Release Notes for Cisco IOS Release 15.1SY
Available Languages
Table of Contents
Release Notes for Cisco IOS Release 15.1SY
Chronological List of Releases
Supervisor Engines, PFCs, DFCs, and CFC
Policy Feature Cards Supported with Supervisor Engine 2T
Distributed Forwarding Cards Supported with Supervisor Engine 2T
Supervisor Engine 720-10GE (CAT6000-VS-S720-10G/MSFC3)
Supervisor Engine 720 (CAT6000-SUP720/MSFC3)
Policy Feature Cards Supported with Supervisor Engine 720
Distributed Forwarding Cards Supported with Supervisor Engine 720
Centralized Forwarding Card (WS-F6700-CFC)
40-Gigabit Ethernet Switching Modules
WS-X6904-40G-2T 4-Port 40-Gigabit Ethernet Switching Module
10-Gigabit Ethernet Switching Modules
WS-X6908-10GE 8-Port 10-Gigabit Ethernet X2 Switching Module
WS-X6816-10T-2T, WS-X6716-10T 16-Port 10-Gigabit Ethernet Copper Switching Module
WS-X6816-10G-2T, WS-X6716-10G 16-Port 10-Gigabit Ethernet X2 Switching Module
WS-X6708-10GE 8-port 10-Gigabit Ethernet X2 Switching Module
WS-X6704-10GE 4-Port 10-Gigabit Ethernet XENPAK Switching Module
WS-X6502-10GE 1-port 10-Gigabit Ethernet Switching Module
Cisco Catalyst 6880-X Series Extensible Fixed Aggregation Switches
Cisco Catalyst 6807-XL Modular Switch
Instant Access Catalyst 6800ia Series Switches
Gigabit Ethernet Switching Modules
WS-X6848-SFP-2T, WS-X6748-SFP 48-Port Gigabit Ethernet SFP Switching Module
WS-X6824-SFP-2T, WS-X6724-SFP 24-Port Gigabit Ethernet SFP Switching Module
WS-X6816-GBIC 16-port Gigabit Ethernet GBIC Switching Module
WS-X6516A-GBIC 16-Port Gigabit Ethernet GBIC Switching Module
WS-X6516-GBIC 16-Port Gigabit Ethernet GBIC Switching Module
WS-X6416-GBIC 16-port Gigabit Ethernet GBIC Switching Module
WS-X6408A-GBIC 8-port Gigabit Ethernet GBIC Switching Module
WS-X6408-GBIC 8-port Gigabit Ethernet GBIC Switching Module
10/100/1000 Ethernet Switching Modules
WS-X6848-TX-2T, WS-X6748-GE-TX
WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF
WS-X6148A-GE-TX, WS-X6148A-GE-45AF
WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6148-GE-45AF
100MB Ethernet Switching Modules
10/100MB Ethernet Switching Modules
WS-X6148X2-RJ-45, WS-X6148X2-45AF
WS-X6348-RJ-45, WS-X6348-RJ-45V
WS-X6148A-RJ-45, WS-X6148A-45AF
WS-X6148-RJ-45, WS-X6148-RJ45V, WS-X6148-45AF
WS-X6148-RJ-21, WS-X6148-RJ21V, WS-X6148-21AF
Power over Ethernet Daughtercards
Small Form-Factor Pluggable (SFP) Modules
Gigabit Interface Converters (GBICs)
Application Control Engine (ACE) Module
Firewall Services Module (FWSM)
Intrusion Detection System Modules (IDSMs)
Network Analysis Modules (NAMs)
Wireless Services Modules (WiSMs)
New Features in Release 15.1(2)SY16
New Hardware Features in Release 15.1(2)SY16
New Software Features in Release 15.1(2)SY16
New Features in Release 15.1(2)SY15
New Hardware Features in Release 15.1(2)SY15
New Software Features in Release 15.1(2)SY15
New Features in Release 15.1(2)SY14
New Hardware Features in Release 15.1(2)SY14
New Software Features in Release 15.1(2)SY14
New Features in Release 15.1(2)SY13
New Hardware Features in Release 15.1(2)SY13
New Software Features in Release 15.1(2)SY13
New Features in Release 15.1(2)SY12
New Hardware Features in Release 15.1(2)SY12
New Software Features in Release 15.1(2)SY12
New Features in Release15.1(2)SY11
New Hardware Features in Release15.1(2)SY11
New Software Features in Release15.1(2)SY11
New Features in Release15.1(2)SY10
New Hardware Features in Release15.1(2)SY10
New Software Features in Release15.1(2)SY10
New Features in Release15.1(2)SY9
New Hardware Features in Release15.1(2)SY9
New Software Features in Release15.1(2)SY9
New Features in Release15.1(2)SY8
New Hardware Features in Release15.1(2)SY8
New Software Features in Release15.1(2)SY8
New Features in Release15.1(2)SY7
New Hardware Features in Release15.1(2)SY7
New Software Features in Release15.1(2)SY7
New Features in Release15.1(1)SY6
New Hardware Features in Release15.1(1)SY6
New Software Features in Release15.1(1)SY6
New Features in Release15.1(2)SY6
New Hardware Features in Release15.1(2)SY6
New Software Features in Release15.1(2)SY6
New Features in Release15.1(2)SY5
New Hardware Features in Release15.1(2)SY5
New Software Features in Release15.1(2)SY5
New Features in Release15.1(1)SY5
New Hardware Features in Release15.1(1)SY5
New Software Features in Release15.1(1)SY5
New Features in Release15.1(2)SY4
New Hardware Features in Release15.1(2)SY4
New Software Features in Release15.1(2)SY4
New Features in Release15.1(1)SY4
New Hardware Features in Release15.1(1)SY4
New Software Features in Release15.1(1)SY4
New Features in Release15.1(2)SY3
New Hardware Features in Release 15.1(2)SY3
New Software Features in Release 15.1(2)SY3
New Features in Release15.1(2)SY2
New Hardware Features in Release15.1(2)SY2
New Software Features in Release15.1(2)SY2
New Features in Release15.1(2)SY1
New Hardware Features in Release15.1(2)SY1
New Software Features in Release15.1(2)SY1
New Features in Release15.1(2)SY
New Hardware Features in Release15.1(2)SY
New Software Features in Release15.1(2)SY
New Features in Release15.1(1)SY3
New Hardware Features in Release15.1(1)SY3
New Software Features in Release15.1(1)SY3
New Features in Release15.1(1)SY2
New Hardware Features in Release15.1(1)SY2
New Software Features in Release15.1(1)SY2
New Features in Release15.1(1)SY1
New Hardware Features in Release15.1(1)SY1
New Software Features in Release15.1(1)SY1
New Features in Release15.1(1)SY
New Hardware Features in Release15.1(1)SY
New Software Features in Release15.1(1)SY
Software Features from Earlier Releases
Open Caveats in Release 15.1(2)SY
Open Caveats in Release 15.1(1)SY
Caveats Resolved in Release 15.1(2)SY16
Caveats Resolved in Release 15.1(2)SY15
Caveats Resolved in Release 15.1(2)SY14
Caveats Resolved in Release 15.1(2)SY13
Caveats Resolved in Release 15.1(2)SY12
Caveats Resolved in Release 15.1(2)SY11
Caveats Resolved in Release 15.1(2)SY10
Caveats Resolved in Release 15.1(2)SY9
Caveats Resolved in Release 15.1(2)SY8
Caveats Resolved in Release 15.1(2)SY7
Caveats Resolved in Release 15.1(1)SY6
Caveats Resolved in Release 15.1(2)SY6
Caveats Resolved in Release 15.1(2)SY5
Caveats Resolved in Release 15.1(1)SY5
Caveats Resolved in Release 15.1(2)SY4a
Caveats Resolved in Release 15.1(2)SY4
Caveats Resolved in Release 15.1(1)SY4
Caveats Resolved in Release 15.1(2)SY3
Caveats Resolved in Release 15.1(2)SY2
Caveats Resolved in Release 15.1(2)SY1
Caveats Resolved in Release 15.1(2)SY
Caveats Resolved in Release 15.1(1)SY3
Caveats Resolved in Release 15.1(1)SY2
Caveats Resolved in Release 15.1(1)SY1
Caveats Resolved in Release 15.1(1)SY
Additional Troubleshooting Information
System Software Upgrade Instructions
Obtaining Documentation and Submitting a Service Request
Release Notes for Cisco IOS Release 15.1SY
Note ●
See this product bulletin for information about the standard maintenance and extended maintenance 15.1SY releases:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-15-0sy/product_bulletin_c25-687567.html
- For general product information about the Catalyst 6500 series switches, refer to these product bulletins:
http://www.cisco.com/c/en/us/products/switches/catalyst-6500-series-switches/literature.html
The most current version of this document is available on Cisco.com at this URL:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/release_notes.html
Contents
This publication consists of these sections:
- Chronological List of Releases
- Hierarchical List of Releases
- FPD-Image Dependant Modules
- Supported Hardware
- Unsupported Hardware
- Images and Feature Sets
- Universal Boot Loader Image
- EFSU Compatibility
- Cisco IOS Behavior Changes
- New Features in Release 15.1(2)SY16
- New Features in Release 15.1(2)SY15
- New Features in Release 15.1(2)SY14
- New Features in Release 15.1(2)SY14
- New Features in Release 15.1(2)SY12
- New Features in Release 15.1(2)SY11
- New Features in Release 15.1(2)SY10
- New Features in Release 15.1(2)SY9
- New Features in Release 15.1(2)SY8
- New Features in Release 15.1(2)SY7
- New Features in Release 15.1(1)SY6
- New Features in Release 15.1(2)SY6
- New Features in Release 15.1(2)SY5
- New Features in Release 15.1(1)SY5
- New Features in Release 15.1(2)SY4
- New Features in Release 15.1(1)SY4
- New Features in Release 15.1(2)SY3
- New Features in Release 15.1(2)SY2
- New Features in Release 15.1(2)SY1
- New Features in Release 15.1(2)SY
- New Features in Release 15.1(1)SY3
- New Features in Release 15.1(1)SY2
- New Features in Release 15.1(1)SY1
- New Features in Release 15.1(1)SY
- Unsupported Commands
- Unsupported Features
- Restrictions
- Caveats in Release 15.1SY
- Troubleshooting
Chronological List of Releases
Note ● See the “Images and Feature Sets” section for information about which releases are deferred.
- See the “Hierarchical List of Releases” section for information about parent releases.
This is a chronological list of the 15.1SY releases:
- Release 15.1(2)SY16—20 February 2020
- Release 15.1(2)SY15—20 August 2019
- Release 15.1(2)SY14—14 February 2019
- Release 15.1(2)SY13—6 September 2018
- Release 15.1(2)SY12—30 April 2018
- Release 15.1(2)SY11—27 July 2017
- Release 15.1(2)SY10—24 Feb 2017
- Release 15.1(2)SY9—14 Oct 2016
- Release 15.1(2)SY8—01 Sept 2016
- Release 15.1(2)SY7—16 Mar 2016
- Release 15.1(1)SY6—12 Nov 2015
- Release 15.1(2)SY6—19 Sept 2015
- Release 15.1(2)SY5—21 May 2015
- Release 15.1(1)SY5—27 Mar 2015
- Release 15.1(2)SY4—08 Nov 2014
- Release 15.1(1)SY4—10 Oct 2014
- Release 15.1(2)SY3—23 Jun 2014
- Release 15.1(1)SY3—22 Mar 2014
- Release 15.1(2)SY2—03 Mar 2014
- Release 15.1(2)SY1—09 Dec 2013
- Release 15.1(1)SY2—04 Oct 2013
- Release 15.1(2)SY—07 Sep 2013
- Release 15.1(1)SY1—03 May 2013
- Release 15.1(1)SY—15 Oct 2012
Hierarchical List of Releases
These releases support the hardware listed in the “Supported Hardware” section:
– Date of release: 20 February 2020
– Based on Release: 15.1(2)SY15
– Date of release: 20 August 2019
– Based on Release: 15.1(2)SY14
– Date of release: 14 February 2019
– Based on Release: 15.1(2)SY13
– Date of release: 6 September 2018
– Based on Release: 15.1(2)SY12
– Date of release: 30 April 2018
– Based on Release: 15.1(2)SY11
– Date of release: 27 July 2017
– Based on Release 15.1(2)SY10
– Date of release: 24 Feb 2017
– Date of release: 14 Oct 2016
– Date of release: 01 Sept 2016
– Date of release: 16 Mar 2016
– Date of release: 12 Nov 2015
– Date of release: 19 Sept 2015
– Date of release: 21 May 2015
– Date of release: 27 Mar 2015
– Date of release: 08 Nov 2014
– Date of release: 10 Oct 2014
– Date of release: 23 Jun 2014
– Date of release: 03 Mar 2014
– Date of release: 09 Dec 2013
– Date of release: 22 Mar 2014
– Date of release: 04 Oct 2013
– Date of release: 07 Sep 2013
– Date of release: 03 May 2013
– Date of release: 15 Oct 2012
– Based on Release 15.0(1)SY2 and Release 12.2(33)SXJ3
Note Release 15.1SY supports only Ethernet ports. Release 15.1SY does not support any WAN features or commands.
FPD-Image Dependant Modules
FPD image packages update FPD images. If a discrepancy exists between an FPD image and the Cisco IOS image, the module that has the FPD discrepancy is deactivated until the discrepancy is resolved. These modules use FPD images:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn85.html
http://www.cisco.com/c/en/us/support/cloud-systems-management/prime-network-analysis-module-software/products-release-notes-list.html
Supported Hardware
These sections describe the hardware supported in Release 15.1(2)SY1 and later releases:
- Supervisor Engines, PFCs, DFCs, and CFC
- 40-Gigabit Ethernet Switching Modules
- 10-Gigabit Ethernet Switching Modules
- Cisco Catalyst 6880-X Series Extensible Fixed Aggregation Switches
- Cisco Catalyst 6807-XL Modular Switch
- Instant Access Catalyst 6800ia Series Switches
- Gigabit Ethernet Switching Modules
- 10/100/1000 Ethernet Switching Modules
- 100MB Ethernet Switching Modules
- 10/100MB Ethernet Switching Modules
- Transceivers
- Power over Ethernet Daughtercards
- Service Modules
- Power Supplies
- Chassis
Note Enter the show power command to display current system power usage.
Supervisor Engines, PFCs, DFCs, and CFC
- Supervisor Engine 2T-10GE
- Policy Feature Cards Supported with Supervisor Engine 2T
- Distributed Forwarding Cards Supported with Supervisor Engine 2T
- Supervisor Engine 720-10GE (CAT6000-VS-S720-10G/MSFC3)
- Supervisor Engine 720 (CAT6000-SUP720/MSFC3)
- Supervisor Engine 720 (CAT6000-SUP720/MSFC3)
- Policy Feature Cards Supported with Supervisor Engine 720
- Distributed Forwarding Cards Supported with Supervisor Engine 720
- Centralized Forwarding Card (WS-F6700-CFC)
Supervisor Engine 2T-10GE
Note For information about DRAM requirements on all supervisor engines, see this publication:
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/qa_c67_457347.html
– Policy Feature Card 4XL (PFC4XL)
– Policy Feature Card 4 (PFC4)
See the “Policy Feature Cards Supported with Supervisor Engine 2T” section.
- Supports 2-Tbps switch fabric connectivity.
- 2-GB DRAM.
- Internal 1-GB bootflash (bootdisk:).
- One external slot:
– For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc., for use in Supervisor Engine 2T-10GE.
– QoS architecture: 2q4t / 1p3q4t
– Ports 1, 2, and 3: Gigabit Ethernet SFP (fiber SFP or 1000 Mbps RJ-45 SFP)
– Support for 10-Gigabit Ethernet X2 tranceivers
• With ports 1, 2, and 3 enabled: 2q4t / 1p3q4t
• With ports 1, 2, and 3 disabled: 8q4t / 1p7q4t
Note See the Supervisor Engine 2T-10GE Connectivity Management Processor Configuration Guide for information about the 10/100/1000 Mbps RJ-45 port.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/cmp_configuration/guide/sup2T_10GEcmp.html
Supervisor Engine 2T-10GE Restrictions
- The 1-Gigabit Ethernet ports and the 10-Gigabit Ethernet ports have the same QoS port architecture (2q4t / 1p3q4t) unless you disable the 1-Gigabit Ethernet ports with the platform qos 10g-only global configuration command. With the 1-Gigabit Ethernet ports disabled, the QoS port architecture of the 10-Gigabit Ethernet ports is 8q4t / 1p7q4t.
- In RPR redundancy mode, the ports on a Supervisor Engine 2T-10GE in standby mode are disabled.
Policy Feature Card 4 Guidelines and Restrictions
- The PFC4 supports a theoretical maximum of 131,072 (128K) MAC addresses with 118,000 (115.2K) MAC addresses as the recommended maximum.
- The PFC4 partitions the hardware FIB table to route IPv4 unicast, IPv4 multicast, MPLS, and IPv6 unicast and multicast traffic in hardware. Traffic for routes that do not have entries in the hardware FIB table are processed by the route processor in software.
The defaults for XL mode are:
– IPv4 unicast and MPLS: 512,000 routes
– IPv4 multicast and IPv6 unicast and multicast: 256,000 routes
The defaults for Non-XL mode are:
– IPv4 unicast and MPLS: 192,000 routes
– IPv4 multicast and IPv6 unicast and multicast: 32,000 routes
Note The size of the global internet routing table plus any local routes might exceed the non-XL mode default partition sizes.
These are the theoretical maximum numbers of routes for the supported protocols (the maximums are not supported simultaneously):
– XL mode :
• IPv4 and MPLS: Up to 1,007,000 routes
• IPv4 multicast and IPv6 unicast and multicast: Up to 503,000 routes
– Non-XL mode :
• IPv4 and MPLS: Up to 239,000 routes
• IPv4 multicast and IPv6 unicast and multicast: Up to 119,000 routes
Enter the platform cef maximum-routes command to repartition the hardware FIB table. IPv4 unicast and MPLS require one hardware FIB table entry per route. IPv4 multicast and IPv6 unicast and multicast require two hardware FIB table entries per route. Changing the partition for one protocol makes corresponding changes in the partitions of the other protocols. You must enter the reload command to put configuration changes made with the platform cef maximum-routes command into effect.
Note With a non-XL-mode system, if your requirements cannot be met by repartitioning the hardware FIB table, upgrade components as necessary to operate in XL mode.
- You cannot use one type of PFC on one supervisor engine and a different type on the other supervisor engine for redundancy. You must use identical policy feature cards for redundancy.
- PFC4—These restrictions apply to a configuration with a PFC4 and these DFCs:
– PFC4 and DFC4—No restrictions (PFC4 mode).
– PFC4 and DFC4XL—The PFC4 restricts DFC4XL functionality: the DFC4XL functions as a DFC4 (PFC4 mode).
– PFC4XL and DFC4—PFC4XL functionality is restricted by the DFC4: after a reload with a DFC4-equipped module installed, the PFC4XL functions as a PFC4 (PFC4 mode).
– PFC4XL and DFC4XL—No restrictions (PFC4XL mode).
- Switching modules that you install after bootup that are equipped with a DFC that imposes a more restricted PFC mode than the current PFC mode remain powered down.
- You must reboot to use a switching module equipped with a DFC that imposes a more restricted PFC mode than the current PFC mode.
- Enter the show platform hardware pfc mode command to display the PFC mode.
- FIB TCAM exception may be thrown in case of a route churn where TCAM utilization is more than 80% of the total utilization. This limitation is applicable to DFC TCAM on -XL line cards. If FIB TCAM exception is thrown for a transit route for IPv4 or IPv6 or MPLS traffic, the route does not get installed in FIB and connectivity gets affected. This can result in elevated CPU usage due to software switching.
Distributed Forwarding Cards Supported with Supervisor Engine 2T
Note ● See the “Policy Feature Cards Supported with Supervisor Engine 2T” section for Policy Feature Cards (PFC) and Distributed Forwarding Card (DFC) restrictions.
- The DFC4 uses memory that is installed on the switching module.
- For more information about the DFCs, see these documents:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/OL_24918.html
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/catalyst-6500-series-supervisor-engine-2t/data_sheet_c78-648214.html
Supervisor Engine 720-10GE Common Features
– Internal 1-GB CompactFlash card (sup-bootdisk:).
– 1-GB DRAM.
– 1-GB DRAM.
– Policy Feature Card 3CXL (PFC3CXL).
– Policy Feature Card 3C (PFC3C).
– See the “Policy Feature Cards Supported with Supervisor Engine 2T” section.
– For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc., for use in Supervisor Engine 720-10GE.
– QoS architecture: 2q4t / 1p3q4t
– Support for Gigabit Ethernet SFPs
– QoS architecture: 2q4t / 1p3q4t
– Support for 10-Gigabit Ethernet X2 tranceivers
– QoS architecture: 2q4t / 1p3q4t or 8q4t / 1p7q4t
Note The 1-Gigabit Ethernet ports and the 10-Gigabit Ethernet ports have the same QoS port architecture (2q4t/1p3q4t) unless you disable the 1-Gigabit Ethernet ports with the mls qos 10g-only global configuration command, which is required to configure DSCP-based queueing. With the 1-Gigabit Ethernet ports disabled, the QoS port architecture of the 10-Gigabit Ethernet ports is 8q4t/1p7q4t.
Supervisor Engine 720 Common Features
- Integrated 720-Gbps Switch Fabric
- Internal 64-MB bootflash device (sup-bootflash:) or CompactFlash card ( sup-bootdisk:), 512 MB or larger.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_17277.html
- Two external slots (disk0: and disk1:) for CompactFlash Type II flash PC cards sold by Cisco Systems, Inc., for use in Supervisor Engine 720.
Note Some Supervisor Engine 720 Release 12.2SX images are larger than the bootflash device and must be stored on a CompactFlash card (sup-bootdisk: or disk0: or disk1:).
– 512-KB packet buffer per port
– Port 1—Gigabit Interface Converter (GBIC)
– Port 2—Configurable as either:
Supervisor Engine 720 with PFC3BXL
Note If you install WS-SUP720-3BXL=, upgrade the memory on any DFC3-equipped switching modules. See this document for DFC3 memory upgrades:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_12409.html
Supervisor Engine 720 with PFC3BXL: – – –
|
Supervisor Engine 720 with PFC3B
Note ● See this document for DFC3 memory upgrades:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_12409.html
- Use WS-F6K-PFC3BXL= to upgrade a WS-SUP720-3B with a PFC3BXL. WS-F6K-PFC3BXL= includes 1 GB memory upgrades for the Supervisor Engine 720 and the MSFC3.
– If you install WS-F6K-PFC3BXL=, upgrade the memory on any DFC3-equipped switching modules.
– See this publication for more information about WS-F6K-PFC3BXL=:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_16220.html
Supervisor Engine 720 with PFC3B: – – –
|
Policy Feature Card 3 Guidelines and Restrictions
- The PFC3C supports a theoretical maximum of 96 K MAC addresses (64 K MAC addresses recommended maximum).
- The PFC3B and PFC3BXL support a theoretical maximum of 64 K MAC addresses (32 K MAC addresses recommended maximum).
- The PFC3 partitions the hardware FIB table to route IPv4 unicast, IPv4 multicast, MPLS, and IPv6 unicast and multicast traffic in hardware. Traffic for routes that do not have entries in the hardware FIB table are processed by the route processor in software.
– IPv4 unicast and MPLS—512,000 routes
– IPv4 multicast and IPv6 unicast and multicast—256,000 routes
The defaults for non-XL mode are:
– IPv4 unicast and MPLS—192,000 routes
– IPv4 multicast and IPv6 unicast and multicast—32,000 routes
Note The size of the global internet routing table plus any local routes might exceed the non-XL mode default partition sizes.
These are the theoretical maximum numbers of routes for the supported protocols (the maximums are not supported simultaneously):
• IPv4 and MPLS—Up to 1,007,000 routes
• IPv4 multicast and IPv6 unicast and multicast—Up to 503,000 routes
• IPv4 and MPLS—Up to 239,000 routes
• IPv4 multicast and IPv6 unicast and multicast—Up to 119,000 routes
Enter the mls cef maximum-routes command to repartition the hardware FIB table. IPv4 unicast and MPLS require one hardware FIB table entry per route. IPv4 multicast and IPv6 unicast and multicast require two hardware FIB table entries per route. Changing the partition for one protocol makes corresponding changes in the partitions of the other protocols. You must enter the reload command to put configuration changes made with the mls cef maximum-routes command into effect.
Note With a non-XL-mode system, if your requirements cannot be met by repartitioning the hardware FIB table, upgrade components as necessary to operate in XL mode.
- You cannot use one type of PFC3 on one supervisor engine and a different type on the other supervisor engine for redundancy. You must use identical policy feature cards for redundancy.
- PFC3B—These restrictions apply to a configuration with a PFC3B and these DFCs:
– PFC3B and DFC3B—No restrictions (PFC3B mode; does not support virtual switch mode).
– PFC3B and DFC3BXL—The PFC3B restricts DFC3BXL functionality: after a reload with a DFC3BXL-equipped module installed, the DFC3BXL functions as a DFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3B and DFC3C—The PFC3B restricts DFC3C functionality: the DFC3C functions as a DFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3B and DFC3CXL—The PFC3B restricts DFC3CXL functionality: the DFC3CXL functions as a DFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3BXL and DFC3B—PFC3BXL functionality is restricted by the DFC3B: after a reload with a DFC3B-equipped module installed, the PFC3BXL functions as a PFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3BXL and DFC3BXL—No restrictions (PFC3BXL mode; does not support virtual switch mode).
– PFC3BXL and DFC3C—Each restricts the functionality of the other: the PFC3BXL functions as a PFC3B and the DFC3C functions as a DFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3BXL and DFC3CXL—The PFC3BXL restricts DFC3CXL functionality: the DFC3CXL functions as a DFC3BXL (PFC3BXL mode; does not support virtual switch mode).
– PFC3C and DFC3B—PFC3C functionality is restricted by the DFC3B: after a reload with a DFC3B-equipped module installed, the PFC3C functions as a PFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3C and DFC3BXL—PFC3C functionality is restricted by the DFC3BXL: after a reload with a DFC3BXL-equipped module installed, the PFC3C functions as a PFC3BXL (PFC3BXL mode; does not support virtual switch mode).
– PFC3C and DFC3C—No restrictions (PFC3C mode).
– PFC3C and DFC3CXL—The PFC3C restricts DFC3CXL functionality: the DFC3CXL functions as a DFC3C (PFC3C mode).
– PFC3CXL and DFC3B—PFC3CXL functionality is restricted by the DFC3B: after a reload with a DFC3B-equipped module installed, the PFC3CXL functions as a PFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3CXL and DFC3BXL—PFC3CXL functionality is restricted by the DFC3BXL: after a reload with a DFC3BXL-equipped module installed, the PFC3CXL functions as a PFC3BXL (PFC3BXL mode; does not support virtual switch mode).
– PFC3CXL and DFC3C—PFC3CXL functionality is restricted by the DFC3C: after a reload with a DFC3C-equipped module installed, the PFC3CXL functions as a PFC3C (PFC3C mode).
– PFC3CXL and DFC3CXL—No restrictions (PFC3CXL mode).
- Switching modules that you install after bootup that are equipped with a DFC that imposes a more restricted PFC mode than the current PFC mode remain powered down.
- You must reboot to use a switching module equipped with a DFC that imposes a more restricted PFC mode than the current PFC mode.
- Enter the show platform hardware pfc mode command to display the PFC mode.
- FIB TCAM exception may be thrown in case of a route churn where TCAM utilization is more than 80% of the total utilization. This limitation is applicable to DFC TCAM on XL line cards. If FIB TCAM exception is thrown for a transit route for IPv4 or IPv6 or MPLS traffic, the route does not get installed in FIB and connectivity gets affected. This can result in elevated CPU usage due to software switching.
Policy Feature Card 3CXL
Note Use VS-F6K-PFC3CXL= to upgrade a VS-S720-10G-3C with a PFC3CXL. See this publication for more information:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_16220.html
Policy Feature Card 3BXL
Note Use WS-F6K-PFC3BXL= to upgrade a WS-SUP720 or WS-SUP720-3B with a PFC3BXL. WS-F6K-PFC3BXL= includes 1 GB memory upgrades for the Supervisor Engine 720 and the MSFC3. See this publication for more information:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_16220.html
Policy Feature Card 3B
Note Use WS-F6K-PFC3B= to upgrade a WS-SUP720 with a PFC3B. See this publication for more information:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_16220.html
Distributed Forwarding Cards Supported with Supervisor Engine 720
- Distributed Forwarding Card 3CXL
- Distributed Forwarding Card 3C
- Distributed Forwarding Card 3BXL
- Distributed Forwarding Card 3B
Note See the “Policy Feature Cards Supported with Supervisor Engine 2T” section for Policy Feature Cards (PFC) and Distributed Forwarding Card (DFC) restrictions.
Distributed Forwarding Card 3CXL
Note ● WS-F6700-DFC3CXL uses memory that is installed on the switching module.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_15893.html
- Requires switching module ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6143.html
Distributed Forwarding Card 3C
Note ● WS-F6700-DFC3C uses memory that is installed on the switching module.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_15893.html
- Requires switching module ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6143.html
Distributed Forwarding Card 3BXL
Note ● Not supported in virtual switch mode.
- WS-F6700-DFC3BXL uses memory that is installed on the switching module.
- See this publication for information about WS-F6700-DFC3BXL upgrades:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_15893.html
- Requires switching module ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6143.html
Note ● Not supported in virtual switch mode.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_12409.html
- Supervisor Engine 720 supports a WS-F6K-DFC3BXL on these WS-X6516-GBIC switching module hardware revisions:
- Requires DFC ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6010.html
- Supervisor Engine 720 does not support a DFC3 on WS-X6516-GBIC switching module hardware revisions 5.0 through 5.4. With a Supervisor Engine 720 and with a DFC3 installed, WS-X6516-GBIC switching module hardware revisions 5.0 through 5.4 do not power up.
- With a Supervisor Engine 720 but without a DFC3, WS-X6516-GBIC switching module hardware revisions 5.0 through 5.4 operate in bus mode.
- See external field notice 24494 for more information about Supervisor Engine 720 and a DFC3 on WS-X6516-GBIC switching modules:
http://www.cisco.com/c/en/us/support/docs/field-notices/200/fn24494.html
Distributed Forwarding Card 3B
Note ● Not supported in virtual switch mode.
- WS-F6700-DFC3B uses memory that is installed on the switching module.
- See this publication for information about WS-F6700-DFC3B upgrades:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_15893.html
- Requires switching module ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6143.html
Note ● Not supported in virtual switch mode.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_12409.html
- Requires DFC ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6010.html
- Supervisor Engine 720 supports a WS-F6K-DFC3B on these WS-X6516-GBIC switching module hardware revisions:
- Supervisor Engine 720 does not support a DFC3 on WS-X6516-GBIC switching module hardware revisions 5.0 through 5.4. With a Supervisor Engine 720 and with a DFC3 installed, WS-X6516-GBIC switching module hardware revisions 5.0 through 5.4 do not power up.
- With a Supervisor Engine 720 but without a DFC3, WS-X6516-GBIC switching module hardware revisions 5.0 through 5.4 operate in bus mode.
- See external field notice 24494 for more information about Supervisor Engine 720 and a DFC3 on WS-X6516-GBIC switching modules:
http://www.cisco.com/c/en/us/support/docs/field-notices/200/fn24494.html
WS-X6904-40G-2T 4-Port 40-Gigabit Ethernet Switching Module
- WS-X6904-40G-2T and WS-X6904-40G-2TXL are the orderable product IDs.
- The front panel is labeled WS-X6904-40G.
- Cisco IOS software commands display WS-X6904-40G with either WS-F6K-DFC4-E or WS-F6K-DFC4-EXL.
- Has hardware abstraction layer (HAL) support.
- QoS port architecture (Rx/Tx): 1p7q4t or 2p6q4t/1p7q4t or 2p6q4t
- Dual switch-fabric connections:
– Fabric Channel #1: Ports 1 and 2 or 5 through 12
– Fabric Channel #2: Ports 3 and 4 or 13 through 20
- Number of ports: 4 or 16
Number of port groups: 2
Port per port group:
–Ports 1 and 2 or 5 through 12
–Ports 3 and 4 or 13 through 20 - dCEF2T.
- In a 3-slot chassis, supported only with WS-C6503-E hardware revision 1.3 or higher.
- Upgrade to Release15.0(1)SY1 or later before installing WS-X6904-40G (see the “EFSU Compatibility” section).
- Each bay can support a CFP transceiver (supports one 40 Gigabit Ethernet port) or a FourX adapter (supports four 10 Gigabit Ethernet SFP+ transceivers).
- WS-X6904-40G supported modes (default mode is oversubscribed):
– 40 Gigabit Ethernet oversubscribed mode:
—Four 40 Gigabit Ethernet ports
—Ports 1 through 4
– 10 Gigabit Ethernet oversubscribed mode:
—Sixteen 10 Gigabit Ethernet ports
—Ports 5 through 20
– Mixed 10/40 Gigabit Ethernet oversubscribed mode:
–Either two 40 Gigabit Ethernet ports (1 and 2)
–Or eight 10 Gigabit Ethernet ports (5 through 12)
–Either two 40 Gigabit Ethernet ports (3 and 4)
–Or eight 10 Gigabit Ethernet ports (13 through 20)
—Configurable per module or per bay:
—Supported in the top left bay and top right bay.
–40 Gigabit Ethernet port 1 (top left bay) and port 3 (top right bay)
–10 Gigabit Ethernet ports 5 through 9 (top left bay) and ports 13 through 16 (top right bay)
–Top left bay: 40 Gigabit Ethernet port 1 or 10 Gigabit Ethernet ports 5 through 9
Top right bay: 40 Gigabit Ethernet port 3 or 10 Gigabit Ethernet ports 13 through 16
– 40 Gigabit Ethernet performance mode, 10 Gigabit Ethernet oversubscribed mode:
—Either of these combinations:
–Top left bay: 40 Gigabit Ethernet port 1
Right bays: eight 10 Gigabit Ethernet ports (13 through 20)
–Left bays: eight 10 Gigabit Ethernet ports (5 through 13)
Top right bay: 40 Gigabit Ethernet port 3
– 40 Gigabit Ethernet oversubscribed mode, 10 Gigabit Ethernet performance mode:
—Either of these combinations:
–Top left bay: four 10 Gigabit Ethernet ports (5 through 9)
Right bays: two 40 Gigabit Ethernet ports (3 and 4)
–Left bays: two 40 Gigabit Ethernet ports (1 and 2)
Top right bay: four 10 Gigabit Ethernet ports (13 through 16)
40 Gigabit Ethernet on Cisco Catalyst 6500 Series Switches: How It Works
40 Gigabit Ethernet Interface Module for Cisco Catalyst 6500 Series Switches Data Sheet
10-Gigabit Ethernet Switching Modules
- WS-X6908-10GE 8-Port 10-Gigabit Ethernet X2 Switching Module
- WS-X6816-10T-2T, WS-X6716-10T 16-Port 10-Gigabit Ethernet Copper Switching Module
- WS-X6816-10G-2T, WS-X6716-10G 16-Port 10-Gigabit Ethernet X2 Switching Module
- WS-X6708-10GE 8-port 10-Gigabit Ethernet X2 Switching Module
- WS-X6704-10GE 4-Port 10-Gigabit Ethernet XENPAK Switching Module
WS-X6908-10GE 8-Port 10-Gigabit Ethernet X2 Switching Module
| 8-port 10-Gigabit Ethernet X2 module |
||
- Not supported with Supervisor Engine 720 or Supervisor Engine 720-10GE.
- WS-X6908-10G and WS-X6908-10G-XL are the orderable product IDs.
- The front panel is labeled WS-X6908-10GE.
- Cisco IOS software commands display WS-X6908-10GE with either WS-F6K-DFC4-E or WS-F6K-DFC4-EXL.
- dCEF2T
- QoS port architecture (Rx/Tx): 8q4t/1p7q4t
- Dual switch-fabric connections
Fabric Channel #1: Ports 2, 3, 6, 8
Fabric Channel #2: Ports 1, 4, 5, 7 - Number of ports: 8
Number of port groups: 8
Port ranges per port group: 1 port in each group - In a 3-slot chassis, supported only with WS-C6503-E hardware revision 1.3 or higher.
WS-X6816-10T-2T, WS-X6716-10T 16-Port 10-Gigabit Ethernet Copper Switching Module
- The front panel is labeled WS-X6716-10T.
- Cisco IOS software commands display WS-X6716-10T with any DFC.
- dCEF720
- QoS port architecture (Rx/Tx):
– Oversubscription mode : 1p7q2t/1p7q4t
– Performance mode: 8q4t/1p7q4t
- Dual switch-fabric connections
Fabric Channel #1: ports 1–8
Fabric Channel #2: ports 9–16 - Number of ports: 16
Number of port groups: 4
Port ranges per port group: 1–4, 5–8, 9–12, 13–16 - When not configured in oversubscription mode, supported in virtual switch links.
- To configure port oversubscription, use the hw-module slot command.
WS-X6816-10G-2T, WS-X6716-10G 16-Port 10-Gigabit Ethernet X2 Switching Module
| 16-port 10-Gigabit Ethernet X2 module |
||
- The front panel is labeled WS-X6716-10GE.
- Cisco IOS software commands display WS-X6716-10GE with any DFC.
- dCEF720
- QoS port architecture (Rx/Tx):
– Oversubscription mode : 1p7q2t/1p7q4t
– Performance mode: 8q4t/1p7q4t
- Dual switch-fabric connections
Fabric Channel #1: ports 1–8
Fabric Channel #2: ports 9–16 - Number of ports: 16
Number of port groups: 4
Port ranges per port group: 1–4, 5–8, 9–12, 13–16 - When not configured in oversubscription mode, supported in virtual switch links.
- To configure port oversubscription, use the hw-module slot command.
- With Supervisor Engine 720-10GE or Supervisor Engine 720 in a 13-slot chassis, supported only in slots 9 through 13 and does not power up in other slots.
WS-X6708-10GE 8-port 10-Gigabit Ethernet X2 Switching Module
| 8-port 10-Gigabit Ethernet X2 module |
||
- WS-X6708-10G-3C and WS-X6708-10G-3CXL are the orderable product IDs.
- The front panel is labeled WS-X6708-10GE.
- Cisco IOS software commands display WS-X6708-10GE with either WS-F6700-DFC3C or WS-F6700-DFC3CXL.
- dCEF720
- Supports egress multicast replication
- QoS port architecture (Rx/Tx):
– Oversubscription mode : 1p7q2t/1p7q4t
– Performance mode: 8q4t/1p7q4t
– Both modes support DSCP-based queueing
- Dual switch-fabric connections
Fabric Channel #1: Ports 2, 3, 6, 8
Fabric Channel #2: Ports 1, 4, 5, 7 - Number of ports: 8
Number of port groups: 8
Port ranges per port group: 1 port in each group - To configure WS-X6708-10GE port oversubscription, use the hw-module oversubscription command.
- WS-X6708-10GE ports do not support VACL capture. ( CSCsb59015)
- In a 13-slot chassis, supported only in slots 9 through 13 and does not power up in other slots.
WS-X6704-10GE 4-Port 10-Gigabit Ethernet XENPAK Switching Module
| 4-port 10-Gigabit Ethernet XENPAK |
||
– With Supervisor Engine 2T-10GE:
– With Supervisor Engine 720 or Supervisor Engine 720-10GE:
• WS-F6700-DFC3BXL (not supported in virtual switch mode)
• WS-F6700-DFC3B (not supported in virtual switch mode)
– With any supervisor engine, WS-F6700-CFC
- dCEF720 with a DFC or CEF720 with a WS-F6700-CFC.
- Requires 512-MB DRAM with a WS-F6700-CFC ( CSCtk82279). See this publication:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_12409.html
- QoS port architecture (Rx/Tx): 8q8t/1p7q8t
- Dual switch-fabric connections:
Fabric Channel #1: Ports 3 and 4
Fabric Channel #2: Ports 1 and 2 - Number of ports: 4
Number of port groups: 4
Port ranges per port group: 1 port in each group - WS-X6704-10G is the orderable product ID.
- The front panel is labeled WS-X6704-10GE.
- Cisco IOS software commands display WS-X6704-10GE with any DFC.
- On WS-X6704-10GE ports, STP BPDUs are not exempt from Traffic Storm Control multicast suppression. Do not configure multicast suppression on STP-protected WS-X6704-10GE ports that interconnect network devices. ( CSCsg86315)
- With Supervisor Engine 720-10GE or Supervisor Engine 720 in a 13-slot chassis, supported only in slots 9 through 13 and does not power up in other slots.
WS-X6502-10GE 1-port 10-Gigabit Ethernet Switching Module
- Not supported in virtual switch mode.
- dCEF256 with a DFC
- QoS port architecture (Rx/Tx): 1p1q8t/1p2q1t
- Number of ports: 1
Number of port groups: 1
Port ranges per port group: 1 port in 1 group - Use with a DFC requires DFC ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6010.html
Cisco Catalyst 6880-X Series Extensible Fixed Aggregation Switches
16 10-Gigabit (SFP+)/1-Gigabit ports (SFP), four port card slots, two power supply slots. It supports standard FIB/ACL/NetFlow tables. |
||
16 10-Gigabit (SFP+)/1-Gigabit ports (SFP), four port card slots, two power supply slots. It supports large FIB/ACL/NetFlow tables. |
||
|
C6880-X-LE-16P10G
1
|
Multi rate port card with standard tables. This module has 16 10-Gigabit or 1-Gigabit module slots which support 1-Gigabit SFPs or 10-Gigabit SFP+ modules. Supported only on the Catalyst 6880-X-LE switch model. |
|
Multi rate port card with XL tables. This module has 16 10-Gigabit or 1-Gigabit module slots which support 1-Gigabit SFPs or 10-Gigabit SFP+s modules. Supported only on the Catalyst 6880-X switch model. |
||
| Note See these publications for more information: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6880-x-switch/data_sheet_c78-728228.html http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6880-x-switch/white_paper_c11-728540.html http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6880-x-switch/white_paper_c11-728541.html http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T.html |
||
Cisco Catalyst 6807-XL Modular Switch
| The switch supports redundant power supply modules (AC-input), redundant supervisor engines, fan-tray, power supply convertor modules, clock modules, and voltage termination enhanced (VTT-E) modules |
||
| Note See these publications for more information: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6807-xl-switch/data_sheet_c78-728229.html http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6807-xl-switch/white_paper_c11-728264.html http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T.html |
||
Instant Access Catalyst 6800ia Series Switches
| 48-port 10/100/1000 RJ-45 PoE-capable Ethernet |
||
48-port 10/100/1000 RJ-45 PoE-capable Ethernet |
||
| Note See these publications for more information: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6800ia-switch/data_sheet_c78-728230.html http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6800ia-switch/white_paper_c11-728265.html http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/instant_access.html http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6800ia/hardware/installation/guide/b_c6800ia_hig.html |
||
Gigabit Ethernet Switching Modules
- WS-X6848-SFP-2T, WS-X6748-SFP 48-Port Gigabit Ethernet SFP Switching Module
- WS-X6824-SFP-2T, WS-X6724-SFP 24-Port Gigabit Ethernet SFP Switching Module
- WS-X6816-GBIC 16-port Gigabit Ethernet GBIC Switching Module
- WS-X6516A-GBIC 16-Port Gigabit Ethernet GBIC Switching Module
- WS-X6416-GBIC 16-port Gigabit Ethernet GBIC Switching Module
- WS-X6408A-GBIC 8-port Gigabit Ethernet GBIC Switching Module
- WS-X6408-GBIC 8-port Gigabit Ethernet GBIC Switching Module
WS-X6848-SFP-2T, WS-X6748-SFP 48-Port Gigabit Ethernet SFP Switching Module
| 48-port Gigabit Ethernet SFP |
||
|
WS-X6748-SFP
(with WS-F6700-DFC3CXL , WS-F6700-DFC3C , WS-F6700-DFC3BXL (not supported in virtual switch mode) WS-F6700-DFC3B (not supported in virtual switch mode) or WS-F6700-CFC ) |
||
- dCEF720 with a DFC or CEF720 with a WS-F6700-CFC.
- QoS architecture: 2q8t/1p3q8t
- Dual switch-fabric connections
Fabric Channel #1: Ports 2, 4, 6, 8, 10, 12,
14, 16, 18, 20, 22, 24, 26, 28, 30, 32, 34,
36, 38, 40, 42, 44, 46, 48
Fabric Channel #2: Ports 1, 3, 5, 7, 9, 11,
13, 15, 17, 19, 21, 23, 25, 27, 29, 31, 33,
35, 37, 39, 41, 43, 45, 47 - Number of ports: 48
Number of port groups: 4
Port ranges per port group:
1, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23
2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24
25, 27, 29, 31, 33, 35, 37, 39, 41, 43, 45, 47
26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48 - On WS-X6848-SFP-2T and WS-X6748-SFP ports, STP BPDUs are not exempt from Traffic Storm Control multicast suppression. Do not configure multicast suppression on STP-protected WS-X6848-SFP-2T or WS-X6748-SFP ports that interconnect network devices.
- With Supervisor Engine 720-10GE or Supervisor Engine 720 in a 13-slot chassis, supported only in slots 9 through 13 and does not power up in other slots.
WS-X6824-SFP-2T, WS-X6724-SFP 24-Port Gigabit Ethernet SFP Switching Module
| 24-port Gigabit Mbps Ethernet SFP |
||
|
WS-X6724-SFP
(with WS-F6700-DFC3CXL , WS-F6700-DFC3C , WS-F6700-DFC3BXL (not supported in virtual switch mode) WS-F6700-DFC3B (not supported in virtual switch mode) or WS-F6700-CFC ) |
||
- dCEF720 with a DFC or CEF720 with a WS-F6700-CFC.
- QoS architecture: 2q8t/1p3q8t
- Number of ports: 24
Number of port groups: 2
Port ranges per port group: 1–12, 13–24 - On WS-X6824-SFP-2T and WS-X6724-SFP ports, STP BPDUs are not exempt from Traffic Storm Control multicast suppression. Do not configure multicast suppression on STP-protected WS-X6824-SFP-2T or WS-X6724-SFP ports that interconnect network devices.
WS-X6816-GBIC 16-port Gigabit Ethernet GBIC Switching Module
- dCEF256
- QoS port architecture (Rx/Tx): 1p1q4t / 1p2q2t
- Dual switch-fabric connections
Fabric Channel #1: Ports 1–8
Fabric Channel #2: Ports 9–16 - Number of ports: 16
Number of port groups: 2
Port ranges per port group: 1–8, 9–16 - WS-X6816-GBIC requires one of these:
- Requires DFC ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6010.html
- In a 13-slot chassis, supported only in slots 9 through 13 and does not power up in other slots.
WS-X6516A-GBIC 16-Port Gigabit Ethernet GBIC Switching Module
- dCEF256 with a DFC
- CEF256
- Supports egress multicast replication
- QoS port architecture (Rx/Tx): 1p1q4t / 1p2q2t
- Number of ports: 16
Number of port groups: 2
Port ranges per port group: 1–8, 9–16 - Requires DFC ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6010.html
WS-X6516-GBIC 16-Port Gigabit Ethernet GBIC Switching Module
- dCEF256 with a DFC
- CEF256
- QoS port architecture (Rx/Tx): 1p1q4t / 1p2q2t
- Number of ports: 16
Number of port groups: 2
Port ranges per port group: 1–8, 9–16 - Requires DFC ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6010.html
- Supervisor Engine 720 does not support a DFC3 on WS-X6516-GBIC hardware revisions 5.0 through 5.4. With a Supervisor Engine 720 and with a DFC3 installed, WS-X6516-GBIC hardware revisions 5.0 through 5.4 do not power up.
- With a Supervisor Engine 720 but without a DFC3, WS-X6516-GBIC hardware revisions 5.0 through 5.4 operate in bus mode.
- See external field notice 24494 for more information:
http://www.cisco.com/c/en/us/support/docs/field-notices/200/fn24494.html
10/100/1000 Ethernet Switching Modules
These sections descibe the supported 10/100/1000 Ethernet switching modules:
WS-X6848-TX-2T, WS-X6748-GE-TX
- dCEF720 with a DFC or CEF720 with a WS-F6700-CFC.
- WS-X6704-10GE requires one of the following:
– With Supervisor Engine 2T-10GE:
– With Supervisor Engine 720 or Supervisor Engine 720-10GE:
• WS-F6700-DFC3BXL (not supported in virtual switch mode)
• WS-F6700-DFC3B (not supported in virtual switch mode)
– With any supervisor engine, WS-F6700-CFC
- QoS architecture: 2q8t/1p3q8t
- Dual switch-fabric connections
Fabric Channel #1: Ports 25–48
Fabric Channel #2: Ports 1–24 - Number of ports: 48
Number of port groups: 4
Port ranges per port group: 1–12, 13–24, 25–36, 37–48 - On WS-X6848-TX-2T and WS-X6748-GE-TX ports, STP BPDUs are not exempt from Traffic Storm Control multicast suppression. Do not configure multicast suppression on STP-protected WS-X6848-TX-2T or WS-X6748-GE-TX ports that interconnect network devices.
- With Supervisor Engine 720-10GE or Supervisor Engine 720 in a 13-slot chassis, WS-X6748-GE-TX is supported only in slots 9 through 13 and does not power up in other slots.
WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF
- Supports more than 1 Gbps of traffic per EtherChannel on the WS-X6548-GE-TX (and voice-power daughtercard equipped) switching modules.
- WS-X6548-GE-TX (and voice-power daughtercard equipped) switching modules do not support these features:
- WS-X6548V-GE-TX has WS-F6K-VPWR-GE
- WS-X6548-GE-45AF has WS-F6K-GE48-AF or WS-F6K-48-AF
- With WS-F6K-GE48-AF, supports up to 45 ports of ePoE (16.8W).
- QoS port architecture (Rx/Tx): 1q2t/1p2q2t
- Number of ports: 48
Number of port groups: 2
Port ranges per port group: 1–24, 25–48 - The aggregate bandwidth of each set of 8 ports (1–8, 9–16, 17–24, 25–32, 33–40, and 41–48) is 1 Gbps.
WS-X6148E-GE-45AT
- RJ-45
- WS-X6148E-GE-45AT with WS-F6K-48-AT supports up to 48 ports of Class 4 PoE+ (30.0W).
- QoS port architecture (Rx/Tx): 1q2t/1p3q8t
- Number of ports: 48
Number of port groups: 6
Port ranges per port group: 1–8, 9–16, 17–24, 25–32, 33–40, 41–48 - The aggregate bandwidth of each set of 8 ports (1–8, 9–16, 17–24, 25–32, 33–40, and 41–48) is 1 Gbps.
- WS-X6148E-GE-45AT does not support traffic storm control
WS-X6148A-GE-TX, WS-X6148A-GE-45AF
- RJ-45
- WS-X6148A-GE-TX supports WS-F6K-GE48-AF or WS-F6K-48-AF
- WS-X6148A-GE-45AF has WS-F6K-GE48-AF or WS-F6K-48-AF
- With WS-F6K-GE48-AF, supports up to 45 ports of ePoE (16.8W).
- QoS port architecture (Rx/Tx): 1q2t/1p3q8t
- Number of ports: 48
Number of port groups: 6
Port ranges per port group: 1–8, 9–16, 17–24, 25–32, 33–40, 41–48 - The aggregate bandwidth of each port group is 1 Gbps.
- Does not support traffic storm control.
WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6148-GE-45AF
- WS-X6148V-GE-TX has WS-F6K-VPWR-GE
- WS-X6148-GE-45AF has WS-F6K-GE48-AF or WS-F6K-48-AF
- With WS-F6K-GE48-AF, supports up to 45 ports of ePoE (16.8W).
- QoS port architecture (Rx/Tx): 1q2t/1p2q2t
- Number of ports: 48
Number of port groups: 2
Port ranges per port group: 1–24, 25–48 - The aggregate bandwidth of each port group is 1 Gbps.
- WS-X6148-GE-TX, WS-X6148V-GE-TX, and WS-X6148-GE-45AF do not support these features:
WS-X6148-FE-SFP
- Requires Fast Ethernet SFPs
- QoS port architecture (Rx/Tx): 1p1q4t/1p3q8t
- Number of ports: 48
Number of port groups: 3
Port ranges per port group: 1–16, 17–32, and 33–48 - Does not support traffic storm control.
WS-X6148X2-RJ-45, WS-X6148X2-45AF
- QoS port architecture (Rx/Tx): 1p1q0t/1p3q1t
- WS-X6148X2-RJ-45 supports WS-F6K-FE48X2-AF
- WS-X6148X2-45AF has WS-F6K-FE48X2-AF
WS-X6196-RJ-21, WS-X6196-21AF
- Upgrade to Release15.0(1)SY1 or later before installing WS-X6196-21AF (see the “EFSU Compatibility” section).
- QoS port architecture (Rx/Tx): 1p1q0t/1p3q1t
- WS-X6196-RJ-21 supports WS-F6K-FE48X2-AF
- WS-X6196-21AF has WS-F6K-FE48X2-AF
WS-X6348-RJ-45, WS-X6348-RJ-45V
- Not supported in VSS mode.
- QoS port architecture (Rx/Tx): 1q4t / 2q2t
- WS-X6348-RJ-45 supports WS-F6K-VPWR
- WS-X6348-RJ-45V has WS-F6K-VPWR
- Number of ports: 48
Number of port groups: 4
Port ranges per port group: 1–12, 13–24, 25–36, 37–48
WS-X6348-RJ-21V
- Not supported in VSS mode.
- QoS port architecture (Rx/Tx): 1q4t / 2q2t
- Has WS-F6K-VPWR
- Number of ports: 48
Number of port groups: 4
Port ranges per port group: 1–12, 13–24, 25–36, 37–48
WS-X6148A-RJ-45, WS-X6148A-45AF
- QoS port architecture (Rx/Tx): 1p1q4t/1p3q8t
- WS-X6148A-RJ-45 supports WS-F6K-GE48-AF or WS-F6K-48-AF
- WS-X6148A-45AF has WS-F6K-GE48-AF or WS-F6K-48-AF
- Number of ports: 48
Number of port groups: 6
Port ranges per port group: 1–8, 9–16, 17–24, 25–32, 33–40, 41–48
WS-X6148-RJ-45, WS-X6148-RJ45V, WS-X6148-45AF
- QoS port architecture (Rx/Tx): 1q4t / 2q2t
- WS-X6148-RJ-45 supports WS-F6K-VPWR
- WS-X6148-RJ-45V has WS-F6K-VPWR
- WS-X6148-45AF has WS-F6K-48-AF
- Number of ports: 48
Number of port groups: 4
Port ranges per port group: 1–12, 13–24, 25–36, 37–48
WS-X6148-RJ-21, WS-X6148-RJ21V, WS-X6148-21AF
- QoS port architecture (Rx/Tx): 1q4t / 2q2t
- WS-X6148-RJ-21 supports WS-F6K-VPWR
- WS-X6148-RJ-21V has WS-F6K-VPWR
- WS-X6148-21AF has WS-F6K-48-AF
- Number of ports: 48
Number of port groups: 4
Port ranges per port group: 1–12, 13–24, 25–36, 37–48
WS-F6K-GE48-AF, WS-F6K-48-AF
– WS-X6148-RJ-45 or WS-X6148-RJ-45V (replace with WS-X6148-45AF-UG=).
– WS-X6148-RJ-21 or WS-X6148-RJ-21V (replace with WS-X6148-21AF-UG=).
WS-F6K-VPWR-GE
| Prestandard PoE daughtercard for WS-X6548-GE-TX and WS-X6148-GE-TX |
||
CFP Modules
FourX coverter to convert each 40GE port into 4 10GE SFP+ ports |
X2 Modules
Note ● WS-X6716-10G and WS-X6708-10GE do not support X2 modules that are labeled with a number that ends with -01. (This restriction does not apply to X2-10GB-LRM.)
- All X2 modules shipped since WS-X6716-10G became available provide EMI compliance with WS-X6816-10G and WS-X6716-10G.
- Some X2 modules shipped before WS-X6716-10G became available might not provide EMI compliance with WS-X6816-10G and WS-X6716-10G. See the information listed for each type of X2 module in the following table.
- For information about X2 modules, see the Cisco 10GBASE X2 Modules data sheet:
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/10-gigabit-modules/product_data_sheet0900aecd801f92aa.html
| 10G X2 to SFP+ Converter |
|||
| 10GBASE-ER Serial 1550-nm extended-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF) Note X2-10GB-ER modules labeled with a number that ends with -02 do not provide EMI compliance with WS-X6716-10G. |
|||
| 10GBASE-LR Serial 1310-nm long-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF) Note X2-10GB-LR modules labeled with a number that ends with -02 or -03 do not provide EMI compliance with WS-X6716-10G. |
|||
| 10GBASE-LX4 Serial 1310-nm multimode (MMF) http://www.cisco.com/c/en/us/support/docs/field-notices/misc/FN62840.html
|
|||
XENPAKs
Note ● For information about DWDM XENPAKs, see the Cisco 10GBase DWDM XENPAK Modules data sheet:
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/dwdm-transceiver-modules/product_data_sheet0900aecd801f9333.html
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/catalyst-6500-series-supervisor-engine-720/product_data_sheet09186a008007cd00.html
10GBASE dense wavelength-division multiplexing (DWDM) 100-GHz ITU grid |
||
10GBASE-ER Serial 1550-nm extended-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF) Note XENPAK-10GB-ER units with Part No. 800-24557-01 are not supported, as described in this external field notice (CSCee47030): http://www.cisco.com/c/en/us/support/docs/field-notices/200/fn29736.html |
||
10GBASE-ER Serial 1550-nm extended-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF) |
||
10GBASE-LR Serial 1310-nm long-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF) |
||
10GBASE-LR Serial 1310-nm long-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF) |
||
10GBASE-LW XENPAK Module with WAN PHY for SMF Note XENPAK-10GB-LW operates at an interface speed compatible with SONET/SDH OC-192/STM-64. XENPAK-10GB-LW links might go up and down if the data rate exceeds 9Gbs. (CSCsi58211) |
||
Gigabit Ethernet SFPs
Note ● For information about coarse wavelength-division multiplexing (CWDM) SFPs, see the Cisco CWDM GBIC and SFP Solutions data sheet:
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/cwdm-transceiver-modules/product_data_sheet09186a00801a557c.html
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/dwdm-transceiver-modules/product_data_sheet0900aecd80582763.html
- See the “Unsupported Hardware” section for information about unsupported DWDM-SFPs.
- For information about other SFPs, see the Cisco SFP Optics For Gigabit Ethernet Applications data sheet:
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/gigabit-ethernet-gbic-sfp-modules/product_data_sheet0900aecd8033f885.html
Fast Ethernet SFPs
Note ● The CAT6000-VS-S720-10G/MSFC3 and WS-X6148-FE-SFP supports Fast Ethernet SFPs.
- For information about Fast Ethernet SFPs, see the Cisco 100BASE-X SFP For Fast Ethernet SFP Ports data sheet:
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/fast-ethernet-sfp-modules/product_data_sheet0900aecd801f931c.html
Gigabit Interface Converters (GBICs)
Note The support listed in this section applies to all modules that use GBICs.
Service Modules
Note ● For service modules that run their own software, see the service module software release notes for information about the minimum required service module software version.
- With SPAN configured to include a port-channel interface to support a service module, be aware of CSCth03423 and CSCsx46323.
- EtherChannel configuration can impact some service modules. In particular, distributed EtherChannels (DECs) can interfere with service module traffic. See this field notice for more information:
http://www.cisco.com/c/en/us/support/docs/field-notices/610/fn61935.html
Application Control Engine (ACE) Module
|
http://www.cisco.com/c/en/us/support/interfaces-modules/ace-application-control-engine-module/tsd-products-support-model-home.html See the ACE module software release notes for information about the minimum required service module software version. |
||
ASA Services Module
http://www.cisco.com/c/en/us/support/interfaces-modules/catalyst-6500-series-7600-series-asa-services-module/tsd-products-support-model-home.html See the module software release notes for information about the minimum required service module software version. |
||
Firewall Services Module (FWSM)
http://www.cisco.com/c/en/us/support/interfaces-modules/catalyst-6500-series-firewall-services-module/tsd-products-support-model-home.html See the WS-SVC-FWM-1-K9 software release notes for information about the minimum required WS-SVC-FWM-1-K9 software version. |
||
Intrusion Detection System Modules (IDSMs)
|
http://www.cisco.com/c/en/us/support/interfaces-modules/catalyst-6500-series-intrusion-detection-system-idsm-2-services-module/tsd-products-support-model-home.html See the IDSM software release notes for information about the minimum required IDSM software version. |
||
Network Analysis Modules (NAMs)
| Network Analysis Module 3 |
||
– – See the software release notes for information about the minimum required NAM software version. |
||
Wireless Services Modules (WiSMs)
| Wireless services modules run their own software—See these publications: http://www.cisco.com/c/en/us/support/interfaces-modules/services-modules/products-release-notes-list.html See the wireless services modules software release notes for information about the minimum required wireless services module software version. |
||
All Other Power Supplies
Note The power supplies in this section are not supported in these chassis:
Chassis
Note Chassis with 64 MAC addresses automatically enable the Extended System ID feature, which is enabled with the spanning-tree extend system-id command. You cannot disable the extended-system ID in chassis that support 64 MAC addresses. The Extended System ID feature might already be enabled in your network, because it is required to support both extended-range VLANs and any chassis with 64 MAC addresses. Enabling the extended system ID feature for the first time updates the bridge IDs of all active STP instances, which might change the spanning tree topology.
13-Slot Chassis
Note With Supervisor Engine 2T-10GE, the slot reserved for a redundant supervisor engine can be populated with one of these modules:
- WS-X6148E-GE-45AT
- WS-X6148A-GE-TX, WS-X6148A-GE-45AF
- WS-X6148-FE-SFP
- WS-X6148A-RJ-45, WS-X6148A-45AF
- WS-X6196-RJ-21, WS-X6196-21AF
9-Slot Chassis
|
– – Note Chassis with 64 MAC addresses automatically enable the Extended System ID feature, which is enabled with the spanning-tree extend system-id command. You cannot disable the extended-system ID in chassis that support 64 MAC addresses. The Extended System ID feature might already be enabled in your network, because it is required to support both extended-range VLANs and any chassis with 64 MAC addresses. Enabling the extended system ID feature for the first time updates the bridge IDs of all active STP instances, which might change the spanning tree topology. |
||
6-Slot Chassis
|
– – Note Chassis with 64 MAC addresses automatically enable the Extended System ID feature, which is enabled with the spanning-tree extend system-id command. You cannot disable the extended-system ID in chassis that support 64 MAC addresses. The Extended System ID feature might already be enabled in your network, because it is required to support both extended-range VLANs and any chassis with 64 MAC addresses. Enabling the extended system ID feature for the first time updates the bridge IDs of all active STP instances, which might change the spanning tree topology. |
||
3-Slot Chassis
|
||
Unsupported Hardware
Release 15.1SY supports only the hardware listed in the “Supported Hardware” section. Unsupported modules remain powered down if detected and do not affect system behavior.
Release 12.2SX supported these modules, which are not supported in Release 15.1SY:
- Supervisor Engine 32 (CAT6000-SUP32/MSFC2A)
- ME 6500 Series Ethernet Switches (ME6524)
- Policy Feature Card 3A and Distributed Forwarding Card 3A
- 76-ES+XT-4TG3CXL, 76-ES+XT-4TG3C
- 76-ES+XT-2TG3CXL, 76-ES+XT-2TG3C
- 7600-ES+4TG3CXL, 7600-ES+4TG3C
- 7600-ES+2TG3CXL, 7600-ES+2TG3C
- Shared Port Adapter (SPA) Interface Processors (SIPs) and Shared Port Adapters (SPAs)
- Services SPA Carrier (SSC) and Services SPAs
- Enhanced FlexWAN Module
- Anomaly Guard Module(AGM)
- Traffic Anomaly Detector Module (ADM)
- Communication Media Module (CMM)
- Content Switching Module (CSM)
- Content Switching Module with SSL (CSM-S)
- Secure Sockets Layer (SSL) Services Module
Images and Feature Sets
Use Cisco Feature Navigator to display information about the images and feature sets in Release 15.1SY.
The releases includes strong encryption images. Strong encryption images are subject to U.S. and local country export, import, and use laws. The country and class of end users eligible to receive and use Cisco encryption solutions are limited. See this publication for more information:
http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_compliance.html
Universal Boot Loader Image
The Universal Boot Loader (UBL) image is a minimal network-aware image that can download and install a Cisco IOS image from a running active supervisor engine in the same chassis. When newly installed as a standby supervisor engine in a redundant configuration, a supervisor engine running the UBL image automatically attempts to copy the image of the running active supervisor engine in the same chassis.
EFSU Compatibility
SX SY EFSU Compatibility Matrix (XLSX - Opens with Microsoft Excel)
Cisco IOS Behavior Changes
Behavior changes describe the minor modifications that are sometimes introduced in a software release. When behavior changes are introduced, existing documentation is updated.
Release 15.1(2)SY16
- CSCvi48253 : Self-signed certificates expire on 00:00 1 Jan 2020 UTC, can't be created after that time
- CSCvq66030 : Cisco IOS and Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability
Release 15.1(2)SY8
- CSCuh97087 (Transport Input)
In previous Cisco IOS release versions, the default was the " transport input all" command and device allows all transport protocols and accepts the incoming network connections to tty lines by default. But Based on the CSDL's product Security Baseline Requirement (SEC-MGT-DEFT-2) transport input has been changed to NONE from ALL through CSCuh97087 and documented.
Now we must configure an incoming transport {protocol | all } command before the line will accept incoming connections, Otherwise default is NONE and cisco devices cannot accept the connections to tty lines.
Old behavior: transport input all
New behavior (After fix): transport input none
It has already documented and the command is available in this location.
http://www.cisco.com/c/en/us/td/docs/ios/termserv/command/reference/tsv_book/tsv_s1.html#pgfId-1069219 - CSCuu55288 (Mechanism to throttle NDE export)
Default behavior will be same.
Command flow hardware export priority low reduces the process priority from Critical to medium and because of this command flow export time may vary based on the CPU usage in the system. - CSCva39982 (IPv6 neighbor discovery packet processing behavior)
Before fix: To rate limit the ipv6 icmp nd type 13-137 packets, there is classmap in the default policy-map, which gets programmed on control plane
sh policy-map policy-default-autocopp | b ndv6
Class class-copp-match-ndv6
police rate 1000 pps, burst 1000 packets
conform-action set-discard-class-transmit 48
exceed-action drop
so for both valid ipv6 icmp nd type 13-137 packets (i.e with hop-limit 255) and invalid packets (with hop-limit < 255), there is single policy. So this allows attacker to send a crafted IPv6 ND packet that will cause dropping of valid CPU-bound ipv6 icmp nd traffic.
Fix: Added a class-map above "class-copp-match-ndv6" named as
class-copp-match-ndv6hl as follows
FM-NAT#sh policy-map policy-default-autocopp | b ndv6
police rate 10 pps, burst 1 packets
police rate 1000 pps, burst 1000 packets
conform-action set-discard-class-transmit 48
exceed-action drop
so that all ipv6 icmp nd type 133-137 packets having invalid hop-limit (!=255) will be dropped in hardware.
For this class-map to be effective, following points has to be considered:
– This new class-map doesn't get applied on reload only, as auto-copp gets saved in the start-up config, and on reload the saved policy reappears.
– to apply the policy-map with new class-map, user has to remove the default control plane policy using no policy-map policy-default-autocopp, the new class-map for policy-default-autocopp appears upon reload.
– In config-mode a cli is available no platform qos auto-copp, which when applied, removes the policy-map policy-default-autocopp
– and when platform qos auto-copp applied, regenerates the policy-map policy-default-autocopp along with new class-map "class-copp-match-ndv6hl" and add service-policy to control-plane.
- CSCub46031 (knob to turn off auto-copp)
This enhancement deals with following CLI creation : no platform qos auto-copp.
Initial Issue: If the user wishes to remove the default control plane policy using no policy-map
policy-default-autocopp, the same config for policy-default-autocopp reappears upon reload.
Fix/Enhancement: New CLI has been introduced in config mode : no platform qos auto-copp. Suppose the user issuesthis command prior to or after issuing no policy-map policy-default-autocopp, the config for policy-map policy-default-autocopp doesnt reappear after reload and thereby fixing the issue.
Also, if the user wants to reconfigure the policy-default-autocopp configs, they can issue platform qos auto-copp command which will immediately regenerate the config and add the service-policy to control plane if there was no policy there in the first place. In the case there was another policy
on the control plane, while the policy map will be regenerated it wont be attached to control-plane. - CSCva69133 : cli changes needed for fix in CSCva39982
Release 15.1(2)SY7
Old behavior: Running the CLI command “ show platform fex-debug status ” is no longer supported.
New behavior: Use the new CLI command “ show fex <fex-id> ” instead.
Additional Information: http://tools.cisco.com/bugsearch/bug/CSCux45230
Release 15.1(1)SY2
Old behavior: The RADIUS server does not have Point-to-Point Tunneling Protocol (PPTP) tunnel-specific information because the tunnel-client endpoint and tunnel-server endpoint attributes are missing in the access-request packets sent to the RADIUS server.
New behavior: The following commands are introduced to identify the hostname or address of the network access server (NAS) at the initiator and server end of the Point-to-Point Tunneling Protocol (PPTP) tunnel by sending the Tunnel-Client-Endpoint attribute and the Tunnel-Server-Endpoint attribute in access-request packets to the RADIUS server.
– radius-server attribute 66 include-in-access-req
– radius-server attribute 67 include-in-access-req
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/m1/sec-m1-cr-book/sec-cr-r1.html
New Features in Release 15.1(2)SY16
These sections describe the new features in Release 15.1(2)SY16, 20February 2020:
New Features in Release 15.1(2)SY15
These sections describe the new features in Release 15.1(2)SY15, 20 August 2019:
New Features in Release 15.1(2)SY14
These sections describe the new features in Release 15.1(2)SY14, 14 February 2019:
New Features in Release 15.1(2)SY13
These sections describe the new features in Release 15.1(2)SY13, 6 September 2018:
New Features in Release 15.1(2)SY12
These sections describe the new features in Release 15.1(2)SY12, 30April 2018:
New Features in Release 15.1(2)SY11
These sections describe the new features in Release 15.1(2)SY11, 27 July 2017:
New Features in Release 15.1(2)SY10
These sections describe the new features in Release 15.1(2)SY10, 24 Feb 2017:
New Features in Release 15.1(2)SY9
These sections describe the new features in Release 15.1(2)SY9, 14 Oct 2016:
New Features in Release 15.1(2)SY8
These sections describe the new features in Release 15.1(2)SY8, 01 Sept 2016:
New Features in Release 15.1(2)SY7
These sections describe the new features in Release 15.1(2)SY7, 16 Mar 2016:
New Features in Release 15.1(1)SY6
These sections describe the new features in Release 15.1(1)SY6, 12 Nov 2015:
New Features in Release 15.1(2)SY6
These sections describe the new features in Release 15.1(2)SY6, 19 Sept 2015:
New Features in Release 15.1(2)SY5
These sections describe the new features in Release 15.1(2)SY5, 21 May 2015:
New Features in Release 15.1(1)SY5
These sections describe the new features in Release 15.1(1)SY5, 27 Mar 2015:
New Features in Release 15.1(2)SY4
These sections describe the new features in Release 15.1(2)SY4, 08 Nov 2014:
New Features in Release 15.1(1)SY4
These sections describe the new features in Release 15.1(1)SY4, 10 Oct 2014:
New Features in Release 15.1(2)SY3
These sections describe the new features in Release 15.1(2)SY3, 23 Jun 2014:
New Hardware Features in Release 15.1(2)SY3
- Catalyst C6800IA-48FPDR Instant Access client with dual power supplies.
- WS-SVC-ASA-SM1-K7 ASA Services Module.
- SFP-10G-ZR support on WS-X6904-40G-2T—See this publication:
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/transceiver-modules/data_sheet_c78-455693.html
New Features in Release 15.1(2)SY2
These sections describe the new features in Release 15.1(2)SY, 03 Mar 2014:
New Hardware Features in Release 15.1(2)SY2
- C6880-X-LE-16P10G port card support on the Cisco Catalyst 6880-X switch—See the “Cisco Catalyst 6880-X Series Extensible Fixed Aggregation Switches” section
- C6880-X-16P10G port card support on Cisco Catalyst 6880-X switch—See “Cisco Catalyst 6880-X Series Extensible Fixed Aggregation Switches” section
New Software Features in Release 15.1(2)SY2
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/instant_access.html
On Cisco Catalyst 6880-X switch, in performance mode, the disabled ports in 15.1(2)SY1 are ports 3-4, 7-8, 11-12 and 15-16, while the disabled ports in 15.1(2)SY2 are ports 5-8 and 13-16. Before you upgrade to 15.1(2)SY2, reconfigure to the available open ports (1-4 and 9-12) to prevent an outage.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup2T/virtual_switching_systems.html#VSS_Quad-Sup_SSO_(VS4O)
New Features in Release 15.1(2)SY1
These sections describe the new features in Release 15.1(2)SY1, 09 Dec 2013:
New Features in Release 15.1(2)SY
These sections describe the new features in Release 15.1(2)SY, 07 Sep 2013:
New Hardware Features in Release 15.1(2)SY
- Instant Access Catalyst 6800ia Series Switches —See this publication:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/instant_access.html
- DWDM SFP10G Support on WS-X6904-40G-2T —See this publication:
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/dwdm-transceiver-modules/data_sheet_c78-711186.html
New Software Features in Release 15.1(2)SY
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-mt/irg-15-mt-book/irg-prefix-export.html
- EIGRP IPv6 Graceful Restart (GR)—The EIGRP IPv6 Graceful Restart (GR) feature is enabled by default in EIGRP IPv6 configurations. GR is a way to rebuild forwarding information in routing protocols and resets router’s control plane without impacting (global) routing.
- Granular enablement of CTS SGACL at interface level—See this publication:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/cts_sgacl_int.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/instant_access.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/15-sy/imc-pim-15-sy-book/imc_basic_ipv6.html
- ISIS Features in IP services—The IP services image supports ISIS features.
- ISIS MTR for multicast address family only—See this publication:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mtr/configuration/15-sy/mtr-15-sy-book/isis-mtr-multicast-address-family.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/instant_access.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mdata/configuration/15-sy/mdata-15sy-book/metadata-framework.html
http://www.cisco.com/c/en/us/td/docs/ios/media_monitoring/configuration/guide/15_1m_and_t/mm_15_1m_and_t/mm_mediatrace.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_serv/configuration/15-sy/imc-serv-15-sy-book/Multicast_only_Fast_Re-Route.html
http://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/mvpn.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/iro-sup-vrf.html
http://www.cisco.com/c/en/us/td/docs/wireless/asr_901/mib/reference/asr_mib.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/iro-ospfv3-nsr.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/media_monitoring/configuration/15-sy/mm-15-sy-book/mm-pasv-mon.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/15-sy/dns-15-sy-book/dns-15-sy-book_chapter_0100.html
New Features in Release 15.1(1)SY3
These sections describe the new features in Release 15.1(1)SY3, 21 Mar 2014:
New Features in Release 15.1(1)SY2
These sections describe the new features in Release 15.1(1)SY2, 04 Oct 2013:
New Features in Release 15.1(1)SY1
These sections describe the new features in Release 15.1(1)SY1, 03 May 2013:
New Hardware Features in Release 15.1(1)SY1
– GLC-LH-SMD 1G SFP
– GLC-SX-MMD 1G SFP
– GLC-T 1G SFP
- Supervisor Engine 2T support with the 7606-S chassis
New Software Features in Release 15.1(1)SY1
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-sy/dhcp-15-sy-book/ip6-dhcp-rel-agent.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/qos_class_mark_police.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/denial_of_service.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/denial_of_service.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/15-sy/imc-pim-15-sy-book/imc_hsrp_aware.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/15-sy/snmp-15-sy-book/nm-snmp-vpn-context.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/15-sy/irl-15-sy-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/15-sy/irl-15-sy-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/media_monitoring/configuration/15-sy/mm-15-sy-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/media_monitoring/configuration/15-sy/mm-15-sy-book/mm-mediatrace.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_te_path_setup/configuration/15-sy/mp-te-path-setup-15-sy-book/mp-te-path-setup-15-sy-book_chapter_01100.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/release_notes.html#New_Software_Features_in_Release_15.1(1)SY1
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/appc_cat6k.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/command_sum.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/15-sy/iap-15-sy-book.html
http://www.cisco.com/c/en/us/td/docs/ios/15_0sy/system/messages/15sysmg.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/vpls.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup2T/virtual_switching_systems.html#VSS_Quad-Sup_SSO_(VS4O)
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/virtual_switching_systems.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/15-sy/iap-15-sy-book/iap-wccp.html
New Features in Release 15.1(1)SY
These sections describe the new features in Release 15.1(1)SY, 15 Oct 2012:
New Hardware Features in Release 15.1(1)SY
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/release_notes.html#10_GE_SFP+_Modules
New Software Features in Release 15.1(1)SY
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-domain-stripping.html
- Add support for the 61XX linecards in the 6513-E standby sup’s slot with sup2T—See this publication.
- Auto Interleaved Port priority for LACP—See this publication:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/etherchannel.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/etherchannel.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/irb-bi-fwd-det.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/irb-bi-fwd-det.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/ip6-route-bfd-encaps.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/irb-bi-fwd-det.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/irb-bi-fwd-det.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-remove-as.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-event-vpn-import.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-neighbor-policy.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-neighbor-soo.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-bgp-mp-pic.html
http://www.cisco.com/c/en/us/td/docs/ios/iproute_bgp/configuration/guide/12_2sr/irg_12_2sr_book/irg_event_vpn_import.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-rt-filter.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-consistency-check.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/callhome.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/callhome.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/saf/configuration/15-sy/saf-15-sy-book/saf-capman.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-rad-coa.html
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-cfg-authentifcn.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch_cef/configuration/15-sy/isw-cef-15-sy-book/isw-cef-snmp-mib.html
http://www.cisco.com/c/en/us/td/docs/ios/ipswitch/configuration/guide/12_4/isw_12_4_book/cef_snmp_mib.html
http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/configuration/guide/Convert/IOS_Shell/nm_ios_shell.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/sec-cts-id-port-map.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/ident-conn_config.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/sec-cts-ndac.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/ident-conn_config.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/cts-subnet-sgt-map.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/ident-conn_config.html
http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/convert/sec_data_urpf_15_1_book/sec_urpf_mib.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/dot1x_port_based_authentication.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/dot1x_port_based_authentication.html
- Configurable System Controller Reset Threshold—With a redundant supervisor engine, if a TM_DATA_PARITY_ERROR, TM_LINK_ERR_INBAND, or TM_NPP_PARITY_ERROR error occurs, the affected supervisor engine reloads.
Without a redundant supervisor engine, if a TM_DATA_PARITY_ERROR, TM_LINK_ERR_INBAND, or TM_NPP_PARITY_ERROR error occurs, one of the following happens:
– If the system controller reset threshold has not been reached, reset the system controller ASIC.
– If the system controller reset threshold has been reached, reload the supervisor engine.
The default system controller reset threshold value is 1, configurable with the platform system-controller reset-threshold threshold_value command. The value range is 1 through 100.
TM_DATA_PARITY_ERROR, TM_LINK_ERR_INBAND, and TM_NPP_PARITY_ERROR errors cause system messages.
– Before the threshold is reached, the errors cause the following system messages:
%SYSTEM_CONTROLLER-<>-THRESHOLD
%SYSTEM_CONTROLLER-<>-ERROR
%SYSTEM_CONTROLLER-<>-MISTRAL_RESET
– After the threshold is reached, the errors cause the following system messages:
%SYSTEM_CONTROLLER-<>-ERROR
%SYSTEM_CONTROLLER-<>-FATAL
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/configuration/15-sy/ce-15-sy-book/ce-cfm-ieee-y1731.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/commands/additional_commands/cmds1.html
Note This feature is enabled by default.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/control_plane_policing_copp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_basic/configuration/15-sy/mp-basic-15-sy-book/mp-ip-aware-mpls-netflow.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/command/ce-cr-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/command/ce-cr-book/ce-e1.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-sy/dhcp-15-sy-book/dhcp-prt-bsd-aa.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-sy/dhcp-15-sy-book/dhcp-relay-svr-option-82.html
http://www.cisco.com/c/en/us/td/docs/ios/iproute_eigrp/configuration/guide/12_2sr/ire_12_2sr_book/ire_cfg_eigrp.html
http://www.cisco.com/c/en/us/td/docs/ios/iproute_eigrp/configuration/guide/12_2sr/ire_12_2sr_book/ire_mib.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-sy/ire-15-sy-book/ire-wid-met.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-sy/ire-15-sy-book/ire-sha-256.html
http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/configuration/guide/12_2sx/nm_12_2sx_book/nm_eem_overview.html
http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/configuration/guide/12_2sx/nm_12_2sx_book/nm_eem_policy_cli.html
http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/configuration/guide/12_2sx/nm_12_2sx_book/nm_eem_policy_tcl.html
http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/configuration/guide/nm_eem_3-2.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/eem/configuration/15-mt/eem-15-mt-book/eem-overview.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/energywise/phase2_5/ios/configuration/guide/2_5ewise.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/energywise/phase2/ios/release/notes/OL19810.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/15-sy/evn-15-sy-book/evn-confg.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/15-sy/evn-15-sy-book/evn-overview.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/15-sy/evn-15-sy-book/evn-confg.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/15-sy/evn-15-sy-book/evn-overview.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/15-sy/evn-15-sy-book/evn-shared-svcs.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/flexlinks.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/flexlinks.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/15-sy/fnf-15-sy-book/cfg-ipv6-brg.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_nman/configuration/15-sy/ip6n-15-sy-book/ip6-tftp-supp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/command/ce-cr-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/command/ce-cr-book/ce-e1.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_lsm/configuration/15-sy/imc-lsm-15-sy-book/imc_ha_mldp.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/qos_policy_based_queueing.html
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-cfg-authentifcn.html
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a3.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_igmp/configuration/15-sy/imc-igmp-15-sy-book/imc_igmpv3_hoststack.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_basic/configuration/15-sy/mp-basic-15-sy-book/mp-ip-aware-mpls-netflow.html
- IP Multicast Load Splitting - Equal Cost Multipath (ECMP) using S, G and Next-hop—See this publication:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_optim/configuration/15-sy/imc-optim-15-sy-book/imc_load_splt_ecmp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-sy/sla-15-sy-book/sla_lsp_mon_autodisc.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-sy/sla-15-sy-book/sla_tcp_conn.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-sy/sla-15-sy-book/sla_ftp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-sy/sla-15-sy-book/sla_dns.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-sy/sla-15-sy-book/sla_http.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/15-sy/ir-15-sy-book/ir-impl-tun.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_rip/command/irr-cr-book/irr-cr-rip.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_rip/configuration/15-sy/bsm-15-sy-book/irr-cfg-info-prot.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_nman/configuration/15-sy/ip6n-15-sy-book/ip6-emb-mgmt.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_nman/configuration/15-sy/ip6n-15-sy-book/ip6-emb-mgmt.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/15-sy/ip6b-15-sy-book/ip6-nd-cache.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_nman/configuration/15-sy/ip6n-15-sy-book/ip6-emb-mgmt.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-sy/sec-data-acl-15-sy-book/ip6-sec-acl-ext.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/15-sy/imc-pim-15-sy-book/imc_basic_ipv6.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-sy/ip6-dev-track.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/15-sy/ip6b-15-sy-book/ip6-neighb-disc.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-sy/ip6-nd-inspect.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/15-sy/iri-15-sy-book/ip6-pbr.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-sy/ip6f-15-sy-book/ip6-ra-guard.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-auth-ipsec.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-sy/sec-sec-for-vpns-w-ipsec-15-sy-book/sec-cfg-vpn-ipsec.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup2T/vlan_acls.html#IPV6_VACL_(Vlan_Access_Control_List)
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup720/vlan_acls.html#IPV6_VACL_(Vlan_Access_Control_List)
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/ip6-mbgp-nsf-gr-rest.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_ldp/configuration/15-sy/mp-ldp-15-sy-book/mp-ldp-igp-synch.html
- ISIS BFD TLV—The IS-IS Bidirectional Forwarding Detection (BFD) Tag Length Value (TLV) feature provides a faster method to detect a loss of an IS-IS adjacency. Before, when an IS-IS adjacency reached the UP state (and therefore could be used for forwarding), a BFD session needed to be established with that neighbor. Now, a BFD session is maintained as long as the hello holddown timer for the neighbor does not expire, which is new for BFD TLV. The BFD session is only deleted if the neighbor hello times out. If BFD signals to IS-IS that a session has gone DOWN, the adjacency associated with that session will transition to DOWN state. Once the BFD session goes back UP, the adjacency state can transition back to an UP state.
For a given IS-IS topology, IS-IS determines if BFD is usable for a given neighbor on that topology. BFD is not usable when BFD is enabled on both sides and the BFD session is down. When there are multiple BFD sessions enabled for different address families, such as IPv4 and IPv6, if BFD is not usable for any address family, then BFD is consider not usable for the entire adjacency on that topology. For example, if both IPv4 and IPv6 BFD are enabled for single topology, if either the IPv4 BFD session is down or IPv6 BFD session is down, the neighbor state will be set to DOWN state. If BFD is not enabled for a given address family, then BFD is considered usable for that address family.
For single topology mode, the neighbor state is down when either the IPv4 or IPv6 BFD session is not BFD usable, that is, if BFD is enabled on both sides and the BFD session is DOWN. If BFD is not enabled on either side, BFD will be set to TRUE. For multi-topology mode, IS-IS adjacency will be in UP state as long as any topology is UP. However, the neighbor for the topology where BFD is consider not usable is considered down for that specific topology. For example, if both IPv4 and IPv6 BFD are enabled, and the IPv4 session is DOWN and IPv6 session is UP, then the IS-IS adjacency is still UP. In this case, the IPv4 neighbor is considered DOWN and ipv6 neighbor is considered UP.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/xe-3s/irb-xe-3s-book/irb-bfd-isis-cbit.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/ip6-bfd-isis-client.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mtr/configuration/15-sy/mtr-15-sy-book/isis-mtr-multicast-address-family.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_isis/configuration/15-sy/irs-15-sy-book/irs-instance-vrf.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_resil/configuration/15-sy/imc-resil-15-sy-book/imc_high_availability.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_ha/configuration/15-sy/mp-ha-15-sy-book/mp-6vpe-6pe-issu-sso.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l2_vpns/configuration/15-sy/mp-l2-vpns-15-sy-book/mp-l2vpn-adv-vpls.html
- LACP 1:1 hotstandby dampening—See this publication:
- Linecards not supported in 15.1(1)SY—See this publication:
- LLDP Inline Power Negotiation for PoE+—See this publication:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/power_over_ethernet.html+
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/power_over_ethernet.html+
- LLDP IPv6 address support—The release support IPv6 Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (MED) addresses.
- Mac Move and Replace—See this publication:
- Manually configured IPv6 in IPv4 with IPSec—The Manually Configured IPv6 in IPv4 with IPsec feature complies with U.S. Government IPv6 (USGv6) guidelines by supporting the following IPsec features:
– IPv6 Support for IPsec and IKEv2. For more information about this feature, see the “Configuring Internet Key Exchange Version 2 (IKEv2) and FlexVPN Site-to-Site” module and the “Configuring Security for VPNs with IPsec” module at the following links:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-sy/sec-flex-vpn-15-sy-book/sec-cfg-ikev2-flex.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-sy/sec-sec-for-vpns-w-ipsec-15-sy-book/sec-cfg-vpn-ipsec.html
– OSPF for IPv6 (OSPFv3) Authentication Support with IPsec. For more information about this feature, see the “IPv6 Routing: OSPF for IPv6 Authentication Support with IPsec” module at the following link:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-auth-ipsec.html
– Call Home version 2 enhancements.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mdata/configuration/15-sy/mdata-15sy-book/metadata-framework.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_lsm/configuration/15-sy/imc-lsm-15-sy-book/ip6-mcast-mld-limits.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_lsm/configuration/15-sy/imc-lsm-15-sy-book/imc_mldp_filter.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_lsm/configuration/15-sy/imc-lsm-15-sy-book/imc_mldp-based_mvpn.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_ldp/configuration/15-sy/mp-ldp-15-sy-book/mp-ldp-igp-synch.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l2_vpns/configuration/15-sy/mp-l2-vpns-15-sy-book/vpls-o-gre.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l2_vpns/configuration/15-sy/mp-l2-vpns-15-sy-book/mp-pw-status.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_te_path_protect/configuration/15-sy/mp-te-path-protect-15-sy-book/mp-te-bfd-frr.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_te_path_protect/configuration/15-sy/mp-te-path-protect-15-sy-book/mp-te-path-prot.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/15-sy/imc-pim-15-sy-book/imc_mtr.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mtr/configuration/15-sy/mtr-15-sy-book/isis-mtr-multicast-address-family.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/commands/additional_commands.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_serv/configuration/15-sy/imc-serv-15-sy-book/imc_service_reflect.html
- MVPN - Data MDT Enhancements—Multicast distribution tree (MDT) groups were selected at random when the traffic passed the threshold and there was a limit of 255 MDTs before they were reused. The MVPN - Data MDT Enhancements feature provides the ability to deterministically map the groups from inside the VPN routing and forwarding (S,G) entry to particular data MDT groups, through an access control list (ACL).
The user can now map a set of VPN routing and forwarding (S,G) to a data MDT group in one of the following ways:
– 1:1 mapping (1 permit in ACL)
– Many to 1 mapping (many permits in ACL)
– Many to many mapping (multiple permits in ACL and a nonzero mask data MDT)
Because the total number of configurable data MDTs is 1024, the user can use this maximum number of mappings in any of the described combinations.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-sy/nat-15-sy-book/iadnat-mpls-vpn.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/dot1x_port_based_authentication.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/dot1x_port_based_authentication.html
http://www.cisco.com/c/en/us/td/docs/ios/netflow/command/reference/nf_book/nf_01.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/netflow.html
- NHRP Reformation move to IP Services—The Next Hop Resolution Protocol (NHRP) is supported in the IP Services image.
- No Service Password-Recovery 15.1SY—See this publication:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-sy/sec-usr-cfg-15-sy-book/sec-no-svc-pw-recvry.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_resil/configuration/15-sy/imc-resil-15-sy-book/imc_high_availability.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/configuration/15-sy/bsm-15-sy-book/bsm-ntpv4-mib.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/configuration/15-sy/bsm-15-sy-book/bsm-time-calendar-set.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/configuration/15-sy/bsm-15-sy-book/ip6-ntpv4.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/iro-nsr-ospf.html
- OSPF for Routed Access—The OSPF for Routed Access feature allows users to extend layer 3 routing capabilities to the access or Wiring Closet. OSPF for Routed Access supports only one OSPFv2 and one OSPFv3 instance with a maximum number of 200 dynamically learned routes permitted.
With the typical hub and spoke topology in a campus environment, the Wiring Closets (spokes) are connected to the distribution switch (Hub) forwarding all non-local traffic to the distribution layer. There is no requirement to hold a complete routing table at the Wireless Closet switches. In best practices designs, the distribution switch sends a default route to the Wiring Closet switch for reaching inter- area and external routes (OSPF Stub area configuration). The OSPF for Routed Access feature supporst this type of topology.
The IP base image supports OSPF for Routed Access. The Enterprise services image continues to be required if multiple OSPFv2 and OSPFv3 instances with no route restrictions are required. Additionally, Enterprise Services is required to enable the VRF-lite feature.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/iro-ttl.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/iro-ttl.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-add-fam.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/ip6-route-bfd-ospfv3.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-fastcon.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-gr-rest.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-esp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/command/iro-cr-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-parse-improve.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-aaa-comm-criteria-pwd.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/configuration/15-sy/ce-15-sy-book/ce-per-port-loc-config.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/15-sy/imc-pim-15-sy-book/imc_monitor_maint.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/15-sy/imc-pim-15-sy-book/imc_basic_ipv6.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup2T/power_over_ethernet.html#PoE_Plus_(PoE+,_PoEP)_support
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup720/power_over_ethernet.html#PoE_Plus_(PoE+,_PoEP)_support
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/port_security.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/port_security.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-sy/sec-usr-cfg-15-sy-book/sec-cfg-sec-4cli.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/ip6-aaa-support.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-per-vrf-aaa.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/15-sy/sec-usr-rad-15-sy-book/sec-cfg-radius.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_rsvp/configuration/15-sy/qos-rsvp-15-sy-book/config-rsvp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/saf/configuration/15-sy/saf-15-sy-book/saf-dyn-neigh.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/Cisco_IOS_Configuration_Fundamentals_Command_Reference.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-sy/sec-usr-ssh-15-sy-book/sec-usr-ssh-sec-shell.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-sy/sec-usr-ssh-15-sy-book/sec-secure-shell-v2.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-sy/sec-usr-ssh-15-sy-book/sec-secure-shell-v2.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_ha/configuration/15-sy/mp-ha-15-sy-book/mp-6vpe-6pe-issu-sso.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/ip6-bfd-static.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/traffic_storm_control.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/traffic_storm_control.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/command/ce-cr-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/command/ce-cr-book/ce-e1.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/ip6-tacacs.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_nman/configuration/15-sy/ip6n-15-sy-book/ip6-tftp-supp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/sec-cts-id-port-map.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/sec-cts-sg-download.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/iro-ttl-sec-ospfv3.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l2_vpns/configuration/15-sy/mp-l2-vpns-15-sy-book/vpls-auto-bgp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l2_vpns/configuration/15-sy/mp-l2-vpns-15-sy-book/vpls-o-gre.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/configuration/15-sy/bsm-15-sy-book/bsm-time-calendar-set.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/esm/configuration/15-sy/esm-15-sy-book/esm-vrf.html
http://www.cisco.com/c/en/us/td/docs/ios/ipv6/command/reference/ipv6_book/ipv6_09.html
http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/command/reference/nm_book/nm_09.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/Cisco_IOS_Configuration_Fundamentals_Command_Reference.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_arp/configuration/15-sy/arp-15-sy-book/arp-vrfaware-arp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-sy/fhp-15-sy-book/fhrp-vrrpv3.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/15-sy/iap-15-sy-book/iap-wccp-cfg-rtr-id.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/15-sy/iap-15-sy-book/iap-wccp-ftimers.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/wsma/configuration/15-sy/wsma-15-sy-book/wsma.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/wsma/configuration/15-sy/wsma-15-sy-book/wsma-tls.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/wsma/configuration/15-sy/wsma-15-sy-book/wsma.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/xmlpi/configuration/15-sy/xml-pi-15-sy-book/xml-pi.html
Software Features from Earlier Releases
Use Cisco Feature Navigator to display supported features that were introduced in earlier releases.
Unsupported Commands
Cisco IOS images for the Supervisor Engine 2T do not support mls commands or mls as a keyword. See this document for a list of some of the mls commands that have been replaced:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/replacement_commands.html
Note Some of the replacement commands support different keyword and parameter values than those supported by the Release 12.2SX commands.
Cisco IOS images for the Supervisor Engine 2T do not support these commands:
Unsupported Features
Note The IPsec Network Security feature (configured with the crypto ipsec command) is supported in software only for administrative connections to Catalyst 6500 series switches.
These features are not supported in Release 15.1SY:
- WAN features
- Performance Routing (PfR)
- OER Border Router Only Functionality
- Flexible NetFlow on Supervisor Engine 720-10GE and Supervisor Engine 720
- IOS Server Load Balancing (SLB)
Note Release 15.1SY supports server load balancing (SLB) as implemented on the Application Control Engine (ACE) module (ACE30-MOD-K9).
- AppleTalk
- Cisco Group Management Protocol (CGMP)
- Distance Vector Multicast Routing Protocol (DVMRP)
- Dynamic creation of L2 entries for Multicast source-only traffic
- IDS Copy
Note Release 15.1SY supports the SPAN and VACL redirect features, which have equivalent functionality.
Note Release 15.1SY supports IEEE 802.1Q trunking.
– Internetwork Packet Exchange (IPX)
– NetWare Link-Services Protocol (NLSP)
– Service Advertising Protocol (SAP)
– IPX Access Control List Violation Logging
– IPX Access List Plain English Filters
– IPX Encapsulation for 802.10 VLAN
– IPX Multilayer Switching (IPX MLS)
- Network Based Application Recognition (NBAR)
- Per-VLAN Spanning Tree (PVST) mode (spanning-tree mode pvst global configuration mode command) on Supervisor Engine 2T
Note Release 15.1SY supports these spanning tree protocols:
—Rapid Spanning Tree Protocol (RSTP):
• spanning-tree mode rapid-pvst global configuration mode command
• Enabled by default
—Multiple Spanning Tree Protocol (MSTP):
• spanning-tree mode mst global configuration mode command
• Can be enabled
Note Release 15.1SY supports the Firewall Services Module (WS-SVC-FWM-1-K9).
Restrictions
Caveats in Release 15.1SY
- Open Caveats in Release 15.1(2)SY
- Open Caveats in Release 15.1(1)SY
- Caveats Resolved in Release 15.1(2)SY16
- Caveats Resolved in Release 15.1(2)SY15
- Caveats Resolved in Release 15.1(2)SY14
- Caveats Resolved in Release 15.1(2)SY13
- Caveats Resolved in Release 15.1(2)SY12
- Caveats Resolved in Release 15.1(2)SY11
- Caveats Resolved in Release 15.1(2)SY10
- Caveats Resolved in Release 15.1(2)SY9
- Caveats Resolved in Release 15.1(2)SY8
- Caveats Resolved in Release 15.1(2)SY7
- Caveats Resolved in Release 15.1(1)SY6
- Caveats Resolved in Release 15.1(2)SY6
- Caveats Resolved in Release 15.1(2)SY5
- Caveats Resolved in Release 15.1(1)SY5
- Caveats Resolved in Release 15.1(2)SY4a
- Caveats Resolved in Release 15.1(2)SY4
- Caveats Resolved in Release 15.1(1)SY4
- Caveats Resolved in Release 15.1(2)SY3
- Caveats Resolved in Release 15.1(2)SY2
- Caveats Resolved in Release 15.1(2)SY1
- Caveats Resolved in Release 15.1(2)SY
- Caveats Resolved in Release 15.1(1)SY3
- Caveats Resolved in Release 15.1(1)SY2
- Caveats Resolved in Release 15.1(1)SY1
- Caveats Resolved in Release 15.1(1)SY
Open Caveats in Release 15.1(2)SY
Open Caveats in Release 15.1(1)SY
Caveats Resolved in Release 15.1(2)SY16
Caveats Resolved in Release 15.1(2)SY14
Caveats Resolved in Release 15.1(2)SY12
Caveats Resolved in Release 15.1(2)SY10
Caveats Resolved in Release 15.1(2)SY8
Caveats Resolved in Release 15.1(2)SY7
Caveats Resolved in Release 15.1(1)SY6
Symptom: An error similar to the following may be observed in the syslogs of a Cisco IOS device:
*May 4 13:40:46.760: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error, -PC= :200CD000+1502CF4 -Traceback= 1#e06f72c62c6bef347348f23bdccc4b7f :200CD000+30D51C0 :200CD000+30D5588 :200CD000+3103724 :200CD000+6F2FD4C :200CD000+1502CF4 :200CD000+15033E0 :200CD000+446FF08 :200CD000+446E0B0 :200CD000+443DA40 :200CD000+442D158 :200CD000+445C0F8
No functional impact is observed.
Conditions: This is currently believed to affect all released versions of IOS code which support the CISCO-ENTITY-EXT-MIB. This may occur when polling the ceExtSysBootImageList object in CISCO-ENTITY-EXT-MIB. This object returns a semicolon-separated list of boot statements on the device, similar to the following:
CISCO-ENTITY-EXT-MIB::ceExtSysBootImageList.5000 = STRING: "flash bootflash:cat4500e-universalk9.SPA.03.04.05.SG.151-2.SG5.bin;flash bootflash:cat4500e-universalk9.SPA.03.04.02.SG.151-2.SG2.bin"
The DATACORRUPTION error will occur under a specific corner case, where the total length of one or more complete boot variables (counted starting after the 'boot system' token) is less than 255 bytes, BUT when semicolons are added (one per boot statement) meets or exceeds this number.
Consider the following example:
boot system bootflash:this_is_a_128_character_long_boot_statement_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
boot system bootflash:this_is_a_125_character_long_boot_statement_yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
128 + 125 + 2 semicolons = 255 characters (bytes)
If another boot statement is added after this, the DATACORRUPTION error will be seen and the SNMP query will return invalid data.
Workaround: Reduce the quantity/length of configured boot variables.
Further Problem Description: This is not known to have any functional impact outside of the (potentially alarming) error message. The error will only be printed once, but subsequent occurrences of this condition can be seen via the 'show data-corruption' command.
Symptom: The HTTPS client only offer till SSLv3.0 which is vulnerable to poodle attack.
Conditions: Any Application is using HTTPS client with SSL3.0
Workaround: Disable app which use HTTPS client.
Further Problem Description: After fixing Poodle (CSCur23656) in the ssl component, this fix in the http component is required too. After the fix, TLS 1.0 will be used. After this fix HTTPS client will only offer TSL1.0.
Symptom: 7200 router crash during multiple session validations.
Conditions: When two certificate validations in progress, 7200 platform is crashing.
Further Problem Description: This defect more visible on 7200 platform than any other platform. This is not only limited to GetVPN configuration, but also with any configurations like IKEv2.
Symptom: Router may become unresponsive. Memory is all used up and no longer available for other processes. Router may eventually reload on its own OR would need to be reloaded manually, to restore services.
Conditions: Normal operations.
Workaround: Track Used memory and when it approaches 70-80% utilization levels, please schedule a reload.
Further Problem Description: Output of show process mem sorted will show signs of increase in Used. Memory held by processes Chunk Manager and CCSIP_TLS_SOCKET will show corresponding increase. show mem all totals will show increase for List Headers
Symptom: A vulnerability in the IPv6 snooping feature from the first-hop security features in Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to insufficient Control Plane Protection (CPPr) against specific IPv6 ND packets. An attacker could exploit this vulnerability by sending a flood of traffic consisting of specific IPv6 ND packets to an affected device where the IPv6 snooping feature is configured.
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-6278 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: A vulnerability in the IPv6 snooping feature from the first-hop security features in Cisco IOS and IOS XE Software could allow an
unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to insufficient validation of IPv6 ND packets that use the Cryptographically Generated Address (CGA) option. An attacker could exploit this vulnerability by sending a malformed packet to an affected device where the IPv6 Snooping feature is enabled. Cisco has released software updates that address these vulnerabilities. There are no workarounds to mitigate these vulnerabilities. This advisory
is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-fhs
Note The September 23, 2015, release of the Cisco IOS and IOS XE Software Security Advisory bundled publication includes three Cisco Security Advisories. All the advisories address vulnerabilities in Cisco IOS Software and Cisco IOS XE Software. Individual publication links are in Cisco
Event Response: September 2015 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep15.html
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-6279 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: This product includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2015-4000, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, CVE-2015-1791, CVE-2014-8176
This bug has been opened to address the potential impact on this product.
Conditions: Following Cisco IOS features may invoke the affected code and might be vulnerable
- SSLVPN feature (for any platform running IOS) ("webvpn gateway")
- SSLVPN feature (for CSR1000V running IOS-XE) ("crypto ssl profile")
- HTTPS client feature ("copy https://......", DynDNS client,...)
- Voice-XML HTTPS client feature
- HTTPS server feature ("ip http secure-server")
- Settlement for Packet Telephony feature
Workaround: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the
time of evaluation are: 7.8/6.4
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: Cisco IOS and IOS-XE include a version of OpenSSL that may be affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3505 - Double Free when processing DTLS packets
CVE-2014-3506 - DTLS memory exhaustion
CVE-2014-3507 - DTLS memory leak from zero-length fragments
CVE-2014-3508 - Information leak in pretty printing functions
CVE-2014-3509 - Race condition in ssl_parse_serverhello_tlsext
CVE-2014-3510 - OpenSSL DTLS anonymous EC(DH) denial of service
CVE-2014-3511 - OpenSSL TLS protocol downgrade attack
CVE-2014-3512 - SRP buffer overrun
CVE-2014-5139 - Crash with SRP ciphersuite in Server Hello message
This bug has been opened to address the potential impact on this product.
Conditions: See published Cisco Security Advisory
Further Problem Description: At this point the investigation is ongoing, this bug will be updated in the future to reflect better the real impact on the product.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: This product includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206
This bug has been opened to address the potential impact on this product.
Conditions: The following Cisco IOS features may invoke the affected code and may be vulnerable:
- SSLVPN feature (for any platform running IOS) ("webvpn gateway")
- SSLVPN feature (for CSR1000V running IOS-XE) ("crypto ssl profile")
- HTTPS client feature ("copy https://......", DynDNS client,...)
- Voice-XML HTTPS client feature
- HTTPS server feature ("ip http secure-server")
- Settlement for Packet Telephony feature
Affected Versions: One of more of these vulnerabilities affect all versions of IOS prior to the versions listed in the Integrated In field of this defect
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 5.0/3.7
http://tools.cisco.com/security/center/cvssCalculator.x?version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: This product includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288
This bug has been opened to address the potential impact on Cisco IOS and IOS-XE products.
Conditions: LIST SPECIFIC VULNERABLE CONFIGURATION INFORMATION. IF DEFAULT CONFIGURATION IS VULNERABLE, USE THE TEXT "Exposure is not configuration dependent."
Following Cisco IOS features may invoke the affected code and might be vulnerable:
- SSLVPN feature (for any platform running IOS) ("webvpn gateway")
- SSLVPN feature (for CSR1000V running IOS-XE) ("crypto ssl profile")
- HTTPS client feature ("copy https://......", DynDNS client,...)
- Voice-XML HTTPS client feature
- HTTPS server feature ("ip http secure-server")
- Settlement for Packet Telephony feature
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 7.1/6.9
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: A vulnerability in the TCL script interpreter of Cisco IOS Software could allow an authenticated, local attacker to escalate its privileges from those of a non-privileged user to a privileged (level 15) user. This would allow a non-privileged user to execute privileged commands
(those under privilege level 15). The vulnerability is due to an error on resetting VTY privileges after running a TCL script. An attacker could exploit this vulnerability by establishing a session to an affected device immediately after a TCL script has been run. An attacker would need to provide valid credentials and successfully pass authentication to the device.
Conditions: This behavior is timing dependent, as the attacker would need to log-in to the device immediately after the TCL script finishes execution.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.6/5.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.
CVE ID CVE-2015-4185 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
A vulnerability in the TCP input module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak and
eventual reload of the affected device. The vulnerability is due to improper handling of certain crafted packet sequences used in establishing a TCP three-way handshake. An attacker could exploit this vulnerability by sending a crafted sequence of TCP packets while establishing a thee-way handshake. A successful exploit could allow the attacker to cause a memory leak and eventual reload of the affected device.
There are no workarounds for this vulnerability.
Cisco has released free software updates that address this vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-tcpleak
Note The March 25, 2015, Cisco IOS Software Security Advisory bundled publication includes seven Cisco Security Advisories. The advisories address vulnerabilities in Cisco IOS Software and Cisco IOS XE Software. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security
Advisory Bundled Publication at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar15.html
Symptom: A 6500 reloads after negotiating an IPSec tunnel with ASR9000.
Conditions: The 6500 needs to run 12.2(33)SXJ8 and the IPsec engine must be a WS-SSC-600 WS-IPSEC-3 combination.This crash does not happen with 7600-SSC-400 IPSEC-2 combination.
Further Problem Description: A vulnerability in the IKE subsystem of Cisco WS-IPSEC-3 service module could allow an authenticated, remote attacker to cause a reload of the Catalyst switch. The vulnerability is due to insufficient bounds checks on a specific message during the establishment of an IPSEC tunnel. An attacker could exploit this vulnerability by successfully establishing an IKE session and sending the offending packet during subsequent negotiations. An exploit could allow the attacker to cause a denial of service by forcibly reloading the switch.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.9/4.9:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:U/RC:C&version=2.0
CVE ID CVE-2015-0771 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Caveats Resolved in Release 15.1(2)SY6
Caveats Resolved in Release 15.1(2)SY5
Caveats Resolved in Release 15.1(1)SY5
Caveats Resolved in Release 15.1(2)SY4
Caveats Resolved in Release 15.1(1)SY4
Caveats Resolved in Release 15.1(2)SY3
- CSCui59540 —Resolved in 15.1(2)SY3
Symptom: A vulnerability in the implementation of the IP version 6 (IPv6) protocol stack in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause I/O memory depletion on an affected device that has IPv6 enabled. The vulnerability is triggered when an affected device processes a malformed IPv6 packet.
Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ipv6
Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication.
Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2014-2113 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Other Resolved Caveats in Release 15.1(2)SY3
Caveats Resolved in Release 15.1(2)SY2
- CSCtz14399 —Resolved in 15.1(2)SY2
Symptom: A vulnerability in TCP stack of Cisco IOS Software could allow an unauthenticated, remote attacker to cause an ACK storm.
The vulnerability is due to improper closing of the established TCP connection. An attacker could exploit this vulnerability by sending a crafted sequence of TCP ACK and FIN packets to an affected device. An exploit could allow the attacker to cause an ACK storm resulting in excessive network utilization and high CPU.
Conditions: Multiple FIN/ACK packets are received.
Workaround: Do clear' tcp tcb 0x......' where the hex value is the address of the TCB stuck in LASTACK state in ’show tcp brief.'
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C CVE ID CVE-2013-5469 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5469
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Other Resolved Caveats in Release 15.1(2)SY2
Caveats Resolved in Release 15.1(2)SY1
Caveats Resolved in Release 15.1(2)SY
- CSCsv74508 —Resolved in 15.1(2)SY
Symptom: If a linecard is reset (either due to an error or a command such as hw-module slot reload) at the precise time an SNMP query is trying to communicate with that linecard, the RP could reset due to a CPU vector 400 error.
Conditions: This symptom occurs when the linecard is reset (either due to error or a command such as hw-module slot reload) at the precise time an SNMP query is received.
Workaround: There is no workaround.
Resolved ios-authproxy Caveats
- CSCtz99447 —Resolved in 15.1(2)SY
Symptom: Local webauth and HTTP services stop responding on the switch.
Conditions: A show processes | inc HTTP Proxy lists many instances of the “HTTP Proxy” service, and these do not disappear.
Workaround: The HTTP Proxy service may experience delay due to an incorrectly terminated HTTP or TCP session. In some cases, increasing the value of ip admission max-login-attempts works around this issue. In others, the stuck “HTTP Proxy” service will again become available after a TCP timeout.
Some browsers and background processes using HTTP transport can create incorrectly terminated HTTP/TCP sessions. If webauth clients are under control, changing web browsers or eliminating background processes that use HTTP transport may eliminate triggers for this issue.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-4658 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtx56174 —Resolved in 15.1(2)SY
Symptoms: Cisco router hangs until a manual power cycle is done. If the scheduler isr-watchdog command is configured, the device will crash and recover instead of hanging until a power cycle is done.
Conditions: This is seen with websense URL filtering enabled and with zone based firewalls.
Workaround: Disable URL-based filtering.
- CSCtw62695 —Resolved in 15.1(2)SY
Symptoms: Packets sent by the Cisco IOS NTP server will have the IP identification field set to zero, behavior which may be flagged as a vulnerability by some security scanners.
Conditions: NTP server configured on Cisco IOS
Workaround: There is no workaround
Further Problem Description: Other UDP-based services on IOS (SNMP and DHCP as two examples) set the IP ID field to a nonzero value. As CVE-2002-0510 was originally reported as a way to identify a device as running a Linux 2.4-based kernel, the actual value of using this as a method to identify the underlying OS is very low.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE ID CVE-2002-0510 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCto87436 —Resolved in 15.1(2)SY
Symptoms: In certain conditions, IOS device can crash, with the following error message printed on the console:
“%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = SSH Proc”
Conditions: In certain conditions, if an SSH connection to the IOS device is slow or idle, it may cause a box to crash with the error message printed on the console.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C CVE ID CVE-2012-5014 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Other Resolved Caveats in Release 15.1(2)SY
Caveats Resolved in Release 15.1(1)SY3
- CSCue95644 —Resolved in 15.1(1)SY3
Symptom: This is the Cisco response to research performed by Mr. Philipp Schmidt and Mr. Jens Steube from the Hashcat Project on the weakness of Type 4 passwords on Cisco IOS and Cisco IOS XE devices. Mr. Schmidt and Mr. Steube reported this issue to the Cisco PSIRT on March 12, 2013.
Cisco would like to thank Mr. Schmidt and Mr. Steube for sharing their research with Cisco and working toward a coordinated disclosure of this issue.
A limited number of Cisco IOS and Cisco IOS XE releases based on the Cisco IOS 15 code base include support for a new algorithm to hash user-provided plaintext passwords. This algorithm is called Type 4, and a password hashed using this algorithm is referred to as a Type 4 password. The Type 4 algorithm was designed to be a stronger alternative to the existing Type 5 and Type 7 algorithms to increase the resiliency of passwords used for the enable secret password and username username secret password commands against brute-force attacks.
This Cisco Security Response is available at http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4
Conditions: See published Cisco Security Response
Workaround: See published Cisco Security Response
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and a Cisco Security Response is available at http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Resolved ios-authproxy Caveats
- CSCtz99447 —Resolved in 15.1(1)SY3
Symptom: Local webauth and HTTP services stop responding on the switch.
Conditions: A show processes | inc HTTP Proxy lists many instances of the “HTTP Proxy” service, and these do not disappear.
Workaround: The HTTP Proxy service may experience delay due to an incorrectly terminated HTTP or TCP session. In some cases, increasing the value of ip admission max-login-attempts works around this issue. In others, the stuck “HTTP Proxy” service will again become available after a TCP timeout.
Some browsers and background processes using HTTP transport can create incorrectly terminated HTTP/TCP sessions. If webauth clients are under control, changing web browsers or eliminating background processes that use HTTP transport may eliminate triggers for this issue.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-4658 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCub93641 —Resolved in 15.1(1)SY3
The load balancing feature of the flex-vpn solution of Cisco IOS does not provide authentication facilities to avoid non authorized member to join the load balancing cluster. Thus, an attacker may impact the integrity of the flex-vpn system by inserting a rogue cluster member and having the load balance master to forward VPN session to it. A number of secondary effect, including black-holing of some of the VPN traffic may be triggered by this issue.
Flex-VPN with Load Balancing feature active
Workaround: Using CoPP and interface access-list may be used to allow only trusted router to join the load balancer cluster
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:W/RC:C CVE ID CVE-2012-5032 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtz14399 —Resolved in 15.1(1)SY3
Symptom: A vulnerability in TCP stack of Cisco IOS Software could allow an unauthenticated, remote attacker to cause an ACK storm.
The vulnerability is due to improper closing of the established TCP connection. An attacker could exploit this vulnerability by sending a crafted sequence of TCP ACK and FIN packets to an affected device. An exploit could allow the attacker to cause an ACK storm resulting in excessive network utilization and high CPU.
Conditions: Multiple FIN/ACK packets are received.
Workaround: Do clear' tcp tcb 0x......' where the hex value is the address of the TCB stuck in LASTACK state in ’show tcp brief.'
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C CVE ID CVE-2013-5469 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5469
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCuh09324 —Resolved in 15.1(1)SY3
Symptom: UDP based entries are not deleted from the flowmgr table resulting in crash, or poor system response, with CPU hog messages being shown.
Conditions: Affected Platforms - images ct5760-ipservicesk9.bin cat3k_caa-universalk9.bin cat4500e-universalk9.bin
Device is configured with UDP services that originate from the device. This includes but not limited to the following features: * TFTP * Energy Wise * DNS * Cisco TrustSec
Workaround: If you suspect that you are affected by this bug, please do the following, for confirmation: Router#config terminal service internal end Router#show flowmgr
The output of this command will show many lines entries holding with the same port numbers. Disabling the feature that is being held in the flows until an upgrade can be performed, is a workaround.
A reload is required to clear the held flows.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-6704 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6704
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Other Resolved Caveats in Release 15.1(1)SY3
Caveats Resolved in Release 15.1(1)SY2
- CSCug31561 —Resolved in 15.1(1)SY2
A vulnerability in the DHCP implementation of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability occurs during the parsing of crafted DHCP packets. An attacker could exploit this vulnerability by sending crafted DHCP packets to an affected device that has the DHCP server or DHCP relay feature enabled. An exploit could allow the attacker to cause a reload of an affected device.
Cisco has released free software updates that address this vulnerability. There are no workarounds to this vulnerability.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-dhcp
Note: The September 25, 2013, Cisco IOS Software Security Advisory bundled publication includes eight Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the September 2013 bundled publication.
Individual publication links are in ‘’Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication‘’ at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep13.html
- CSCsv74508 —Resolved in 15.1(1)SY2
Symptom: If a linecard is reset (either due to an error or a command such as hw-module slot reload) at the precise time an SNMP query is trying to communicate with that linecard, the RP could reset due to a CPU vector 400 error.
Conditions: This symptom occurs when the linecard is reset (either due to error or a command such as hw-module slot reload) at the precise time an SNMP query is received.
Workaround: There is no workaround.
- CSCtx56174 —Resolved in 15.1(1)SY2
Symptom: A vulnerability in the Zone-Based Firewall (ZBFW) component of Cisco IOS Software could allow an unauthenticated, remote attacker to cause an affected device to hang or reload.
The vulnerability is due to improper processing of specific HTTP packets when the device is configured for either Cisco IOS Content Filtering or HTTP application layer gateway (ALG) inspection. An attacker could exploit this vulnerability by sending specific HTTP packets through an affected device. An exploit could allow the attacker to cause an affected device to hang or reload.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-cce
- CSCuf17023 —Resolved in 15.1(1)SY2
Symptom: A vulnerability in the Resource Reservation Protocol (RSVP) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger an interface queue wedge on the affected device.
The vulnerability is due to improper parsing of UDP RSVP packets. An attacker could exploit this vulnerability by sending UDP port 1698 RSVP packets to the vulnerable device. An exploit could cause Cisco IOS Software and Cisco IOS XE Software to incorrectly process incoming packets, resulting in an interface queue wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other denial of service (DoS) conditions.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-rsvp
- CSCto87436 —Resolved in 15.1(1)SY2
Symptoms: In certain conditions, IOS device can crash, with the following error message printed on the console:
“%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = SSH Proc”
Conditions: In certain conditions, if an SSH connection to the IOS device is slow or idle, it may cause a box to crash with the error message printed on the console.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C CVE ID CVE-2012-5014 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Other Resolved Caveats in Release 15.1(1)SY2
Caveats Resolved in Release 15.1(1)SY1
- CSCtk15666 —Resolved in 15.1(1)SY1
Symptoms: IOS password lentgh is limited to 25 characters.
Conditions: IOS password lentgh is limited to 25 characters on NG3K products.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Resolved accsw-ease-of-use Caveats
- CSCub55790 —Resolved in 15.1(1)SY1
The Smart Install client feature in Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
Affected devices that are configured as Smart Install clients are vulnerable.
Cisco has released free software updates that address this vulnerability. There are no workarounds for devices that have the Smart Install client feature enabled.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-smartinstall
- CSCua21166 —Resolved in 15.1(1)SY1
Symptoms: Unable to form IPSec tunnels due to error: “RM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license.”
Conditions: Even though the router does not have 225 IPsec SA pairs, error will prevent IPSec from forming. Existing IPSec SAs will not be affected.
Workaround: Reboot to clear out the leaked counter, or install hsec9 which will disable CERM (Crypto Export Restrictions Manager).
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.8/2.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:M/C:N/I:N/A:P/E:U/RL:W/RC:C
No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCub39268 —Resolved in 15.1(1)SY1
Symptom: Cisco ASR 1000 devices running an affected version of IOS-XE are vulnerable to a denial of service vulnerability due to the improper handling of malformed IKEv2 packets. An authenticated, remote attacker with a valid VPN connection could trigger this issue resulting in a reload of the device. Devices configured with redundant Route Processors may remain active as long as the attack is not repeated before the affected Route Processor comes back online.
Conditions: Cisco ASR1000 devices configured to perform IPSec VPN connectivity and running an affected version of Cisco IOS-XE are affected. Only authenticated IKEv2 connection is susceptible to this vulnerability.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2012-5017 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtg39957 —Resolved in 15.1(1)SY1
The Resource Reservation Protocol (RSVP) feature in Cisco IOS Software and Cisco IOS XE Software contains a DoS vulnerability.
Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate this vulnerability.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-rsvp
Note: The March 27, 2013, Cisco IOS Software Security Advisory bundled publication includes seven Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2013 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar13.html
- CSCtg47129 —Resolved in 15.1(1)SY1
The Cisco IOS Software implementation of the virtual routing and forwarding (VRF) aware network address translation (NAT) feature contains a vulnerability when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-nat
Note: The March 27, 2013, Cisco IOS Software Security Advisory bundled publication includes seven Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2013 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar13.html
Other Resolved Caveats in Release 15.1(1)SY1
Caveats Resolved in Release 15.1(1)SY
- CSCsv06973 —Resolved in 15.1(1)SY
Symptom: Router crashes For Authentication RESPONSE with GETUSER and when getuser-header-flags is modified and sent.
Conditions: TACACS single-connection is configured. When authorization is configured Telnet to router and removing authorization,telnet to router again
Workaround: Do not use TACACS single-connection option.
- CSCsv38166 —Resolved in 15.1(1)SY
The server side of the Secure Copy (SCP) implementation in Cisco IOS software contains a vulnerability that could allow authenticated users with an attached command-line interface (CLI) view to transfer files to and from a Cisco IOS device that is configured to be an SCP server, regardless of what users are authorized to do, per the CLI view configuration. This vulnerability could allow valid users to retrieve or write to any file on the device’s file system, including the device’s saved configuration and Cisco IOS image files, even if the CLI view attached to the user does not allow it. This configuration file may include passwords or other sensitive information.
The Cisco IOS SCP server is an optional service that is disabled by default. CLI views are a fundamental component of the Cisco IOS Role-Based CLI Access feature, which is also disabled by default. Devices that are not specifically configured to enable the Cisco IOS SCP server, or that are configured to use it but do not use role-based CLI access, are not affected by this vulnerability.
This vulnerability does not apply to the Cisco IOS SCP client feature.
Cisco has released free software updates that address this vulnerability.
There are no workarounds available for this vulnerability apart from disabling either the SCP server or the CLI view feature if these services are not required by administrators.
This advisory is posted at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-scp.
- CSCtl59814 —Resolved in 15.1(1)SY
Symptoms: Kerberos/Encrypted Telnet code needs to be improved. There is a potential buffer overflow condition in the code. There is no proof of an attack vector/exploit. However, the code needs to be improved.
Conditions: Cisco IOS device configured for Kerberos/Encrypted Telnet access.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:U/RC:UC No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCts37717 —Resolved in 15.1(1)SY
Symptoms: Active RP may crash while processing packets. Conditions: Device is processing packets which are being punted to the RP at a rate faster than memory can be allocated or deallocated. Workaround: Implementing a CoPP policy rate-limiting packets punted to the RP may be a workaround, depending on specific circumstances and traffic pattern PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2012-1317 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtz28544 —Resolved in 15.1(1)SY
Symptoms: Cisco ASR 1000 Series Aggregation Services Routers configured for Multicast Listener Discovery (MLD) tracking for IPv6 may reload after receiving certain MLD packets. The following traceback will be shown in the logs.
Exception to IOS Thread: Frame pointer 4081B7D8, PC = 1446A878
ASR1000-EXT-SIGNAL: U_SIGSEGV(11), Process = MLD
Conditions: Cisco ASR 1000 Series Aggregation Services Routers configured for Multicast Listener Discovery (MLD) tracking for IPv6.
Workaround: The only workaround is to disable MLD tracking.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C
CVE ID CVE-2012-1366 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCin14467 —Resolved in 15.1(1)SY
Symptoms: A router may forward IP packets even when IP processing is disabled on the incoming interface.
Conditions: This symptom is observed on all Cisco routers running Cisco Express Forwarding (CEF).
Workaround: Configure an inbound access-list denying all traffic on the interface without IP address. Example :
access-list 100 deny ip any any
int x no ip address ip access-group 100 in
- CSCti33534 —Resolved in 15.1(1)SY
Symptoms: After launching a flood of random IPv6 router advertisements when an interface is configured with “ipv6 address autoconf”, removing the IPv6 configuration on the interface with “no ipv6 address autoconf” may cause a reload. Other system instabilities are also possible during and after the flood of random IPv6 router advertisements.
Conditions: Cisco IOS is configured with “ipv6 address autoconf”.
Workarounds: Not using IPv6 auto-configuration may be used as a workaround.
Further Information: Cisco IOS checks for the hop limit field in incoming Neighbour Discovery messages and packets received with a hop limit not equal to 255 are discarded. This means that the flood of ND messages has to come from a host that is directly connected to the Cisco IOS device.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2010-4671 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCts16133 —Resolved in 15.1(1)SY
Symptoms: Cisco IOS Software on the Catalyst 6500 and 7600 may crash after removing/readding object-group configuration.
– Workaround is to perform object-group changes in this order:
• First remove the ACLs which are referencing the object-group
• Then remove/rebuild the object-group
Cisco IOS Software on the Catalyst 6500 and 7600 series contains a vulnerability that could allow an authenticated, local attacker to cause a reload of an affected device.
The vulnerability issue is due to logic processing in the ACL code. An attacker could exploit this vulnerability by editing the ACLs on the device.
An exploit could allow the attacker to reload the affected device.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.6/3.8: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5037 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtt35379 —Resolved in 15.1(1)SY
Summary Cisco IOS Software contains a vulnerability in the Border Gateway Protocol (BGP) routing protocol feature.
The vulnerability can be triggered when the router receives a malformed attribute from a peer on an existing BGP session.
Successful exploitation of this vulnerability can cause all BGP sessions to reset. Repeated exploitation may result in an inability to route packets to BGP neighbors during reconvergence times.
Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-bgp
Note: The September 26, 2012, Cisco IOS Software Security Advisory bundled publication includes 9 Cisco Security Advisories. Eight of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the September 2012 bundled publication.
Individual publication links are in “Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep12.html PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2012-4617 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCty58300 —Resolved in 15.1(1)SY
Summary Cisco IOS Software contains a vulnerability in the Border Gateway Protocol (BGP) routing protocol feature.
The vulnerability can be triggered when the router receives a malformed attribute from a peer on an existing BGP session.
Successful exploitation of this vulnerability can cause all BGP sessions to reset. Repeated exploitation may result in an inability to route packets to BGP neighbors during reconvergence times.
Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-bgp
Note: The September 26, 2012, Cisco IOS Software Security Advisory bundled publication includes 9 Cisco Security Advisories. Eight of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the September 2012 bundled publication.
Individual publication links are in “Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep12.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2012-4617 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCty89224 —Resolved in 15.1(1)SY
Symptom: IOS router may crash under certain circumstances when receiving a mvpnv6 update
Conditions: Receive mvpnv6 update
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2012-3895 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCsu73525 —Resolved in 15.1(1)SY
Symptom: Traceroute output becomes incorrect because VSA does not do a TTL decrement on the packet after decryption.
Conditions: The symptom is observed when configured IPSec with C7200 NPE-G2 VSA.
Workaround: Disable HW crypto engine - Use VTI
- CSCta79031 —Resolved in 15.1(1)SY
Symptom: If a cert map is changed of added to the trustpoint, the pub key cache for the peers is not cleared. This makes it possible for a client which was connected in the past to reconnect again even if it’s cert was banned by the cert map.
Updated the ‘Configuring Authorization and Revocation of Certificates in a PKI’ module with notes to indicate - If a certificate map is changed or added to the trustpoint, the public key cache for the peers is not cleared.
The link to the latest document is: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-cfg-authentifcn.html
- CSCth82164 —Resolved in 15.1(1)SY
Symptom: A peer’s key is cached indefinitely in the key cache.
The following messages indicate bypassing the revocation check.
*Jul 13 18:43:18.095: CRYPTO_PKI: Found public key in hash table. Bypassing certificate validation
Conditions: A method (OCSP, CDP, etc.) to check for certificate revocation is used, then it is changed to “none” (“revocation check none”), and finally it gets changed to some revocation method again.
This configuration transition “revocation check -> no revocation check -> revocation check” is what causes a problem.
Further Information: The problem is independent of which revocation method is used (OCSP, CDP). The problem will happen when revocation check is disabled with the command “revocation none”. This would cache the peer’s key infinitely into the cache. After this, turning on any revocation method will have no efect; validation will always succeed since the keys are cached.
The problem will only happen if someone turns off revocation and then later realizes that it was a mistake and turns it back on. If remote peer’s key is cached within that period then that cache entry will never be deleted. End Result: If the same remote peer tries to establish the tunnel again we would bypass validation and would not check if it is still a valid peer or not.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.0/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
CVE ID CVE-2011-0935 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtl59829 —Resolved in 15.1(1)SY
Symptom: Login success and failure messages only display the first 32 bits of the IPv6 source address in IPv4 format.
*Aug 5 19:39:07.195: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 252.0.0.0] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 19:39:07 EST Wed Aug 5 2009
– Telnet or SSH from IPv6 enabled device to IPv6 address on router or switch.
– Have login success and failure logging enabled.
Further Problem Description: The IPv4 address is derived from the first 32 bits of the IPv6 address.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCto00318 —Resolved in 15.1(1)SY
Symptoms: SSH session that is initiated from a router that is running affected Cisco IOS software may cause the router to reboot.
Conditions: Occurs when performing a SSH client session from the router.
Do not initiate a SSH session from the device.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.6/4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVE ID CVE-2012-4638 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtq61128 —Resolved in 15.1(1)SY
Symptom: Router crash with Segmentation fault(11)
Conditions: It was observed on routers acting as IPSEC hub using certificates.
Workaround None PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2011-4231 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCts68262 —Resolved in 15.1(1)SY
Symptoms: Certain SSH version 2 packets may cause a memory leak on a Cisco IOS device configured for SSH. Authentication is needed in order to exploit this vulnerability.
Conditions: This issue is observed on a Cisco IOS device configured for SSH version 2 after it has received malformed SSHv2 packets. Successful, exploitation may cause system degradation or a partial denial of service condition on an affected device.
Workaround: The only workaround is to disable SSH version 2.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:U/RC:C
CVE ID CVE-2011-3312 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtt28703 —Resolved in 15.1(1)SY
Symptom: VPN client with RSA-SIG can access a profile where his CA trustpoint is not anchored
Workaround: Restrict access by using a certificate-map matching the right issuer.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:N/A:N/E:POC/RL:W/RC:C No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCth99104 —Resolved in 15.1(1)SY
Symptom: Certificate that should not be allowed bypasses validations checks.
Conditions: This happens when the PKI validation test command is used.
Workaround: Do not use the PKI validation test command.
Further Information: The PKI validation test command invokes the pubkey insert api which erroneously adds pubkey entries when at times it should not. this results in all subsequent validations bypassed for the same certificate.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 1.7/1.4:
https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:L/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C/CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
No CVE ID has been assigned to this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCta11223 —Resolved in 15.1(1)SY
Symptoms: A Cisco router may crash when the show dmvpn or show dmvpn detail commands are entered.
Conditions: This symptom is observed when the device is running Cisco IOS and configured with DMVPN. The crash occurs when the show dmvpn or show dmvpn detail commands are entered two or more times.
Workaround: There is no known workaround.
- CSCtc49782 —Resolved in 15.1(1)SY
Symptoms: Upgrade from 12.2(18)SXF6 to 12.2(33)SXH5 introduced additional vty lines to the running-configuration (vtp line 5 - 15). These new lines do not inherit the security ACL or transports configured by the customer on the old lines (0-4). Switch upgrade caused device to be non-compliant with network security policy defined by customer.
Condition: Software upgrade from 12.2(18)SXF6 to 12.2(33)SXH5.
Workaround: We have to manually configure the ACL for those newly introduced vty lines.
- CSCtd35382 —Resolved in 15.1(1)SY
Symptom: Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. This means that a customer can ship a switch to a location, place it in the network and power it on with no configuration required on the switch.
When a vulnerability scanner such as NMAP, Nessus, Retina or other is run against the Smart Install port (TCP port 4786) the switch may display some memory error messages such as the following:
These messages do not cause any operational impact to the affected device (switch).
Conditions: Switch configured with the Smart Install feature (client or director).
Workaround: In Smart Install implementations the client switches are served by a common director. The switch selected as the director provides a single management point for images and configuration of client switches. hen a client switch is first installed into the network, the director automatically detects the new switch, and identifies the correct Cisco IOS image and the configuration file for downloading.
Switches that are clients have the Smart Install feature enabled by default and it cannot be disabled. The only way to workaround this issue is to apply an access control list (ACL) blocking TCP port 4786, if smart install is not needed.
- CSCtd95386 —Resolved in 15.1(1)SY
Symptom: An IPSec tunnel can be torn down if the router receives a replayed QM (Quick Mode) packet.
Conditions: This is only a problem when a replayed QM packet is received on an IPSec endpoint.
Workaround: None at this time.
- CSCtg09360 —Resolved in 15.1(1)SY
Symptom: Dot1x or port-security violation with RSPAN configured was observed.
Conditions: RSPAN should be configured.
– For Dot1x - change dot1x authentication mode on interface to multi-host
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.9/2.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCti54173 —Resolved in 15.1(1)SY
Symptoms: A Cisco7200 w/VAM2 2 configured for GETVPN may experience a memory leak for every packet that is fragmented at high CPU. This may cause system stability and the device to potentially reload. These packets are received from a trusted and configured GETVPN peer.
Conditions: The symptom is observed on a Cisco 7200 series router.
Workaround: There is no workaround.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.9/4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCti99869 —Resolved in 15.1(1)SY
Symptom: Middle buffer iomem leaks seen with dhcp snooping in relay agent environments alongwith the following error messgaes (error messages are seen when the free iomem goes very low and is unable to service a request for a buffer from it)
%SYS-2-MALLOCFAIL: Memory allocation of 1748 bytes failed from 0x42275FC0, alignment 32 Pool: I/O Free: 1264736 Cause: Memory fragmentation Alternate Pool: None Free: 0 Cause: No Alternate pool -Process= “Pool Manager”, ipl= 0, pid= 9
Conditions: DHCP snooping configured on the switch and snooping is operating in a relay agent environment. Problem is seen in 12.2SXI-12.2SXI4.
Problem not present in 12.2SXF, 12.2SXH, 12.2SRC,SRB,SRD based releases
Workaround: Force process switching of software switched packets on the dhcp server facing interface on the cat6k by configuring the no ip route-cache command on the router facing interface.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtj90091 —Resolved in 15.1(1)SY
Symptom: When an ICMPv6 ACL is applied to an interface on PFC3C system, fragment entry may not be created in TCAM.
Further Problem Description: None
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C CVE ID CVE-2011-4012 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtj95182 —Resolved in 15.1(1)SY
Symptom: When using a network scanner to check the network components if there have security issues or are woundable on a 3750, it apears that CPU goes high and there is a memory leak in SMI IBC server process
Conditions : Network scanner run on a 3750 running 12.2.55.SE
- CSCtk54650 —Resolved in 15.1(1)SY
Symptoms: After modifying the IPv6 ACL it can happen that some lines in the ACL get multiply indefinitely. Once we try to save such a config it will generate the following error:
Reloading the box in this state will result in empty configuration.
Conditions: Modifying the IPv6 ACL
Workaround: Remove and reapply the ACL
Further Problem Description: Upgrade to a release that has Cisco Bug ID: CSCts16133 integrated.
- CSCtl88673 —Resolved in 15.1(1)SY
Symptom: Enhancements to GDOI processing
- CSCtn22376 —Resolved in 15.1(1)SY
Symptoms: A memory leak occurs when processing specific packets, when ikev2 debugging is enabled.
Conditions: ikev2 debugging must be enabled
Workaround: Disable ikev2 debugging.
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/3.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C CVE ID CVE-2012-0360 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCto10165 —Resolved in 15.1(1)SY
Summary A vulnerability exists in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software that could allow an unauthenticated, remote attacker to perform remote code execution on the affected device.
Cisco has released free software updates that address this vulnerability.
There are no workarounds available to mitigate this vulnerability other than disabling the Smart Install feature.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-smart-install.
- CSCto72927 —Resolved in 15.1(1)SY
Symptoms: Configuring an event manager policy may cause a cisco Router to stop responding.
Conditions: This issue is seen when a TCL policy is configured and copied to the device.
Workaround: There is no workaround.
- CSCtq36327 —Resolved in 15.1(1)SY
Symptom: A loop between a dot1x enabled port and another a)dot1x enabled port configured with open authentication or b) non-dot1x port, will create a spanning-tree bpdu storm in the network.
Workaround: Avoid creating a loop.
Further Problem Description: This is a day-1 issue and the fix is available in SXI7, SXJ2 and MA2.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.8: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C CVE ID CVE-2011-2057 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtt03207 —Resolved in 15.1(1)SY
Symptom: Traffic flows through unauthorized supplicant switch
Conditions: Authenticator Switch should have established auto-config with authorized supplicant switch. Now bring up, unauthorized supplicant switch by physically connecting to hub placed between ASW & SSW. Though wrong dot1x credential is used, ASW allows network access for unauthorized SSW.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.9/2.4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtt16051 —Resolved in 15.1(1)SY
Cisco IOS Software contains a vulnerability in the Smart Install feature that could allow an unauthenticated, remote attacker to cause a reload of an affected device if the Smart Install feature is enabled. The vulnerability is triggered when an affected device processes a malformed Smart Install message on TCP port 4786.
Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-smartinstall
- CSCtw80533 —Resolved in 15.1(1)SY
Symptom: Error message in the logs: %SYS-4-CHUNKSIBLINGSEXCEED: Number of siblings in a chunk has gone above the threshold. It is a result of a slow memory leak.
Conditions: Observed on ASR1000 running 15.1(2)S when polling crypto statistics
Workaround: Avoid stressing the box with multiple SNMP requests. Reload if the memory is completely depleted.
- CSCty90293 —Resolved in 15.1(1)SY
Processing Improvements for GREv6 over IPv6 Currenlty requires IP CEFv6 to be disabled
Workaround: use “tunnel protection” instead
- CSCty96049 —Resolved in 15.1(1)SY
Summary Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a single DHCP packet to or through an affected device, causing the device to reload.
Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-dhcp
Note: The September 26, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Eight of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the September 2012 bundled publication.
Individual publication links are in “Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication” at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep12.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-4621 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCte83104 —Resolved in 15.1(1)SY
Conditions: When an ipv6 RACL is confiured on an interface. All packets containing ipv6 optional headers are punted to RP. But if any packets that are sent with no L4 header are also hitting this punt entry present at the top of tcam.
- CSCtr88193 —Resolved in 15.1(1)SY
Symptom: Either High CPU or Crash resulting from large number of ipv6 hosts.
Conditions: This has been seen while sending Multicast Listener Discovery packets with IPv6 and mld snooping enabled.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.7/4.7:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-3062 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtq39602 —Resolved in 15.1(1)SY
Symptom: DMVPN Tunnel is down with IPSEC configured. The show dmvpn from Spoke shows the state is IKE.
Conditions: After heavy traffic was pumping from DMVPN Hub to Spoke for some time, from a few minutes to a couple of hours.
Workaround: Configure “set' security-association lifetime kilobytes disable” to disable volumn based rekeying will reduce the problem.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C CVE ID CVE-2012-3915 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
- CSCtz02622 —Resolved in 15.1(1)SY
Symptoms: FlexVPN spoke crashed while passing spoke to spoke traffic.
Conditions: Passing traffic from spoke to spoke or clearing IKE SA on the spoke
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:M/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2012-3893 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Other Resolved Caveats in Release 15.1(1)SY
Troubleshooting
These sections describes troubleshooting guidelines for the Catalyst 6500 series switch configuration:
- System Troubleshooting
- Module Troubleshooting
- VLAN Troubleshooting
- Spanning Tree Troubleshooting
- Additional Troubleshooting Information
System Troubleshooting
This section contains troubleshooting guidelines for system-level problems:
- When the system is booting and running power-on diagnostics, do not reset the switch.
- After you initiate a switchover from the active supervisor engine to the redundant supervisor engine, or when you insert a redundant supervisor engine in an operating switch, always wait until the supervisor engines have synchronized and all modules are online before you remove or insert modules or supervisor engines or perform another switchover.
- If you have an interface whose speed is set to auto connected to another interface whose speed is set to a fixed value, configure the interface whose speed is set to a fixed value for half duplex. Alternately, you can configure both interfaces to a fixed-value speed and full duplex.
- If you apply both ACL and FnF with sampler on the SVI interface, the operational state of the Feature Manager gets reduced which causes the traffic to get software switched. In this state, if incoming traffic rate is high, CPU utilization will also go high. Therefore, apply ACL and FnF without sampler on the SVI interface. Otherwise, apply ACL and FnF with sampler on the physical interface.
Module Troubleshooting
This section contains troubleshooting guidelines for module problems:
- When you hot insert a module into a chassis, be sure to use the ejector levers on the front of the module to seat the backplane pins properly. Inserting a module without using the ejector levers might cause the supervisor engine to display incorrect messages about the module. For module installation instructions, refer to the Catalyst 6500 Series Module Installation Guide.
- Whenever you connect an interface that has duplex set to autonegotiate to an end station or another networking device, make sure that the other device is configured for autonegotiation as well. If the other device is not set to autonegotiate, the autonegotiating port will remain in half-duplex mode, which can cause a duplex mismatch resulting in packet loss, late collisions, and line errors on the link.
VLAN Troubleshooting
Although DTP is a point-to-point protocol, some internetworking devices might forward DTP frames. To avoid connectivity problems that might be caused by a switch acting on these forwarded DTP frames, do the following:
- For interfaces connected to devices that do not support DTP, in which trunking is not currently being used, configure interfaces with the switchport mode access command, which puts the interface into access mode and sends no DTP frames.
- When manually enabling trunking on a link to devices that do not support DTP, use the switchport nonegotiate and switchport mode trunk commands, which puts the interface into trunking mode without sending DTP frames.
Spanning Tree Troubleshooting
The Spanning Tree Protocol (STP) blocks certain ports to prevent physical loops in a redundant topology. On a blocked port, switches receive spanning tree bridge protocol data units (BPDUs) periodically from neighboring switches. You can configure the frequency with which BPDUs are received by entering the spanning-tree vlan vlan_ID hello-time command (the default frequency is set to 2 seconds). If a switch does not receive a BPDU in the time period defined by the spanning-tree vlan vlan_ID max-age command (20 seconds by default), the blocked port transitions to the listening state, the learning state, and to the forwarding state. As it transitions, the switch waits for the time period specified by the spanning-tree vlan vlan_ID forward-time command (15 seconds by default) in each of these intermediate states. If a blocked spanning tree interface does not receive BPDUs from its neighbor within 50 seconds, it moves into the forwarding state.
Note We do not recommend using the UplinkFast feature on switches with more than 20 active VLANs. The convergence time might be unacceptably long with more than 20 active VLANs.
To debug STP problems, follow these guidelines:
- The show vlan virtual-port command displays the number of virtual interfaces.
- These maximum numbers of virtual interfaces are supported:
Note Cisco IOS software displays a message if you exceed the maximum number of virtual interfaces.
- After a switchover from the active to the redundant supervisor engine, the ports on the redundant supervisor engine take longer to come up than other ports.
- Record all spanning tree-blocked ports in each switch in your network. For each of the spanning tree-blocked ports, record the output of the show interface command. Check to see if the port has registered many alignment, FCS, or any other type of line errors. If these errors are incrementing continuously, the port might drop input BPDUs. If the input queue counter is incrementing continuously, the port is losing input packets because of a lack of receive buffers. This problem can also cause the port to drop incoming BPDUs.
- On a blocked spanning tree port, check the duplex configuration to ensure that the port duplex is set to the same type as the port of its neighboring device.
- On trunks, make sure that the trunk configuration is set properly on both sides of the link.
- On trunks, if the neighboring device supports it, set duplex to full on both sides of the link to prevent any collisions under heavy traffic conditions.
Additional Troubleshooting Information
For additional troubleshooting information, refer to the publications at this URL:
http://www.cisco.com/c/en/us/support/switches/catalyst-6500-series-switches/tsd-products-support-troubleshoot-and-alerts.html
System Software Upgrade Instructions
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/28724-161.html
Notices
The following notices pertain to this software license.
OpenSSL/Open SSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
Copyright © 1998-2007 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/)”.
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/)”.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS”' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.
The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.
To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What’s New in Cisco Product Documentation RSS feed. The RSS feeds are a free service.
This document is to be used in conjunction with the Catalyst 6500 Series Cisco IOS Software Configuration Guide publication.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)