enabled, the root bridge priority becomes a multiple of 4096 plus the VLAN ID. With MAC address reduction enabled, a switch bridge ID (used by the spanning-tree algorithm to determine the identity of the root bridge, the lowest being preferred) can only be specified as a multiple of 4096. Only the following values are possible: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.
If another bridge in the same spanning-tree domain does not run the MAC address reduction feature, it could win root bridge ownership because of the finer granularity in the selection of its bridge ID.
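The following Python model, added here and not part of the release notes, works through the root-election consequence described above: it rejects priorities that a switch running MAC address reduction cannot use, forms the effective bridge priority (the configured multiple of 4096 plus the VLAN ID) and elects the root from a set of bridges. Switch names and MAC addresses are constructed.

```python
"""Root-bridge election with and without MAC address reduction (added example;
switch names and MAC addresses are constructed)."""

PRIORITY_STEP = 4096          # priority granularity with MAC address reduction
MAX_REDUCED_PRIORITY = 61440  # the largest value in the list above (15 * 4096)


def validate_reduced_priority(priority):
    """Reject a bridge priority that a MAC-address-reduction switch cannot use."""
    if not 0 <= priority <= MAX_REDUCED_PRIORITY or priority % PRIORITY_STEP:
        raise ValueError(
            f"{priority}: priority must be a multiple of {PRIORITY_STEP} "
            f"between 0 and {MAX_REDUCED_PRIORITY}"
        )
    return priority


def bridge_id(priority, vlan, mac, mac_reduction):
    """Return the (effective priority, MAC) pair compared during root election.

    With MAC address reduction the VLAN ID is added to the configured multiple
    of 4096; a legacy bridge without the feature uses its configured priority
    unchanged, so it can pick any value and is not rounded to 4096 steps.
    """
    if mac_reduction:
        validate_reduced_priority(priority)
        effective = priority + vlan
    else:
        effective = priority
    return (effective, mac.lower())


def elect_root(bridges, vlan):
    """Return the name of the bridge with the lowest bridge ID for the VLAN.

    bridges: list of (name, priority, mac, mac_reduction) tuples.
    The lower effective priority wins; a tie goes to the lower MAC address.
    """
    return min(bridges, key=lambda b: bridge_id(b[1], vlan, b[2], b[3]))[0]


if __name__ == "__main__":
    # Constructed domain: one switch with MAC address reduction at priority
    # 4096 (effective 4106 in VLAN 10) and a legacy bridge at priority 4100.
    domain = [
        ("sw-reduced", 4096, "00:00:0c:00:00:02", True),
        ("sw-legacy", 4100, "00:00:0c:00:00:ff", False),
    ]
    print("root in VLAN 10:", elect_root(domain, 10))
```

The legacy bridge wins in the constructed domain because its priority of 4100 sits between the 4096 step and the 4106 that the MAC-address-reduction switch actually advertises for VLAN 10; the only way for the reduced switch to beat it is to drop to the next lower step, priority 0.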
The PFC does not provide QoS for flows that match an ACE in a Cisco IOS ACL configured with options that cause the flows to be sent to the PISA to be switched in software, except when the Cisco IOS ACL provides filtering in a QoS policy-map class. For example, the PFC does not provide QoS for flows that match an ACE in a Cisco IOS ACL with logging configured. (CSCds72804)
Workaround: Configure the same MTU size on both the input and output interfaces. (CSCds42685)
– Integrated routing and bridging (IRB)
– Concurrent routing and bridging (CRB)
– Remote source-route bridging (RSRB)
If the last-hop multicast router is a Catalyst 6500 series switch, traffic is forwarded in hardware. In most cases, RPF-MFD is installed for the (S,G) entries. The PISA does not see the multicast traffic flowing down the SPT and does not send any traffic-triggered (S,G) prunes to stop the flow of traffic down the SPT. This situation does not have any adverse effect on the PISA because the PFC processes and drops the unwanted (S,G) traffic.
With the ip unreachables command enabled (which is the default), the supervisor engine drops most of the denied packets in hardware and sends only a small number of packets (10 packets per second, maximum) to the PISA to be dropped, which generates ICMP-unreachable messages.
To eliminate the load imposed on the PISA CPU by the task of dropping denied packets and generating ICMP-unreachable messages, you can enter the no ip unreachables interface configuration command to disable ICMP unreachable messages, which allows all access-group denied packets to be dropped in hardware.
– Command-line interface (CLI) method—Enter the show module command to identify the hardware version of the WS-X6224-100FX-MT module.
– Physical inspection method—The part number is printed on a label on the outer edge of the component side of the module. Versions 73-3245-04 or lower do not support ISL trunking.
Workaround: Perform VLAN configuration on a switch running Catalyst software or enter VLAN configuration commands to correct all VLAN configuration errors reported in the messages. (CSCdp47622)
Workaround: The MTU failure packets are rate-limited when you enter the global configuration command mls rate-limit all mtu-failure. (CSCsd55182)
Workaround: Use a higher modulo value. (CSCec49861)
Workaround: Clear the NDE configuration for the NAM or enter the clear arp-cache command. (CSCdy55261)
Workaround: None. (CSCec04627)
Additional Limitations and Restrictions
Note All caveats in Release 12.2(18)S also apply to Release 12.2(18)ZY. See the “Caveats” section in the Cross-Platform Release Notes for Cisco IOS Release 12.2S publication:
http://www.cisco.com/en/US/docs/ios/12_2s/release/notes/122Srn.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html#Caveats_in_Release_12.2(18)SXF_and_Rebuilds
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Select “Catalyst 6000 Series Switches” and then select a 12.2ZY release.
Resolved Infrastructure Caveats
Symptoms: A Cisco IOS device may experience a reload.
Conditions: This issue occurs when the Cisco IOS device is configured for SNMP and receives certain SNMP packets from an authenticated user. Successful exploitation causes the affected device to reload. This vulnerability could be exploited repeatedly to cause an extended DoS condition.
Workaround: There is no workaround.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2010-3050 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
The Cisco IOS Software network address translation (NAT) feature contains multiple denial of service (DoS) vulnerabilities in the translation of the following protocols:
– NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)
– Session Initiation Protocol (multiple vulnerabilities)
– H.323 protocol
All the vulnerabilities described in this document are caused by packets in transit on the affected devices when those packets require application layer translation.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-nat
Resolved LegacyProtocols Caveats
Cisco IOS Software contains a memory leak vulnerability in the Data-Link Switching (DLSw) feature that could result in a device reload when processing crafted IP Protocol 91 packets.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-dlsw.
Other Caveats Resolved in Release 12.2(18)ZYA3c
Symptom: Cisco IOS Software is affected by an NTP mode 7 denial-of-service vulnerability. Note: The fix for this vulnerability changes how Cisco IOS handles mode 7 packets. See the section Further Description of this release note enclosure.
Conditions: Cisco IOS Software with support for Network Time Protocol (NTP) contains a vulnerability in the processing of specific NTP Control Mode 7 packets. This results in increased CPU usage on the device and increased traffic on the network segments.
This is the same as the vulnerability which is described in http://www.kb.cert.org/vuls/id/568372
Cisco has released a public-facing vulnerability alert at the following link: http://tools.cisco.com/security/center/viewAlert.x?alertId=19540
Cisco IOS Software that has support for NTPv4 is NOT affected. NTPv4 was introduced into Cisco IOS Software: 12.4(15)XZ, 12.4(20)MR, 12.4(20)T, 12.4(20)YA, 12.4(22)GC1, 12.4(22)MD, 12.4(22)YB, 12.4(22)YD, 12.4(22)YE and 15.0(1)M.
All other versions of Cisco IOS and Cisco IOS XE Software are affected.
To see if a device is configured with NTP, log in to the device and issue the CLI command show running-config | include ntp. If the output contains either of the following commands, the device is vulnerable:
The following example identifies a Cisco device that is configured with NTP:
The following example identifies a Cisco device that is not configured with NTP:
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to “Cisco Internetwork Operating System Software” or “Cisco IOS Software.” The image name displays in parentheses, followed by “Version” and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:
The following example shows a product that is running Cisco IOS Software release 12.4(20)T with an image name of C1841-ADVENTERPRISEK9-M:
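An added Python helper, not part of the release notes, that applies the two checks described above (image name and release from the show version banner, and the NTP lines that show running-config | include ntp would return) to constructed sample output. The show version and running-config examples the text refers to are not reproduced on this page, so the helper assumes that any global command beginning with ntp counts as NTP being configured; the sample banner, hostname, server address and key string are constructed.

```python
import re

# Constructed sample output (the banner and configuration examples referenced
# in the text above are not reproduced on this page).
SHOW_VERSION_SAMPLE = (
    "Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), "
    "Version 12.4(20)T, RELEASE SOFTWARE (fc3)"
)
RUNNING_CONFIG_SAMPLE = """\
hostname edge-1
!
ntp authentication-key 1 md5 CONSTRUCTED 7
ntp server 192.0.2.10
!
"""
RUNNING_CONFIG_NO_NTP = """\
hostname edge-2
!
ip domain-lookup
!
"""

# The image name sits in parentheses and is followed by "Version" and the
# release name, as the text above describes.
BANNER_RE = re.compile(
    r"Cisco (?:IOS|Internetwork Operating System) Software.*?"
    r"\((?P<image>[^)]+)\),\s*Version\s+(?P<version>[^,\s]+)"
)


def parse_show_version(banner):
    """Return the image name and release found in a show version banner."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("not a Cisco IOS 'show version' banner")
    return {"image": m.group("image"), "version": m.group("version")}


def include_ntp(running_config):
    """Emulate 'show running-config | include ntp': lines containing 'ntp'."""
    return [line for line in running_config.splitlines() if "ntp" in line]


def is_ntp_configured(running_config):
    """Assumption: any global command starting with 'ntp ' means NTP is
    configured; the specific commands the text lists are not reproduced here."""
    return any(line.strip().startswith("ntp ") for line in include_ntp(running_config))


if __name__ == "__main__":
    print(parse_show_version(SHOW_VERSION_SAMPLE))
    print(include_ntp(RUNNING_CONFIG_SAMPLE))
    print("NTP configured:", is_ntp_configured(RUNNING_CONFIG_SAMPLE))
```

The helper deliberately stops at inventory: deciding whether a given release carries NTPv4 (the list of releases above) requires comparing release trains, which is left to the administrator.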
Additional information about Cisco IOS Software release naming conventions is available in “White Paper: Cisco IOS and NX-OS Software Reference Guide” at the following link: http://www.cisco.com/web/about/security/intelligence/ios-ref.html
Workaround: There are no workarounds other than disabling NTP on the device. The following mitigations have been identified for this vulnerability. Only packets destined to an IP address configured on the device can exploit this vulnerability; transit traffic cannot.
Note NTP peer authentication is not a workaround and is still a vulnerable configuration.
Warning: Because the feature in this vulnerability utilizes UDP as a transport, it is possible to spoof the sender’s IP address, which may defeat access control lists (ACLs) that permit communication to these ports from trusted IP addresses. Unicast Reverse Path Forwarding (Unicast RPF) should be considered to be used in conjunction to offer a better mitigation solution.
For additional information on NTP access control groups, consult the document titled “Performing Basic System Management” at the following link:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_basic_sys_manage.html#wp1034942
– Infrastructure Access Control Lists
Warning: Because the feature in this vulnerability utilizes UDP as a transport, it is possible to spoof the sender’s IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses. Unicast RPF should be considered to be used in conjunction to offer a better mitigation solution.
Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of networks.
Infrastructure ACLs (iACLs) are a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The iACL example below should be included as part of the deployed infrastructure access-list, which will help protect all devices with IP addresses in the infrastructure IP address range:
The white paper entitled “Protecting Your Core: Infrastructure Protection Access Control Lists” presents guidelines and recommended deployment techniques for infrastructure protection access lists and is available at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
Two CoPP approaches are covered under Control Plane Policing below. The first prevents the injection of malicious traffic from untrusted sources; the second rate limits NTP traffic to the device.
– Filtering untrusted sources to the device.
Warning: Because the feature affected by this vulnerability uses UDP as a transport, the sender’s IP address can be spoofed, which may defeat ACLs that permit communication to these ports from trusted IP addresses. Unicast RPF should be used in conjunction with the ACLs to offer better mitigation.
Control Plane Policing (CoPP) can be used to block untrusted UDP traffic to the device. Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP can be configured on a device to help protect the management and control planes and minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic that is sent to infrastructure devices in accordance with existing security policies and configurations. A class that matches NTP from untrusted sources and drops it should be included as part of the deployed CoPP policy, which will help protect all devices with IP addresses in the infrastructure IP address range.
In such a CoPP policy, the access control list entries (ACEs) that match the potential exploit packets with the “permit” action result in those packets being discarded by the policy-map “drop” function, while packets that match an ACE with the “deny” action are not matched by the class and are therefore not affected by the drop.
– Rate limiting the traffic to the device.
A CoPP class that polices NTP traffic could be included as part of the deployed CoPP policy, which will help protect targeted devices from processing large amounts of NTP traffic.
Warning: If the rate limit is exceeded, valid NTP traffic may also be dropped.
Additional information on the configuration and use of the CoPP feature can be found in the documents, “Control Plane Policing Implementation Best Practices” and “Cisco IOS Software Releases 12.2 S - Control Plane Policing” at: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
Cisco IOS Software releases that have the fix for this Cisco bug ID have a behavior change for NTP mode 7 (private mode) packets.
A Cisco IOS Software release with the fix for this Cisco bug ID does not process NTP mode 7 packets and, if NTP debugging is enabled, displays the message “NTP: Receive: dropping message: Received NTP private mode packet. 7”.
To have Cisco IOS Software process mode 7 packets, configure the ntp allow mode private command. This is disabled by default.
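The following configuration, added here as an example and not taken from the release notes or from Cisco's advisory, puts the workarounds above together for the NTP case: an iACL with Unicast RPF on the untrusted interface, a CoPP class that discards NTP from untrusted sources, and a second CoPP class that rate limits what remains. The infrastructure range 192.0.2.0/24, the trusted NTP server 198.51.100.1, the interface name and the policer rates are assumptions and must be replaced with site values.

```ios
! Added example; addresses, interface names and policer rates are assumptions.
!
! 1. Infrastructure ACL: only the trusted NTP server (198.51.100.1) may send
!    NTP to the infrastructure range (192.0.2.0/24). The final permit keeps
!    transit traffic unaffected; a real iACL would be far more restrictive.
ip access-list extended INFRASTRUCTURE-ACL
 permit udp host 198.51.100.1 192.0.2.0 0.0.0.255 eq ntp
 deny   udp any 192.0.2.0 0.0.0.255 eq ntp
 permit ip any any
!
! Apply the iACL inbound on the untrusted (edge) interface and enable
! Unicast RPF there: a packet with a spoofed source of 198.51.100.1 would
! otherwise pass the first permit line.
interface GigabitEthernet1/1
 ip access-group INFRASTRUCTURE-ACL in
 ip verify unicast source reachable-via rx
!
! 2. CoPP class that discards NTP from untrusted sources. In this ACL
!    "permit" means "match" and matched packets are dropped by the policy;
!    the "deny" line excludes the trusted server from the class.
ip access-list extended COPP-NTP-UNTRUSTED
 deny   udp host 198.51.100.1 any eq ntp
 permit udp any any eq ntp
!
! 3. CoPP class that rate limits the NTP that remains (the trusted server).
!    8000 bit/s is roughly a dozen 76-byte NTP packets per second; above
!    that, valid NTP is dropped too, so size this to the real polling load.
ip access-list extended COPP-NTP-TRUSTED
 permit udp host 198.51.100.1 any eq ntp
!
class-map match-all COPP-NTP-DROP
 match access-group name COPP-NTP-UNTRUSTED
class-map match-all COPP-NTP-RATE
 match access-group name COPP-NTP-TRUSTED
!
! In the 12.0S, 12.2S and 12.2SX trains the drop action is written as a
! policer that drops both conforming and exceeding traffic rather than
! the plain "drop" keyword used in later trains.
policy-map COPP-POLICY
 class COPP-NTP-DROP
  police 32000 1500 1500 conform-action drop exceed-action drop
 class COPP-NTP-RATE
  police 8000 1500 1500 conform-action transmit exceed-action drop
!
! On the Supervisor Engine 32 PFC3, CoPP is enforced in hardware only with
! MLS QoS enabled globally.
mls qos
control-plane
 service-policy input COPP-POLICY
!
! Fixed releases drop NTP mode 7 by default. Re-enable private mode only if
! a monitoring tool genuinely needs ntpdc-style queries:
! ntp allow mode private
```

Check the counters with show policy-map control-plane and show access-lists before trusting the policy: a policer rate that is too low shows up there as exceed drops on the trusted class, and a spoofed-source test from a lab host should be counted on the iACL deny line or the uRPF drop counter, not on the permit line.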
A device running Cisco IOS Software, Cisco IOS XE Software, or Cisco IOS XR Software is vulnerable to a remote denial of service condition if it is configured for Multiprotocol Label Switching (MPLS) and has support for Label Distribution Protocol (LDP).
A crafted LDP UDP packet can cause an affected device running Cisco IOS Software or Cisco IOS XE Software to reload. On devices running affected versions of Cisco IOS XR Software, such packets can cause the device to restart the mpls_ldp process.
A system is vulnerable if configured with either LDP or Tag Distribution Protocol (TDP).
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100324-ldp.shtml
Symptom: A Cisco IOS device may experience an unexpected reload as a result of mtrace packet processing.
Workaround: None other than avoiding the use of mtrace functionality.
Symptoms: Cisco IOS device may crash.
Conditions: A Cisco IOS device may crash upon receiving a malformed OSPF message.
Before the issue can be triggered, the Cisco IOS device must be able to establish an adjacency with an OSPF peer. The issue then occurs when the device processes an OSPF message sent by that peer.
Workaround: There is no workaround. Using OSPF authentication can reduce the chance of hitting this issue, because only an authenticated peer can form the adjacency.
Symptom: A Cisco IOS device that receives a BGP update message and, as a result of AS prepending, needs to send an update downstream that would have over 255 AS hops will send an invalidly formatted update. When this update is received by a downstream BGP speaker, it triggers a NOTIFICATION back to the sender, which results in the BGP session being reset.
Conditions: This problem is seen when a Cisco IOS device receives a BGP update and, due to inbound AS prepending, outbound AS prepending, or both, needs to send an update downstream that has more than 255 AS hops.
Workaround: The workaround is to configure bgp maxas-limit X on the device that, after prepending, would need to send an update with over 255 AS hops. Since IOS limits the route-map prepending value to 10, the most that could be added is 21 AS hops (10 on ingress, 10 on egress, and 1 for the normal eBGP AS hop addition). Therefore, a conservative value to configure would be 200 to prevent this condition.
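As an added example, not part of the release notes, the following fragment shows the two routing-protocol mitigations mentioned above: OSPF MD5 authentication on the adjacency, and bgp maxas-limit set to the conservative value of 200. The OSPF process number, area, key, BGP AS number and interface name are assumptions.

```ios
! Added example; process number, area, AS number, key and interface names
! are assumptions.
!
! OSPF: require MD5 authentication in area 0 so that no adjacency forms with
! an unauthenticated peer. Every router on the segment needs the same key id
! and key, or existing adjacencies will drop when this is applied.
router ospf 1
 area 0 authentication message-digest
!
interface GigabitEthernet1/2
 ip ospf message-digest-key 1 md5 0spfSharedKey
!
! BGP: discard any received update whose AS_PATH is longer than the limit.
! Worst-case prepending adds 10 (ingress route-map) + 10 (egress route-map)
! + 1 (eBGP) = 21 hops, so 200 keeps the outbound update under 255.
router bgp 65000
 bgp maxas-limit 200
```

Verify the OSPF side with show ip ospf neighbor after the change (neighbors missing the key stay in INIT or disappear) and the BGP side with show ip bgp neighbors, which counts updates discarded by the AS-path limit.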
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-tunnels.
Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.
There are no workarounds that mitigate this vulnerability.
This advisory is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-auth-proxy
Other Caveats Resolved in Release 12.2(18)ZYA3
Symptoms: When “no aaa new-model” is configured, authentication for EXEC users on the vty lines happens through the local user database even when TACACS+ is configured.
Conditions: Configure “no aaa new-model”, configure login local under line vty 0 4 and configure login tacacs under line vty 0 4.
Workaround: There is no workaround.
Resolved Infrastructure Caveats
Symptom: The Cisco IOS HTTP server and the Cisco IOS HTTPS server provide web server functionality to be used by other Cisco IOS features that require it to function. For example, embedded device managers available for some Cisco IOS devices need the Cisco IOS HTTP server or the Cisco IOS HTTPS server to be enabled as a prerequisite.
One of the functionalities provided by the Cisco IOS HTTP server and the Cisco IOS HTTPS server is the WEB_EXEC module, which is the HTTP-based IOS EXEC Server. The WEB_EXEC module allows for both “show” and “configure” commands to be executed on the device through requests sent over the HTTP protocol.
Both the Cisco IOS HTTP server and the Cisco IOS HTTPS server use the locally configured enable password (configured by using the enable password or enable secret commands) as the default authentication mechanism for any request received. Other mechanisms can also be configured to authenticate requests to the HTTP or HTTPS interface. Some of those mechanisms are the local user database, an external RADIUS server or an external TACACS+ server.
If an enable password is not present in the device configuration, and no other mechanism has been configured to authenticate requests to the HTTP interface, the Cisco IOS HTTP server and the Cisco IOS HTTPS server may execute any command received without requiring authentication. Any commands up to and including commands that require privilege level 15 might then be executed on the device. Privilege level 15 is the highest privilege level on Cisco IOS devices.
Conditions: For a Cisco IOS device to be affected by this issue all of the following conditions must be met:
– An enable password is not present in the device configuration
– Either the Cisco IOS HTTP server or the Cisco IOS HTTPS server is enabled
– No other authentication mechanism has been configured for access to the Cisco IOS HTTP server or Cisco IOS HTTPS server. Such mechanisms might include the local user database, RADIUS (Remote Authentication Dial In User Service), or TACACS+ (Terminal Access Controller Access-Control System)
The Cisco IOS HTTP server is enabled by default on some Cisco IOS releases.
Workaround: Any of the following workarounds can be implemented:
– Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an enable password
Customers requiring the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server must configure an authentication mechanism for any requests received. One option is to use the enable password or enable secret commands to configure an enable password. The enable password is the default authentication mechanism used by both the Cisco IOS HTTP server and the Cisco IOS HTTPS server if no other method has been configured.
To configure an enable password with the enable secret command, add a line of the form enable secret mypassword to the device configuration, replacing mypassword with a strong password of your choosing. For guidance on selecting strong passwords, please refer to your site security policy. The document entitled “Cisco IOS Password Encryption Facts” explains the differences between using the enable secret and the enable password commands to configure an enable password. This document is available at the following link: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00809d38a7.shtml
– Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an authentication mechanism other than the default
Configure an authentication mechanism for access to the Cisco IOS HTTP server or the Cisco IOS HTTPS server other than the default. Such authentication mechanism can be the local user database, an external RADIUS server, an external TACACS+ server or a previously defined AAA (Authentication, Authorization and Accounting) method. As the procedure to enable an authentication mechanism for the Cisco IOS HTTP server and the Cisco IOS HTTPS server varies across Cisco IOS releases and considering other additional factors, no example will be provided. Customers looking for information about how to configure an authentication mechanism for the Cisco IOS HTTP server and for the Cisco IOS HTTPS server are encouraged to read the document entitled “AAA Control of the IOS HTTP Server”, which is available at the following link: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
– Disabling the Cisco IOS HTTP Server and/or the Cisco IOS HTTPS server functionality
Customers who do not require the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server can disable it by adding the no ip http server and no ip http secure-server commands to the device configuration.
The second command might return an error message if the Cisco IOS version installed and running on the device does not support the HTTPS server feature. This error message is harmless and can safely be ignored.
Please be aware that disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server may impact other features that rely on it. As an example, disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server will disable access to any embedded device manager installed on the device.
Further Problem Description: In addition to the explicit workarounds detailed above it is highly recommended that customers limit access to Cisco IOS HTTP server and the Cisco IOS HTTPS server to only trusted management hosts. Information on how to restrict access to the Cisco IOS HTTP server and the Cisco IOS HTTPS server based on IP addresses is available at the following link:
http://www.cisco.com/en/US/docs/ios-xml/ios/https/configuration/12-4/nm-http-web.html#GUID-BB57C0D5-71DB-47C5-9C11-8146773D1127
Customers are also advised to review the “Management Plane” section of the document entitled “Cisco Guide to Harden Cisco IOS Devices” for additional recommendations to secure management connections to Cisco IOS devices. This document is available at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
Symptom: Three separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities and a cross-site request forgery (CSRF) vulnerability have been reported to Cisco by three independent researchers.
The Cisco Security Response is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090114-http
Conditions: See “Additional Information” section in the posted response for further details.
Workarounds: See “Workaround” section in the posted response for further details.
Several features within Cisco IOS Software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked; transit traffic will not block the interface.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory.
This advisory is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-udp
A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS Software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:
– The configured feature may stop accepting new connections or sessions.
– The memory of the device may be consumed.
– The device may experience prolonged high CPU utilization.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the “workarounds” section of the advisory.
The advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-ip
Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches.
To exploit this vulnerability an attacker must be able to cause a vulnerable DNS server to perform recursive DNS queries. Therefore, DNS servers that are only authoritative, or servers where recursion is not allowed, are not affected.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080708-dns
This security advisory is being published simultaneously with announcements from other affected organizations.
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.
In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.
Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090908-tcp24.
Symptoms: High CPU utilization occurs after the device receives an ARP packet with protocol type 0x1000.
Conditions: This problem occurs on a Supervisor Engine 32 running Cisco IOS Release 12.2(33)SXI and may also occur on a Supervisor Engine 720. The problem is only seen when bridge-group configuration is in use, which leads to ARP packets with protocol type 0x1000 being bridged. The problem does not apply to IP ARP packets.
Workaround: Filter the ARP packet. The device configuration should have bridge-group creation first, followed by interface-specific bridge-group options.
Cisco IOS Software contains a vulnerability in multiple features that could allow an attacker to cause a denial of service (DoS) condition on the affected device. A sequence of specially crafted TCP packets can cause the vulnerable device to reload.
Cisco has released free software updates that address this vulnerability.
Several mitigation strategies are outlined in the workarounds section of this advisory.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-tcp
Summary: Cisco’s VTP protocol implementation in some versions of Cisco IOS and CatOS may be vulnerable to a DoS attack via a specially crafted VTP packet sent from the local network segment when operating in either server or client VTP mode. When the device receives the specially crafted VTP packet, the switch may crash (and reload/hang). The crafted packet must be received on a switch interface configured to operate as a trunk port.
Workarounds: There are no workarounds available for this vulnerability.
This response is posted at http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20081105-vtp
Symptoms: MSFC crashes with Red Zone memory corruption.
Conditions: This problem is seen when processing an Auto-RP packet and NAT is enabled.
Workaround: There is no workaround.
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-tunnels.
Symptoms: The Cisco IOS may experience high CPU utilization.
Conditions: ISAKMP is enabled.
Further Information: This issue can occur if the Cisco IOS device processes a malformed IKE message.
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
– Session Initiation Protocol (SIP)
– Media Gateway Control Protocol (MGCP)
– Signaling protocols H.323 and H.245
– Real-time Transport Protocol (RTP)
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070808-IOS-voice.html
Other Caveats Resolved in Release 12.2(18)ZYA2
Resolved Infrastructure Caveats
Symptom: The Cisco IOS HTTP server and the Cisco IOS HTTPS server provide web server functionality to be used by other Cisco IOS features that require it to function. For example, embedded device managers available for some Cisco IOS devices need the Cisco IOS HTTP server or the Cisco IOS HTTPS server to be enabled as a prerequisite.
One of the functionalities provided by the Cisco IOS HTTP server and the Cisco IOS HTTPS server is the WEB_EXEC module, which is the HTTP-based IOS EXEC Server. The WEB_EXEC module allows for both “show” and “configure” commands to be executed on the device through requests sent over the HTTP protocol.
Both the Cisco IOS HTTP server and the Cisco IOS HTTPS server use the locally configured enable password (configured by using the enable password or enable secret commands) as the default authentication mechanism for any request received. Other mechanisms can also be configured to authenticate requests to the HTTP or HTTPS interface. Some of those mechanisms are the local user database, an external RADIUS server or an external TACACS+ server.
If an enable password is not present in the device configuration, and no other mechanism has been configured to authenticate requests to the HTTP interface, the Cisco IOS HTTP server and the Cisco IOS HTTPS server may execute any command received without requiring authentication. Any commands up to and including commands that require privilege level 15 might then be executed on the device. Privilege level 15 is the highest privilege level on Cisco IOS devices.
Conditions: For a Cisco IOS device to be affected by this issue all of the following conditions must be met:
– An enable password is not present in the device configuration
– Either the Cisco IOS HTTP server or the Cisco IOS HTTPS server is enabled
– No other authentication mechanism has been configured for access to the Cisco IOS HTTP server or Cisco IOS HTTPS server. Such mechanisms might include the local user database, RADIUS (Remote Authentication Dial In User Service), or TACACS+ (Terminal Access Controller Access-Control System)
The Cisco IOS HTTP server is enabled by default on some Cisco IOS releases.
Workaround: Any of the following workarounds can be implemented:
– Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an enable password
Customers requiring the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server must configure an authentication mechanism for any requests received. One option is to use the enable password or enable secret commands to configure an enable password. The enable password is the default authentication mechanism used by both the Cisco IOS HTTP server and the Cisco IOS HTTPS server if no other method has been configured.
To configure an enable password with the enable secret command, add a line of the form enable secret mypassword to the device configuration, replacing mypassword with a strong password of your choosing. For guidance on selecting strong passwords, please refer to your site security policy. The document entitled “Cisco IOS Password Encryption Facts” explains the differences between using the enable secret and the enable password commands to configure an enable password. This document is available at the following link:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00809d38a7.shtml
– Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an authentication mechanism other than the default
Configure an authentication mechanism for access to the Cisco IOS HTTP server or the Cisco IOS HTTPS server other than the default. Such authentication mechanism can be the local user database, an external RADIUS server, an external TACACS+ server or a previously defined AAA (Authentication, Authorization and Accounting) method. As the procedure to enable an authentication mechanism for the Cisco IOS HTTP server and the Cisco IOS HTTPS server varies across Cisco IOS releases and considering other additional factors, no example will be provided. Customers looking for information about how to configure an authentication mechanism for the Cisco IOS HTTP server and for the Cisco IOS HTTPS server are encouraged to read the document entitled “AAA Control of the IOS HTTP Server”, which is available at the following link:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
– Disabling the Cisco IOS HTTP Server and/or the Cisco IOS HTTPS server functionality
Customers who do not require the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server can disable it by adding the no ip http server and no ip http secure-server commands to the device configuration.
The second command might return an error message if the Cisco IOS version installed and running on the device does not support the HTTPS server feature. This error message is harmless and can safely be ignored.
Please be aware that disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server may impact other features that rely on it. As an example, disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server will disable access to any embedded device manager installed on the device.
Further Problem Description: In addition to the explicit workarounds detailed above it is highly recommended that customers limit access to Cisco IOS HTTP server and the Cisco IOS HTTPS server to only trusted management hosts. Information on how to restrict access to the Cisco IOS HTTP server and the Cisco IOS HTTPS server based on IP addresses is available at the following link:
http://www.cisco.com/en/US/docs/ios-xml/ios/https/configuration/12-4/nm-http-web.html#GUID-BB57C0D5-71DB-47C5-9C11-8146773D1127
Customers are also advised to review the “Management Plane” section of the document entitled “Cisco Guide to Harden Cisco IOS Devices” for additional recommendations to secure management connections to Cisco IOS devices. This document is available at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
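This HTTP server caveat appears in both the 12.2(18)ZYA3 and the 12.2(18)ZYA2 lists above. The configuration below is an added example, not the release notes’ own (which give none); it collects the three workarounds and the access restriction recommended in the further problem description. Usernames, passwords, the ACL number and the management host addresses are assumptions.

```ios
! Added example; usernames, passwords, ACL number and addresses are
! assumptions. Use path A (keep the server, authenticate and restrict it)
! or path B (remove it), not both.
!
! Path A1. The default authentication for HTTP(S) requests is the enable
! password; set it with "enable secret" (MD5 hash), never "enable password"
! (reversible Type 7 obfuscation).
enable secret S3cure-Enable-Pass
!
! Path A2. Better than a shared enable password: authenticate each request
! against the local user database ("ip http authentication aaa" instead
! points it at a configured RADIUS/TACACS+ method). The user needs
! privilege 15 for configure commands via WEB_EXEC.
username webadmin privilege 15 secret S3cure-User-Pass
ip http authentication local
!
! Path A3. Only trusted management hosts may reach the server at all, so
! an attacker elsewhere never gets to the authentication step.
access-list 10 remark Management hosts allowed to reach the HTTP(S) server
access-list 10 permit 192.0.2.10
access-list 10 permit 192.0.2.11
access-list 10 deny   any
ip http access-class 10
!
! Path A4. Serve the device manager over HTTPS only; the secure server uses
! the router's trustpoint or generates a self-signed certificate.
ip http secure-server
no ip http server
!
! Path B. The device manager is not needed: remove the attack surface. The
! second line errors harmlessly on images without HTTPS support.
! no ip http server
! no ip http secure-server
!
! Verify: "show ip http server status" reports whether each server is
! enabled, the authentication method and the access-class in use.
```

After applying path A, test from a host outside the access list (the connection must be refused before any login prompt) and from a management host without credentials (the request must be rejected, not executed).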
Several features within Cisco IOS Software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked, transit traffic will not block the interface.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory.
This advisory is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-udp
A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS Software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:
– The configured feature may stop accepting new connections or sessions.
– The memory of the device may be consumed.
– The device may experience prolonged high CPU utilization.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the “workarounds” section of the advisory.
The advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-ip
Cisco IOS Software contains a vulnerability in multiple features that could allow an attacker to cause a denial of service (DoS) condition on the affected device. A sequence of specially crafted TCP packets can cause the vulnerable device to reload.
Cisco has released free software updates that address this vulnerability.
Several mitigation strategies are outlined in the workarounds section of this advisory.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-tcp
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.
In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.
Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090908-tcp24.
Summary: Cisco’s VTP protocol implementation in some versions of Cisco IOS and CatOS may be vulnerable to a DoS attack via a specially crafted VTP packet sent from the local network segment when operating in either server or client VTP mode. When the device receives the specially crafted VTP packet, the switch may crash (and reload/hang). The crafted packet must be received on a switch interface configured to operate as a trunk port.
Workarounds: There are no workarounds available for this vulnerability.
This response is posted at http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20081105-vtp
Symptoms: A memory leak may occur in the “Multilink Events” process, which can be seen in the output of the show memory summary command:
Conditions: This symptom is observed when two interfaces are configured in the same multilink group or are bound to the same dialer profile.
Workaround: There is no workaround.
A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange.
Cisco has released free software updates that address this vulnerability. Aside from disabling affected services, there are no available workarounds to mitigate an exploit of this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-ssl
Symptoms: Cisco Catalyst 6500 and Cisco 7600 modules are reachable via 127.0.0.x addresses.
Conditions: Cisco Catalyst 6500 and Cisco 7600 series devices use addresses from the 127.0.0.0/8 (loopback) range in the Ethernet Out-of-Band Channel (EOBC) for internal communication.
Addresses from this range that are used in the EOBC on Cisco Catalyst 6500 and Cisco 7600 series devices are accessible from outside of the system. The Supervisor module, Multilayer Switch Feature Card (MSFC), or any other intelligent module may receive and process packets that are destined for the 127.0.0.0/8 network. An attacker can exploit this behavior to bypass existing access control lists; however, an exploit will not allow an attacker to bypass authentication or authorization. Valid authentication credentials are still required to access the module in question.
Per RFC 3330, a packet that is sent to an address anywhere within the 127.0.0.0/8 address range should loop back inside the host and should never reach the physical network. However, some host implementations send packets to addresses in the 127.0.0.0/8 range out of their Network Interface Card (NIC) and onto the network. Certain implementations that normally do not send packets to addresses in the 127.0.0.0/8 range may also be configured to do so.
Destination addresses in the 127.0.0.0/8 range are not routed on the Internet. This factor limits the exposure of this issue.
This issue is applicable to systems that run Hybrid Mode (Catalyst OS (CatOS) software on the Supervisor Engine and IOS Software on the MSFC) and Native Mode (IOS Software on both the Supervisor Engine and the MSFC).
Workaround: Administrators can apply an access control list that filters packets to the 127.0.0.0/8 address range to interfaces where attacks may be launched.
Control Plane Policing (CoPP) can be used to block traffic with a destination IP address in the 127.0.0.0/8 address range sent to the device. Cisco IOS Software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be configured on a device to protect the management and control planes to minimize the risk and effectiveness of direct infrastructure attacks. CoPP protects the management and control planes by explicitly permitting only authorized traffic that is sent to infrastructure devices in accordance with existing security policies and configurations.
Additional information on the configuration and use of the CoPP feature is available at the following links:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html
Infrastructure Access Control Lists (iACLs) are also considered a network security best practice and should be considered both as a long-term addition to effective network security and as a workaround for this specific issue. The white paper entitled “Protecting Your Core: Infrastructure Protection Access Control Lists” presents guidelines and recommended deployment techniques for infrastructure protection ACLs. The white paper is available at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
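The two workarounds described above (an interface iACL and a CoPP class), written out as an added Cisco IOS configuration example; it is not taken from the release notes or the linked white papers, and the interface names, ACL and class names, and the police rate are assumptions for illustration.

```cisco
! Added example, not part of the release notes or the Cisco advisory.
! Interface names, ACL/class names and the police rate are assumptions.
!
! 1. Infrastructure ACL: discard anything destined for 127.0.0.0/8 on the
!    interfaces where untrusted traffic enters, before it can reach the EOBC.
ip access-list extended EDGE-IACL-IN
 remark Loopback range must never arrive from the wire (RFC 3330)
 deny   ip any 127.0.0.0 0.255.255.255
 remark ...existing infrastructure-protection entries go here...
 permit ip any any
!
interface GigabitEthernet1/1
 description Untrusted edge link (assumed name)
 ip access-group EDGE-IACL-IN in
!
! 2. Control Plane Policing: a second line of defense that drops the same
!    traffic at the control plane no matter which interface it arrived on.
ip access-list extended COPP-LOOPBACK-DST
 permit ip any 127.0.0.0 0.255.255.255
!
class-map match-all COPP-LOOPBACK-DST
 match access-group name COPP-LOOPBACK-DST
!
policy-map COPP-POLICY
 class COPP-LOOPBACK-DST
  police 32000 1000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
! Verify that the entries are being hit:
!   show ip access-lists EDGE-IACL-IN
!   show policy-map control-plane
```

Adding the log keyword to the deny entry makes matching packets software-switched on these platforms, so leave it off on high-volume interfaces and rely on the ACL hit counters instead.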
Other Caveats Resolved in Release 12.2(18)ZYA1
Resolved Caveats for Product ‘all’ and Component ‘aaa’
Symptoms: Router reloads after authentication attempt fails on console.
Conditions: Occurs while performing AAA accounting. The accounting structure was freed twice, which results in a crash. Occurs when the aaa accounting send stop-record authentication failure command is configured, which sends a stop record for authentication failure.
Workaround: Remove the aaa accounting send stop-record authentication failure command.
Resolved Caveats for Product ‘all’ and Component ‘dlsw’
Cisco IOS contains multiple vulnerabilities in the Data-link Switching (DLSw) feature that may result in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20080326-dlsw.html
Resolved Caveats for Product ‘all’ and Component ‘ifs’
Symptoms: Syslog displays password when copying the configuration via FTP.
Conditions: This symptom occurs when copying via FTP. The Syslog message displays the password given by the user as part of syntax of FTP copy.
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘ipsec-isakmp’
Symptoms: A device that is running Cisco IOS software may crash during processing of an Internet Key Exchange (IKE) message.
Conditions: The device must have a valid and complete configuration for IPsec. IPsec VPN features in Cisco IOS software that use IKE include Site-to-Site VPN tunnels, EzVPN (server and remote), DMVPN, IPsec over GRE, and GET VPN.
Workaround: Customers that do not require IPsec functionality on their devices can use the no crypto isakmp enable command in global configuration mode to disable the processing of IKE messages and eliminate device exposure.
If IPsec is configured, this bug may be mitigated by applying access control lists that limit the hosts or IP networks that are allowed to establish IPsec sessions with affected devices. This assumes that IPsec peers are known. This workaround may not be feasible for remote access VPN gateways where the source IP addresses of VPN clients are not known in advance. ISAKMP uses port UDP/500 and can also use UDP/848 (the GDOI port) when GDOI is in use.
Further Problem Description: This bug is triggered deep into the IKE negotiation, and an exchange of messages between IKE peers is necessary.
If IPsec is not configured, it is not possible to reach the point in the IKE negotiation where the bug exists.
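The ACL workaround described above, written out as an added Cisco IOS example that is not part of the release notes; the peer addresses, interface name and ACL name are assumptions and must be replaced with the real IPsec peers.

```cisco
! Added example, not from the release notes. Peer addresses (RFC 5737
! documentation ranges), the interface name and the ACL name are assumptions.
ip access-list extended IKE-PEERS-IN
 remark Known IPsec peers may send IKE (UDP/500) and GDOI (UDP/848)
 permit udp host 192.0.2.10 any eq isakmp
 permit udp host 192.0.2.10 any eq 848
 permit udp host 198.51.100.20 any eq isakmp
 permit udp host 198.51.100.20 any eq 848
 remark Everyone else: IKE and GDOI messages never reach the crypto code
 deny   udp any any eq isakmp
 deny   udp any any eq 848
 remark All other traffic is unchanged by this workaround
 permit ip any any
!
interface GigabitEthernet1/2
 description Internet-facing link (assumed name)
 ip access-group IKE-PEERS-IN in
!
! Verify: show ip access-lists IKE-PEERS-IN (deny counters should grow only
! for unexpected sources; known peers should still show isakmp hits)
```

If peers negotiate through NAT traversal, IKE moves to UDP/4500 after the first exchange (a detail the caveat text does not cover), so the same permit/deny pairs are needed for port 4500 in that deployment.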
Resolved Caveats for Product ‘all’ and Component ‘os’
This is the Cisco Product Security Incident Response Team (PSIRT) response to a vulnerability that was reported on the Cisco NSP mailing list on August 17, 2007 regarding the crash and reload of devices running Cisco IOS after executing a command that uses, either directly or indirectly, a regular expression. The original post is available at the following link:
http://puck.nether.net/pipermail/cisco-nsp/2007-August/043002.html
The Cisco PSIRT posted a preliminary response on the same day and is available at the following link:
http://puck.nether.net/pipermail/cisco-nsp/2007-August/043010.html
Preliminary research pointed to a previously known issue that was documented as Cisco bug ID CSCsb08386 (registered customers only), and entitled “PRP crash by show ip bgp regexp”, which was already resolved. Further research indicates that the current issue is a different but related vulnerability.
There are no workarounds available for this vulnerability. Cisco will update this document in the event of any changes.
The full text of this response is available at http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070912-regexp
Resolved Caveats for Product ‘all’ and Component ‘ssh’
Symptoms: Devices running Cisco IOS may reload with the error message “System returned to ROM by abort at PC 0x0” when processing SSHv2 sessions. A switch crashes. We have a script running that will continuously ssh-v2 into the 3560 then close the session normally. If the vty line that is being used by SSHv2 sessions to the device is cleared while the SSH session is being processed, the next time an ssh into the device is done, the device will crash.
Conditions: This problem is platform-independent, but it has been seen on Cisco Catalyst 3560, Cisco Catalyst 3750, and Cisco Catalyst 4948 series switches. The issue is specific to SSH version 2, and it is seen only when the box is under brute-force attack. This crash is not seen under normal conditions.
Workaround: There are mitigations to this vulnerability: For Cisco IOS, the SSH server can be disabled by applying the command crypto key zeroize rsa while in configuration mode. The SSH server is enabled automatically upon generating an RSA key pair. Zeroing the RSA keys is the only way to completely disable the SSH server.
Access to the SSH server on Cisco IOS may also be disabled by removing SSH as a valid transport protocol. This can be done by reapplying the transport input command with ‘ssh’ removed from the list of permitted transports on VTY lines while in configuration mode. For example:
line vty 0 4
 transport input telnet
end
If SSH server functionality is desired, access to the server can be restricted to specific source IP addresses or blocked entirely using Access Control Lists (ACLs) on the VTY lines as shown in the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html#Applying_the_ACL_to_an_Interface_or_Terminal_Line
More information on configuring ACLs can be found on Cisco’s public website: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
Resolved Caveats for Product ‘all’ and Component ‘ssl’
A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange.
Cisco has released free software updates that address this vulnerability. Aside from disabling affected services, there are no available workarounds to mitigate an exploit of this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-ssl.
Resolved Caveats for Product ‘all’ and Component ‘ts’
This DDTS addresses the issue in the Cisco Product Security Incident Response Team (PSIRT) response to an issue discovered and reported to Cisco by Andy Davis from IRM, Inc. regarding a stack overflow in the Cisco IOS Line Printer Daemon (LPD) Protocol feature.
This security response is posted at: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071010-lpd
Other Caveats Resolved in Release 12.2(18)ZYA
Resolved Caveats for Product ‘all’ and Component ‘cat6000-l2-infra’
Symptoms: Two subinterfaces may have the same CEF interface index.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router when the following configuration sequence occurs:
1) Create subinterface 1, 2, and 3.
In this situation, subinterfaces 1 and 4 may have the same CEF IDB.
Workaround: There is no workaround. You must reload the platform to clear the symptoms.
Resolved Caveats for Product ‘all’ and Component ‘dlsw’
Cisco IOS contains multiple vulnerabilities in the Data-link Switching (DLSw) feature that may result in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20080326-dlsw.html
Resolved Caveats for Product ‘all’ and Component ‘ios-firewall-aic’
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
Session Initiation Protocol (SIP)
Media Gateway Control Protocol (MGCP)
Signaling protocols H.323, H.254
Real-time Transport Protocol (RTP)
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070808-IOS-voice.html.
Resolved Caveats for Product ‘all’ and Component ‘mcast-vpn’
A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20080326-mvpn.html.
Resolved Caveats for Product ‘all’ and Component ‘snmp’
Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.
The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.
This advisory will be posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20080610-snmpv3.html
Resolved Caveats for Product ‘all’ and Component ‘ssl’
An issue has been discovered in processing the SSL handshake. Fixes are integrated as advised in http://www.cisco.com/en/US/products/csa/cisco-sa-20070522-SSL.html
Workaround: Disable SSL-based services.
Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.
Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.
Workaround: Disable the ip http secure server command.
Resolved Caveats for Product ‘all’ and Component ‘tcp’
Symptoms: With X.25 over TCP (XOT) enabled on a router or Catalyst switch, malformed traffic that is sent to TCP port 1998 causes the device to reload. This symptom was first observed in Cisco IOS Release 12.2(31)SB2.
Conditions: This symptom is observed only when X.25 routing is enabled on the device.
Workaround: Use IPsec or other tunneling mechanisms to protect XOT traffic. Also, apply ACLs on affected devices so that traffic is accepted only from trusted tunnel endpoints.
Symptom: Devices may reload upon receiving multiple short-lived TCP sessions to the telnet port.
Conditions: Devices that run IOS and support IOS Software Modularity are affected. Images that support IOS Software Modularity will have “-vz” in their image name.
Resolved Caveats for Product ‘cat6000’ and Component ‘cat6000-mcast’
Bus error crash (signal 10) seen after the following error message:
%MCAST-SP-6-GC_LIMIT_EXCEEDED: MLD snooping was trying to allocate more Layer 2 entries than what allowed (7744)
This has been observed on a Catalyst 6500 running IOS version 12.2(18)SXF1.
Workaround: Disable IPv6 MLD snooping with the no ipv6 mld snooping command.
There is no negative impact from implementing the workaround as long as there is no IPv6 multicast traffic in the network.
Symptom: A Cisco IOS device supporting IPv6 MLD may crash with a data bus error exception and stack trace PC = 0xA0000100.
Conditions: Device is running normal production traffic. Presence of malformed MLD packet in this network caused the issue.
Workaround: Disabling MLD snooping on the VLAN or globally on the box will stop the crash.
Other Caveats Resolved in Release 12.2(18)ZY2
Resolved Caveats for Product ‘all’ and Component ‘mcast-vpn’
A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20080326-mvpn.html.
Resolved Caveats for Product ‘all’ and Component ‘pim’
Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-multicast.
Resolved Caveats for Product ‘all’ and Component ‘socket’
A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability, the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability, an offending IPv6 packet must be targeted to the device. Packets that are routed through the router cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is the Resource Reservation Protocol (RSVP) service, which, if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.
Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-IPv4IPv6
Resolved Caveats for Product ‘3750’ and Component ‘802.1x’
Symptoms: A platform may reload in response to malformed 802.1x EAP traffic.
Conditions: This symptom is observed on a Cisco Catalyst 3750 that runs Cisco IOS Release 12.2(25)SEC. However, the symptom is both platform- and release-independent.
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘aaa’
Symptoms: When you enter the no tacacs-server administration command, the router may crash because of processor memory corruption.
Conditions: This symptom is observed when you enter the no tacacs-server administration command while the tacacs-server administration command was not previously configured.
Workaround: Do not enter the no tacacs-server administration command while the tacacs-server administration command was not previously configured.
Symptoms: When you attempt to configure an authentication, authorization, and accounting (AAA) list for a network, the following error message may be generated:
AAA: No free accounting lists for “network”.
Conditions: This symptom is observed on a Cisco router that has not yet reached its maximum of 1024 authentication lists, 1024 authorization lists, and 1024 accounting lists.
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘ata-filesystem’
Symptoms: The running configuration may not be accessible after you have copied a small file to the running configuration.
Conditions: This symptom is observed on a Cisco router that has an ATA file system after you have rebooted the router.
Workaround: Reboot the router once more.
Resolved Caveats for Product ‘all’ and Component ‘bgp’
Symptoms: A Cisco router that runs BGP may crash because of a bus error at a low address when you enter the show bgp ipv6 network command.
Conditions: This symptom is observed on a Cisco 7505 router that runs Cisco IOS 12.2(15)T8 after BGP configuration changes. The symptom may also occur in other releases.
Workaround: There is no workaround.
Symptoms: Multipath load-balancing may not function for internal BGP (iBGP) paths, and routes are not learned through multipath routing, even after you have cleared BGP.
Conditions: This symptom is observed after an RP switchover has occurred.
Workaround: There is no workaround.
Symptoms: The BGP table version remains stuck at 1, and the router may crash.
Conditions: This symptom is observed when you enter the clear bgp ipv4 uni * command for IPv4 or the clear bgp ipv6 uni * command for IPv6. The symptom may also occur when you enter the clear bgp nsap uni * command for a network service access point (NSAP) address family.
Workaround: Enter the clear ip bgp * command to clear the sessions, purge the BGP table, and prevent the router from crashing.
Symptoms: A default route that is defined by the neighbor default-originate command may be ignored by the BGP neighbor.
Conditions: This symptom is observed on a Cisco router after a route flap in the network causes the default route to be relearned.
Workaround: Manually clear the BGP neighbor to enable the router to correctly relearn the default route.
Symptoms: When BGP updates are received, stale paths are not removed from the BGP table, causing the number of paths for a prefix to increase. When the number of BGP paths reaches the upper limit of 255 paths, the router resets.
Conditions: This symptom is observed on a Cisco router when the neighbor soft-reconfiguration inbound command is enabled for each BGP peer.
Workaround: Remove the neighbor soft-reconfiguration inbound command. On a router that runs a Cisco IOS software image that has the route refresh capability, storing BGP updates is usually not necessary.
Symptoms: A switch or router may crash because of a bus error after a BGP dampening-related command is entered.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch that has a Supervisor Engine 720 that runs Cisco IOS Release 12.2(18)SXF7 but may also affect other platforms and releases.
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘cat6000-dot1x’
Symptoms: When a dot1x port is authenticated and assigned a VLAN by an AAA server and then the line card for the port is reset, the assigned VLAN becomes the configured access VLAN for the port. You can see this situation in the running configuration for the port.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router.
Workaround: There is no workaround to prevent the symptom from occurring. After the symptom has occurred, reconfigure the access VLAN for the port to the old value.
Further Problem Description: If, at a later time, you unconfigure dot1x on the port but do not unconfigure the access VLAN, the configuration for the assigned VLAN remains in place, causing the port to have access to whatever VLAN was previously assigned.
Resolved Caveats for Product ‘all’ and Component ‘cat6000-env’
Symptoms: When you enter the show tech command with a long regular expression, the platform may crash during the display of the command output. For example, this situation may occur when you enter the following command:
show tech | e (0.00% 0.00% 0.00%|cmd_sts|0 0|ast clearing|packets input|packets output|SESs|LMI enq|cast queue|Last input|OAM cells input|reliability 255)
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that are configured with a Supervisor Engine 720.
Workaround: Do not use a long regular expression when you enter the show tech command.
Symptoms: The output of the show snmp mib ifmib ifindex command does not show the SNMP Interface Index identification numbers (ifIndex values) for 802.1Q VLAN subinterfaces.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router after you have performed an OIR of a Gigabit Ethernet module.
Workaround: Reload the platform.
Resolved Caveats for Product ‘all’ and Component ‘cat6000-hw-fwding’
Symptoms: An active supervisor engine may crash because of memory corruption in the SP processor pool, and the following error message may be generated:
%SYS-SP-3-BADFREEMAGIC: Corrupt free block at [...] (magic [...])
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that are configured with a Supervisor Engine 32 when a periodic SNMP query is made to the L2 MAC table. Because of a race condition, freed memory may be written by another thread, causing memory corruption.
Note that the symptom does not occur with a Supervisor Engine 1 or a Supervisor Engine 2.
Workaround: Disable the SNMP query to the L2 MAC table.
Resolved Caveats for Product ‘all’ and Component ‘dlsw’
A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.
There are workarounds available for this vulnerability.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070110-dlsw.html
Resolved Caveats for Product ‘all’ and Component ‘fib’
Symptoms: Adding a /31 netmask route on a Cisco router may not overwrite an existing /32 CEF entry.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.1(13)E4, Release 12.2, other 12.1 E releases, or Release 12.3.
Workaround: There is no workaround.
Further Problem Description: The fix for this caveat enables prefixes that are derived from adjacencies in the FIB to be periodically validated against covering prefixes that originate from the RIB. Validation ensures that an adjacency prefix is only active when it points out of the same interface as a covering attached prefix. To enable this validation, enter the ip cef table adjacency-prefix validate global configuration command.
Note that because validation is periodic, there could be a time lag between RIB changes and subsequent validation or withdrawal of covered adjacencies in the FIB.
Symptoms: CEF may not work over different tunnels.
Conditions: This symptom has been observed when both GRE and IPIP tunnels are configured and the packet traverses both.
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘ftp’
Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device’s filesystem, including the device’s saved configuration, which may include passwords or other sensitive information.
The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.
This vulnerability does not apply to the IOS FTP Client feature.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070509-iosftp.
Resolved Caveats for Product ‘all’ and Component ‘high-ipqos’
Symptoms: The police drop rate counter in the output of the show policy-map interface command does not increment.
Conditions: This symptom is observed only for the interface of a SPA that is installed in a SIP-400.
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘ifs’
Symptoms: A router may crash when you enter the dir /recursive command.
Conditions: This symptom is observed on a router that has a Cisco IOS File System (IFS) and occurs only when 40 subdirectories are created. The symptom does not occur when you enter the dir command without the /recursive keyword.
Workaround: When more than 40 subdirectories are created, do not use the dir /recursive command. Rather, use the show disk command.
Symptoms: An error message indicating memory leak and pending transmission for IPC messages is displayed as follows:
*Dec 3 01:31:31.792: %IPC-5-WATERMARK: 25642 messages pending in xmt for the port Primary RFS Server Port(10000.C) from source seat 2150000
*Dec 3 01:32:01.489: %SYS-2-MALLOCFAIL: Memory allocation of 4268 bytes failed from 0x9F32944, alignment 32
Conditions: This issue is triggered by CSCeb05456 and is applicable only if your Cisco IOS image has integrated the fix of CSCeb05456.
Workaround: Periodically, reload the router so that the IPC buffer pool will be reinitialized.
Resolved Caveats for Product ‘all’ and Component ‘ios-authproxy’
Symptoms: A Cisco router that is configured with an HTTP authentication proxy may reload because of a bus error.
Conditions: This symptom is observed on a Cisco router that runs a crypto image of Cisco IOS Release 12.3(9) or Release 12.3(10). Note that the symptom is not release-specific.
Workaround: Disable the HTTP authentication proxy. If this is not an option, there is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘ios-firewall-aic’
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
Session Initiation Protocol (SIP)
Media Gateway Control Protocol (MGCP)
Signaling protocols H.323, H.254
Real-time Transport Protocol (RTP)
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070808-IOS-voice.html.
Resolved Caveats for Product ‘all’ and Component ‘ip-acl’
Symptoms: When you configure an extended access control list (ACL) with the maximum sequence number and check the configuration with the show access-list command, the output does not show the maximum sequence number but a number that has one digit less than the configured maximum sequence number.
Conditions: This symptom is observed on a Cisco 7500 series that has an RSP. However, the symptom is platform-independent.
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘ip-rip’
Symptoms: High CPU use may occur in the “IP Background” process, and the router may reload unexpectedly.
Conditions: This symptom is observed on a Cisco router that is configured for RIP and that receives a RIP host route that is subsequently replaced by a route that is dynamically assigned to an interface. For example, this situation may occur on a PPP interface that has the ip address negotiated command enabled.
Workaround: Use a route map to block the advertised route.
Resolved Caveats for Product ‘all’ and Component ‘ip-tunnels’
Symptoms: A tunnel interface cannot ping the other end of an IP tunnel.
Conditions: This symptom is observed when ATM is configured and when the tunnel interface is up.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the tunnel interface.
Symptoms: A router that is configured with at least one multipoint GRE tunnel may crash with an address error.
Conditions: This symptom is observed when a T3 interface bounces while the CPU usage of the router is at 100 percent.
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘ip’
Symptoms: The interface-type and interface-number arguments in the distribute-list address family configuration command do not function.
Conditions: This symptom is observed on a Cisco platform that integrates the fix for caveat CSCea59206. A list of the affected releases can be found at http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCea59206. Cisco IOS software releases that are not listed in the “First Fixed-in Version” field at this location are not affected.
Workaround: There is no workaround.
Further Problem Description: The fix for CSCed84633 re-enables the interface-type and interface-number arguments in the distribute-list address family configuration command for both VRF interfaces and non-VRF interfaces.
Symptoms: ARP entries that are associated with the default interface (of the default route or network) are refreshed when they should not be refreshed.
Conditions: This symptom is observed on a Cisco router when other interfaces change their state or when the IP configuration of other interfaces is changed.
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘ipc’
Symptoms: During an HA switchover while IPC traffic is sent between the standby RP and standby SP, the newly active RP may crash.
Conditions: This symptom is observed on Cisco Catalyst 6500 series switches and Cisco 7600 series routers. For Cisco Catalyst 6500 series switches, the symptom occurs in Release 12.2SX and Release 12.2SXF, in which ISSU is not supported. For Cisco 7600 series router, the symptom occurs in Release 12.2(33)SRB, in which ISSU is supported.
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘ipsec-isakmp’
Symptoms: A memory leak may occur in the “Crypto IKMP” process.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that are configured with an IPSec VPN SPA (SPA-IPSEC-2G).
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘isis’
Symptoms: When an IPv4 prefix list is used in a redistribution command for the IS-IS router process, a change in the prefix list is not immediately reflected in the routing tables of a router and its neighbor. The change may take up to 15 minutes to take effect.
Workaround: To have a change take effect immediately, enter the “no redistribute route-map” command followed by the “redistribute route-map” command for the IS-IS router process.
Symptoms: A router may reload unexpectedly when you remove the IS-IS configuration at the interface or router level.
Conditions: This symptom is observed when the following conditions are present:
– The isis protocol shutdown interface configuration command is enabled on the interface.
– You enter an interface configuration command that enables IS-IS such as an isis command, a clns command, or the ipv6 router isis command before you enter a router configuration command such as the net command.
When you remove the IS-IS configuration at the interface or router level, the router may reload.
Workaround: Remove the isis protocol shutdown interface configuration command before you remove IS-IS from the interface or router level.
Symptoms: The “MT IPv6 IP Reach 237” information (for a Multi-Topology Reachable IPv6 Prefixes TLV) may not be found in the IS-IS database, even though the information was previously learned from a peer. Expected behavior is that the following type of information is listed in the IS-IS database, however, this information is not present:
Metric: 10 IPv6 (MT-IPv6) 22:1:2:2:2:2:2:2/128
Conditions: This symptom is observed under the following conditions:
1) You change the IS-IS IPv6 process by replacing the multi-topology command by the multi-topology transition command.
2) You now enter the isis metric command with a non-default value on one of the interfaces that are part of the IS-IS configuration.
3) The isis metric command remains enabled on the interface when you change the IS-IS IPv6 process again by entering the multi-topology command.
Workaround: Correct the state of the database by disabling the isis metric command.
Symptoms: IS-IS may not advertise a passive interface when it should do so, or IS-IS may advertise a passive interface when it should not do so.
Conditions: This symptom is observed on a Cisco router when IS-IS misinterprets an interface “shutdown” event as an UP event.
Workaround: Enable IS-IS on the interface by entering the ip router isis command and then make the interface passive by entering the no ip router isis command followed by the passive-interface interface-type interface-number command.
Symptoms: IS-IS protocol packets may not be classified as high priority. When this situation occurs under stress conditions and the IS-IS protocol packets are mixed with other packets, the IS-IS protocol packets may be dropped because of their low priority.
Conditions: This symptom is observed on a Cisco platform that is configured for Selective Packet Discard (SPD).
Workaround: Ensure that DSCP rewrite is enabled and then enter the following command:
Symptoms: After redistribution-related configuration changes have been made, a CPUHOG condition may occur in the Virtual Exec process, causing loss of IS-IS adjacencies.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch that runs Cisco IOS Release 12.2(18)SXF when the redistribute maximum-prefix command is configured under the router isis command and when BGP is configured to be redistributed into IS-IS. The symptom could also affect a Cisco 7600 series router that runs Release 12.2SR.
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘mpls-ldp’
Symptoms: An ASBR has “No Label” as its outgoing label for a peer ASBR interface address.
Conditions: This symptom is observed when the following conditions occur:
– An ISP network (ISP network A) has two ASBRs that peer with one ASBR in another ISP network (ISP network B).
– IGP routing (OSPF or any other IGP) is configured between the ASBRs in ISP network A.
– A BGP session between one ASBR in ISP network A and the ASBR in ISP network B flaps.
After about 5 minutes, all routes that are reachable via the ASBRs in ISP network A and the ASBR in ISP network B have “No Label” as their outgoing label.
Workaround: Enter the clear ip route network command.
Symptoms: An MPLS LDP peer on a default VRF resets when a VRF interface goes down.
Conditions: This symptom is observed on a Cisco router when the VRF interface is configured with a subnetwork address that overlaps with the default router ID.
Workaround: Reconfigure the VRF interface address so it does not overlap with the default router ID.
Resolved Caveats for Product ‘all’ and Component ‘mpls-lfib’
Symptoms: A router that is configured for MPLS FRR may crash.
Conditions: This symptom is observed on a Cisco 7600 series but is platform-independent.
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘os’
Symptoms: When you enter the show memory detailed command, memory leaks in the process to which the command is applied.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series and Cisco 7600 series that are configured for Cisco IOS Software Modularity.
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘osm-qos’
Symptoms: An Optical Services Module (OSM) may crash because of a memory corruption.
Conditions: This symptom is observed when you apply a QoS configuration with WRED.
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘pas-chstm1’
Symptoms: You may not be able to configure the clock source line command during the configuration of the SONET controller on a Cisco router in which a PA-MC-STM1 port adapter is installed.
When you enter the clock source line command during the configuration of the SONET controller, the output of the show running-config command indicates that the clock source is set to line. However, the output of the show controllers sonet command indicates that the clock is set to internal, and when you enter the show running-config command again, the output indicates this time that the clock source is set to internal.
Conditions: This symptom is observed when the PA-MC-STM1 port adapter is connected back-to-back via dark fiber to another PA-MC-STM1 port adapter.
Workaround: Enter the overhead s1byte ignore command on the SONET controller before you configure the clock source.
Resolved Caveats for Product ‘all’ and Component ‘pim’
Symptoms: A Cisco IOS platform that is configured for Auto-RP in a multicast environment may periodically lose the RP to group mappings.
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3(17) when the RP drops the Auto-RP announce messages, which is shown in the output of the debug ip pim auto-rp command. This situation may cause a loss of multicast connectivity while the RP mappings are purged from the cache. See the following output example:
Note that the symptom may also affect Cisco IOS Release 12.4 and Release 12.4T.
Workaround: Create a dummy loopback interface (do not use an IP address that is configured anywhere else in the network) and use the ip mtu command to set the MTU of the RP interface to 1500 and the MTU of the dummy loopback interface to 570, as in the following examples:
(This example assumes that the Auto-RP interface is loopback 0.)
Resolved Caveats for Product ‘all’ and Component ‘pki’
A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).
Successful repeated exploitation of this vulnerability may lead to a sustained Denial-of-Service (DoS); however, it is not known to compromise either the confidentiality or integrity of the data or the device, and it is not believed to allow an attacker to decrypt any previously encrypted information.
The vulnerable cryptographic library is used in the following Cisco products:
– Cisco IOS, documented as Cisco bug ID CSCsd85587
– Cisco IOS XR, documented as Cisco bug ID CSCsg41084
– Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999
– Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348
– Cisco Firewall Service Module (FWSM), documented as Cisco bug ID CSCsi97695
This vulnerability is also being tracked by CERT/CC as VU#754281.
Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070522-crypto.html.
Note: Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070522-crypto and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/en/US/products/csa/cisco-sa-20070522-SSL.html
Resolved Caveats for Product ‘all’ and Component ‘qos’
Symptoms: A SIP-200 that is configured with distributed Multilink Point-to-Point (dMLP) bundles and that has some of the bundles interleaved may crash.
Conditions: This symptom is observed when you send traffic at line rate through all of the bundles.
Workaround: There is no workaround.
Symptoms: Frame Relay traffic shaping in a configuration with a child policy and hierarchical QoS does not function. Traffic does not respond to BECN or FECN marking.
Conditions: This symptom is observed on a Cisco 7600 series when a service policy is configured under a Frame Relay map class. Note that the symptom is platform-independent.
Workaround: There is no workaround.
Resolved Caveats for Product ‘all’ and Component ‘remote-registry’
Symptoms: A Cisco Catalyst 6500 series switch may leak memory in the IP Input task in the Cisco IOS-BASE process. The memory is leaked in a small amount per packet that is process switched over a VRF on the switch. Non-VRF traffic is not affected.
Conditions: This symptom is seen on a Cisco Catalyst 6500 series switch that is running Cisco IOS Modularity. This can only happen if there are VRFs configured on the switch.
Resolved Caveats for Product ‘all’ and Component ‘snmp’
Symptoms: An SNMP Manager that uses SNMPv3 may not resynchronize the timer for the SNMP engine after the router has been reloaded.
Conditions: This symptom is observed on Cisco Catalyst 6500 series switch and Cisco 7600 series router that have been reloaded and occurs because a parameter is incorrectly set in the REPORT message, causing a mediation device to register an SNMP timeout instead of a reload.
Workaround: You may be able to restart the SNMP Manager to force the timer for the SNMP engine to resynchronize. Note, however, that doing so causes a 100-percent outage for all wiretaps that are served by the SNMP Manager. If you cannot restart the SNMP Manager, there is no workaround.
Further Problem Description: This issue is specific to lawful intercept. If you have not been directed by a higher authority to provide lawful intercept capability, you are not using it.
The lawful intercept process is started by the mediation device, which performs SNMP gets and sets using the following MIBs. The mediation device is a third-party device designed specifically for that role.
Resolved Caveats for Product ‘all’ and Component ‘socket’
Symptoms: When two sockets are bound to the same port, the first File Descriptor always receives the requests.
Conditions: This symptom is observed on a Cisco router when two sockets such as one IPv4 socket and one IPv6 socket are connected to the same UDP port.
Workaround: Use different UDP ports for different sockets.
Resolved Caveats for Product ‘all’ and Component ‘ssh’
Symptoms: A router may reload because of a software-forced crash.
Conditions: This problem has been observed when initiating a Secure Shell (SSH) session from the router or when copying a file to/from the router via SCP.
Workaround: Do not initiate SSH or SCP sessions from the router.
Further Problem Description: This was observed on a Cisco 2811 router that was running Cisco IOS Release 12.4(4)T. Note that the symptom is not platform- or release-specific.
Prior to the crash, the router logs a series of %SYS-3-CPUHOG messages and will eventually crash with %SYS-2-WATCHDOG. See the following example:
%SYS-3-CPUHOG: Task is running for (128004)msecs, more than (2000)msecs (1426/5),process = Virtual Exec.
-Traceback= 0x41DC8E2C 0x41DC9098 0x41BAA6E0 0x41BA6990 0x41B96B4C 0x41BA6768 0x41BA7490 0x41BA7750 0x41BAC854 0x41BA120C 0x40C27024 0x40C26760 0x41BA203C 0x40C73E58 0x40C926E8 0x41834200
%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = Virtual Exec.
-Traceback= 0x41A23CC8 0x41BAA3D8 0x41BA6A08 0x41B96B4C 0x41BA6768 0x41BA7490 0x41BA7750 0x41BAC854 0x41BA120C 0x40C27024 0x40C26760 0x41BA203C 0x40C73E58 0x40C926E8 0x41834200 0x418341E4
Symptoms: A router may keep the vty lines busy after finishing a Telnet/Secure Shell (SSH) session from a client. When all vty lines are busy, no more Telnet/SSH sessions to the router are possible.
Conditions: This symptom is observed on a Cisco router that is configured to allow SSH sessions to other devices.
Workaround: Clear the SSH sessions that were initiated from the router to other devices.
The server side of the Secure Copy (SCP) implementation in Cisco Internetwork Operating System (IOS) contains a vulnerability that allows any valid user, regardless of privilege level, to transfer files to and from an IOS device that is configured to be a Secure Copy server. This vulnerability could allow valid users to retrieve or write to any file on the device’s filesystem, including the device’s saved configuration. This configuration file may include passwords or other sensitive information.
The IOS Secure Copy Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS Secure Copy Server service are not affected by this vulnerability.
This vulnerability does not apply to the IOS Secure Copy Client feature.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070808-scp.html.
Symptoms: Malformed SSH version 2 packets may cause a memory leak, causing the platform to operate under a degraded condition. Under rare circumstances, the platform may reload to recover itself.
Conditions: This symptom is observed on a Cisco platform that is configured for SSH version 2 after it has received malformed SSHv2 packets.
Workaround: As an interim solution until the affected platform can be upgraded to a Cisco IOS software image that contains the fix for caveat CSCse24889, configure SSH version 1 from the global configuration mode, as in the following example:
Alternate Workaround: Permit only known trusted hosts and/or networks to connect to the router by creating a vty access list, as in the following example:
For information about configuring vty access lists, see the Controlling Access to a Virtual Terminal Line document:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cntrl_acc_vtl.html
For information about SSH, see the Configuring Secure Shell on Routers and Switches Running Cisco IOS document:
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
Resolved Caveats for Product ‘all’ and Component ‘ssl’
Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device, and they are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
– Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
– Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
– Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070522-SSL.html
Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/en/US/products/csa/cisco-sa-20070522-crypto.html
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070522-crypto.
Resolved Caveats for Product ‘all’ and Component ‘tcl-router’
Symptoms: A router may crash because of a bus error when several Telnet users simultaneously run Tcl scripts. The problem is exacerbated by using scripts that take a long time to complete such as the following Tcl script:
When two users connect to the router through Telnet sessions and run the above Tcl script at the same time, the router may crash.
Conditions: This symptom is observed when the Tcl scripts send text to the Telnet sessions simultaneously.
The symptom may also occur when a single user connects to the router through a Telnet session, then from this Telnet session establishes another Telnet session into the same router, and runs a Tcl script that produces text output.
Workaround: Prevent multiple users from connecting to the router through Telnet and running Tcl scripts. In such a situation, ensure that users do not enter commands in Tcl scripts that may take a long time to display their output, such as the show tech-support command.
Further Problem Description: Router console connections and incoming SSH connections to the router are not affected.
Resolved Caveats for Product ‘all’ and Component ‘tcp’
Symptoms: RST packets may contain a non-randomized Identification value in the IP header.
Conditions: This symptom is observed on a Cisco platform that receives a TCP SYN packet on a non-listening port.
Workaround: There is no workaround.
Further Problem Description: From RFC791, the description of the Identification field is as follows:
Identification—The choice of the Identifier for a datagram is based on the need to provide a way to uniquely identify the fragments of a particular datagram. The protocol module assembling fragments judges fragments to belong to the same datagram if they have the same source, destination, protocol, and Identifier. Thus, the sender must choose the Identifier to be unique for this source, destination pair and protocol for the time the datagram (or any fragment of it) could be alive in the internet.
It seems then that a sending protocol module needs to keep a table of Identifiers, one entry for each destination it has communicated with in the last maximum packet lifetime for the internet.
Also from RFC791, section 3.1. (Internet Header Format): The IP ID is before the flags and fragment offset fields.
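The caveat above is about the Identification field of RST replies. The following is an added example, not code from the page or from Cisco: it parses the IPv4 and TCP headers from raw packet bytes, collects the IP ID of each RST per sender, and classifies the sequence as constant, sequential or unpredictable. A constant or sequential IP ID in replies to unsolicited SYNs lets a third party count the packets a host sends, which is what an idle scan relies on. The packets are constructed inline for the example, with checksums left at zero.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Optional

TCP_RST = 0x04
TCP_SYN = 0x02


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_tcp_packet(src: str, dst: str, ip_id: int, sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal IPv4 + TCP packet (constructed sample data; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6,
                     0, ip_to_bytes(src), ip_to_bytes(dst))
    return ip + tcp


def parse_tcp_packet(pkt: bytes) -> Optional[dict]:
    """Parse the IPv4 and TCP headers; None for non-TCP, ValueError on truncation."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, _tlen, ip_id, _ff, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4                  # header length in bytes, options included
    if ihl < 20 or len(pkt) < ihl + 20:
        raise ValueError("bad IHL or truncated TCP header")
    if proto != 6:
        return None
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "ip_id": ip_id,
            "sport": sport, "dport": dport, "rst": bool(flags & TCP_RST)}


def classify_ip_ids(ids: List[int]) -> str:
    """Classify one sender's IP ID sequence as constant, sequential or unpredictable."""
    if len(ids) < 3:
        return "insufficient"
    if len(set(ids)) == 1:
        return "constant"
    deltas = [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]
    # 1 = per-packet counter; 256 = the same counter written in little-endian byte order
    if all(d == deltas[0] for d in deltas) and deltas[0] in (1, 256):
        return "sequential"
    return "unpredictable"


def audit_rst_ip_ids(packets: List[bytes]) -> Dict[str, str]:
    """Group RST packets by source address and classify each source's IP ID sequence."""
    ids_by_src: Dict[str, List[int]] = defaultdict(list)
    for pkt in packets:
        hdr = parse_tcp_packet(pkt)
        if hdr and hdr["rst"]:
            ids_by_src[hdr["src"]].append(hdr["ip_id"])
    return {src: classify_ip_ids(ids) for src, ids in ids_by_src.items()}


# Constructed capture: RSTs from three hosts answering SYNs to a closed port, plus one SYN to ignore.
SAMPLE = (
    [build_tcp_packet("192.0.2.1", "198.51.100.7", 0, 23, 40000 + i, TCP_RST) for i in range(4)]
    + [build_tcp_packet("192.0.2.2", "198.51.100.7", 1000 + i, 23, 40000 + i, TCP_RST) for i in range(4)]
    + [build_tcp_packet("192.0.2.3", "198.51.100.7", x, 23, 40000, TCP_RST)
       for x in (0x3F1A, 0x9C02, 0x17E4, 0xA5B9)]
    + [build_tcp_packet("198.51.100.7", "192.0.2.1", 7, 40000, 23, TCP_SYN)]
)

if __name__ == "__main__":
    for src, verdict in audit_rst_ip_ids(SAMPLE).items():
        print(src, verdict)
```

Feeding real packet bytes from a capture into audit_rst_ip_ids gives the same verdicts; only RSTs are counted, so SYNs and data segments from the same hosts do not skew the result.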
Symptoms: When you enter the copy ftp disk command, the copy operation may fail and cannot be terminated, further copy commands may fail, and a TCP vty session for the purpose of troubleshooting the situation may fail and cannot be terminated.
Conditions: These symptoms are observed on a Cisco platform when the FIN flag is set in the initial ESTAB message from a neighbor. You must reload the router to recover from the symptoms.
Workaround: Do not enter the copy ftp disk command. Rather, enter the copy tftp disk command.
Resolved Caveats for Product ‘all’ and Component ‘telnet’
Symptoms: When a named ACL is used at a vty line on a PE router with an interface that is configured in a VPN VRF, making a Telnet connection from this VRF on the interface that is part of the VRF is accepted even though the vrf-also keyword is not configured in the access-class access-list-number command.
When a regular numbered ACL is used, an incoming Telnet connection from an interface that is part of a VRF is rejected without the vrf-also keyword being configured in the access-class access-list-number command.
Conditions: This symptom is observed on a Cisco router that functions as a PE router in an MPLS VPN environment and that has VPN VRFs configured.
Workaround: Use a numbered ACL instead of a named ACL on vty lines on a PE router.
Resolved Caveats for Product ‘all’ and Component ‘trans-bridging’
Symptoms: When a VLAN bridge is configured on two switches, both switches may function as the root bridge in a bridge group, preventing a blocking port from appearing in the Spanning Tree Protocol (STP) because neither of the switches can receive a Bridge Protocol Data Unit (BPDU). This situation may cause a bridging loop.
Conditions: This symptom is observed when two Cisco switches are connected through a trunk port and when you enter a sequence of commands such as the following one:
Workaround: Remove the VLAN bridge and then reconfigure it by entering a sequence of commands such as the following one:
Resolved Caveats for Product ‘all’ and Component ‘udp’
Symptom: A router interface stops forwarding traffic when it receives traffic to the UDP echo port (port 7) that is addressed to the interface itself.
Condition: An input queue wedge condition exists in the handling of UDP traffic destined to the echo service.
Workaround: Disable the UDP echo service with the configuration command:
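Three caveats in this section are mitigated by configuration rather than by code: the SCP server advisory (the server is off by default and only enabled configurations are exposed), the SSHv2 memory leak (whose alternate workaround is an inbound vty access list), and the UDP echo input-queue wedge (disabled with no service udp-small-servers). The following script is an added example, not code from the page or from Cisco: it audits a saved running-config for those three conditions. The running-config text, hostname and ACL name are constructed for the example; the commands it matches (ip scp server enable, ip ssh version 2, service udp-small-servers, access-class under line vty) are the IOS commands the caveats refer to.

```python
import re
from typing import List, Tuple

# Constructed sample running-config for this example; not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr
service udp-small-servers
ip scp server enable
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
!
"""


def vty_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Return (header, body lines) for every 'line vty ...' block in the config."""
    blocks: List[Tuple[str, List[str]]] = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())
        else:
            current = None                     # any non-indented line ends the block
    return blocks


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Return (check-id, detail) findings for the three caveat conditions."""
    findings: List[Tuple[str, str]] = []
    if re.search(r"^ip scp server enable\s*$", config, re.M):
        findings.append(("scp-server",
                         "IOS SCP server enabled: on unfixed software any authenticated user, "
                         "regardless of privilege level, can read or write any file including the "
                         "saved configuration; remove with 'no ip scp server enable' unless required"))
    if re.search(r"^service udp-small-servers\s*$", config, re.M):
        findings.append(("udp-small-servers",
                         "UDP echo service enabled: traffic to UDP port 7 can wedge the input queue; "
                         "disable with 'no service udp-small-servers'"))
    if re.search(r"^ip ssh version 2\s*$", config, re.M):
        for header, body in vty_blocks(config):
            if not any(re.match(r"access-class \S+ in\b", line) for line in body):
                findings.append(("vty-no-access-class",
                                 f"{header}: SSHv2 enabled but no inbound access-class restricts "
                                 "which hosts may open a session"))
    return findings


if __name__ == "__main__":
    for check, detail in audit_config(SAMPLE_CONFIG):
        print(f"[{check}] {detail}")
```

Each finding maps to one line to add or remove; the vty check reports every line vty block separately because an access-class on one range (here 5 15) does not protect the others.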
Resolved Caveats for Product ‘all’ and Component ‘wccp’
Symptoms: CPU spikes may occur on a router that is configured for Web Cache Communication Protocol (WCCP) earlier than Release 4.0.7.
Conditions: This symptom is observed on a Cisco 7600 series when WCCP is in communication with a Cisco Wide Area Application Services (WAAS) appliance. Note that the symptom is platform-independent.
Workaround: There is no workaround.
Resolved Caveats for Product ‘c10000’ and Component ‘bgp’
Symptoms: When about a thousand eBGP connections are opened between two routers that are connected back-to-back, additional point-to-point eBGP connections between the routers are not established even if IP connectivity between the BGP next-hops is provided.
Conditions: This symptom is observed when one Cisco router functions as a PE router and the other Cisco router functions as a CE router that has VRF-lite configured.
Workaround: Reload the PE router to enable all sessions to become established, including the ones that previously were not established.
Resolved Caveats for Product ‘c10000’ and Component ‘qos’
This caveat consists of two symptoms, two conditions, and two workarounds:
Symptom 1: None of the policy classes after the first child policy of a hierarchical QoS policy take effect when you reload the router.
Condition 1: This symptom is observed on a Cisco 7304 that has hierarchical QoS policies with multiple child policies but may also occur on other platforms.
Workaround 1: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, enter the service-policy output interface configuration command to enable the child policies to take effect. Note that the symptom does not occur for a hierarchical QoS policy with only one child policy in the very last class of the parent policy.
Symptom 2: On a Cisco 10000 series that is configured with hierarchical queueing policies, when you remove the match vlan command for a VLAN that matches a dot1q subinterface, the queues that are allocated to the subinterface are not cleared, allowing traffic to continue to flow through these queues.
Condition 2: This symptom is observed on a Cisco 10000 series that has hierarchical QoS policies with multiple child policies but may also occur on other platforms.
Workaround 2: There is no workaround. Note that the symptom does not occur for a hierarchical QoS policy with only one child policy in the very last class of the parent policy.
Resolved Caveats for Product ‘c12000’ and Component ‘ip-pbr’
Symptoms: A Route Processor (RP) failover occurs.
Conditions: This symptom occurs when you enter the show route-map command in one session and remove several route maps in rapid succession in another session.
Workaround: Do not enter the show route-map command when you remove route maps in a concurrent vty session.
Resolved Caveats for Product ‘c2800’ and Component ‘voice-xgcp’
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
Session Initiation Protocol (SIP)
Media Gateway Control Protocol (MGCP)
Signaling protocols H.323, H.254
Real-time Transport Protocol (RTP)
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070808-IOS-voice.html.
Resolved Caveats for Product ‘c3600’ and Component ‘voice-sip’
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
Session Initiation Protocol (SIP)
Media Gateway Control Protocol (MGCP)
Signaling protocols H.323, H.254
Real-time Transport Protocol (RTP)
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070808-IOS-voice.html.
Resolved Caveats for Product ‘c6k-psd’ and Component ‘pstore’
Symptoms: Tracebacks and error messages may be generated on a Supervisor Engine 720.
Conditions: This symptom is observed when the PSD module in a Cisco 7600 series is reset to the AP mode.
Workaround: There is no workaround.
Resolved Caveats for Product ‘c7300’ and Component ‘netflow-switch’
Symptoms: A router that is configured for NetFlow v9 may reload unexpectedly because of a bus error.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(25)S4 or Release 12.2(27)SBC1 when the configuration is modified while the router actively exports flows. The symptom may also occur in other releases.
Workaround: There is no workaround.
Resolved Caveats for Product ‘c7600’ and Component ‘c7600-sip-400’
Symptoms: The MPLS MTU is overruled by the IP MTU on an ATM interface.
Conditions: This symptom is observed on a Cisco 7600 series that functions in an MPLS core when the ATM interface has the tag-switching mtu 1508 command and the ip mtu 1500 command enabled. In this situation, packets that are larger than 1496 bytes are dropped.
Workaround: There is no workaround.
Resolved Caveats for Product ‘c7600’ and Component ‘c7600-sip-600’
This caveat consists of two symptoms, two conditions, and two workarounds:
Symptom 1: When frames require PXF punting to the RP (or SP), PPP LCP frames may not be forwarded to the RP (or SP), causing link negotiation to fail. Or, HDLC keepalives may not be forwarded to the RP (or SP), causing the link to remain down.
Condition 1: These symptoms are observed on a Cisco Catalyst 6503, Cisco Catalyst 6503-E, and Cisco 7604 that are configured with a SIP-600 in which a POS SPA is installed, and occur when the supervisor engine resides in slot 1 or slot 2 of the chassis.
Workaround 1: There is no workaround.
Symptom 2: When frames require PXF punting to the RP (or SP), CFM PDUs may not be properly forwarded to the RP (or SP).
Condition 2: This symptom is observed on a Cisco 7604 that is configured with a SIP-600 or Ethernet Services line card (ES20) and occurs when the supervisor engine resides in slot 1 or slot 2 of the chassis.
Workaround 2: There is no workaround.
Resolved Caveats for Product ‘c7600’ and Component ‘osm-pos’
Symptoms: The interface of an OSM-1OC48-POS-SI+ module may flap after you have entered the redundancy force-switchover command.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that are configured with redundant Supervisor Engine 720-3BXL modules that function in RPR+ mode.
Workaround: Repeat the redundancy force-switchover command several times.
Resolved Caveats for Product ‘c7600’ and Component ‘osm-qos’
Symptoms: A “%SYS-2-CHUNKBADMAGIC” error may occur on an OSM module and the module may restart.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router when Weighted Random Early Detection (WRED) is configured with a maximum threshold of more than 2000 packets but without a queue limit.
Workaround: Configure a proper queue limit for the class with the WRED configuration. For example, when the random-detect precedence 3 32000 32000 1 command is configured, configure the queue limit by entering the queue-limit 32768 command.
Resolved Caveats for Product ‘c7600’ and Component ‘qos’
Symptoms: When the configuration of the shape average is changed, the rate is not applied, which can be shown in the output of the show policy interface command and detected by a traffic analyzer.
Conditions: This symptom is observed on a Cisco 7600 series that has a Supervisor Engine 720 and GE-WAN subinterfaces that are configured with an HQoS (LLQ) output policy when the shape average is changed on all GE-WAN subinterfaces at the same time.
Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, delete the output policy and then reconfigure it on the GE-WAN subinterfaces.
Resolved Caveats for Product ‘c7600’ and Component ‘vipmlp’
Symptoms: The RP may generate an “RX FIFO FULL” error message for a SPA, followed by a “VC_CONFIG” error message, and subsequently all interfaces on all SPAs that are processing traffic may go down.
Conditions: This symptom is observed on a Cisco 7600 series that is configured with MLP or MFR bundles on a 1-port channelized STM1/OC3 to DS0 SPA (SPA-1XCHSTM1/OC3), 2-port channelized T3/DS0 SPA (SPA-2XCT3/DS0), or 4-port channelized T3/DS0 SPA (SPA-4XCT3/DS0) when traffic exceeds about 350 kpps on these bundles.
Workaround: After the symptom has occurred, reload the affected SPAs or the SIPs in which the affected SPAs are installed. There is no workaround to prevent the symptom from occurring. Therefore, configure the MLP or MFR bundles in such a manner that the 350 kpps threshold is not exceeded.
Resolved Caveats for Product ‘cat6000’ and Component ‘c7600-sip-600-vpls’
Symptoms: When a pseudowire VC that has negotiated to use the Control Word (that is, Cbit = 1) is followed by another pseudowire VC that has negotiated to not use the Control Word (that is, Cbit = 0), the Control Word (CW) may still be prepended to the pseudowire VC that has negotiated to not use the CW. As a result, the disposition router (or tail endpoint) does not expect a CW and cannot decapsulate the VC packet; instead, the packet is dropped at the disposition router as a corrupted packet.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that are configured with a SIP-600 and that function in a VPLS environment as egress PE routers.
Workaround: Ensure that VCs in a VPLS environment do not have a mixture of negotiated CWs (that is, Cbits). The output of the show mpls l2transport binding command shows the VCs and Cbits.
Further Problem Description: One scenario in which the symptom occurs is the following:
– A VPLS hub-spoke environment is created with a mixture of hardware-based and software-based EoMPLS VCs.
– When the SIP-600 detects the CW setting for one VC, it assumes that the VC that follows the first VC also has the CW, and inserts the CW.
– When a hardware-based EoMPLS VC is in the middle of the replication chain, ping failures may occur for CE routers that are located behind the hardware-based EoMPLS VC. A hardware-based EoMPLS VC does not support the CW and ping failures occur because the MAC address of the customer becomes corrupted.
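One way to audit for the mixed-Cbit condition named in the workaround above, as an added example that is not Cisco's code: it parses a constructed sample in the shape of show mpls l2transport binding output (the layout and the "CW is used only when both ends advertise Cbit 1" rule are assumptions) and flags VCs whose negotiated Control Word use differs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of "show mpls l2transport binding" output.
# Addresses, labels and VC IDs are made up; the second VC's peer sent Cbit 0.
SAMPLE_BINDING_OUTPUT = """\
  Destination Address: 10.1.1.1, VC ID: 100
    Local Label:  16
        Cbit: 1,    VC Type: Ethernet,    GroupID: 0
        MTU: 1500,  Interface Desc: n/a
    Remote Label: 20
        Cbit: 1,    VC Type: Ethernet,    GroupID: 0
        MTU: 1500,  Interface Desc: n/a
  Destination Address: 10.1.1.2, VC ID: 100
    Local Label:  17
        Cbit: 1,    VC Type: Ethernet,    GroupID: 0
        MTU: 1500,  Interface Desc: n/a
    Remote Label: 21
        Cbit: 0,    VC Type: Ethernet,    GroupID: 0
        MTU: 1500,  Interface Desc: n/a
"""

VC_RE = re.compile(r"Destination Address:\s*(\S+),\s*VC ID:\s*(\d+)")
SIDE_RE = re.compile(r"^\s*(Local|Remote) Label:")
CBIT_RE = re.compile(r"Cbit:\s*([01])")


@dataclass
class VcBinding:
    peer: str
    vc_id: int
    local_cbit: Optional[int] = None
    remote_cbit: Optional[int] = None

    @property
    def uses_control_word(self) -> bool:
        # Assumption: the CW is in use only when both ends advertise Cbit 1;
        # an end that sees Cbit 0 from its peer falls back to no CW.
        return self.local_cbit == 1 and self.remote_cbit == 1


def parse_bindings(text: str) -> List[VcBinding]:
    """Walk the output line by line, remembering which VC and which side
    (local or remote) the next Cbit line belongs to."""
    bindings: List[VcBinding] = []
    side: Optional[str] = None
    for line in text.splitlines():
        m = VC_RE.search(line)
        if m:
            bindings.append(VcBinding(peer=m.group(1), vc_id=int(m.group(2))))
            side = None
            continue
        m = SIDE_RE.match(line)
        if m:
            side = m.group(1).lower()
            continue
        m = CBIT_RE.search(line)
        if m and bindings and side:
            setattr(bindings[-1], f"{side}_cbit", int(m.group(1)))
    return bindings


def find_cbit_mixture(bindings: List[VcBinding]) -> Dict[str, object]:
    """Split VCs by negotiated CW use; 'mixed' is True when both groups are
    non-empty, which is exactly the situation the caveat's workaround says
    to avoid."""
    with_cw = [f"{b.peer}/{b.vc_id}" for b in bindings if b.uses_control_word]
    without_cw = [f"{b.peer}/{b.vc_id}" for b in bindings if not b.uses_control_word]
    return {
        "with_cw": with_cw,
        "without_cw": without_cw,
        "mixed": bool(with_cw) and bool(without_cw),
    }


if __name__ == "__main__":
    report = find_cbit_mixture(parse_bindings(SAMPLE_BINDING_OUTPUT))
    if report["mixed"]:
        print("WARNING: VCs with and without a negotiated Control Word coexist")
    print(report)
```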
Resolved Caveats for Product ‘cat6000’ and Component ‘cat6000-acl’
Symptoms: Traffic to a Cisco IOS SLB virtual server that is configured for UDP may be process-switched.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that are configured with multiple virtual servers.
Workaround: Enter the mls ip slb search wildcard rp command.
Symptoms: A Cisco Catalyst 6500 series switch may crash because of memory corruption or a bus error.
Conditions: This symptom is observed when NAT is configured. The symptom may also affect a Cisco 7600 series router.
Workaround: There is no workaround.
Resolved Caveats for Product ‘cat6000’ and Component ‘cat6000-diag’
Symptoms: When you run the TestAclDeny diagnostic test, the output of the show diagnostic content module num command, with the num representing the active supervisor engine, shows the test as “N” to denote non-disruptive. This situation is shown in the following example:
18) TestAclDeny ---------------------> M**N****A*** 000 00:00:05.00 n/a
In reality, the TestAclDeny diagnostic test for the active supervisor engine is a disruptive test because the test may cause traffic forwarding issues and flapping of the first uplink port.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router.
Workaround: Do not run the TestAclDeny diagnostic test.
Further Problem Description: The fix for this caveat sets the flag to “D” to denote disruptive.
Symptoms: The bootup diagnostics for a line card may detect a major failure after an RPR switchover has occurred, and these line cards reset repeatedly and eventually power-down.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router and occurs only with a Supervisor Engine 720 that is configured with a PFC3BXL (WS-SUP720-3BXL) or with a DFC3BXL-equipped module.
Workaround: There is no workaround.
Further Problem Description: The symptom does not occur after an SSO or RPR+ switchover has occurred.
Symptoms: After an RPR switchover occurs, a major error occurs on the newly active RP.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router.
Workaround: Reload the platform. If this is not an option, there is no workaround.
Symptoms: On an RPR switchover, the new active crashes during bootup diagnostics.
Conditions: This symptom occurs when bad SFPs are plugged into the SFP-capable ports. A bad SFP is an incompatible, unsupported, or faulty SFP.
Workaround: Remove incompatible/unsupported/faulty SFPs from the SFP port(s) and plug in a good one if needed.
Resolved Caveats for Product ‘cat6000’ and Component ‘cat6000-env’
Symptoms: Without the enforcement of a voice daughterboard connector rating, the number of IP phones that can be powered up may exceed the number that the voice daughterboard can handle, that is, the available allocated inline power can exceed the VDB connector rating.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router.
Workaround: There is no workaround.
Symptoms: When inline power ports can not be powered on, a command may be rejected with the following error message:
Command rejected: theres not enough system power to be allocated to Fa1/47, or the maximum power the backplane of this chassis can support has reached the limit.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that are configured with a module with a voice daughtercard.
Workaround: There is no workaround.
Symptoms: There are two symptoms:
1) The threshold of the fan-fail sensor of the power supply may not be updated correctly, and the following error message may be generated:
power-supply incompatible with fan: N/A
The value should not be “N/A” but “OK”.
2) The threshold of the fan-fail sensor of the power supply may not be added when the power supply is detected. For example, information about the fan-fail sensor of the power supply may not be shown in the output of the show environment alarm thresholds power-supply command.
Condition: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router.
Workaround: Initiate a Stateful Switchover (SSO). After the SSO, the symptom no longer occurs.
Resolved Caveats for Product ‘cat6000’ and Component ‘cat6000-firmware’
Symptoms: After a Gigabit Ethernet (GE) interface has flapped, a mismatch may occur on a port channel, preventing the GE interface from joining the port channel. This situation occurs when the default flow control operational mode on the GE interface is unexpectedly changed from “off/off” to “on” after the GE interface has flapped.
If the symptom occurs for the first interface of a group of interfaces that is supposed to join the port channel, none of the interfaces in the group can join the port channel, degrading the bandwidth and possibly causing severe packet drops on the channel.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router, and affects the following modules:
– WS-X6516-GBIC and WS-X6516A-GBIC
Note that the symptom does not occur with the WS-X6724-SFP and the WS-X6748-GE-TX.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected GE interface.
– Any operation that causes flow control negotiation triggers the symptom, for example, entering the shutdown interface configuration command followed by the no shutdown interface configuration command, resetting the module, performing an OIR, an RPR switchover, and so on.
– The symptom tends to occur when many ports are brought up simultaneously.
Resolved Caveats for Product ‘cat6000’ and Component ‘cat6000-ha’
Symptoms: When an SSO switchover occurs for an RSP or supervisor engine, network traffic loss may occur or the active Firewall Services Module (FWSM) may unexpectedly failover to the standby FWSM in an unusual way in that both the active and the standby FWSMs become active (that is, the active FWSM remains active and the standby FWSM becomes active). This situation causes traffic loss to and from the FWSMs until the standby FWSM enters the standby state.
The symptom is not restricted to the FWSMs but may also occur with the following service modules:
Conditions: These symptoms are observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that have service modules installed in slot 1 and slot 2. The symptoms occur when two power supplies are inserted in the chassis but only one power supply is turned on or one power supply fails during normal operation, and then a SSO switchover occurs. The symptoms do not occur when both power supplies are turned on or when there is only one power supply in the chassis.
Workaround: Ensure that both power supplies are turned on.
Alternate Workaround: Install the service modules in any slots other than slot 1 or slot 2.
Resolved Caveats for Product ‘cat6000’ and Component ‘cat6000-l2’
Symptoms: Packets such as DHCP packets may be dropped, and MAC addresses may not be learned on interfaces even though the interfaces are in the up/up state.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router when you first configure and then remove port security.
Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, manually configure the MAC addresses in the MAC-address table.
Alternate Workaround: Re-enable and then disable port security once more on the affected ports.
Resolved Caveats for Product ‘cat6000’ and Component ‘cat6000-mcast’
Symptoms: When a Layer 2 EtherChannel is load-balancing multicast traffic on multiple member ports of a local switch or router, one port may not transmit multicast packets but may drop them. When this situation occurs, the OutMcastPkts counter for this port does not increase.
Condition: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router when an OIR is performed on a line card of the remote switch or router, causing the local port that is a member of the EtherChannel to change its state to link down and then to link up.
Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected member port of the local switch or router. Doing so re-enables multicast forwarding.
Symptoms: Egress multicast forwarding may not function when an outgoing interface (OIF) flaps very quickly.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router when Multicast MultiLayer Switching (MMLS) is configured (MMLS is configured by default).
Workaround: There is no workaround.
Further Problem Description: When an interface flaps very quickly, the module mask may not be allocated for the interface, causing the egress multicast functionality to be affected. In this situation, the interface may not function properly as an OIF.
Symptoms: After a change in the routing topology, a Bidirectional PIM Rendezvous Point is not updated correctly in the hardware tables, causing Bidirectional PIM multicast flows to be software-switched.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router and occurs only when the ACL that is used to statically configure the Rendezvous Point does not have any wildcard entries.
Workaround: Reinstall the Rendezvous Point.
Symptoms: When an L3 DEC PortChannel is used with a subinterface that is created before a member of an EtherChannel is created, the first port of entry (FPOE) is not programmed correctly for the member of the EtherChannel, preventing multicast traffic from being forwarded over the member of the EtherChannel even when software and/or hardware entries do exist.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router only for members of an EtherChannel that are not up when the subinterface is created. This situation may occur after the platform has been reloaded, during the boot process, when subinterfaces are created while other interfaces are not yet up.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the subinterface that was created before the member of the EtherChannel was created.
Alternate Workaround: Configure ingress replication mode.
Symptoms: PIM Snooping causes duplicate multicast packets to be delivered in the network.
Conditions: This symptom is observed when the shared tree and SPT diverge in a VLAN on a Cisco Catalyst 6500 series switch or Cisco 7600 series router that has PIM Snooping configured. PIM Snooping may suppress the (S,G) RPT-bit prune message that is sent by the receiver from reaching the upstream router in the shared tree, causing a situation in which more than one upstream router forwards the multicast traffic by using its respective (S,G)-join state, and, in turn, causing duplicate multicast packets to be delivered to the receivers. This situation lasts only for a brief moment because the PIM-ASSERT mechanism kicks in and stops the extraneous flow. However, this cycle repeats when the next (*,G) join with (S,G) RPT-bit prune message is sent by one of the receivers.
Workaround: Disable PIM Snooping in the VLAN-interface configuration.
Alternate Workaround: If the command is available in the release that you are running, enter the no ip pim snooping suppress sgr-prune command to disable SGR-prune message suppression.
Resolved Caveats for Product ‘cat6000’ and Component ‘cat6000-netflow’
Symptoms: On a physical interface or subinterface on which a tunnel is configured and that encrypts or decrypts traffic, when you shut down and bring up the physical interface or subinterface multiple times, MAC entries for all VLANs that support the tunnel may be removed.
When this situation occurs, when the “RMac reference” counter reaches 1, and when you shut down the physical interface or subinterface for the last time, packets are prevented from traversing the tunnel.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that are configured with either a Supervisor Engine 32 or a Supervisor Engine 720 and with a SIP-400 in which an IPsec VPN SPA is installed.
Workaround: To prevent the symptom from occurring, do not shut down and bring up the physical interface or subinterface that supports the IPsec tunnel. When the symptom has occurred, reload the SIP-400 to reset the “RMac reference” counter to the original value.
Further Problem Description: To see if the symptom has occurred, check the “RMac reference” counter as follows:
You can check the counter each time after you have shut down and brought up the physical interface or subinterface. If, after every iteration, the reference count keeps decrementing towards 0, the symptom has occurred. A flapping link does not cause this problem. The “RMac reference” counter decreases each time that you shut down the physical interface or subinterface, perform an OIR of the SPA, or reset the SPA.
Symptoms: Incorrect NAT translation may occur for one or more faulty Multilayer Switching (MLS) flows. You can recognize a faulty MLS flow in the output of the show mls netflow ip command. If any two MLS flows show the same adjacency, one of the MLS flows is faulty.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that are configured for NAT and occurs regardless of whether or not a Supervisor Engine 32 or Supervisor Engine 720 is configured for central or distributed forwarding.
Workaround: There is no workaround. Note that the symptom does not occur in Release 12.2(18)SXF8 and later releases.
Symptoms: NetFlow Data Export (NDE) may not export NetFlow entries for bridged flow packets.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that are configured with a Supervisor Engine 720 that runs Cisco IOS Release 12.2(18)SXF6. This symptom occurs when you enter the ip flow ingress layer2-switched vlan vlan id command before you have configured an IP address for the specified VLAN ID. The symptom may also occur in Release 12.2SR.
Workaround: Enter the ip flow ingress layer2-switched vlan vlan id command after you have configured an IP address for the specified VLAN ID.
Resolved Caveats for Product ‘cat6000’ and Component ‘cat6000-qos’
Symptoms: The mls qos marking ignore port-trust command may not function.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch or Cisco 7600 series router that has a Supervisor Engine 32 or Supervisor Engine 720. When you enter the mls qos marking ignore port-trust command for an interface that is configured with several subinterfaces, each with a service policy, the service policies are supposed to match a unique ingress CoS value and change the corresponding egress MPLS EXP value for transfer across an MPLS cloud. However, after you have entered the mls qos marking ignore port-trust command, all egress EXP values show up as 0 because the command has no effect.
Workaround: There is no workaround.
Resolved Caveats for Product ‘cat6000’ and Component ‘cat6000-snmp’
Symptoms: The entPhysicalIndex object of the ENTITY-MIB may not remain the same after an SSO switchover has occurred on a Supervisor Engine 32.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series.
Workaround: There is no workaround.
Symptoms: A MIB walk on the CISCO-L2-CONTROL-MIB occurs very slowly.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that do not have the mac-address-table limit vlan vlan command enabled.
Workaround: Enter the mac-address-table limit vlan vlan command.
Resolved Caveats for Product ‘cat6000’ and Component ‘loadbal’
Symptoms: A RADIUS virtual server drops RADIUS accounting on and off packets, instead of forwarding the packets to the real servers. The client never receives response packets for the RADIUS accounting on and off packets that were sent.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series and a Cisco 7600 series.
Workaround: There is no workaround.
Symptoms: A platform that is configured for GPRS Tunneling Protocol (GTP) Server Load Balancing (SLB) may reload unexpectedly.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router when the same International Mobile Subscriber Identity (IMSI) is sent in two or more Packet Data Protocol (PDP) requests to different virtual servers and occurs when the sticky table entries time-out.
Workaround: There is no workaround.
Symptoms: The output of the show ip slb reals command displays very large connection values (conns) for some real servers.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that are configured for Cisco IOS Server Load Balancing (IOS SLB) with inter-firewall routing enabled via the ip slb route inter-firewall command. The symptom occurs only when the inter-firewall connections switch from one firewall real to another firewall real in the firewall farm.
Workaround: Remove and reconfigure the real server that is part of the server farm or firewall farm.
Further Problem Description: When the connection value for a real server becomes very large, the server may enter the “MAXCONNS” state. When this situation occurs, you can no longer clear the connections counter by entering the clear ip slb counters or clear ip slb connections command.
Resolved Caveats for Product ‘cat6000’ and Component ‘osm-ucode’
Symptoms: An Optical Services Module (OSM) may reset unexpectedly and generate the following error messages:
%POSLC-3-SOP: TxSOP-0 SOP. (source=0x18, halt_minor0=0x4000)
%CWANLC-3-FATAL: Fatal Management interrupt, gen_mgmt_intr_status 0x0, line_mgmt_intr_status 0x1, reloading
Conditions: This symptom is observed on a Cisco Catalyst 6500 series and Cisco 7600 series.
Workaround: There is no workaround.
Resolved Caveats for Product ‘cat6000’ and Component ‘spa-ipsec-2g’
Symptoms: A 7600-SSC-400 SPA services carrier may crash during the boot process of a SPA.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router when an IPsec VPN Shared Port Adapter (SPA-IPSEC-2G) that is installed in the 7600-SSC-400 boots.
Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-multicast.
The server side of the Secure Copy (SCP) implementation in Cisco Internetwork Operating System (IOS) contains a vulnerability that allows any valid user, regardless of privilege level, to transfer files to and from an IOS device that is configured to be a Secure Copy server. This vulnerability could allow valid users to retrieve or write to any file on the device’s filesystem, including the device’s saved configuration. This configuration file may include passwords or other sensitive information.
The IOS Secure Copy Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS Secure Copy Server service are not affected by this vulnerability.
This vulnerability does not apply to the IOS Secure Copy Client feature.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070808-scp.html.
A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
The vulnerable cryptographic library is used in the following Cisco products:
– Cisco IOS, documented as Cisco bug ID CSCsd85587
– Cisco IOS XR, documented as Cisco bug ID CSCsg41084
– Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999
– Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348
– Cisco Firewall Service Module (FWSM), documented as Cisco bug ID CSCsi97695
This vulnerability is also being tracked by CERT/CC as VU#754281.
Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070522-crypto.html.
Note: Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070522-crypto and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/en/US/products/csa/cisco-sa-20070522-SSL.html
These sections describe troubleshooting guidelines for the Catalyst 6500 series switch configuration:
Note To attempt recovery from PISA ROMMON, enter the confreg 0x2102 and reset ROMMON commands.
This section contains troubleshooting guidelines for system-level problems:
This section contains troubleshooting guidelines for module problems:
Note Catalyst 6500 series switches do not support ISL-encapsulated Token Ring frames. To support trunked Token Ring traffic in your network, make trunk connections directly between switches that support ISL-encapsulated Token Ring frames. When a Catalyst 6500 series switch is configured as a VTP server, you can configure Token Ring VLANs from the switch.
Although DTP is a point-to-point protocol, some internetworking devices might forward DTP frames. To avoid connectivity problems that might be caused by a switch acting on these forwarded DTP frames, do the following:
The Spanning Tree Protocol (STP) blocks certain ports to prevent physical loops in a redundant topology. On a blocked port, switches receive spanning tree bridge protocol data units (BPDUs) periodically from neighboring switches. You can configure the frequency with which BPDUs are received by entering the spanning-tree vlan vlan_ID hello-time command (the default frequency is set to 2 seconds). If a switch does not receive a BPDU in the time period defined by the spanning-tree vlan vlan_ID max-age command (20 seconds by default), the blocked port transitions to the listening state, the learning state, and to the forwarding state. As it transitions, the switch waits for the time period specified by the spanning-tree vlan vlan_ID forward-time command (15 seconds by default) in each of these intermediate states. If a blocked spanning tree interface does not receive BPDUs from its neighbor within 50 seconds, it moves into the forwarding state.
Note We do not recommend using the UplinkFast feature on switches with more than 20 active VLANs. The convergence time might be unacceptably long with more than 20 active VLANs.
To debug STP problems, follow these guidelines:
Note Cisco IOS software displays a message if you exceed the maximum number of logical interfaces.
For additional troubleshooting information, refer to the publications at this URL:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_troubleshoot_and_alerts.html
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080116ff0.shtml
The following sections describe the documentation available for Cisco IOS Release 12.2. These documents consist of software installation guides, Cisco IOS configuration and command references, system error messages, and other documents.
Documentation is available as printed manuals or electronic documents.
Use these release notes with the documents and tools described in the following sections:
The following document is specific to Cisco IOS Release 12.2 and is located on Cisco.com:
See Caveats for Cisco IOS Release 12.2 for caveats applicable to all platforms for all maintenance releases of Cisco IOS Release 12.2.
Technical Documents: Cisco IOS Software: Cisco IOS Release 12.2: Release Notes: Caveats
Note If you have an account on Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and click Service & Support: Software Center: Cisco IOS Software: BUG TOOLKIT. Another option is to go to this URL:
http://tools.cisco.com/Support/BugToolKit/
These publications are available for the Catalyst 6500 series switches running Cisco IOS on the supervisor engine and PISA:
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
http://tools.cisco.com/RPF/register/register.do
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents.
Each module in the Cisco IOS documentation set consists of one or more configuration guides and one or more corresponding command references. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference.
The Cisco IOS software documentation set is available on Cisco.com.
Technical Documents: Cisco IOS Software: Cisco IOS Release 12.2: Configuration Guides and Command References
Table 1 lists the contents of the Cisco IOS Release 12.2 software documentation set.
Note You can find the most current Cisco IOS documentation on Cisco.com.
Technical Documents: Cisco IOS Software: Cisco IOS Release 12.2
The following notices pertain to this software license.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
Copyright © 1998-2007 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”.
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.
The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html