Release Notes for Cisco IOS Release 15.0SY for Supervisor Engine 2T-10GE
Available Languages
Table of Contents
Release Notes for Cisco IOS Release 15.0SY
Chronological List of Releases
Policy Feature Card Guidelines and Restrictions
Distributed and Centralized Forwarding Cards
Distributed Forwarding Card 4XL
Centralized Forwarding Card (WS-F6700-CFC)
40-Gigabit Ethernet Switching Modules
WS-X6904-40G-2T 4-Port 40-Gigabit Ethernet Switching Module
10-Gigabit Ethernet Switching Modules
WS-X6908-10GE 8-Port 10-Gigabit Ethernet X2 Switching Module
WS-X6816-10T-2T, WS-X6716-10T 16-Port 10-Gigabit Ethernet Copper Switching Module
WS-X6816-10G-2T, WS-X6716-10GE 16-Port 10-Gigabit Ethernet X2 Switching Module
WS-X6704-10GE 4-Port 10-Gigabit Ethernet XENPAK Switching Module
Gigabit Ethernet Switching Modules
WS-X6848-SFP-2T, WS-X6748-SFP 48-Port Gigabit Ethernet SFP Switching Module
WS-X6824-SFP-2T, WS-X6724-SFP 24-Port Gigabit Ethernet SFP Switching Module
10/100/1000 Ethernet Switching Modules
WS-X6848-TX-2T, WS-X6748-GE-TX
WS-X6148A-GE-TX, WS-X6148A-GE-45AF
100MB Ethernet Switching Modules
10/100MB Ethernet Switching Modules
WS-X6148A-RJ-45, WS-X6148A-45AF
Power over Ethernet Daughtercards
Small Form-Factor Pluggable (SFP) Modules
Application Control Engine (ACE) Module
Firewall Services Module (FWSM)
Network Analysis Modules (NAMs)
Wireless Services Modules (WiSMs)
New Features in Release15.0(1)SY10
New Hardware Features in Release15.0(1)SY10
New Software Features in Release15.0(1)SY10
New Features in Release15.0(1)SY9
New Hardware Features in Release15.0(1)SY9
New Software Features in Release15.0(1)SY9
New Features in Release15.0(1)SY8
New Hardware Features in Release15.0(1)SY8
New Software Features in Release15.0(1)SY8
New Features in Release 15.0(1)SY7a
New Hardware Features in Release15.0(1)SY7a
New Software Features in Release15.0(1)SY7a
New Features in Release 15.0(1)SY7
New Hardware Features in Release15.0(1)SY7
New Software Features in Release15.0(1)SY7
New Features in Release15.0(1)SY6
New Hardware Features in Release15.0(1)SY6
New Software Features in Release15.0(1)SY6
New Features in Release15.0(1)SY5
New Hardware Features in Release15.0(1)SY5
New Software Features in Release15.0(1)SY5
New Features in Release15.0(1)SY4
New Hardware Features in Release15.0(1)SY4
New Software Features in Release15.0(1)SY4
New Features in Release15.0(1)SY3
New Hardware Features in Release15.0(1)SY3
New Software Features in Release15.0(1)SY3
New Features in Release15.0(1)SY2
New Hardware Features in Release15.0(1)SY2
New Software Features in Release15.0(1)SY2
New Features in Release15.0(1)SY1
New Hardware Features in Release15.0(1)SY1
New Software Features in Release15.0(1)SY1
New Features in Release15.0(1)SY
New Hardware Features in Release15.0(1)SY
New Software Features in Release15.0(1)SY
Software Features from Earlier Releases
Caveats Resolved in Release 15.0(1)SY10
Caveats Resolved in Release 15.0(1)SY9
Caveats Resolved in Release 15.0(1)SY8
Caveats Resolved in Release 15.0(1)SY7a
Caveats Resolved in Release 15.0(1)SY7
Caveats Resolved in Release 15.0(1)SY6
Caveats Resolved in Release 15.0(1)SY5
Caveats Resolved in Release 15.0(1)SY4
Caveats Resolved in Release 15.0(1)SY3
Caveats Resolved in Release 15.0(1)SY2
Caveats Resolved in Release 15.0(1)SY1
Caveats Resolved in Release 15.0(1)SY
Additional Troubleshooting Information
System Software Upgrade Instructions
Obtaining Documentation and Submitting a Service Request
Release Notes for Cisco IOS Release 15.0SY
Note ●
This publication applies to the Supervisor Engine 2T-10GE (CAT6000-VS-S2T-10G/MSFC5) platform.
- See this product bulletin for information about the standard maintenance and extended maintenance 15.0SY releases:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps11821/ps11845/product_bulletin_c25-687567_ps708_Products_Bulletin.html
- For general product information about the Catalyst 6500 series switches, refer to these product bulletins:
http://www.cisco.com/en/US/products/hw/switches/ps708/prod_literature.html
The most current version of this document is available on Cisco.com at this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/release_notes.html
Contents
This publication consists of these sections:
- Chronological List of Releases
- Hierarchical List of Releases
- FPD-Image Dependant Modules
- Supported Hardware
- Unsupported Hardware
- Images and Feature Sets
- Universal Boot Loader Image
- EFSU Compatibility
- Cisco IOS Behavior Changes
- New Features in Release 15.0(1)SY10
- New Features in Release 15.0(1)SY9
- New Features in Release 15.0(1)SY8
- New Features in Release 15.0(1)SY6
- New Features in Release 15.0(1)SY5
- New Features in Release 15.0(1)SY4
- New Features in Release 15.0(1)SY3
- New Features in Release 15.0(1)SY2
- New Features in Release 15.0(1)SY1
- New Features in Release 15.0(1)SY
- Unsupported Commands
- Unsupported Features
- Restrictions
- Caveats in Release 15.0SY
- Troubleshooting
Chronological List of Releases
Note ● See the “Images and Feature Sets” section for information about which releases are deferred.
- See the “Hierarchical List of Releases” section for information about parent releases.
This is a chronological list of the 15.0SY releases:
- Release 15.0(1)SY10—12 Feb 2016
- Release 15.0(1)SY9—11 Aug 2015
- Release 15.0(1)SY8—20 Feb 2015
- Release 15.0(1)SY7a—01 Oct 2014
- Release 15.0(1)SY7—01 Aug 2014
- Release 15.0(1)SY6—07 Feb 2014
- Release 15.0(1)SY5—23 Aug 2013
- Release 15.0(1)SY4—21 Mar 2013
- Release 15.0(1)SY3—26 Nov 2012
- Release 15.0(1)SY2—16 Jul 2012
- Release 15.0(1)SY1—24 Feb 2012
- Release 15.0(1)SY—27 Sep 2011
Hierarchical List of Releases
These releases support the hardware listed in the “Supported Hardware” section:
– Date of release: 12 Feb 2016
– Date of release: 11 Aug 2015
– Date of release: 20 Feb 2015
– Based on Release 15.0(1)SY7a
– Date of release: 01 Oct 2014
– Date of release: 01 Aug 2014
– Date of release: 07 Feb 2014
– Date of release: 23 Aug 2013
– Date of release: 21 Mar 2013
– Date of release: 26 Nov 2012
– Date of release: 16 Jul 2012
– Date of release: 24 Feb 2012
– Date of release: 27 Sep 2011
Note Release 15.0(1)SY and rebuilds support only Ethernet ports. Release 15.0(1)SY and rebuilds do not support any WAN features or commands.
FPD-Image Dependant Modules
FPD image packages update FPD images. If a discrepancy exists between an FPD image and the Cisco IOS image, the module that has the FPD discrepancy is deactivated until the discrepancy is resolved. These modules use FPD images:
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn85.html#Upgrading_the_FPD_Image
http://www.cisco.com/en/US/products/sw/cscowork/ps5401/prod_release_notes_list.html
Supported Hardware
These sections describe the hardware supported in Release 15.0(1)SY and later releases:
- Supervisor Engine 2T-10GE
- Policy Feature Cards
- Distributed and Centralized Forwarding Cards
- 40-Gigabit Ethernet Switching Modules
- 10-Gigabit Ethernet Switching Modules
- Gigabit Ethernet Switching Modules
- 10/100/1000 Ethernet Switching Modules
- 100MB Ethernet Switching Modules
- 10/100MB Ethernet Switching Modules
- Transceivers
- Power over Ethernet Daughtercards
- Service Modules
- Power Supplies
- Chassis
Note Enter the show power command to display current system power usage.
Supervisor Engine 2T-10GE
Note For information about DRAM requirements on all supervisor engines, see this publication:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/qa_c67_457347.html
– Policy Feature Card 4XL (PFC4XL).
– Policy Feature Card 4 (PFC4).
See the “Policy Feature Cards” section.
- Supports 2-Tbps switch fabric connectivity.
- 2-GB DRAM.
- Internal 1-GB bootflash (bootdisk:).
- One external slot:
– For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc., for use in Supervisor Engine 2T-10GE.
– QoS architecture: 2q4t / 1p3q4t
– Ports 1, 2, and 3: Gigabit Ethernet SFP (fiber or 1000 Mbps RJ-45)
– Support for 10-Gigabit Ethernet X2 tranceivers
• With ports 1, 2, and 3 enabled: 2q4t / 1p3q4t
• With ports 1, 2, and 3 disabled: 8q4t / 1p7q4t
Note See the Supervisor Engine 2T-10GE Connectivity Management Processor Configuration Guide for information about the 10/100/1000 Mbps RJ-45 port.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/cmp_configuration/guide/sup2T_10GEcmp.html
Supervisor Engine 2T-10GE Restrictions
- The 1-Gigabit Ethernet ports and the 10-Gigabit Ethernet ports have the same QoS port architecture (2q4t / 1p3q4t) unless you disable the 1-Gigabit Ethernet ports with the platform qos 10g-only global configuration command. With the 1-Gigabit Ethernet ports disabled, the QoS port architecture of the 10-Gigabit Ethernet ports is 8q4t / 1p7q4t.
- In RPR redundancy mode, the ports on a Supervisor Engine 2T-10GE in standby mode are disabled.
Policy Feature Card Guidelines and Restrictions
- The PFC4 supports a theoretical maximum of 131,072 (128K) MAC addresses with 118,000 (115.2K) MAC addresses as the recommended maximum.
- The PFC4 partitions the hardware FIB table to route IPv4 unicast, IPv4 multicast, MPLS, and IPv6 unicast and multicast traffic in hardware. Traffic for routes that do not have entries in the hardware FIB table are processed by the route processor in software.
The defaults for XL mode are:
– IPv4 unicast and MPLS: 512,000 routes
– IPv4 multicast and IPv6 unicast and multicast: 256,000 routes
The defaults for Non-XL mode are:
– IPv4 unicast and MPLS: 192,000 routes
– IPv4 multicast and IPv6 unicast and multicast: 32,000 routes
Note The size of the global internet routing table plus any local routes might exceed the non-XL mode default partition sizes.
These are the theoretical maximum numbers of routes for the supported protocols (the maximums are not supported simultaneously):
– XL mode :
• IPv4 and MPLS: Up to 1,007,000 routes
• IPv4 multicast and IPv6 unicast and multicast: Up to 503,000 routes
– Non-XL mode :
• IPv4 and MPLS: Up to 239,000 routes
• IPv4 multicast and IPv6 unicast and multicast: Up to 119,000 routes
Enter the platform cef maximum-routes command to repartition the hardware FIB table. IPv4 unicast and MPLS require one hardware FIB table entry per route. IPv4 multicast and IPv6 unicast and multicast require two hardware FIB table entries per route. Changing the partition for one protocol makes corresponding changes in the partitions of the other protocols. You must enter the reload command to put configuration changes made with the platform cef maximum-routes command into effect.
Note With a non-XL-mode system, if your requirements cannot be met by repartitioning the hardware FIB table, upgrade components as necessary to operate in XL mode.
- You cannot use one type of PFC on one supervisor engine and a different type on the other supervisor engine for redundancy. You must use identical policy feature cards for redundancy.
- PFC4—These restrictions apply to a configuration with a PFC4 and these DFCs:
– PFC4 and DFC4—No restrictions (PFC4 mode).
– PFC4 and DFC4XL—The PFC4 restricts DFC4XL functionality: the DFC4XL functions as a DFC4 (PFC4 mode).
– PFC4XL and DFC4—PFC4XL functionality is restricted by the DFC4: after a reload with a DFC4-equipped module installed, the PFC4XL functions as a PFC4 (PFC4 mode).
– PFC4XL and DFC4XL—No restrictions (PFC4XL mode).
- Switching modules that you install after bootup that are equipped with a DFC that imposes a more restricted PFC mode than the current PFC mode remain powered down.
- You must reboot to use a switching module equipped with a DFC that imposes a more restricted PFC mode than the current PFC mode.
- Enter the show platform hardware pfc mode command to display the PFC mode.
- FIB TCAM exception may be thrown in case of a route churn where TCAM utilization is more than 80% of the total utilization. This limitation is applicable to DFC TCAM on XL line cards. If FIB TCAM exception is thrown for a transit route for IPv4 or IPv6 or MPLS traffic, the route does not get installed in FIB and connectivity gets affected. This can result in elevated CPU usage due to software switching.
Distributed and Centralized Forwarding Cards
- Distributed Forwarding Card 4XL
- Distributed Forwarding Card 4
- Centralized Forwarding Card (WS-F6700-CFC)
Note ● See the “Policy Feature Cards” section for Policy Feature Cards (PFC) and Distributed Forwarding Card (DFC) restrictions.
- The DFC4 uses memory that is installed on the switching module.
- For more information about the DFCs, see these documents:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Config_Notes/OL_24918.html
http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps11878/data_sheet_c78-648214.html
WS-X6904-40G-2T 4-Port 40-Gigabit Ethernet Switching Module
- WS-X6904-40G-2T and WS-X6904-40G-2TXL are the orderable product IDs.
- The front panel is labeled WS-X6904-40G.
- Cisco IOS software commands display WS-X6904-40G with either WS-F6K-DFC4-E or WS-F6K-DFC4-EXL.
- Has hardware abstraction layer (HAL) support.
- QoS port architecture (Rx/Tx): 1p7q4t/1p7q4t
- Dual switch-fabric connections:
– Fabric Channel #1: Ports 1 and 2 or 5 through 12
– Fabric Channel #2: Ports 3 and 4 or 13 through 20
- Number of ports: 4 or 16
Number of port groups: 2
Port per port group:
–Ports 1 and 2 or 5 through 12
–Ports 3 and 4 or 13 through 20 - dCEF2T.
- In a 3-slot chassis, supported only with WS-C6503-E hardware revision 1.3 or higher.
- Upgrade to Release15.0(1)SY1 or later before installing WS-X6904-40G (see the “EFSU Compatibility” section).
- Each bay can support a CFP transceiver (supports one 40 Gigabit Ethernet port) or a FourX adapter (supports four 10 Gigabit Ethernet SFP+ transceivers).
- WS-X6904-40G supported modes (default mode is oversubscribed):
– 40 Gigabit Ethernet oversubscribed mode:
—Four 40 Gigabit Ethernet ports
—Ports 1 through 4
– 10 Gigabit Ethernet oversubscribed mode:
—Sixteen 10 Gigabit Ethernet ports
—Ports 5 through 20
– Mixed 10/40 Gigabit Ethernet oversubscribed mode:
–Either two 40 Gigabit Ethernet ports (1 and 2)
–Or eight 10 Gigabit Ethernet ports (5 through 12)
–Either two 40 Gigabit Ethernet ports (3 and 4)
–Or eight 10 Gigabit Ethernet ports (13 through 20)
—Configurable per module or per bay:
—Supported in the top left bay and top right bay.
–40 Gigabit Ethernet port 1 (top left bay) and port 3 (top right bay)
–10 Gigabit Ethernet ports 5 through 9 (top left bay) and ports 13 through 16 (top right bay)
–Top left bay: 40 Gigabit Ethernet port 1 or 10 Gigabit Ethernet ports 5 through 9
Top right bay: 40 Gigabit Ethernet port 3 or 10 Gigabit Ethernet ports 13 through 16
– 40 Gigabit Ethernet performance mode, 10 Gigabit Ethernet oversubscribed mode:
—Either of these combinations:
–Top left bay: 40 Gigabit Ethernet port 1
Right bays: eight 10 Gigabit Ethernet ports (13 through 20)
–Left bays: eight 10 Gigabit Ethernet ports (5 through 13)
Top right bay: 40 Gigabit Ethernet port 3
– 40 Gigabit Ethernet oversubscribed mode, 10 Gigabit Ethernet performance mode:
—Either of these combinations:
–Top left bay: four 10 Gigabit Ethernet ports (5 through 9)
Right bays: two 40 Gigabit Ethernet ports (3 and 4)
–Left bays: two 40 Gigabit Ethernet ports (1 and 2)
Top right bay: four 10 Gigabit Ethernet ports (13 through 16)
40 Gigabit Ethernet on Cisco Catalyst 6500 Series Switches: How It Works
Note: Some features described in the whitepaper will be supported in future releases.
40 Gigabit Ethernet Interface Module for Cisco Catalyst 6500 Series Switches Data Sheet
WS-X6908-10GE 8-Port 10-Gigabit Ethernet X2 Switching Module
| 8-port 10-Gigabit Ethernet X2 module |
||
- WS-X6908-10G and WS-X6908-10G-XL are the orderable product IDs.
- The front panel is labeled WS-X6908-10GE.
- Cisco IOS software commands display WS-X6908-10GE with either WS-F6K-DFC4-E or WS-F6K-DFC4-EXL.
- dCEF2T
- QoS port architecture (Rx/Tx): 8q4t/1p7q4t
- Dual switch-fabric connections
Fabric Channel #1: Ports 2, 3, 6, 8
Fabric Channel #2: Ports 1, 4, 5, 7 - Number of ports: 8
Number of port groups: 8
Port ranges per port group: 1 port in each group - In a 3-slot chassis, supported only with WS-C6503-E hardware revision 1.3 or higher.
WS-X6816-10T-2T, WS-X6716-10T 16-Port 10-Gigabit Ethernet Copper Switching Module
- The front panel is labeled WS-X6716-10T.
- Cisco IOS software commands display WS-X6716-10T with either WS-F6K-DFC4-E or WS-F6K-DFC4-EXL.
- dCEF720
- QoS port architecture (Rx/Tx):
– Oversubscription mode : 1p7q2t/1p7q4t
– Performance mode: 8q4t/1p7q4t
- Dual switch-fabric connections
Fabric Channel #1: ports 1–8
Fabric Channel #2: ports 9–16 - Number of ports: 16
Number of port groups: 4
Port ranges per port group: 1–4, 5–8, 9–12, 13–16 - When not configured in oversubscription mode, supported in virtual switch links.
- To configure port oversubscription, use the hw-module slot command.
WS-X6816-10G-2T, WS-X6716-10GE 16-Port 10-Gigabit Ethernet X2 Switching Module
| 16-port 10-Gigabit Ethernet X2 module |
||
- The front panel is labeled WS-X6716-10GE.
- Cisco IOS software commands display WS-X6716-10GE with either WS-F6K-DFC4-E or WS-F6K-DFC4-EXL.
- dCEF720
- QoS port architecture (Rx/Tx):
– Oversubscription mode : 1p7q2t/1p7q4t
– Performance mode: 8q4t/1p7q4t
- Dual switch-fabric connections
Fabric Channel #1: ports 1–8
Fabric Channel #2: ports 9–16 - Number of ports: 16
Number of port groups: 4
Port ranges per port group: 1–4, 5–8, 9–12, 13–16 - When not configured in oversubscription mode, supported in virtual switch links.
- To configure port oversubscription, use the hw-module slot command.
WS-X6704-10GE 4-Port 10-Gigabit Ethernet XENPAK Switching Module
| 4-port 10-Gigabit Ethernet XENPAK |
||
- Unless equipped with a WS-F6700-CFC, must be upgraded with WS-F6K-DFC4-AXL or WS-F6K-DFC4-A.
- dCEF720 with a DFC or CEF720 with a WS-F6700-CFC.
- Requires 512-MB DRAM with a WS-F6700-CFC ( CSCtk82279). See this publication:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_12409.html
- QoS port architecture (Rx/Tx): 8q8t/1p7q8t
- Dual switch-fabric connections:
Fabric Channel #1: Ports 3 and 4
Fabric Channel #2: Ports 1 and 2 - Number of ports: 4
Number of port groups: 4
Port ranges per port group: 1 port in each group - WS-X6704-10G is the orderable product ID.
- The front panel is labeled WS-X6704-10GE.
- Cisco IOS software commands display WS-X6704-10GE with either WS-F6K-DFC4-A or WS-F6K-DFC4-AXL.
- On WS-X6704-10GE ports, STP BPDUs are not exempt from Traffic Storm Control multicast suppression. Do not configure multicast suppression on STP-protected WS-X6704-10GE ports that interconnect network devices. ( CSCsg86315)
WS-X6848-SFP-2T, WS-X6748-SFP 48-Port Gigabit Ethernet SFP Switching Module
| 48-port Gigabit Ethernet SFP |
||
- dCEF720 with a DFC or CEF720 with a WS-F6700-CFC.
- Unless equipped with a WS-F6700-CFC, WS-X6748-SFP must be upgraded with WS-F6K-DFC4-AXL or WS-F6K-DFC4-A.
- QoS architecture: 2q8t/1p3q8t
- Dual switch-fabric connections
Fabric Channel #1: Ports 2, 4, 6, 8, 10, 12,
14, 16, 18, 20, 22, 24, 26, 28, 30, 32, 34,
36, 38, 40, 42, 44, 46, 48
Fabric Channel #2: Ports 1, 3, 5, 7, 9, 11,
13, 15, 17, 19, 21, 23, 25, 27, 29, 31, 33,
35, 37, 39, 41, 43, 45, 47 - Number of ports: 48
Number of port groups: 4
Port ranges per port group:
1, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23
2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24
25, 27, 29, 31, 33, 35, 37, 39, 41, 43, 45, 47
26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48 - On WS-X6848-SFP-2T and WS-X6748-SFP ports, STP BPDUs are not exempt from Traffic Storm Control multicast suppression. Do not configure multicast suppression on STP-protected WS-X6848-SFP-2T or WS-X6748-SFP ports that interconnect network devices.
WS-X6824-SFP-2T, WS-X6724-SFP 24-Port Gigabit Ethernet SFP Switching Module
| 24-port Gigabit Mbps Ethernet SFP |
||
- dCEF720 with a DFC or CEF720 with a WS-F6700-CFC.
- Unless equipped with a WS-F6700-CFC, WS-X6724-SFP must be upgraded with WS-F6K-DFC4-AXL or WS-F6K-DFC4-A.
- QoS architecture: 2q8t/1p3q8t
- Number of ports: 24
Number of port groups: 2
Port ranges per port group: 1–12, 13–24 - On WS-X6824-SFP-2T and WS-X6724-SFP ports, STP BPDUs are not exempt from Traffic Storm Control multicast suppression. Do not configure multicast suppression on STP-protected WS-X6824-SFP-2T or WS-X6724-SFP ports that interconnect network devices.
10/100/1000 Ethernet Switching Modules
These sections descibe the supported 10/100/1000 Ethernet switching modules:
WS-X6848-TX-2T, WS-X6748-GE-TX
- dCEF720 with a DFC or CEF720 with a WS-F6700-CFC.
- Unless equipped with a WS-F6700-CFC, WS-X6748-GE-TX must be upgraded with WS-F6K-DFC4-AXL or WS-F6K-DFC4-A.
- QoS architecture: 2q8t/1p3q8t
- Dual switch-fabric connections
Fabric Channel #1: Ports 25–48
Fabric Channel #2: Ports 1–24 - Number of ports: 48
Number of port groups: 4
Port ranges per port group: 1–12, 13–24, 25–36, 37–48 - On WS-X6848-TX-2T and WS-X6748-GE-TX ports, STP BPDUs are not exempt from Traffic Storm Control multicast suppression. Do not configure multicast suppression on STP-protected WS-X6848-TX-2T or WS-X6748-GE-TX ports that interconnect network devices.
WS-X6148E-GE-45AT
- RJ-45
- WS-X6148E-GE-45AT with WS-F6K-48-AT supports up to 48 ports of Class 4 PoE+ (30.0W).
- QoS port architecture (Rx/Tx): 1q2t/1p3q8t
- Number of ports: 48
Number of port groups: 6
Port ranges per port group: 1–8, 9–16, 17–24, 25–32, 33–40, 41–48 - The aggregate bandwidth of each set of 8 ports (1–8, 9–16, 17–24, 25–32, 33–40, and 41–48) is 1 Gbps.
- Not supported in virtual switch mode.
- Does not support traffic storm control.
WS-X6148A-GE-TX, WS-X6148A-GE-45AF
- RJ-45
- WS-X6148A-GE-TX supports WS-F6K-GE48-AF or WS-F6K-48-AF
- WS-X6148A-GE-45AF has WS-F6K-GE48-AF or WS-F6K-48-AF
- With WS-F6K-GE48-AF, supports up to 45 ports of ePoE (16.8W).
- QoS port architecture (Rx/Tx): 1q2t/1p3q8t
- Number of ports: 48
Number of port groups: 6
Port ranges per port group: 1–8, 9–16, 17–24, 25–32, 33–40, 41–48 - The aggregate bandwidth of each port group is 1 Gbps.
- Not supported in virtual switch mode.
- Does not support traffic storm control.
WS-X6148-FE-SFP
- Requires Fast Ethernet SFPs
- QoS port architecture (Rx/Tx): 1p1q4t/1p3q8t
- Number of ports: 48
Number of port groups: 3
Port ranges per port group: 1–16, 17–32, and 33–48 - Not supported in virtual switch mode.
- Does not support traffic storm control.
WS-X6148A-RJ-45, WS-X6148A-45AF
- 5.3-MB per-port packet buffers
- QoS port architecture (Rx/Tx): 1p1q4t/1p3q8t
- WS-X6148A-RJ-45 supports WS-F6K-GE48-AF or WS-F6K-48-AF
- WS-X6148A-45AF has WS-F6K-GE48-AF or WS-F6K-48-AF
- Number of ports: 48
Number of port groups: 6
Port ranges per port group: 1–8, 9–16, 17–24, 25–32, 33–40, 41–48 - Not supported in virtual switch mode.
WS-X6196-RJ-21, WS-X6196-21AF
- Not supported in VSS mode.
- Upgrade to Release15.0(1)SY1 or later before installing WS-X6196-21AF (see the “EFSU Compatibility” section).
- QoS port architecture (Rx/Tx): 1p1q0t/1p3q1t
- WS-X6196-RJ-21 supports WS-F6K-FE48X2-AF
- WS-X6196-21AF has WS-F6K-FE48X2-AF
Power over Ethernet Daughtercards
CFP Modules
FourX coverter to convert each 40GE port into 4 10GE SFP+ ports |
X2 Modules
Note ● WS-X6716-10GE does not support X2 modules that are labeled with a number that ends with -01. (This restriction does not apply to X2-10GB-LRM.)
- All X2 modules shipped since WS-X6716-10GE became available provide EMI compliance with WS-X6816-10G and WS-X6716-10G.
- Some X2 modules shipped before WS-X6716-10GE became available might not provide EMI compliance with WS-X6816-10G and WS-X6716-10G. See the information listed for each type of X2 module in the following table.
- For information about X2 modules, see the Cisco 10GBASE X2 Modules data sheet:
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6574/product_data_sheet0900aecd801f92aa.html
| 10G X2 to SFP+ Converter |
|||
| 10GBASE-ER Serial 1550-nm extended-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF) Note X2-10GB-ER modules labeled with a number that ends with -02 do not provide EMI compliance with WS-X6716-10GE. |
|||
| 10GBASE-LR Serial 1310-nm long-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF) Note X2-10GB-LR modules labeled with a number that ends with -02 or -03 do not provide EMI compliance with WS-X6716-10GE. |
|||
| 10GBASE-LX4 Serial 1310-nm multimode (MMF) http://www.cisco.com/en/US/ts/fn/misc/FN62840.html
|
|||
XENPAKs
Note ● For information about DWDM XENPAKs, see the Cisco 10GBase DWDM XENPAK Modules data sheet:
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6576/product_data_sheet0900aecd801f9333.html
http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps5138/product_data_sheet09186a008007cd00_ps5251_Products_Data_Sheet.html
Gigabit Ethernet SFPs
Note ● For information about coarse wavelength-division multiplexing (CWDM) SFPs, see the Cisco CWDM GBIC and SFP Solutions data sheet:
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6575/product_data_sheet09186a00801a557c_ps4999_Products_Data_Sheet.html
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6576/product_data_sheet0900aecd80582763.html
- See the “Unsupported Hardware” section for information about unsupported DWDM-SFPs.
- For information about other SFPs, see the Cisco SFP Optics For Gigabit Ethernet Applications data sheet:
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet0900aecd8033f885.html
Fast Ethernet SFPs
Note ● The WS-X6148-FE-SFP supports Fast Ethernet SFPs.
- For information about Fast Ethernet SFPs, see the Cisco 100BASE-X SFP For Fast Ethernet SFP Ports data sheet:
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6578/product_data_sheet0900aecd801f931c.html
Note GLC-GE-100FX Fast Ethernet SFPs are not supported.
Service Modules
Note ● For service modules that run their own software, see the service module software release notes for information about the minimum required service module software version.
- With SPAN configured to include a port-channel interface to support a service module, be aware of CSCth03423 and CSCsx46323.
- EtherChannel configuration can impact some service modules. In particular, distributed EtherChannels (DECs) can interfere with service module traffic. See this field notice for more information:
http://www.cisco.com/en/US/ts/fn/610/fn61935.html
Application Control Engine (ACE) Module
ASA Services Module
| Note Upgrade to Release15.0(1)SY1 or later before installing WS-SVC-ASA-SM1-K9 (see the “EFSU Compatibility” section). |
||
Firewall Services Module (FWSM)
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html See the WS-SVC-FWM-1-K9 software release notes for information about the minimum required WS-SVC-FWM-1-K9 software version. |
||
Network Analysis Modules (NAMs)
– – See the software release notes for information about the minimum required NAM software version. |
||
Wireless Services Modules (WiSMs)
| Wireless services modules run their own software—See these publications: http://www.cisco.com/en/US/products/ps6526/tsd_products_support_eol_model_home.html See the wireless services modules software release notes for information about the minimum required wireless services module software version. |
||
All Other Power Supplies
Note The power supplies in this section are not supported in these chassis:
Chassis
Note Chassis with 64 MAC addresses automatically enable the Extended System ID feature, which is enabled with the spanning-tree extend system-id command. You cannot disable the extended-system ID in chassis that support 64 MAC addresses. The Extended System ID feature might already be enabled in your network, because it is required to support both extended-range VLANs and any chassis with 64 MAC addresses. Enabling the extended system ID feature for the first time updates the bridge IDs of all active STP instances, which might change the spanning tree topology.
9-Slot Chassis
|
– – Note Chassis with 64 MAC addresses automatically enable the Extended System ID feature, which is enabled with the spanning-tree extend system-id command. You cannot disable the extended-system ID in chassis that support 64 MAC addresses. The Extended System ID feature might already be enabled in your network, because it is required to support both extended-range VLANs and any chassis with 64 MAC addresses. Enabling the extended system ID feature for the first time updates the bridge IDs of all active STP instances, which might change the spanning tree topology. |
||
6-Slot Chassis
|
– – Note Chassis with 64 MAC addresses automatically enable the Extended System ID feature, which is enabled with the spanning-tree extend system-id command. You cannot disable the extended-system ID in chassis that support 64 MAC addresses. The Extended System ID feature might already be enabled in your network, because it is required to support both extended-range VLANs and any chassis with 64 MAC addresses. Enabling the extended system ID feature for the first time updates the bridge IDs of all active STP instances, which might change the spanning tree topology. |
||
3-Slot Chassis
|
||
Unsupported Hardware
Release 15.0SY supports only the hardware listed in the “Supported Hardware” section. Unsupported modules remain powered down if detected and do not affect system behavior.
Release 12.2SX supported these modules, which are not supported in Release 15.0SY:
- Supervisor Engine 720-10GE (CAT6000-VS-S720-10G/MSFC3)
- Supervisor Engine 720 (CAT6000-SUP720/MSFC3)
- Supervisor Engine 32 (CAT6000-SUP32/MSFC2A)
- ME 6500 Series Ethernet Switches (ME6524)
- Policy Feature Card 3A and Distributed Forwarding Card 3A
- 76-ES+XT-4TG3CXL, 76-ES+XT-4TG3C
- 76-ES+XT-2TG3CXL, 76-ES+XT-2TG3C
- 7600-ES+4TG3CXL, 7600-ES+4TG3C
- 7600-ES+2TG3CXL, 7600-ES+2TG3C
- Shared Port Adapter (SPA) Interface Processors (SIPs) and Shared Port Adapters (SPAs)
- Services SPA Carrier (SSC) and Services SPAs
- Enhanced FlexWAN Module
- Anomaly Guard Module(AGM)
- Traffic Anomaly Detector Module (ADM)
- Communication Media Module (CMM)
- Content Switching Module (CSM)
- Content Switching Module with SSL (CSM-S)
- Secure Sockets Layer (SSL) Services Module
Images and Feature Sets
Use Cisco Feature Navigator to display information about the images and feature sets in Release 15.0(1)SY.
The releases includes strong encryption images. Strong encryption images are subject to U.S. and local country export, import, and use laws. The country and class of end users eligible to receive and use Cisco encryption solutions are limited. See this publication for more information:
http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_compliance.html
Universal Boot Loader Image
The Universal Boot Loader (UBL) image is a minimal network-aware image that can download and install a Cisco IOS image from a running active supervisor engine in the same chassis. When newly installed as a standby supervisor engine in a redundant configuration, a supervisor engine running the UBL image automatically attempts to copy the image of the running active supervisor engine in the same chassis.
EFSU Compatibility
SX SY EFSU Compatibility Matrix (XLSX - Opens with Microsoft Excel)
Release 15.0(1)SY1 provides initial Release 15.0SY support for these modules:
Do not install these modules before an EFSU upgrade to Release 15.0(1)SY1. These modules should not be installed if EFSU downgrade to Release 15.0(1)SY is required.
If any of the listed modules were installed in a non-VSS system prior to an EFSU upgrade to Release 15.0(1)SY1, perform these steps:
If any of the listed modules were installed in (or were installed and then removed from) a VSS system prior to an EFSU upgrade to Release 15.0(1)SY1, perform these steps:
2. For each chassis where the modules were, enter the no module provision switch [ 1 | 2 ] global configuration mode command (provision information for the modules will be lost).
If any of the listed modules were installed in (or were installed and then removed from) a non-VSS system prior to an EFSU downgrade to Release 15.0(1)SY, perform these steps:
1. Ensure that the modules are present (or reinstalled, if necessary).
2. Enter the module clear-config global configuration mode command.
3. Remove the modules from the chassis.
4. Verify that no configuration information remains for any of the modules.
6. Perform the EFSU downgrade.
If any of the listed modules were installed in (or were installed and then removed from) a VSS system prior to an EFSU downgrade to Release 15.0(1)SY, perform these steps:
1. Remove any remaining modules.
2. Enter the show running-config | begin provision command to display the module provisioning information. For example:
3. Enter the module provision switch [ 1|2 ] global configuration mode command to remove the provisioning information for the modules. For example:
4. Verify that no configuration information remains for any of the modules.
Cisco IOS Behavior Changes
Behavior changes describe the minor modifications that are sometimes introduced in a software release. When behavior changes are introduced, existing documentation is updated.
- Release 15.0(1)SY10
- Release 15.0(1)SY9
- Release 15.0(1)SY8
- Release 15.0(1)SY7a
- Release 15.0(1)SY7
- Release 15.0(1)SY6
- Release 15.0(1)SY5
- Release 15.0(1)SY4
- Release 15.0(1)SY3
- Release 15.0(1)SY2
Release 15.0(1)SY4
- CLI associated with the Services SPA Carrier (SSC) and IPsec SPA ( CSCty04467)
Old Behavior: Release 12.2(50)SY and rebuilds, Release 15.0(1)SY and rebuilds, and Release 15.1(1)SY and later releases do not support the Services SPA Carrier (SSC) and IPsec SPA, but the associated CLI is present and can cause problems if entered.
New Behavior: The CLI associated with the Services SPA Carrier (SSC) and IPsec SPA is not present.
Release 15.0(1)SY3
Old Behavior: When the neighbor remove-private-as command is configured and a route-map without a continue clause is configured, the processing order is:
1. neighbor remove-private-as processing
2. set as-path prepend or set as-path prepend last-as
If the route-map contains a continue clause, the processing order is reversed.
New Behavior: When the neighbor remove-private-as command is configured and a route-map is configured (whether it has a continue clause or not), the processing order is always:
1. neighbor remove-private-as processing
2. set as-path prepend or set as-path prepend last-as
Old Behavior: You must shut down 1-Gigabit Ethernet ports before you enter the platform qos 10g-only command.
New Behavior: You must shut down 1-Gigabit Ethernet ports and ensure that no trust state and the default class of service (CoS) are configured before you enter the platform qos 10g-only command.
Release 15.0(1)SY2
Old Behavior: When using the no form of the exec-timeout command, the EXEC command interpreter is reconfigured to wait for user input for the configuration default period of 10 min 0 sec.
New Behavior: The no form of the exec-timeout command configures a wait period of 0 min 0 sec before timeout.
http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419
Old Behavior: For WS-SVC-NAM3-6G-K9, the show module command displays “Trifecta NAM Module”. For WS-SVC-WISM2, the show module command displays “WiSM Jian Service Module”.
New Behavior: For WS-SVC-NAM3-6G-K9, the show module command displays “Network Analysis Module 3”. For WS-SVC-WISM2, the show module command displays “WiSM 2 WLAN Service Module”.
Old Behavior: On WS-X6904-40G-2T ports, the bandwidth command is required if you configure any nondefault values for any other queueing commands on the port, but the CLI does not enforce the requirnment.
New Behavior: On WS-X6904-40G-2T ports, the CLI enforces the requirement for the bandwidth command if you configure any nondefault values for any other queueing commands on the port.
Old Behavior: The unsupported energywise management configuration mode command was present in the CLI.
New Behavior: The unsupported energywise management configuration mode command is not present in the CLI.
New Features in Release 15.0(1)SY10
These sections describe the new features in Release 15.0(1)SY10, 12 Feb 2016:
New Features in Release 15.0(1)SY9
These sections describe the new features in Release 15.0(1)SY9, 11 Aug 2015:
New Features in Release 15.0(1)SY8
These sections describe the new features in Release 15.0(1)SY8, 20 Feb 2015:
New Features in Release 15.0(1)SY7a
These sections describe the new features in Release 15.0(1)SY7a, 01 Oct 2014:
New Features in Release 15.0(1)SY7
These sections describe the new features in Release 15.0(1)SY7, 01 Aug 2013:
New Features in Release 15.0(1)SY6
These sections describe the new features in Release 15.0(1)SY6, 07 Feb 2013:
New Features in Release 15.0(1)SY5
These sections describe the new features in Release 15.0(1)SY5, 23 Aug 2013:
New Software Features in Release 15.0(1)SY5
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/12-2sx/sec-acl-seq-num-persistent.html
New Features in Release 15.0(1)SY4
These sections describe the new features in Release 15.0(1)SY4, 21 Mar 2013:
New Features in Release 15.0(1)SY3
These sections describe the new features in Release 15.0(1)SY3, 26 Nov2012:
New Software Features in Release 15.0(1)SY3
http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-sy/dhcp-relay-agent.html
New Features in Release 15.0(1)SY2
These sections describe the new features in Release 15.0(1)SY2, 16 Jul 2012:
New Features in Release 15.0(1)SY1
These sections describe the new features in Release 15.0(1)SY1, 24 Feb 2012:
New Hardware Features in Release 15.0(1)SY1
- 4-Port 40-Gigabit Ethernet Switching Module (WS-X6904-40G-2T; Cisco SFP-10G-LR)
- 96-port 10/100TX RJ-21 Ethernet Switching Module (WS-X6196-RJ-21, WS-X6196-21AF)
- ASA services module (WS-SVC-ASA-SM1-K9)
- Network Analysis Module 3 (WS-SVC-NAM3-6G-K9)
- Cisco 7609-S chassis (CISCO7609-S)
Note Upgrade to Release15.0(1)SY1 or later before installing any of these modules (see the “EFSU Compatibility” section).
New Software Features in Release 15.0(1)SY1
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-bi-fwd-det.html
http://www.cisco.com/en/US/docs/ios/iproute_bfd/configuration/guide/irb_bfd.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/ident-conn_config.html#Manually_Configuring_IP-Address-to-SGT_Mapping
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/ident-conn_config.html#Manually_Configuring_IP-Address-to-SGT_Mapping
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/ident-conn_config.html#Manually_Configuring_IP-Address-to-SGT_Mapping
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/qos_restrictions.html#General_Guidelines
http://www.cisco.com/en/US/docs/ios/iproute_eigrp/configuration/guide/ire_cfg_eigrp.html
http://www.cisco.com/en/US/docs/switches/lan/energywise/phase2/ios/configuration/guide/ew_v2.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/12-2sx/ip6-addrg-bsc-con.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/15-sy/evn-confg.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/15-sy/evn-overview.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/15-sy/evn-confg.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/15-sy/evn-overview.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/15-sy/evn-shared-svcs.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/15-sy/evn-shared-svcs.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/15-sy/evn-15-sy-book.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/udld.html#Fast_UDLD
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/udld.html#Configuring_Fast_UDLD
- Flexible NetFlow: 32 bit AS Number Support—With Release 15.0(1)SY1 and later releases, Flexible NetFlow supports 32-bit autonomous system (AS) numbers. Flexible NetFlow can capture and export 32-bit numbers as well as 16-bit numbers. If you specify the 4-octet keyword in the collect routing or match routing command, you configure the 32-bit autonomous system number as a nonkey or key field; otherwise, you configure the 16-bit version. If you configure both a 32-bit version and a 16-bit version within a record, only the 32-bit version applies. The 32-bit AS numbers have a different v9 export type than that used for 16-bit AS numbers. Your collector and analysis infrastructure should be able to process values for 32-bit AS numbers.
The following commands have been added in this release to support this feature:
For more information on export types, see the NetFlow Layer 2 and Security Monitoring Exports document:
http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/nf_lay2_sec_mon_exp.html
Note With Release 15.0(1)SY1 and later releases, Flexible Netflow is supported in the IP base image.
- IPv6 Route Health Injection (IPv6 RHI) on ACE-30—Release 15.0(1)SY1 and later releases provide support on the switch for the IPv6 RHI feature implemented on the ACE30-MOD-K9.
- IPv6 Routing: OSPF for IPv6 (OSPFv3) Authentication Support with IPsec—See this publication:
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-ospf.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/vlan_acls.html#IPV6_VACL_(Vlan_Access_Control_List)
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/ipv4_multicast_vpn.html#Information_About_mVPN_with_L3VPN_over_mGRE
http://www.cisco.com/en/US/docs/ios/iproute_ospf/configuration/guide/iro_snmp_ifindex.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-ospf.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-bfd.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/diagnostic_tests.html#TestNVRAMBatteryMonitor
http://www.cisco.com/en/US/docs/switches/lan/trustsec/release/notes/rn_cts_crossplat.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/15-sy/evn-overview.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/15-sy/evn-confg.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/15-sy/evn-shared-svcs.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/15-sy/evn-mgt-ts.html
Note NAT VRF-lite is supported only with nonoverlapping IP addresses.
The following is an example of the supported configuration:
ip nat outside source static real_ip_address nat_ip_address interface vlan vlan_ID_X
ip nat insideip vrf forwarding vrf_name ip address vrf_ip_add mask_value
interface vlan vlan_ID_Y
ip nat outsideip vrf forwarding vrf_name ip address vrf_ip_add mask_value
! Configuration of up to 248 interfaces supported.
!
ip nat inside source static local_ip1 global_ip1 vrf vrf_name ip nat inside source static local_ip2 global_ip2 vrf vrf_name !
! Up to 124 of these statements
Note ● This feature is not supported if there are overlaping IP address ranges among the VRF-lite domains. Support for this feature is limited to VRF-lite configurations with non-overlapping IP addresses.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/virtual_switching_systems.html#VSS_VSL_Multicast_Fast_Redirect
New Features in Release 15.0(1)SY
These sections describe the new features in Release 15.0(1)SY, 27 Sep 2011:
New Hardware Features in Release 15.0(1)SY
– WS-SVC-WISM2-1-K9—Wireless Services Module 2 with 100 AP Support License
– WS-SVC-WISM2-3-K9—Wireless Services Module 2 with 300 AP Support License
– WS-SVC-WISM2-5-K9—Wireless Services Module 2 with 500 AP Support License
These hardware products are also supported in Release 12.2SY:
- Supervisor Engine 2T-10GE with PFC4XL (VS-S2T-10G-XL)
- Supervisor Engine 2T-10GE with PFC4 (VS-S2T-10G)
- Policy Feature Card 4XL (PFC4XL; VS-F6K-PFC4XL)
- Policy Feature Card 4 (PFC4; VS-F6K-PFC4)
- Distributed Forwarding Card 4XL (DFC4XL: WS-F6K-DFC4-EXL and WS-F6K-DFC4-AXL)
- Distributed Forwarding Card 4 (DFC4: WS-F6K-DFC4-E and WS-F6K-DFC4-A)
- 8-port 10-Gigabit Ethernet X2 module:
– WS-X6908-10G-XL (has WS-F6K-DFC4-EXL)
– WS-X6908-10G (has WS-F6K-DFC4-E)
Note ● Release 15.0(1)SY supports the hardware listed in the “Supported Hardware” section.
– WS-X6816-10T-2T, WS-X6716-10T 16-Port 10-Gigabit Ethernet Copper Switching Module
– WS-X6816-10G-2T, WS-X6716-10GE 16-Port 10-Gigabit Ethernet X2 Switching Module
– WS-X6848-SFP-2T, WS-X6748-SFP 48-Port Gigabit Ethernet SFP Switching Module
– WS-X6848-TX-2T, WS-X6748-GE-TX
New Software Features in Release 15.0(1)SY
Note Release 15.0(1)SY and later releases Advanced Enterprise images support FIPS encryption.
- Enter the fips global configuration mode command to enable FIPS encryption.
- Enter the no fips global configuration mode command to disable FIPS encryption.
- Enter the show fips command to display the enable state of FIPS encryption.
- In VSS mode, you cannot configure the FIPS encryption mode without VSL encryption. To avoid a system shutdown, enable VSL encryption before you enable FIPS encryption mode. ( CSCts96040, CSCtx58304)
You can support management connections with FIPS encryption.
– Use the AES or TDES encryption algorithms
– Use TLSv1.0 or SSLv3.1 or later versions
– Use the AES or TDES encryption algorithms
- Airdam requirement message for NEBS compliance—The software displays messages if the hardware configuration of the switch is changed in a way that might impact NEBS compliance.
- BFD IPv6 Encaps Support—See this publication:
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-bfd.html
http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_event_vpn_import.html
http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_basic_net.html
http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_neighbor_soo.html
http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_event_vpn_import.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/issu_efsu.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-imode-ospfv2.html
http://www.cisco.com/en/US/docs/ios-xml/ios/fnetflow/configuration/15-sy/support-issu-sso-xe.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/diagnostic_tests.html#TestMediaLoopback
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/12-2sx/ip6-fhrp.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_igmp/configuration/15-sy/imc_customizing_igmp.html
- IP Multicast Load Splitting - Equal Cost Multipath (ECMP) using S, G and Next-hop—See this publication:
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_optim/configuration/15-sy/imc_load_splt_ecmp.html
http://www.cisco.com/en/US/docs/ios/iproute_rip/command/reference/irr_rip.html#ip_rip_initial-delay
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/12-2sy/ip6-mptcl-bgp.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_isis/configuration/15-sy/irs-instance-vrf.html
http://www.cisco.com/en/US/docs/ios/ipmulti/configuration/guide/imc_high_availability.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/12-2sy/ip6-multicast.html
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_6vpe_6pe_issu_sso.html
http://www.cisco.com/en/US/docs/ios/media_monitoring/configuration/guide/mm_mediatrace.html
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_vpn_ias_optab.html
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_vpn_ias_optab.html
http://www.cisco.com/en/US/docs/ios/interface/configuration/guide/ir_mplsvpnomgre.html
Note In releases earlier than Release 15.0(1)SY1, the MPLS VPN over mGRE feature does not support multicast traffic (CSCto95014).
- MVPN - Data MDT Enhancements—Multicast distribution tree (MDT) groups were selected at random when the traffic passed the threshold and there was a limit of 255 MDTs before they were reused. The MVPN - Data MDT Enhancements feature provides the ability to deterministically map the groups from inside the VPN routing and forwarding (S,G) entry to particular data MDT groups, through an access control list (ACL). The user can now map a set of VPN routing and forwarding (S,G) to a data MDT group in one of the following ways:
– 1:1 mapping (1 permit in ACL)
– Many to 1 mapping (many permits in ACL)
– Many to many mapping (multiple permits in ACL and a nonzero mask data MDT)
Because the total number of configurable data MDTs is 1024, the user can use this maximum number of mappings in any of the described combinations.
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/12-2sy/ip6-multicast.html
http://www.cisco.com/en/US/docs/ios/iproute_ospf/configuration/guide/iro_cfg.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-ttl.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-cfg.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-ttl.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-local-rib.html
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-bfd.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-ospf.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-ospf.html
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_config-lock.html
http://www.cisco.com/en/US/docs/ios/media_monitoring/configuration/guide/mm_pasv_mon.html
http://www.cisco.com/en/US/docs/ios-xml/ios/qos_rsvp/configuration/15-0sy/rsvp_prvs_hop_overwrt.html
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/config_rsvp.html
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/config_rsvp.html
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/config_rsvp.html
http://www.cisco.com/en/US/docs/ios-xml/ios/qos_rsvp/configuration/15-0sy/rsvp_vrf_lite_adm_ctrl.html
http://www.cisco.com/en/US/docs/ios/saf/configuration/guide/saf_cg.html
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_6vpe_6pe_issu_sso.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/vpls.html#VPLS_Integrated_Routing_and_Bridging
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/virtual_switching_systems.html#Configuring_VSL_Encryption
Note In VSS mode, you cannot configure the FIPS encryption mode without VSL encryption. To avoid a system shutdown, enable VSL encryption before you enable FIPS encryption mode.
Software Features from Earlier Releases
Use Cisco Feature Navigator to display supported features that were introduced in earlier releases.
Unsupported Commands
Release 15.0(1)SY does not support mls commands or mls as a keyword. If you are copying Sup720 running configuration to Sup2T, the packets per burst in mls rate-limit command overrides the current burst value and sets the burst value to 1. You need to manually configure packets per burst using the platform rate-limit command.
See this document for a list of some of the mls commands that have been replaced:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/replacement_commands.html
Note Some of the replacement commands implemented in Release 15.0(1)SY support different keyword and parameter values than those supported by the Release 12.2SX commands.
Unsupported Features
Note The IPsec Network Security feature (configured with the crypto ipsec command) is not supported.
These features are not supported in Release 15.0(1)SY:
- WAN features
- Performance Routing (PfR)
- OER Border Router Only Functionality
- IOS Server Load Balancing (SLB)
Note Release 15.0(1)SY supports server load balancing (SLB) as implemented on the Application Control Engine (ACE) module (ACE20-MOD-K9).
- AppleTalk
- Cisco Group Management Protocol (CGMP)
- Distance Vector Multicast Routing Protocol (DVMRP)
- Dynamic creation of L2 entries for Multicast source-only traffic
- IDS Copy
Note Release 15.0(1)SY supports the SPAN and VACL redirect features, which have equivalent functionality.
Note Release 15.0(1)SY supports IEEE 802.1Q trunking.
- NAC - L2 IP NAC LAN Port IP
- NetWare Link-Services Protocol (NLSP)
- Network Based Application Recognition (NBAR)
- IPX Access Control List Violation Logging
- IPX Access List Plain English Filters
- IPX Control Protocol
- IPX Encapsulation for 802.10 VLAN
- IPX Multilayer Switching (IPX MLS)
- IPX Named Access Lists
- IPX SAP-after-RIP
- Per-VLAN Spanning Tree (PVST) mode (spanning-tree mode pvst global configuration mode command)
Note Release 15.0(1)SY supports these spanning tree protocols:
—Rapid Spanning Tree Protocol (RSTP):
• spanning-tree mode rapid-pvst global configuration mode command
• Enabled by default
—Multiple Spanning Tree Protocol (MSTP):
• spanning-tree mode mst global configuration mode command
• Can be enabled
Note Release 15.0(1)SY supports the Firewall Services Module (WS-SVC-FWM-1-K9).
Restrictions
Caveats in Release 15.0SY
- Open Caveats in Release 15.0SY
- Caveats Resolved in Release 15.0(1)SY10
- Caveats Resolved in Release 15.0(1)SY9
- Caveats Resolved in Release 15.0(1)SY8
- Caveats Resolved in Release 15.0(1)SY7a
- Caveats Resolved in Release 15.0(1)SY7
- Caveats Resolved in Release 15.0(1)SY6
- Caveats Resolved in Release 15.0(1)SY5
- Caveats Resolved in Release 15.0(1)SY4
- Caveats Resolved in Release 15.0(1)SY3
- Caveats Resolved in Release 15.0(1)SY2
- Caveats Resolved in Release 15.0(1)SY1
- Caveats Resolved in Release 15.0(1)SY
Open Caveats in Release 15.0SY
Caveats Resolved in Release 15.0(1)SY10
- CSCuq24202 —Resolved in 15.0(1)SY10
Symptom: A vulnerability in the TCL script interpreter of Cisco IOS Software might allow an authenticated, local attacker to escalate its privileges from those of a non-privileged user to a privileged (level 15) user, allowing a non-privileged user to execute privileged commands.
The vulnerability is caused due to an error on resetting VTY privileges after running a TCL script. An attacker could exploit this vulnerability by establishing a session to an affected device immediately after a TCL script has been run.
Conditions: This behavior is timing dependent because the attacker needs to log-in to the device immediately after the TCL script finishes execution.
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.6/5.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:U/RC:C&version=2.0
CVE ID CVE-2015-4185 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
- CSCuv71155 —Resolved in 15.0(1)SY10
Symptom: For dynamic ACL, the l4op programmed for user1 will change if an attempt is made to program user2 without any LOU.
Conditions: User1 has been programmed which is issuing an LOU register.
Caveats Resolved in Release 15.0(1)SY9
- CSCur70505 —Resolved in 15.0(1)SY9
Symptom: A 6500 reloads after negotiating an IPSec tunnel with ASR9000.
Conditions: The 6500 needs to run 12.2(33)SXJ8 and the IPsec engine must be a WS-SSC-600 WS-IPSEC-3 combination.
This crash does not happen with 7600-SSC-400 IPSEC-2 combination.
More Info: A vulnerability in the IKE subsystem of Cisco WS-IPSEC-3 service module could allow an authenticated, remote attacker to cause a reload of the Catalyst switch. The vulnerability is due to insufficient bounds checks on a specific message during the establishment of an IPSEC tunnel. An attacker could exploit this vulnerability by successfully establishing an IKE session and sending the offending packet during subsequent negotiations. An exploit could allow the attacker to cause a denial of service by forcibly reloading the switch.
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.9/4.9:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:U/RC:C&version=2.0
CVE ID CVE-2015-0771 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
- CSCuu18788 —Resolved in 15.0(1)SY9
Symptom: An error similar to the following may be observed in the syslogs of a Cisco IOS device:
*May 4 13:40:46.760: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error, -PC= :200CD000+1502CF4
-Traceback= 1#e06f72c62c6bef347348f23bdccc4b7f :200CD000+30D51C0 :200CD000+30D5588 :200CD000+3103724 :200CD000+6F2FD4C :200CD000+1502CF4 :200CD000+15033E0 :200CD000+446FF08 :200CD000+446E0B0 :200CD000+443DA40 :200CD000+442D158 :200CD000+445C0F8
No functional impact is observed.
Conditions: This is currently believed to affect all released versions of IOS code which support the CISCO-ENTITY-EXT-MIB.
This may occur when polling the ceExtSysBootImageList object in CISCO-ENTITY-EXT-MIB. This object returns a semicolon-separated list of boot statements on the device, similar to the following:
CISCO-ENTITY-EXT-MIB::ceExtSysBootImageList.5000 = STRING: "flash bootflash:cat4500e-universalk9.SPA.03.04.05.SG.151-2.SG5.bin;flash bootflash:cat4500e-universalk9.SPA.03.04.02.SG.151-2.SG2.bin"
The DATACORRUPTION error will occur under a specific corner case, where the total length of one or more complete boot variables (counted starting after the 'boot system' token) is less than 255 bytes, BUT when semicolons are added (one per boot statement) meets or exceeds this number.
Consider the following example:
boot system bootflash:this_is_a_128_character_long_boot_statement_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
boot system bootflash:this_is_a_125_character_long_boot_statement_yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
128 + 125 + 2 semicolons = 255 characters (bytes)
If another boot statement is added after this, the DATACORRUPTION error will be seen and the SNMP query will return invalid data.
Workaround: Reduce the quantity/length of configured boot variables.
More Info: This is not known to have any functional impact outside of the (potentially alarming) error message. The error will only be printed once, but subsequent occurrences of this condition can be seen via the 'show data-corruption' command.
- CSCum94811 —Resolved in 15.0(1)SY9
Symptom: A vulnerability in the TCP input module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak and eventual reload of the affected device.
Conditions: The vulnerability is due to improper handling of certain crafted packet sequences used in establishing a TCP three-way handshake. An attacker could exploit this
vulnerability by sending a crafted sequence of TCP packets while establishing a thee-way handshake. A successful exploit could allow the attacker to cause a
memory leak and eventual reload of the affected device.
More Info: Cisco has released free software updates that address this vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-tcpleak
Note The March 25, 2015, Cisco IOS Software Security Advisory bundled publication includes seven Cisco Security Advisories. The advisories address vulnerabilities in Cisco IOS Software and Cisco IOS XE Software. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar15.html
- CSCuo04400 —Resolved in 15.0(1)SY9
Conditions: Crash on receiving a malformed packet via codenomican tool.
- CSCus19794 —Resolved in 15.0(1)SY9
Symptom: Cisco IOS and IOS-XE IPv6 FHS Send Denial of Service Vulnerability.
| TCL: ungraceful exit from tclsh can leave the Tcl Server running |
||
| temperature crossed threshold #1(=0C) on a Ringar and powers down |
Caveats Resolved in Release 15.0(1)SY8
Caveats Resolved in Release 15.0(1)SY7
Caveats Resolved in Release 15.0(1)SY6
Caveats Resolved in Release 15.0(1)SY5
- CSCsv74508 —Resolved in 15.0(1)SY5
Symptom: If a linecard is reset (either due to error or a command such as hw-module slot reload) at the precise time an SNMP query is trying to communicate with that LC, the RP could reset due to a CPU vector 400 error.
Conditions: In order to experience these symptoms the linecard is reset (either due to error or a command such as hw-module slot reload) at the precise time an SNMP query is received.
- CSCtx56174 —Resolved in 15.0(1)SY5
Symptoms: Cisco router hangs until a manual power cycle is done. If the scheduler isr-watchdog command is configured, the device will crash and recover instead of hanging until a power cycle is done.
Conditions: This is seen with websense URL filtering enabled and with zone based firewalls.
Workaround: Disable URL-based filtering.
- CSCug34485 —Resolved in 15.0(1)SY5
Summary: Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic.
The attacker could trigger this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain.
To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability.
OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability.
Cisco has released free software updates that address this vulnerability.
Workaround : Workarounds that mitigate this vulnerability are available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130801-lsaospf.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.8/5.8: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:P/E:H/RL:U/RC:C CVE ID CVE-2013-0149 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Other Caveats Resolved in Release 15.0(1)SY5
Caveats Resolved in Release 15.0(1)SY4
- CSCtg47129 —Resolved in 15.0(1)SY4
The Cisco IOS Software implementation of the virtual routing and forwarding (VRF) aware network address translation (NAT) feature contains a vulnerability when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-nat
Note: The March 27, 2013, Cisco IOS Software Security Advisory bundled publication includes seven Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2013 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar13.html
Other Caveats Resolved in Release 15.0(1)SY4
Caveats Resolved in Release 15.0(1)SY3
Caveats Resolved in Release 15.0(1)SY2
- CSCts12366 —Resolved in 15.0(1)SY2
Symptoms: Memory may not properly be freed when malformed SIP packets are received on the NAT interface.
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C CVE ID CVE-2011-2578 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Other Resolved Caveats in Release 15.0(1)SY2
Caveats Resolved in Release 15.0(1)SY1
Resolved Infrastructure Caveats
- CSCtd72456 —Resolved in 15.0(1)SY1
Symptoms: Entering the show snmp pending command may cause a Cisco switch to crash.
1. Do not configure v3 informs.
2. Do not enter the show snmp pending if the v3 informs are pending.
- CSCtr91106 —Resolved in 15.0(1)SY1
Summary: A vulnerability exists in the Cisco IOS software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.
Products that are not running Cisco IOS software are not vulnerable.
Cisco has released free software updates that address these vulnerabilities.
The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.5/7: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C CVE ID CVE-2012-0384 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCta98734 —Resolved in 15.0(1)SY1
Symptom: DNS Memory Leak in DNS queries
Conditions: DNS server configured: ‘ip dns server’
This bug can only possibly surface if the “ip dns-server” is configured, and then only when specific malformed datagrams are received on the DNS udp port 53. This specific datagram malfrmation is that the udp length field indicates a zero-length payload. This should never happen during normal DNS operation.
Workaround: No Workaround at this time
- CSCtr28857 —Resolved in 15.0(1)SY1
Summary: A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp
Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2012-0382 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCts80643 —Resolved in 15.0(1)SY1
Cisco IOS Software and Cisco IOS XE Software contain a vulnerability in the RSVP feature when used on a device configured with VPN routing and forwarding (VRF) instances. This vulnerability could allow an unauthenticated, remote attacker to cause an interface wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other denial of service (DoS) conditions. This vulnerability could be exploited repeatedly to cause an extended DoS condition.
A workaround is available to mitigate this vulnerability.
Cisco has released free software updates that address this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-rsvp
- CSCef01541 —Resolved in 15.0(1)SY1
A router processes a packet that is sent to the network address of an interface, if the layer-2 frame that is encapsulating that packet is specifically crafted to target the layer-2 adress of the interface or a broadcast layer-2 address.
This happens only in the process switching path and does not happen in Cisco Express Forwarding (CEF) path.
- CSCts38429 —Resolved in 15.0(1)SY1
The Cisco IOS Software Internet Key Exchange (IKE) feature contains a denial of service (DoS) vulnerability.
Cisco has released free software updates that address this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-ike
Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.
Individual publication links are in “Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
Other Resolved Caveats in Release 15.0(1)SY1
Caveats Resolved in Release 15.0(1)SY
- CSCsg21398 —Resolved in 15.0(1)SY
Symptoms: The Cisco IOS software image may unexpectedly restart when a crafted “msg-auth-response-get-user” TACACS+ packet is received.
Conditions: This symptom is observed after the Cisco platform had send an initial “recv-auth-start” TACACS+ packet.
Workaround: There is no workaround.
- CSCtd81458 —Resolved in 15.0(1)SY
Symptom: Spurious memory access and/or crash when configuring a TACACS/AAA server connection.
Conditions: From internal review, this issue has been seen when a physical connection to the TACACS server isn’t present or the server isn’t online. If the server is connected and available, this issue may not happen.
Workaround: Ensure that a connection to the server is present on the device in question and the server is active to try and avoid this crash.
- CSCth25634 —Resolved in 15.0(1)SY
Symptoms: Password is prompted for twice for authentication.
Conditions: This issue occurs when login authentication has the line password as fallback and RADIUS as primary. For example: aaa authentication login default group radius line
Workaround: Change the login authentication to fall back to the enable password that is configured on the UUT. For example: enable password <keyword> aaa authentication login default group radius enable
Further Information: The fix for this bug also fixes an unrelated problem that may allow unauthorized users access to EXEC mode if the ‘’line‘’ authentication method is configured with fallback to the “none” authentication method. In other words, if the following is configured:
then users providing the wrong password at the password prompt will be granted access.
This issue was originally introduced by Cisco Bug ID CSCee85053, and fixed in some Cisco IOS releases via Cisco Bug IDs CSCsb26389 (“Failover for aaa authentication method LINE is broken”) and CSCsv06823 (“Authentication request doesnt failover to any method after enable”). However, the fix for this problem was not integrated into some Cisco IOS releases and this bug (CSCth25634) takes care of that.
Note that Cisco Bug ID CSCti82605 (“AAA line password failed and access to switch still passed”) is a recent bug that was filed once it was determined that the fix for CSCee85053 was still missing from some Cisco IOS releases. CSCti82605 was then made a duplicate of this bug (CSCth25634) since the fix for this bug also fixes CSCti82605.
Resolved Infrastructure Caveats
- CSCsv05154 —Resolved in 15.0(1)SY
Symptom: Three separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities and a cross-site request forgery (CSRF) vulnerability have been reported to Cisco by three independent researchers.
The Cisco Security Response is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090114-http
Conditions: See “Additional Information” section in the posted response for further details.
Workarounds: See “Workaround” section in the posted response for further details.
- CSCti25339 —Resolved in 15.0(1)SY
Symptoms: Cisco IOS device may experience a device reload.
Conditions: This issue occurs when the Cisco IOS device is configured for SNMP and receives certain SNMP packets from an authenticated user. Successful exploitation causes the affected device to reload. This vulnerability could be exploited repeatedly to cause an extended DoS condition.
Workaround: There is no workaround.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2010-3050 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCti92164 —Resolved in 15.0(1)SY
Symptom: Standby Route Processor reloads, with trace backs indicating NAT Port allocations with high availability.
Conditions: If the device is configured for:
a) High Availability - SSO via the configuration command mode sso under redundancy
b) Is configured with NAT Interface Overload.
c) Is configured with IP SLA (or SNMP -- See Cisco Bug ID CSCtj44746) and a lot of NAT traffic is flowing through the active route processor while the standby route processor is booting up.
- CSCtk67073 —Resolved in 15.0(1)SY
The Cisco IOS IP Service Level Agreement (IP SLA) feature contains a denial of service (DoS) vulnerability. The vulnerability is triggered when malformed UDP packets are sent to a vulnerable device. The vulnerable UDP port numbers depend on the device configuration. Default ports are not used for the vulnerable UDP IP SLA operation or for the UDP responder ports.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-ipsla.
- CSCsl39986 —Resolved in 15.0(1)SY
Symptom: The changes introduced by Cisco bug ID CSCsi73899 introduced some performance impact.
Conditions: Only IOS versions with CSCsi73899 integrated and not CSCsl39986 are affected. These images are only interim images and should not be available on Cisco.com for general download purposes.
- CSCsv87997 —Resolved in 15.0(1)SY
Symptom: DHCPv6 relay process crash on Actice RP.
Conditions: Unknown at this time.
Workaround: Unknown at this time.
- CSCsx16152 —Resolved in 15.0(1)SY
Symptom: Under unique circumstances erroneous routing prefixes may be added to the routing table.
Conditions: When the DHCPv6 relay feature is enabled and a router receives a normal DHCPv6 relay reply packet, this may lead to an erroneous route being added to the routing table.
Workaround: No workaround except turning off DHCPv6 relay.
- CSCta98734 —Resolved in 15.0(1)SY
Symptom: DNS Memory Leak in DNS queries
Conditions: DNS server configured: ‘ip dns server’
This bug can only possibly surface if the “ip dns-server” is configured, and then only when specific malformed datagrams are received on the DNS udp port 53. This specific datagram malfrmation is that the udp length field indicates a zero-length payload. This should never happen during normal DNS operation.
Workaround: No Workaround at this time
- CSCtd10712 —Resolved in 15.0(1)SY
The Cisco IOS Software network address translation (NAT) feature contains multiple denial of service (DoS) vulnerabilities in the translation of the following protocols:
NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)
Session Initiation Protocol (Multiple vulnerabilities)
H.323 protocol
All the vulnerabilities described in this document are caused by packets in transit on the affected devices when those packets require application layer translation.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-nat
- CSCte14603 —Resolved in 15.0(1)SY
A vulnerability in the Internet Group Management Protocol (IGMP) version 3 implementation of Cisco IOS Software and Cisco IOS XE Software allows a remote unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition. Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-igmp.
Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 22, 2010, or earlier:
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a315.shtml
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html
- CSCtj57173 —Resolved in 15.0(1)SY
Symptom: Cisco IOS Software crashes when processing a specially crafted DNS reply packet.
Conditions: Router is configured to request DNS server lookups via the command ip name-server a.b.c.d and has domain look up enabled (enabled by default).
Affects all versions of Cisco IOS Software prior to first fixed software.
Workaround: Disable the IP Name server look up functionality on Cisco IOS Software, with the command no ip domain-lookup.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2011-0958 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtr28857 —Resolved in 15.0(1)SY
Summary A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp
Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.
Individual publication links are in ‘’Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication‘’ at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2012-0382 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Resolved LegacyProtocols Caveats
- CSCtf74999 —Resolved in 15.0(1)SY
Summary A router configured for DLSw might crash when it receives a series of certain malformed packets. This issue requires a number of conditions and a narrow timing window.
Conditions: Cisco IOS devices configured for DLSw.
Workaround: The only workaround in the device is to disable DLSw if not needed.
Additional mitigations can be found in the following Applied Mitigation Bulletin: http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080326-dlsw
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2011-1625 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCth69364 —Resolved in 15.0(1)SY
Cisco IOS Software contains a memory leak vulnerability in the Data-Link Switching (DLSw) feature that could result in a device reload when processing crafted IP Protocol 91 packets.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-dlsw.
- CSCsz45567 —Resolved in 15.0(1)SY
A device running Cisco IOS Software, Cisco IOS XE Software, or Cisco IOS XR Software is vulnerable to a remote denial of service condition if it is configured for Multiprotocol Label Switching (MPLS) and has support for Label Distribution Protocol (LDP).
A crafted LDP UDP packet can cause an affected device running Cisco IOS Software or Cisco IOS XE Software to reload. On devices running affected versions of Cisco IOS XR Software, such packets can cause the device to restart the mpls_ldp process.
A system is vulnerable if configured with either LDP or Tag Distribution Protocol (TDP).
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100324-ldp.shtml
- CSCtc68037 —Resolved in 15.0(1)SY
Symptom: A Cisco IOS device may experience an unexpected reload as a result of mtrace packet processing.
Workaround: None other than avoiding the use of mtrace functionality.
- CSCtc61584 —Resolved in 15.0(1)SY
Symptom: Device may experience memory leak when receiving a flood of ICMPv6 messages. The memory leak will recover (ie., memory will be released successfully in about 4 hours).
Conditions: Device configured for IPv6 and PMTUD.
Workaround: PMTUD is enabled by default when using TCP over IPv6, and it is not possible to disable it. For this reason a possible workaround is to use an ACL to block the ICMPv6 “packet too big” message.
Please note that filtering out ICMPv6 “packet too big” messages means that the Layer 3 (IPv6) PMTUD is being shut down as well. Therefore, it is necessary to make sure that the MTU is set on the end host to the lowest possible IPv6 MTU - 1280 bytes. Otherwise, since the device is not seeing the “packet too big” message, the device will not know that an intermediate system has dropped a packet because it was too big.
ICMPv6 “packet too big” messages are the IPv6 equivalent to the ICMPv4 “fragmentation needed and DF bit set” message.
- CSCsz32366 —Resolved in 15.0(1)SY
Symptoms: A Cisco router that is running Cisco IOS Release 12.4(25) may crash due to SSH.
Conditions: This symptom occurs when SSH is enabled on the router. An attempt to access the router via SSH is made.
Workaround: Do not use SSH. Disable SSH on the router by removing the RSA keys:
Further Problem Description: This issue has not been seen in Cisco IOS Release 12.4(23) and earlier releases. It also has not been seen in Cisco IOS Release 12.4T images.
- CSCth45540 —Resolved in 15.0(1)SY
Symptom: Device crashes in SSH Process
Conditions: SSH process has to fail to allocate memory for the new connection. This would only occur in extremely low memory conditions.
- CSCta57436 —Resolved in 15.0(1)SY
Symptoms: Router may experience reload after certain corrupted packets are injected into MPLS path.
Conditions: Certain corrupted packets are injected into MPLS path.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtc41760 —Resolved in 15.0(1)SY
Symptom: 6500 may experience redzone crash at UDLD process. Message may appear %SYS-SP-3-OVERRUN: Block overrun at 44456570 (red zone 6D000700) -Traceback= 40291448 402938DC 40D74570 40D763A0
Traceback will vary from code to code.
- CSCth87458 —Resolved in 15.0(1)SY
Symptoms: Memory leak detected in SSH process during internal testing. Authentication is required in order for a user to cause the memory leak.
Conditions: This was experienced during internal protocol robustness testing.
Workaround: Allow SSH connections only from trusted hosts.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2011-2568 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtj22354 —Resolved in 15.0(1)SY
Symptom: System may crash when receiving LLDPDUs.
Conditions: Incoming LLDPDUs with more than 10 LLDP MA(Management Address) TLVs
Workaround: Disable LLDP MA TLV sending on the peers.
Further Problem Description: Currently LLDP supports 10 MA TLVs per LLDP neighbor entry, however, it is not processed properly when more than 10 MA TLVs are received.
- CSCtj30155 —Resolved in 15.0(1)SY
Symptom: Cisco IOS Software is affected by two vulnerabilities that cause a Cisco IOS device to reload when processing IP version 6 (IPv6) packets over a Multiprotocol Label Switching (MPLS) domain. These vulnerabilities are:
– Crafted IPv6 Packet May Cause MPLS-Configured Device to Reload
– ICMPv6 Packet May Cause MPLS-Configured Device to Reload
Cisco has released free software updates that address these vulnerabilities.
Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-ipv6mpls
- CSCtn76183 —Resolved in 15.0(1)SY
The Cisco IOS Software Network Address Translation (NAT) feature contains two denial of service (DoS) vulnerabilities in the translation of IP packets.
The vulnerabilities are caused when packets in transit on the vulnerable device require translation.
Cisco has released free software updates that address these vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-nat
Note: The September 26, 2012, Cisco IOS Software Security Advisory bundled publication includes 9 Cisco Security Advisories. Eight of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the September 2012 bundled publication.
Individual publication links are in the “Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep12.html
- CSCto07919 —Resolved in 15.0(1)SY
Symptom: Cisco IOS Software is affected by two vulnerabilities that cause a Cisco IOS device to reload when processing IP version 6 (IPv6) packets over a Multiprotocol Label Switching (MPLS) domain. These vulnerabilities are:
– Crafted IPv6 Packet May Cause MPLS-Configured Device to Reload - ICMPv6 Packet May Cause MPLS-Configured Device to Reload
Cisco has released free software updates that address these vulnerabilities.
Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-ipv6mpls
- CSCtq36336 —Resolved in 15.0(1)SY
Symptom: An external loop between 2 dot1x enabled ports can cause a storm of unicast EAPoL pdus in the network.
Workaround: Avoid creating a loop.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.8: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C CVE ID CVE-2011-2058 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtc71597 —Resolved in 15.0(1)SY
Symptom: Currently in EARL7 system, For an IPv6 packet the 96 bytes cover DBUS header (22), Ether header (14), IPv6 harder (40), IPv6 extension headers, and L4 header. That means only 20 bytes (96 - 22 - 14 - 40) are for extension header(s) and L4 header. So even packet with small extension header(s) can use up to 20 bytes that would cause l4_hdr_vld = 0. When that happens, all L4 features cannot be applied and packet would be hardware forwarded based on L3 forwarding result.
Conditions: This issue is present from day one but would cause threat only when ipv6 access-list is configured on any interface and that access-list is containing L4 options.
- CSCtb73450 —Resolved in 15.0(1)SY
Symptom: Start-Control-Connection-Request (SCCRQ) packets may cause tunnel to reset after digest failure.
Conditions: This issue is observed when the SCCRQ packets are sent with an incorrect hash.
Workaround: There is no workaround.
- CSCsh61458 —Resolved in 15.0(1)SY
Symptoms: A Cat4k switch may reload after receiving a malformed packet on one specific specific port.
Conditions: This symptom may be observed on a Cat4k switch that enables DNSIX audit trail and recieves crafted IP packets on a specific port.
Workaround: Do not enable the DNSIX audit trail.
- CSCth27791 —Resolved in 15.0(1)SY
Symptoms: This bug has been filed to enhance the code to follow secure best practices and enhance resiliency of the product.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCsw41041 —Resolved in 15.0(1)SY
Symptom: Cisco ASR1000 routers running Cisco IOS software may experience a crash when PPTP packets are sent under certain conditions to a router with VPN features configured.
Conditions: Normal Conditions.
Workaround: CoPP may be configured on the device to protect the management and control planes and to workaround this risk by explicitly permitting only authorized traffic sent to the route processor in accordance with existing security policies and configurations. The following example can be adapted to your network.
- CSCtd75033 —Resolved in 15.0(1)SY
Symptom: Cisco IOS Software is affected by NTP mode 7 denial-of-service vulnerability. Note: The fix for this vulnerability has a behavior change affect on Cisco IOS Operations for Mode 7 packets. See the section Further Description of this release note enclosure.
Conditions: Cisco IOS Software with support for Network Time Protocol (NTP) contains a vulnerability processing specific NTP Control Mode 7 packets. This results in increased CPU on the device and increased traffic on the network segments.
This is the same as the vulnerability which is described in http://www.kb.cert.org/vuls/id/568372
Cisco has release a public facing vulnerability alert at the following link: http://tools.cisco.com/security/center/viewAlert.x?alertId=19540
Cisco IOS Software that has support for NTPv4 is NOT affected. NTPv4 was introduced into Cisco IOS Software: 12.4(15)XZ, 12.4(20)MR, 12.4(20)T, 12.4(20)YA, 12.4(22)GC1, 12.4(22)MD, 12.4(22)YB, 12.4(22)YD, 12.4(22)YE and 15.0(1)M.
All other versions of Cisco IOS and Cisco IOS XE Software are affected.
To see if a device is configured with NTP, log into the device and issue the CLI command show running-config | include ntp. If the output returns either of the following commands listed then the device is vulnerable:
The following example identifies a Cisco device that is configured with NTP:
The following example identifies a Cisco device that is not configured with NTP:
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to “Cisco Internetwork Operating System Software” or “Cisco IOS Software.” The image name displays in parentheses, followed by “Version” and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:
The following example shows a product that is running Cisco IOS Software release 12.4(20)T with an image name of C1841-ADVENTERPRISEK9-M:
Additional information about Cisco IOS Software release naming conventions is available in “White Paper: Cisco IOS and NX-OS Software Reference Guide” at the following link: http://www.cisco.com/web/about/security/intelligence/ios-ref.html
Workaround: There are no workarounds other than disabling NTP on the device. The following mitigations have been identified for this vulnerability; only packets destined for any configured IP address on the device can exploit this vulnerability. Transit traffic will not exploit this vulnerability.
Note NTP peer authentication is not a workaround and is still a vulnerable configuration.
Warning: Because the feature in this vulnerability utilizes UDP as a transport, it is possible to spoof the sender’s IP address, which may defeat access control lists (ACLs) that permit communication to these ports from trusted IP addresses. Unicast Reverse Path Forwarding (Unicast RPF) should be considered to be used in conjunction to offer a better mitigation solution.
For additional information on NTP access control groups, consult the document titled “Performing Basic System Management” at the following link:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_basic_sys_manage.html#wp1034942
– Infrastructure Access Control Lists
Warning: Because the feature in this vulnerability utilizes UDP as a transport, it is possible to spoof the sender’s IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses. Unicast RPF should be considered to be used in conjunction to offer a better mitigation solution.
Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of networks.
Infrastructure ACLs (iACLs) are a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The iACL example below should be included as part of the deployed infrastructure access-list, which will help protect all devices with IP addresses in the infrastructure IP address range:
The white paper entitled “Protecting Your Core: Infrastructure Protection Access Control Lists” presents guidelines and recommended deployment techniques for infrastructure protection access lists and is available at the following link
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
Provided under Control Plane Policing there are two examples. The first aims at preventing the injection of malicious traffic from untrusted sources, whilst the second looks at rate limiting NTP traffic to the box.
– Filtering untrusted sources to the device.
Warning: Because the feature in this vulnerability utilizes UDP as a transport, it is possible to spoof the sender’s IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses. Unicast RPF should be considered to be used in conjunction to offer a better mitigation solution.
Control Plane Policing (CoPP) can be used to block untrusted UDP traffic to the device. Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP can be configured on a device to help protect the management and control planes and minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic that is sent to infrastructure devices in accordance with existing security policies and configurations. The CoPP example below should be included as part of the deployed CoPP, which will help protect all devices with IP addresses in the infrastructure IP address range.
In the above CoPP example, the access control list entries (ACEs) that match the potential exploit packets with the “permit” action result in these packets being discarded by the policy-map “drop” function, while packets that match the “deny” action (not shown) are not affected by the policy-map drop function.
– Rate Limiting the traffic to the device The CoPP example below could be included as part of the deployed CoPP, which will help protect targeted devices from processing large amounts of NTP traffic.
Warning: If the rate-limits are exceeded valid NTP traffic may also be dropped.
Additional information on the configuration and use of the CoPP feature can be found in the documents, “Control Plane Policing Implementation Best Practices” and “Cisco IOS Software Releases 12.2 S - Control Plane Policing” at the following links: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
Cisco IOS Software releases that have the fix for this Cisco bug ID, have a behavior change for mode 7 private mode packets.
Cisco IOS Software release with the fix for this Cisco bug ID, will not process NTP mode 7 packets, and will display a message “NTP: Receive: dropping message: Received NTP private mode packet. 7” if debugs for NTP are enabled.
To have Cisco IOS Software process mode 7 packets, the CLI command ntp allow mode private should be configured. This is disabled by default.
Troubleshooting
These sections describes troubleshooting guidelines for the Catalyst 6500 series switch configuration:
- System Troubleshooting
- Module Troubleshooting
- VLAN Troubleshooting
- Spanning Tree Troubleshooting
- Additional Troubleshooting Information
System Troubleshooting
This section contains troubleshooting guidelines for system-level problems:
- When the system is booting and running power-on diagnostics, do not reset the switch.
- After you initiate a switchover from the active supervisor engine to the redundant supervisor engine, or when you insert a redundant supervisor engine in an operating switch, always wait until the supervisor engines have synchronized and all modules are online before you remove or insert modules or supervisor engines or perform another switchover.
- If you have an interface whose speed is set to auto connected to another interface whose speed is set to a fixed value, configure the interface whose speed is set to a fixed value for half duplex. Alternately, you can configure both interfaces to a fixed-value speed and full duplex.
- If you apply both ACL and FnF with sampler on the SVI interface, the operational state of the Feature Manager gets reduced which causes the traffic to get software switched. In this state, if incoming traffic rate is high, CPU utilization will also go high. Therefore, apply ACL and FnF without sampler on the SVI interface. Otherwise, apply ACL and FnF with sampler on the physical interface.
Module Troubleshooting
This section contains troubleshooting guidelines for module problems:
- When you hot insert a module into a chassis, be sure to use the ejector levers on the front of the module to seat the backplane pins properly. Inserting a module without using the ejector levers might cause the supervisor engine to display incorrect messages about the module. For module installation instructions, refer to the Catalyst 6500 Series Module Installation Guide.
- Whenever you connect an interface that has duplex set to autonegotiate to an end station or another networking device, make sure that the other device is configured for autonegotiation as well. If the other device is not set to autonegotiate, the autonegotiating port will remain in half-duplex mode, which can cause a duplex mismatch resulting in packet loss, late collisions, and line errors on the link.
VLAN Troubleshooting
Note Catalyst 6500 series switches do not support ISL-encapsulated Token Ring frames. To support trunked Token Ring traffic in your network, make trunk connections directly between switches that support ISL-encapsulated Token Ring frames. When a Catalyst 6500 series switch is configured as a VTP server, you can configure Token Ring VLANs from the switch.
Although DTP is a point-to-point protocol, some internetworking devices might forward DTP frames. To avoid connectivity problems that might be caused by a switch acting on these forwarded DTP frames, do the following:
- For interfaces connected to devices that do not support DTP, in which trunking is not currently being used, configure interfaces with the switchport mode access command, which puts the interface into access mode and sends no DTP frames.
- When manually enabling trunking on a link to devices that do not support DTP, use the switchport nonegotiate and switchport mode trunk commands, which puts the interface into trunking mode without sending DTP frames.
Spanning Tree Troubleshooting
The Spanning Tree Protocol (STP) blocks certain ports to prevent physical loops in a redundant topology. On a blocked port, switches receive spanning tree bridge protocol data units (BPDUs) periodically from neighboring switches. You can configure the frequency with which BPDUs are received by entering the spanning-tree vlan vlan_ID hello-time command (the default frequency is set to 2 seconds). If a switch does not receive a BPDU in the time period defined by the spanning-tree vlan vlan_ID max-age command (20 seconds by default), the blocked port transitions to the listening state, the learning state, and to the forwarding state. As it transitions, the switch waits for the time period specified by the spanning-tree vlan vlan_ID forward-time command (15 seconds by default) in each of these intermediate states. If a blocked spanning tree interface does not receive BPDUs from its neighbor within 50 seconds, it moves into the forwarding state.
Note We do not recommend using the UplinkFast feature on switches with more than 20 active VLANs. The convergence time might be unacceptably long with more than 20 active VLANs.
To debug STP problems, follow these guidelines:
- The show vlan virtual-port command displays the number of virtual interfaces.
- These maximum numbers of virtual interfaces are supported:
Note Cisco IOS software displays a message if you exceed the maximum number of virtual interfaces.
- After a switchover from the active to the redundant supervisor engine, the ports on the redundant supervisor engine take longer to come up than other ports.
- Record all spanning tree-blocked ports in each switch in your network. For each of the spanning tree-blocked ports, record the output of the show interface command. Check to see if the port has registered many alignment, FCS, or any other type of line errors. If these errors are incrementing continuously, the port might drop input BPDUs. If the input queue counter is incrementing continuously, the port is losing input packets because of a lack of receive buffers. This problem can also cause the port to drop incoming BPDUs.
- On a blocked spanning tree port, check the duplex configuration to ensure that the port duplex is set to the same type as the port of its neighboring device.
- On trunks, make sure that the trunk configuration is set properly on both sides of the link.
- On trunks, if the neighboring device supports it, set duplex to full on both sides of the link to prevent any collisions under heavy traffic conditions.
Additional Troubleshooting Information
For additional troubleshooting information, refer to the publications at this URL:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_troubleshoot_and_alerts.html
System Software Upgrade Instructions
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080116ff0.shtml
Notices
The following notices pertain to this software license.
OpenSSL/Open SSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
Copyright © 1998-2007 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/)”.
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/)”.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS”' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.
The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
This document is to be used in conjunction with the Catalyst 6500 Series Cisco IOS Software Configuration Guide publication.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)