Release Notes for Cisco IOS Release 15.1SY
Chronological List of Releases
Supervisor Engines, PFCs, DFCs, and CFC
Policy Feature Cards Supported with Supervisor Engine 2T
Distributed Forwarding Cards Supported with Supervisor Engine 2T
Supervisor Engine 720-10GE (CAT6000-VS-S720-10G/MSFC3)
Supervisor Engine 720 (CAT6000-SUP720/MSFC3)
Policy Feature Cards Supported with Supervisor Engine 720
Distributed Forwarding Cards Supported with Supervisor Engine 720
Centralized Forwarding Card (WS-F6700-CFC)
40-Gigabit Ethernet Switching Modules
WS-X6904-40G-2T 4-Port 40-Gigabit Ethernet Switching Module
10-Gigabit Ethernet Switching Modules
WS-X6908-10GE 8-Port 10-Gigabit Ethernet X2 Switching Module
WS-X6816-10T-2T, WS-X6716-10T 16-Port 10-Gigabit Ethernet Copper Switching Module
WS-X6816-10G-2T, WS-X6716-10G 16-Port 10-Gigabit Ethernet X2 Switching Module
WS-X6708-10GE 8-port 10-Gigabit Ethernet X2 Switching Module
WS-X6704-10GE 4-Port 10-Gigabit Ethernet XENPAK Switching Module
WS-X6502-10GE 1-port 10-Gigabit Ethernet Switching Module
Cisco Catalyst 6880-X Series Extensible Fixed Aggregation Switches
Cisco Catalyst 6807-XL Modular Switch
Instant Access Catalyst 6800ia Series Switches
Gigabit Ethernet Switching Modules
WS-X6848-SFP-2T, WS-X6748-SFP 48-Port Gigabit Ethernet SFP Switching Module
WS-X6824-SFP-2T, WS-X6724-SFP 24-Port Gigabit Ethernet SFP Switching Module
WS-X6816-GBIC 16-port Gigabit Ethernet GBIC Switching Module
WS-X6516A-GBIC 16-Port Gigabit Ethernet GBIC Switching Module
WS-X6516-GBIC 16-Port Gigabit Ethernet GBIC Switching Module
WS-X6416-GBIC 16-port Gigabit Ethernet GBIC Switching Module
WS-X6408A-GBIC 8-port Gigabit Ethernet GBIC Switching Module
WS-X6408-GBIC 8-port Gigabit Ethernet GBIC Switching Module
10/100/1000 Ethernet Switching Modules
WS-X6848-TX-2T, WS-X6748-GE-TX
WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF
WS-X6148A-GE-TX, WS-X6148A-GE-45AF
WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6148-GE-45AF
100MB Ethernet Switching Modules
10/100MB Ethernet Switching Modules
WS-X6148X2-RJ-45, WS-X6148X2-45AF
WS-X6348-RJ-45, WS-X6348-RJ-45V
WS-X6148A-RJ-45, WS-X6148A-45AF
WS-X6148-RJ-45, WS-X6148-RJ45V, WS-X6148-45AF
WS-X6148-RJ-21, WS-X6148-RJ21V, WS-X6148-21AF
Power over Ethernet Daughtercards
Small Form-Factor Pluggable (SFP) Modules
Gigabit Interface Converters (GBICs)
Application Control Engine (ACE) Module
Firewall Services Module (FWSM)
Intrusion Detection System Modules (IDSMs)
Network Analysis Modules (NAMs)
Wireless Services Modules (WiSMs)
New Features in Release 15.1(2)SY16
New Hardware Features in Release 15.1(2)SY16
New Software Features in Release 15.1(2)SY16
New Features in Release 15.1(2)SY15
New Hardware Features in Release 15.1(2)SY15
New Software Features in Release 15.1(2)SY15
New Features in Release 15.1(2)SY14
New Hardware Features in Release 15.1(2)SY14
New Software Features in Release 15.1(2)SY14
New Features in Release 15.1(2)SY13
New Hardware Features in Release 15.1(2)SY13
New Software Features in Release 15.1(2)SY13
New Features in Release 15.1(2)SY12
New Hardware Features in Release 15.1(2)SY12
New Software Features in Release 15.1(2)SY12
New Features in Release 15.1(2)SY11
New Hardware Features in Release 15.1(2)SY11
New Software Features in Release 15.1(2)SY11
New Features in Release 15.1(2)SY10
New Hardware Features in Release 15.1(2)SY10
New Software Features in Release 15.1(2)SY10
New Features in Release 15.1(2)SY9
New Hardware Features in Release 15.1(2)SY9
New Software Features in Release 15.1(2)SY9
New Features in Release 15.1(2)SY8
New Hardware Features in Release 15.1(2)SY8
New Software Features in Release 15.1(2)SY8
New Features in Release 15.1(2)SY7
New Hardware Features in Release 15.1(2)SY7
New Software Features in Release 15.1(2)SY7
New Features in Release 15.1(1)SY6
New Hardware Features in Release 15.1(1)SY6
New Software Features in Release 15.1(1)SY6
New Features in Release 15.1(2)SY6
New Hardware Features in Release 15.1(2)SY6
New Software Features in Release 15.1(2)SY6
New Features in Release 15.1(2)SY5
New Hardware Features in Release 15.1(2)SY5
New Software Features in Release 15.1(2)SY5
New Features in Release 15.1(1)SY5
New Hardware Features in Release 15.1(1)SY5
New Software Features in Release 15.1(1)SY5
New Features in Release 15.1(2)SY4
New Hardware Features in Release 15.1(2)SY4
New Software Features in Release 15.1(2)SY4
New Features in Release 15.1(1)SY4
New Hardware Features in Release 15.1(1)SY4
New Software Features in Release 15.1(1)SY4
New Features in Release 15.1(2)SY3
New Hardware Features in Release 15.1(2)SY3
New Software Features in Release 15.1(2)SY3
New Features in Release 15.1(2)SY2
New Hardware Features in Release 15.1(2)SY2
New Software Features in Release 15.1(2)SY2
New Features in Release 15.1(2)SY1
New Hardware Features in Release 15.1(2)SY1
New Software Features in Release 15.1(2)SY1
New Features in Release 15.1(2)SY
New Hardware Features in Release 15.1(2)SY
New Software Features in Release 15.1(2)SY
New Features in Release 15.1(1)SY3
New Hardware Features in Release 15.1(1)SY3
New Software Features in Release 15.1(1)SY3
New Features in Release 15.1(1)SY2
New Hardware Features in Release 15.1(1)SY2
New Software Features in Release 15.1(1)SY2
New Features in Release 15.1(1)SY1
New Hardware Features in Release 15.1(1)SY1
New Software Features in Release 15.1(1)SY1
New Features in Release 15.1(1)SY
New Hardware Features in Release 15.1(1)SY
New Software Features in Release 15.1(1)SY
Software Features from Earlier Releases
Open Caveats in Release 15.1(2)SY
Open Caveats in Release 15.1(1)SY
Caveats Resolved in Release 15.1(2)SY16
Caveats Resolved in Release 15.1(2)SY15
Caveats Resolved in Release 15.1(2)SY14
Caveats Resolved in Release 15.1(2)SY13
Caveats Resolved in Release 15.1(2)SY12
Caveats Resolved in Release 15.1(2)SY11
Caveats Resolved in Release 15.1(2)SY10
Caveats Resolved in Release 15.1(2)SY9
Caveats Resolved in Release 15.1(2)SY8
Caveats Resolved in Release 15.1(2)SY7
Caveats Resolved in Release 15.1(1)SY6
Caveats Resolved in Release 15.1(2)SY6
Caveats Resolved in Release 15.1(2)SY5
Caveats Resolved in Release 15.1(1)SY5
Caveats Resolved in Release 15.1(2)SY4a
Caveats Resolved in Release 15.1(2)SY4
Caveats Resolved in Release 15.1(1)SY4
Caveats Resolved in Release 15.1(2)SY3
Caveats Resolved in Release 15.1(2)SY2
Caveats Resolved in Release 15.1(2)SY1
Caveats Resolved in Release 15.1(2)SY
Caveats Resolved in Release 15.1(1)SY3
Caveats Resolved in Release 15.1(1)SY2
Caveats Resolved in Release 15.1(1)SY1
Caveats Resolved in Release 15.1(1)SY
Additional Troubleshooting Information
System Software Upgrade Instructions
Obtaining Documentation and Submitting a Service Request
Note ● See this product bulletin for information about the standard maintenance and extended maintenance 15.1SY releases:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-15-0sy/product_bulletin_c25-687567.html
http://www.cisco.com/c/en/us/products/switches/catalyst-6500-series-switches/literature.html
The most current version of this document is available on Cisco.com at this URL:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/release_notes.html
This publication consists of these sections:
Note ● See the “Images and Feature Sets” section for information about which releases are deferred.
This is a chronological list of the 15.1SY releases:
These releases support the hardware listed in the “Supported Hardware” section:
– Date of release: 20 February 2020
– Based on Release: 15.1(2)SY15
– Date of release: 20 August 2019
– Based on Release: 15.1(2)SY14
– Date of release: 14 February 2019
– Based on Release: 15.1(2)SY13
– Date of release: 6 September 2018
– Based on Release: 15.1(2)SY12
– Date of release: 30 April 2018
– Based on Release: 15.1(2)SY11
– Date of release: 27 July 2017
– Based on Release: 15.1(2)SY10
– Date of release: 24 Feb 2017
– Date of release: 14 Oct 2016
– Date of release: 01 Sept 2016
– Date of release: 16 Mar 2016
– Date of release: 12 Nov 2015
– Date of release: 19 Sept 2015
– Date of release: 21 May 2015
– Date of release: 27 Mar 2015
– Date of release: 08 Nov 2014
– Date of release: 10 Oct 2014
– Date of release: 23 Jun 2014
– Date of release: 03 Mar 2014
– Date of release: 09 Dec 2013
– Date of release: 22 Mar 2014
– Date of release: 04 Oct 2013
– Date of release: 07 Sep 2013
– Date of release: 03 May 2013
– Date of release: 15 Oct 2012
– Based on Release 15.0(1)SY2 and Release 12.2(33)SXJ3
Note Release 15.1SY supports only Ethernet ports. Release 15.1SY does not support any WAN features or commands.
FPD image packages update FPD images. If a discrepancy exists between an FPD image and the Cisco IOS image, the module that has the FPD discrepancy is deactivated until the discrepancy is resolved. These modules use FPD images:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn85.html
http://www.cisco.com/c/en/us/support/cloud-systems-management/prime-network-analysis-module-software/products-release-notes-list.html
These sections describe the hardware supported in Release 15.1(2)SY1 and later releases:
Note Enter the show power command to display current system power usage.
Note For information about DRAM requirements on all supervisor engines, see this publication:
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/qa_c67_457347.html
– Policy Feature Card 4XL (PFC4XL)
– Policy Feature Card 4 (PFC4)
See the “Policy Feature Cards Supported with Supervisor Engine 2T” section.
– For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc., for use in Supervisor Engine 2T-10GE.
– QoS architecture: 2q4t / 1p3q4t
– Ports 1, 2, and 3: Gigabit Ethernet SFP (fiber SFP or 1000 Mbps RJ-45 SFP)
– Support for 10-Gigabit Ethernet X2 transceivers
• With ports 1, 2, and 3 enabled: 2q4t / 1p3q4t
• With ports 1, 2, and 3 disabled: 8q4t / 1p7q4t
Note See the Supervisor Engine 2T-10GE Connectivity Management Processor Configuration Guide for information about the 10/100/1000 Mbps RJ-45 port.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/cmp_configuration/guide/sup2T_10GEcmp.html
Supervisor Engine 2T-10GE Restrictions
The defaults for XL mode are:
– IPv4 unicast and MPLS: 512,000 routes
– IPv4 multicast and IPv6 unicast and multicast: 256,000 routes
The defaults for Non-XL mode are:
– IPv4 unicast and MPLS: 192,000 routes
– IPv4 multicast and IPv6 unicast and multicast: 32,000 routes
Note The size of the global internet routing table plus any local routes might exceed the non-XL mode default partition sizes.
These are the theoretical maximum numbers of routes for the supported protocols (the maximums are not supported simultaneously):
– XL mode:
• IPv4 and MPLS: Up to 1,007,000 routes
• IPv4 multicast and IPv6 unicast and multicast: Up to 503,000 routes
– Non-XL mode:
• IPv4 and MPLS: Up to 239,000 routes
• IPv4 multicast and IPv6 unicast and multicast: Up to 119,000 routes
Enter the platform cef maximum-routes command to repartition the hardware FIB table. IPv4 unicast and MPLS require one hardware FIB table entry per route. IPv4 multicast and IPv6 unicast and multicast require two hardware FIB table entries per route. Changing the partition for one protocol makes corresponding changes in the partitions of the other protocols. You must enter the reload command to put configuration changes made with the platform cef maximum-routes command into effect.
Note With a non-XL-mode system, if your requirements cannot be met by repartitioning the hardware FIB table, upgrade components as necessary to operate in XL mode.
– PFC4 and DFC4—No restrictions (PFC4 mode).
– PFC4 and DFC4XL—The PFC4 restricts DFC4XL functionality: the DFC4XL functions as a DFC4 (PFC4 mode).
– PFC4XL and DFC4—PFC4XL functionality is restricted by the DFC4: after a reload with a DFC4-equipped module installed, the PFC4XL functions as a PFC4 (PFC4 mode).
– PFC4XL and DFC4XL—No restrictions (PFC4XL mode).
Note ● See the “Policy Feature Cards Supported with Supervisor Engine 2T” section for Policy Feature Cards (PFC) and Distributed Forwarding Card (DFC) restrictions.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/OL_24918.html
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/catalyst-6500-series-supervisor-engine-2t/data_sheet_c78-648214.html
– Internal 1-GB CompactFlash card (sup-bootdisk:).
– 1-GB DRAM (Supervisor Engine 720-10GE).
– 1-GB DRAM (MSFC3).
– Policy Feature Card 3CXL (PFC3CXL).
– Policy Feature Card 3C (PFC3C).
– See the “Policy Feature Cards Supported with Supervisor Engine 2T” section.
– For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc., for use in Supervisor Engine 720-10GE.
– QoS architecture: 2q4t / 1p3q4t
– Support for Gigabit Ethernet SFPs
– QoS architecture: 2q4t / 1p3q4t
– Support for 10-Gigabit Ethernet X2 transceivers
– QoS architecture: 2q4t / 1p3q4t or 8q4t / 1p7q4t
Note The 1-Gigabit Ethernet ports and the 10-Gigabit Ethernet ports have the same QoS port architecture (2q4t/1p3q4t) unless you disable the 1-Gigabit Ethernet ports with the mls qos 10g-only global configuration command, which is required to configure DSCP-based queueing. With the 1-Gigabit Ethernet ports disabled, the QoS port architecture of the 10-Gigabit Ethernet ports is 8q4t/1p7q4t.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_17277.html
Note Some Supervisor Engine 720 Release 12.2SX images are larger than the bootflash device and must be stored on a CompactFlash card (sup-bootdisk: or disk0: or disk1:).
– 512-KB packet buffer per port
– Port 1—Gigabit Interface Converter (GBIC)
– Port 2—Configurable as either:
Note If you install WS-SUP720-3BXL=, upgrade the memory on any DFC3-equipped switching modules. See this document for DFC3 memory upgrades:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_12409.html
Supervisor Engine 720 with PFC3BXL:
– Internal 64-MB bootflash device (sup-bootflash:)
– 1-GB or larger DRAM (Supervisor Engine 720)
– 1-GB or larger DRAM (MSFC3)
Note ● See this document for DFC3 memory upgrades:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_12409.html
– If you install WS-F6K-PFC3BXL=, upgrade the memory on any DFC3-equipped switching modules.
– See this publication for more information about WS-F6K-PFC3BXL=:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_16220.html
Supervisor Engine 720 with PFC3B:
– Internal 64-MB bootflash device (sup-bootflash:)
– 512-MB or larger DRAM (Supervisor Engine 720)
– 512-MB or larger DRAM (MSFC3)
– IPv4 unicast and MPLS—512,000 routes
– IPv4 multicast and IPv6 unicast and multicast—256,000 routes
The defaults for non-XL mode are:
– IPv4 unicast and MPLS—192,000 routes
– IPv4 multicast and IPv6 unicast and multicast—32,000 routes
Note The size of the global internet routing table plus any local routes might exceed the non-XL mode default partition sizes.
These are the theoretical maximum numbers of routes for the supported protocols (the maximums are not supported simultaneously):
• IPv4 and MPLS—Up to 1,007,000 routes
• IPv4 multicast and IPv6 unicast and multicast—Up to 503,000 routes
• IPv4 and MPLS—Up to 239,000 routes
• IPv4 multicast and IPv6 unicast and multicast—Up to 119,000 routes
Enter the mls cef maximum-routes command to repartition the hardware FIB table. IPv4 unicast and MPLS require one hardware FIB table entry per route. IPv4 multicast and IPv6 unicast and multicast require two hardware FIB table entries per route. Changing the partition for one protocol makes corresponding changes in the partitions of the other protocols. You must enter the reload command to put configuration changes made with the mls cef maximum-routes command into effect.
Note With a non-XL-mode system, if your requirements cannot be met by repartitioning the hardware FIB table, upgrade components as necessary to operate in XL mode.
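The partition arithmetic above is the same for platform cef maximum-routes on Supervisor Engine 2T and mls cef maximum-routes on Supervisor Engine 720, and it is easy to get wrong because IPv6 and multicast routes cost two entries and one partition only grows at the expense of the other. The non-XL warning is not just a sizing nicety: prefixes that do not fit in the hardware FIB on these platforms are no longer hardware-forwarded, so an undersized partition becomes a forwarding-capacity and CPU-load problem. The planner below is an added example written for these notes, not Cisco software. It takes the per-route entry costs and the default partitions from the text; the total table size (512,000 + 2 x 256,000 = 1,024,000 entries in XL mode, 192,000 + 2 x 32,000 = 256,000 in non-XL mode) and the 17,000 entries held back from user partitions (1,024,000 - 1,007,000 and 256,000 - 239,000) are assumptions inferred from those figures, and the route demand is a constructed sample.

```python
"""Added example: a planner for the Catalyst 6500 hardware FIB partition.

Illustrative code written for these release notes, not Cisco software.  It
models only what the notes state: IPv4 unicast and MPLS routes cost one
hardware FIB entry each, IPv4 multicast and IPv6 routes cost two, and growing
one partition shrinks the other.  The total table size is an ASSUMPTION
inferred from the listed defaults, and the entries held back from user
partitions are an ASSUMPTION inferred from the listed theoretical IPv4 maxima.
"""
from typing import Dict, List

ENTRIES_PER_ROUTE = {"ipv4_mpls": 1, "ipv4_mcast_ipv6": 2}

# Default partitions from the release notes, in routes (not entries).
DEFAULTS: Dict[str, Dict[str, int]] = {
    "xl":     {"ipv4_mpls": 512_000, "ipv4_mcast_ipv6": 256_000},
    "non_xl": {"ipv4_mpls": 192_000, "ipv4_mcast_ipv6":  32_000},
}
# Theoretical single-protocol IPv4/MPLS maxima from the release notes, in routes.
MAX_IPV4_MPLS = {"xl": 1_007_000, "non_xl": 239_000}


def entries_used(partition: Dict[str, int]) -> int:
    """Hardware FIB entries consumed by a partition expressed in routes."""
    return sum(routes * ENTRIES_PER_ROUTE[proto] for proto, routes in partition.items())


def table_size(mode: str) -> int:
    """ASSUMPTION: the default partitions exactly fill the hardware FIB table."""
    return entries_used(DEFAULTS[mode])


def reserved_entries(mode: str) -> int:
    """ASSUMPTION: entries unavailable to any partition, derived from the IPv4 maxima."""
    return table_size(mode) - MAX_IPV4_MPLS[mode]


def repartition(mode: str, ipv4_mpls_routes: int) -> Dict[str, int]:
    """Partition that results from giving IPv4/MPLS the requested route count.

    Whatever remains after the reserved entries goes to the two-entry protocols,
    rounded down to whole routes (the 'corresponding change' the notes describe).
    Raises if the request exceeds the documented maximum for the mode.
    """
    if ipv4_mpls_routes > MAX_IPV4_MPLS[mode]:
        raise ValueError(
            f"{ipv4_mpls_routes:,} routes exceed the {mode} maximum of {MAX_IPV4_MPLS[mode]:,}")
    usable = table_size(mode) - reserved_entries(mode)
    leftover = usable - ipv4_mpls_routes * ENTRIES_PER_ROUTE["ipv4_mpls"]
    return {"ipv4_mpls": ipv4_mpls_routes,
            "ipv4_mcast_ipv6": leftover // ENTRIES_PER_ROUTE["ipv4_mcast_ipv6"]}


def check_fit(mode: str, partition: Dict[str, int], needed: Dict[str, int]) -> List[str]:
    """One warning per protocol whose route count exceeds its partition."""
    warnings: List[str] = []
    for proto, routes in needed.items():
        if routes > partition[proto]:
            warnings.append(
                f"{mode}: {proto} needs {routes:,} routes but the partition holds {partition[proto]:,}")
    return warnings


if __name__ == "__main__":
    # Constructed demand: a full BGP table plus local routes, and a modest IPv6 table.
    demand = {"ipv4_mpls": 220_000, "ipv4_mcast_ipv6": 12_000}
    for mode in ("non_xl", "xl"):
        print(mode, "defaults:", check_fit(mode, DEFAULTS[mode], demand) or "fits")
    plan = repartition("non_xl", 220_000)
    print("non_xl repartitioned:", plan, check_fit("non_xl", plan, demand) or "fits")
```

With the constructed demand, the non-XL defaults fail on IPv4, repartitioning fixes IPv4 but leaves only 9,500 two-entry routes (so the IPv6 table still does not fit), and the XL defaults fit everything; that is the trade-off behind the note about upgrading to XL mode. Remember that a changed partition only takes effect after a reload.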
– PFC3B and DFC3B—No restrictions (PFC3B mode; does not support virtual switch mode).
– PFC3B and DFC3BXL—The PFC3B restricts DFC3BXL functionality: after a reload with a DFC3BXL-equipped module installed, the DFC3BXL functions as a DFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3B and DFC3C—The PFC3B restricts DFC3C functionality: the DFC3C functions as a DFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3B and DFC3CXL—The PFC3B restricts DFC3CXL functionality: the DFC3CXL functions as a DFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3BXL and DFC3B—PFC3BXL functionality is restricted by the DFC3B: after a reload with a DFC3B-equipped module installed, the PFC3BXL functions as a PFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3BXL and DFC3BXL—No restrictions (PFC3BXL mode; does not support virtual switch mode).
– PFC3BXL and DFC3C—Each restricts the functionality of the other: the PFC3BXL functions as a PFC3B and the DFC3C functions as a DFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3BXL and DFC3CXL—The PFC3BXL restricts DFC3CXL functionality: the DFC3CXL functions as a DFC3BXL (PFC3BXL mode; does not support virtual switch mode).
– PFC3C and DFC3B—PFC3C functionality is restricted by the DFC3B: after a reload with a DFC3B-equipped module installed, the PFC3C functions as a PFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3C and DFC3BXL—PFC3C functionality is restricted by the DFC3BXL: after a reload with a DFC3BXL-equipped module installed, the PFC3C functions as a PFC3BXL (PFC3BXL mode; does not support virtual switch mode).
– PFC3C and DFC3C—No restrictions (PFC3C mode).
– PFC3C and DFC3CXL—The PFC3C restricts DFC3CXL functionality: the DFC3CXL functions as a DFC3C (PFC3C mode).
– PFC3CXL and DFC3B—PFC3CXL functionality is restricted by the DFC3B: after a reload with a DFC3B-equipped module installed, the PFC3CXL functions as a PFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3CXL and DFC3BXL—PFC3CXL functionality is restricted by the DFC3BXL: after a reload with a DFC3BXL-equipped module installed, the PFC3CXL functions as a PFC3BXL (PFC3BXL mode; does not support virtual switch mode).
– PFC3CXL and DFC3C—PFC3CXL functionality is restricted by the DFC3C: after a reload with a DFC3C-equipped module installed, the PFC3CXL functions as a PFC3C (PFC3C mode).
– PFC3CXL and DFC3CXL—No restrictions (PFC3CXL mode).
Note Use VS-F6K-PFC3CXL= to upgrade a VS-S720-10G-3C with a PFC3CXL. See this publication for more information:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_16220.html
Note Use WS-F6K-PFC3BXL= to upgrade a WS-SUP720 or WS-SUP720-3B with a PFC3BXL. WS-F6K-PFC3BXL= includes 1 GB memory upgrades for the Supervisor Engine 720 and the MSFC3. See this publication for more information:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_16220.html
Note Use WS-F6K-PFC3B= to upgrade a WS-SUP720 with a PFC3B. See this publication for more information:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_16220.html
Note See the “Policy Feature Cards Supported with Supervisor Engine 2T” section for Policy Feature Cards (PFC) and Distributed Forwarding Card (DFC) restrictions.
Note ● WS-F6700-DFC3CXL uses memory that is installed on the switching module.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_15893.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6143.html
Note ● WS-F6700-DFC3C uses memory that is installed on the switching module.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_15893.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6143.html
Note ● Not supported in virtual switch mode.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_15893.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6143.html
Note ● Not supported in virtual switch mode.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_12409.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6010.html
http://www.cisco.com/c/en/us/support/docs/field-notices/200/fn24494.html
Note ● Not supported in virtual switch mode.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_15893.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6143.html
Note ● Not supported in virtual switch mode.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_12409.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6010.html
http://www.cisco.com/c/en/us/support/docs/field-notices/200/fn24494.html
– Fabric Channel #1: Ports 1 and 2 or 5 through 12
– Fabric Channel #2: Ports 3 and 4 or 13 through 20
– 40 Gigabit Ethernet oversubscribed mode:
—Four 40 Gigabit Ethernet ports
—Ports 1 through 4
– 10 Gigabit Ethernet oversubscribed mode:
—Sixteen 10 Gigabit Ethernet ports
—Ports 5 through 20
– Mixed 10/40 Gigabit Ethernet oversubscribed mode:
–Either two 40 Gigabit Ethernet ports (1 and 2)
–Or eight 10 Gigabit Ethernet ports (5 through 12)
–Either two 40 Gigabit Ethernet ports (3 and 4)
–Or eight 10 Gigabit Ethernet ports (13 through 20)
—Configurable per module or per bay:
—Supported in the top left bay and top right bay.
–40 Gigabit Ethernet port 1 (top left bay) and port 3 (top right bay)
–10 Gigabit Ethernet ports 5 through 8 (top left bay) and ports 13 through 16 (top right bay)
–Top left bay: 40 Gigabit Ethernet port 1 or 10 Gigabit Ethernet ports 5 through 8
Top right bay: 40 Gigabit Ethernet port 3 or 10 Gigabit Ethernet ports 13 through 16
– 40 Gigabit Ethernet performance mode, 10 Gigabit Ethernet oversubscribed mode:
—Either of these combinations:
–Top left bay: 40 Gigabit Ethernet port 1
Right bays: eight 10 Gigabit Ethernet ports (13 through 20)
–Left bays: eight 10 Gigabit Ethernet ports (5 through 12)
Top right bay: 40 Gigabit Ethernet port 3
– 40 Gigabit Ethernet oversubscribed mode, 10 Gigabit Ethernet performance mode:
—Either of these combinations:
–Top left bay: four 10 Gigabit Ethernet ports (5 through 8)
Right bays: two 40 Gigabit Ethernet ports (3 and 4)
–Left bays: two 40 Gigabit Ethernet ports (1 and 2)
Top right bay: four 10 Gigabit Ethernet ports (13 through 16)
40 Gigabit Ethernet on Cisco Catalyst 6500 Series Switches: How It Works
40 Gigabit Ethernet Interface Module for Cisco Catalyst 6500 Series Switches Data Sheet
8-port 10-Gigabit Ethernet X2 module
– Oversubscription mode: 1p7q2t/1p7q4t
– Performance mode: 8q4t/1p7q4t
16-port 10-Gigabit Ethernet X2 module
– Oversubscription mode: 1p7q2t/1p7q4t
– Performance mode: 8q4t/1p7q4t
8-port 10-Gigabit Ethernet X2 module
– Oversubscription mode: 1p7q2t/1p7q4t
– Performance mode: 8q4t/1p7q4t
– Both modes support DSCP-based queueing
4-port 10-Gigabit Ethernet XENPAK
– With Supervisor Engine 2T-10GE:
– With Supervisor Engine 720 or Supervisor Engine 720-10GE:
• WS-F6700-DFC3BXL (not supported in virtual switch mode)
• WS-F6700-DFC3B (not supported in virtual switch mode)
– With any supervisor engine, WS-F6700-CFC
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_12409.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6010.html
16 10-Gigabit (SFP+)/1-Gigabit ports (SFP), four port card slots, two power supply slots. It supports standard FIB/ACL/NetFlow tables.
16 10-Gigabit (SFP+)/1-Gigabit ports (SFP), four port card slots, two power supply slots. It supports large FIB/ACL/NetFlow tables.
C6880-X-LE-16P10G: Multi-rate port card with standard tables. This module has 16 10-Gigabit or 1-Gigabit module slots which support 1-Gigabit SFPs or 10-Gigabit SFP+ modules. Supported only on the Catalyst 6880-X-LE switch model.
Multi-rate port card with XL tables. This module has 16 10-Gigabit or 1-Gigabit module slots which support 1-Gigabit SFPs or 10-Gigabit SFP+ modules. Supported only on the Catalyst 6880-X switch model.
Note See these publications for more information:
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6880-x-switch/data_sheet_c78-728228.html
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6880-x-switch/white_paper_c11-728540.html
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6880-x-switch/white_paper_c11-728541.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T.html
The switch supports redundant power supply modules (AC-input), redundant supervisor engines, fan-tray, power supply converter modules, clock modules, and voltage termination enhanced (VTT-E) modules.
Note See these publications for more information:
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6807-xl-switch/data_sheet_c78-728229.html
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6807-xl-switch/white_paper_c11-728264.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T.html
48-port 10/100/1000 RJ-45 PoE-capable Ethernet
48-port 10/100/1000 RJ-45 PoE-capable Ethernet
Note See these publications for more information:
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6800ia-switch/data_sheet_c78-728230.html
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6800ia-switch/white_paper_c11-728265.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/instant_access.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6800ia/hardware/installation/guide/b_c6800ia_hig.html
48-port Gigabit Ethernet SFP
WS-X6748-SFP (with WS-F6700-DFC3CXL, WS-F6700-DFC3C, WS-F6700-DFC3BXL (not supported in virtual switch mode), WS-F6700-DFC3B (not supported in virtual switch mode), or WS-F6700-CFC)
24-port Gigabit Ethernet SFP
WS-X6724-SFP (with WS-F6700-DFC3CXL, WS-F6700-DFC3C, WS-F6700-DFC3BXL (not supported in virtual switch mode), WS-F6700-DFC3B (not supported in virtual switch mode), or WS-F6700-CFC)
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/rommon/OL_6010.html
http://www.cisco.com/c/en/us/support/docs/field-notices/200/fn24494.html
These sections describe the supported 10/100/1000 Ethernet switching modules:
– With Supervisor Engine 2T-10GE:
– With Supervisor Engine 720 or Supervisor Engine 720-10GE:
• WS-F6700-DFC3BXL (not supported in virtual switch mode)
• WS-F6700-DFC3B (not supported in virtual switch mode)
– With any supervisor engine, WS-F6700-CFC
– WS-X6148-RJ-45 or WS-X6148-RJ-45V (replace with WS-X6148-45AF-UG=).
– WS-X6148-RJ-21 or WS-X6148-RJ-21V (replace with WS-X6148-21AF-UG=).
Prestandard PoE daughtercard for WS-X6548-GE-TX and WS-X6148-GE-TX
FourX converter to convert each 40GE port into four 10GE SFP+ ports
Note ● WS-X6716-10G and WS-X6708-10GE do not support X2 modules that are labeled with a number that ends with -01. (This restriction does not apply to X2-10GB-LRM.)
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/10-gigabit-modules/product_data_sheet0900aecd801f92aa.html
10G X2 to SFP+ Converter
10GBASE-ER Serial 1550-nm extended-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF)
Note X2-10GB-ER modules labeled with a number that ends with -02 do not provide EMI compliance with WS-X6716-10G.
10GBASE-LR Serial 1310-nm long-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF)
Note X2-10GB-LR modules labeled with a number that ends with -02 or -03 do not provide EMI compliance with WS-X6716-10G.
10GBASE-LX4 1310-nm wide wavelength-division multiplexing (WWDM), multimode fiber (MMF)
http://www.cisco.com/c/en/us/support/docs/field-notices/misc/FN62840.html
Note ● For information about DWDM XENPAKs, see the Cisco 10GBase DWDM XENPAK Modules data sheet:
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/dwdm-transceiver-modules/product_data_sheet0900aecd801f9333.html
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/catalyst-6500-series-supervisor-engine-720/product_data_sheet09186a008007cd00.html
10GBASE dense wavelength-division multiplexing (DWDM) 100-GHz ITU grid
10GBASE-ER Serial 1550-nm extended-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF)
Note XENPAK-10GB-ER units with Part No. 800-24557-01 are not supported, as described in this external field notice (CSCee47030): http://www.cisco.com/c/en/us/support/docs/field-notices/200/fn29736.html
10GBASE-ER Serial 1550-nm extended-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF)
10GBASE-LR Serial 1310-nm long-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF)
10GBASE-LR Serial 1310-nm long-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF)
10GBASE-LW XENPAK Module with WAN PHY for SMF
Note XENPAK-10GB-LW operates at an interface speed compatible with SONET/SDH OC-192/STM-64. XENPAK-10GB-LW links might go up and down if the data rate exceeds 9 Gb/s. (CSCsi58211)
Note ● For information about coarse wavelength-division multiplexing (CWDM) SFPs, see the Cisco CWDM GBIC and SFP Solutions data sheet:
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/cwdm-transceiver-modules/product_data_sheet09186a00801a557c.html
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/dwdm-transceiver-modules/product_data_sheet0900aecd80582763.html
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/gigabit-ethernet-gbic-sfp-modules/product_data_sheet0900aecd8033f885.html
Note ● The CAT6000-VS-S720-10G/MSFC3 and WS-X6148-FE-SFP support Fast Ethernet SFPs.
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/fast-ethernet-sfp-modules/product_data_sheet0900aecd801f931c.html
Note The support listed in this section applies to all modules that use GBICs.
Note ● For service modules that run their own software, see the service module software release notes for information about the minimum required service module software version.
http://www.cisco.com/c/en/us/support/docs/field-notices/610/fn61935.html
http://www.cisco.com/c/en/us/support/interfaces-modules/ace-application-control-engine-module/tsd-products-support-model-home.html
See the ACE module software release notes for information about the minimum required service module software version.
http://www.cisco.com/c/en/us/support/interfaces-modules/catalyst-6500-series-7600-series-asa-services-module/tsd-products-support-model-home.html
See the module software release notes for information about the minimum required service module software version.
http://www.cisco.com/c/en/us/support/interfaces-modules/catalyst-6500-series-firewall-services-module/tsd-products-support-model-home.html
See the WS-SVC-FWM-1-K9 software release notes for information about the minimum required WS-SVC-FWM-1-K9 software version.
http://www.cisco.com/c/en/us/support/interfaces-modules/catalyst-6500-series-intrusion-detection-system-idsm-2-services-module/tsd-products-support-model-home.html
See the IDSM software release notes for information about the minimum required IDSM software version.
Network Analysis Module 3
– http://www.cisco.com/c/en/us/support/cloud-systems-management/prime-network-analysis-module-software/products-release-notes-list.html
– http://www.cisco.com/c/en/us/support/cloud-systems-management/prime-network-analysis-module-software/tsd-products-support-series-home.html
See the software release notes for information about the minimum required NAM software version.
Wireless services modules run their own software. See these publications:
http://www.cisco.com/c/en/us/support/interfaces-modules/services-modules/products-release-notes-list.html
See the wireless services modules software release notes for information about the minimum required wireless services module software version.
Note The power supplies in this section are not supported in these chassis:
Note Chassis with 64 MAC addresses automatically enable the Extended System ID feature, which is enabled with the spanning-tree extend system-id command. You cannot disable the extended-system ID in chassis that support 64 MAC addresses. The Extended System ID feature might already be enabled in your network, because it is required to support both extended-range VLANs and any chassis with 64 MAC addresses. Enabling the extended system ID feature for the first time updates the bridge IDs of all active STP instances, which might change the spanning tree topology.
Note With Supervisor Engine 2T-10GE, the slot reserved for a redundant supervisor engine can be populated with one of these modules:
– Before April 2009: 1024 chassis MAC addresses
– Starting in April 2009: 64 chassis MAC addresses
Release 15.1SY supports only the hardware listed in the “Supported Hardware” section. Unsupported modules remain powered down if detected and do not affect system behavior.
Release 12.2SX supported these modules, which are not supported in Release 15.1SY:
Use Cisco Feature Navigator to display information about the images and feature sets in Release 15.1SY.
The release includes strong encryption images. Strong encryption images are subject to U.S. and local country export, import, and use laws. The countries and classes of end users eligible to receive and use Cisco encryption solutions are limited. See this publication for more information:
http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_compliance.html
The Universal Boot Loader (UBL) image is a minimal network-aware image that can download and install a Cisco IOS image from a running active supervisor engine in the same chassis. When newly installed as a standby supervisor engine in a redundant configuration, a supervisor engine running the UBL image automatically attempts to copy the image of the running active supervisor engine in the same chassis.
SX SY EFSU Compatibility Matrix (XLSX - Opens with Microsoft Excel)
Behavior changes describe the minor modifications that are sometimes introduced in a software release. When behavior changes are introduced, existing documentation is updated.
police rate 10 pps, burst 1 packets
police rate 1000 pps, burst 1000 packets
conform-action set-discard-class-transmit 48
exceed-action drop
so that all IPv6 ICMP ND type 133-137 packets with an invalid hop limit (!= 255) are dropped in hardware.
For this class-map to be effective, consider the following points:
– The new class-map is not applied by a reload alone, because the auto-CoPP policy is saved in the startup configuration and the saved policy reappears on reload.
– To apply the policy-map with the new class-map, remove the default control plane policy with no policy-map policy-default-autocopp; the new class-map for policy-default-autocopp then appears upon reload.
– In configuration mode, the no platform qos auto-copp command removes the policy-map policy-default-autocopp.
– The platform qos auto-copp command regenerates the policy-map policy-default-autocopp along with the new class-map "class-copp-match-ndv6hl" and adds the service-policy to the control plane.
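A software model of the class-map match and policer described above, added here as an example and not Cisco code: it flags ICMPv6 ND packets (types 133-137) whose hop limit is not 255 and runs them through a 10 pps / burst 1 token bucket, marking conforming packets with discard-class 48 and dropping the rest. Assumptions not on the page: packets are plain dicts from a constructed capture, only the 10 pps policer is modelled (the page does not say how the 1000 pps line relates to this class), and discard-class 48 is recorded as a marking while the page states the net effect is a hardware drop.

```python
"""Model of the auto-CoPP class-map and policer for ND hop-limit checks.

Added example, not Cisco code. Assumptions: packets are plain dicts from a
constructed capture; only the 10 pps / burst 1 policer is modelled;
discard-class 48 is recorded as a marking (the page states the packets end
up dropped in hardware).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ND_TYPES = range(133, 138)  # RS 133, RA 134, NS 135, NA 136, Redirect 137
REQUIRED_HOP_LIMIT = 255    # RFC 4861: ND messages must arrive with hop limit 255
DISCARD_CLASS = 48


def matches_ndv6hl(pkt: Dict) -> bool:
    """Class-map match: ICMPv6 ND (types 133-137) with hop limit != 255.

    A hop limit below 255 proves the packet crossed at least one router,
    so it cannot be a legitimate on-link ND message.
    """
    return (pkt["proto"] == "icmpv6"
            and pkt["icmp_type"] in ND_TYPES
            and pkt["hop_limit"] != REQUIRED_HOP_LIMIT)


@dataclass
class TokenBucketPolicer:
    """Single-rate policer: `rate_pps` tokens per second, `burst` capacity."""
    rate_pps: float
    burst: float
    tokens: float = field(init=False)
    last_ts: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.burst  # bucket starts full

    def police(self, ts: float) -> str:
        """Return 'conform' or 'exceed' for one packet seen at time `ts`."""
        elapsed = max(0.0, ts - self.last_ts)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_pps)
        self.last_ts = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "conform"
        return "exceed"


def apply_auto_copp(packets: List[Dict], rate_pps: float = 10,
                    burst: float = 1) -> List[Tuple[str, int]]:
    """Run the class-map and policer over packets in arrival order.

    Returns one (action, discard_class) per packet:
      ('pass', -1)                 packet is not matched by this class
      ('transmit', DISCARD_CLASS)  conform-action set-discard-class-transmit 48
      ('drop', -1)                 exceed-action drop
    """
    policer = TokenBucketPolicer(rate_pps, burst)
    verdicts = []
    for pkt in packets:
        if not matches_ndv6hl(pkt):
            verdicts.append(("pass", -1))
            continue
        if policer.police(pkt["ts"]) == "conform":
            verdicts.append(("transmit", DISCARD_CLASS))
        else:
            verdicts.append(("drop", -1))
    return verdicts


# Constructed sample capture (timestamps in seconds).
SAMPLE_PACKETS = [
    {"ts": 0.00, "proto": "icmpv6", "icmp_type": 135, "hop_limit": 64},   # NS, bad hop limit
    {"ts": 0.01, "proto": "icmpv6", "icmp_type": 134, "hop_limit": 200},  # RA, bad hop limit
    {"ts": 0.05, "proto": "icmpv6", "icmp_type": 136, "hop_limit": 255},  # NA, valid
    {"ts": 0.20, "proto": "icmpv6", "icmp_type": 133, "hop_limit": 1},    # RS, bad hop limit
    {"ts": 0.25, "proto": "icmpv6", "icmp_type": 128, "hop_limit": 64},   # echo request, not ND
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, apply_auto_copp(SAMPLE_PACKETS)):
        print(pkt["icmp_type"], pkt["hop_limit"], verdict)
```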
Old behavior: Running the CLI command “show platform fex-debug status” is no longer supported.
New behavior: Use the new CLI command “show fex <fex-id>” instead.
Additional Information: http://tools.cisco.com/bugsearch/bug/CSCux45230
Old behavior: The RADIUS server does not have Point-to-Point Tunneling Protocol (PPTP) tunnel-specific information because the tunnel-client endpoint and tunnel-server endpoint attributes are missing in the access-request packets sent to the RADIUS server.
New behavior: The following commands are introduced to identify the hostname or address of the network access server (NAS) at the initiator and server end of the Point-to-Point Tunneling Protocol (PPTP) tunnel by sending the Tunnel-Client-Endpoint attribute and the Tunnel-Server-Endpoint attribute in access-request packets to the RADIUS server.
– radius-server attribute 66 include-in-access-req
– radius-server attribute 67 include-in-access-req
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/m1/sec-m1-cr-book/sec-cr-r1.html
These sections describe the new features in Release 15.1(2)SY16, 20 February 2020:
These sections describe the new features in Release 15.1(2)SY15, 20 August 2019:
These sections describe the new features in Release 15.1(2)SY14, 14 February 2019:
These sections describe the new features in Release 15.1(2)SY13, 6 September 2018:
These sections describe the new features in Release 15.1(2)SY12, 30 April 2018:
These sections describe the new features in Release 15.1(2)SY11, 27 July 2017:
These sections describe the new features in Release 15.1(2)SY10, 24 Feb 2017:
These sections describe the new features in Release 15.1(2)SY9, 14 Oct 2016:
These sections describe the new features in Release 15.1(2)SY8, 01 Sept 2016:
These sections describe the new features in Release 15.1(2)SY7, 16 Mar 2016:
These sections describe the new features in Release 15.1(1)SY6, 12 Nov 2015:
These sections describe the new features in Release 15.1(2)SY6, 19 Sept 2015:
These sections describe the new features in Release 15.1(2)SY5, 21 May 2015:
These sections describe the new features in Release 15.1(1)SY5, 27 Mar 2015:
These sections describe the new features in Release 15.1(2)SY4, 08 Nov 2014:
These sections describe the new features in Release 15.1(1)SY4, 10 Oct 2014:
These sections describe the new features in Release 15.1(2)SY3, 23 Jun 2014:
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/transceiver-modules/data_sheet_c78-455693.html
These sections describe the new features in Release 15.1(2)SY, 03 Mar 2014:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/instant_access.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup2T/virtual_switching_systems.html#VSS_Quad-Sup_SSO_(VS4O)
These sections describe the new features in Release 15.1(2)SY1, 09 Dec 2013:
These sections describe the new features in Release 15.1(2)SY, 07 Sep 2013:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/instant_access.html
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/dwdm-transceiver-modules/data_sheet_c78-711186.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-mt/irg-15-mt-book/irg-prefix-export.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/cts_sgacl_int.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/instant_access.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/15-sy/imc-pim-15-sy-book/imc_basic_ipv6.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mtr/configuration/15-sy/mtr-15-sy-book/isis-mtr-multicast-address-family.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/instant_access.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mdata/configuration/15-sy/mdata-15sy-book/metadata-framework.html
http://www.cisco.com/c/en/us/td/docs/ios/media_monitoring/configuration/guide/15_1m_and_t/mm_15_1m_and_t/mm_mediatrace.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_serv/configuration/15-sy/imc-serv-15-sy-book/Multicast_only_Fast_Re-Route.html
http://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/mvpn.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/iro-sup-vrf.html
http://www.cisco.com/c/en/us/td/docs/wireless/asr_901/mib/reference/asr_mib.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/iro-ospfv3-nsr.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/media_monitoring/configuration/15-sy/mm-15-sy-book/mm-pasv-mon.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/15-sy/dns-15-sy-book/dns-15-sy-book_chapter_0100.html
These sections describe the new features in Release 15.1(1)SY3, 21 Mar 2014:
These sections describe the new features in Release 15.1(1)SY2, 04 Oct 2013:
These sections describe the new features in Release 15.1(1)SY1, 03 May 2013:
– GLC-LH-SMD 1G SFP
– GLC-SX-MMD 1G SFP
– GLC-T 1G SFP
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-sy/dhcp-15-sy-book/ip6-dhcp-rel-agent.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/qos_class_mark_police.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/denial_of_service.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/denial_of_service.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/15-sy/imc-pim-15-sy-book/imc_hsrp_aware.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/15-sy/snmp-15-sy-book/nm-snmp-vpn-context.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/15-sy/irl-15-sy-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/15-sy/irl-15-sy-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/media_monitoring/configuration/15-sy/mm-15-sy-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/media_monitoring/configuration/15-sy/mm-15-sy-book/mm-mediatrace.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_te_path_setup/configuration/15-sy/mp-te-path-setup-15-sy-book/mp-te-path-setup-15-sy-book_chapter_01100.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/release_notes.html#New_Software_Features_in_Release_15.1(1)SY1
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/appc_cat6k.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/command_sum.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/15-sy/iap-15-sy-book.html
http://www.cisco.com/c/en/us/td/docs/ios/15_0sy/system/messages/15sysmg.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/vpls.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup2T/virtual_switching_systems.html#VSS_Quad-Sup_SSO_(VS4O)
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/virtual_switching_systems.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/15-sy/iap-15-sy-book/iap-wccp.html
These sections describe the new features in Release 15.1(1)SY, 15 Oct 2012:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/release_notes.html#10_GE_SFP+_Modules
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-domain-stripping.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/etherchannel.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/etherchannel.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/irb-bi-fwd-det.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/irb-bi-fwd-det.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/ip6-route-bfd-encaps.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/irb-bi-fwd-det.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/irb-bi-fwd-det.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-remove-as.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-event-vpn-import.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-neighbor-policy.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-neighbor-soo.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-bgp-mp-pic.html
http://www.cisco.com/c/en/us/td/docs/ios/iproute_bgp/configuration/guide/12_2sr/irg_12_2sr_book/irg_event_vpn_import.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-rt-filter.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-consistency-check.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/callhome.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/callhome.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/saf/configuration/15-sy/saf-15-sy-book/saf-capman.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-rad-coa.html
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-cfg-authentifcn.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch_cef/configuration/15-sy/isw-cef-15-sy-book/isw-cef-snmp-mib.html
http://www.cisco.com/c/en/us/td/docs/ios/ipswitch/configuration/guide/12_4/isw_12_4_book/cef_snmp_mib.html
http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/configuration/guide/Convert/IOS_Shell/nm_ios_shell.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/sec-cts-id-port-map.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/ident-conn_config.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/sec-cts-ndac.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/ident-conn_config.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/cts-subnet-sgt-map.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/ident-conn_config.html
http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/convert/sec_data_urpf_15_1_book/sec_urpf_mib.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/dot1x_port_based_authentication.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/dot1x_port_based_authentication.html
Without a redundant supervisor engine, if a TM_DATA_PARITY_ERROR, TM_LINK_ERR_INBAND, or TM_NPP_PARITY_ERROR error occurs, one of the following happens:
– If the system controller reset threshold has not been reached, reset the system controller ASIC.
– If the system controller reset threshold has been reached, reload the supervisor engine.
The default system controller reset threshold value is 1, configurable with the platform system-controller reset-threshold threshold_value command. The value range is 1 through 100.
TM_DATA_PARITY_ERROR, TM_LINK_ERR_INBAND, and TM_NPP_PARITY_ERROR errors cause system messages.
– Before the threshold is reached, the errors cause the following system messages:
%SYSTEM_CONTROLLER-<>-THRESHOLD
%SYSTEM_CONTROLLER-<>-ERROR
%SYSTEM_CONTROLLER-<>-MISTRAL_RESET
– After the threshold is reached, the errors cause the following system messages:
%SYSTEM_CONTROLLER-<>-ERROR
%SYSTEM_CONTROLLER-<>-FATAL
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/configuration/15-sy/ce-15-sy-book/ce-cfm-ieee-y1731.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/commands/additional_commands/cmds1.html
Note This feature is enabled by default.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/control_plane_policing_copp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_basic/configuration/15-sy/mp-basic-15-sy-book/mp-ip-aware-mpls-netflow.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/command/ce-cr-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/command/ce-cr-book/ce-e1.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-sy/dhcp-15-sy-book/dhcp-prt-bsd-aa.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-sy/dhcp-15-sy-book/dhcp-relay-svr-option-82.html
http://www.cisco.com/c/en/us/td/docs/ios/iproute_eigrp/configuration/guide/12_2sr/ire_12_2sr_book/ire_cfg_eigrp.html
http://www.cisco.com/c/en/us/td/docs/ios/iproute_eigrp/configuration/guide/12_2sr/ire_12_2sr_book/ire_mib.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-sy/ire-15-sy-book/ire-wid-met.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-sy/ire-15-sy-book/ire-sha-256.html
http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/configuration/guide/12_2sx/nm_12_2sx_book/nm_eem_overview.html
http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/configuration/guide/12_2sx/nm_12_2sx_book/nm_eem_policy_cli.html
http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/configuration/guide/12_2sx/nm_12_2sx_book/nm_eem_policy_tcl.html
http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/configuration/guide/nm_eem_3-2.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/eem/configuration/15-mt/eem-15-mt-book/eem-overview.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/energywise/phase2_5/ios/configuration/guide/2_5ewise.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/energywise/phase2/ios/release/notes/OL19810.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/15-sy/evn-15-sy-book/evn-confg.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/15-sy/evn-15-sy-book/evn-overview.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/15-sy/evn-15-sy-book/evn-confg.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/15-sy/evn-15-sy-book/evn-overview.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/15-sy/evn-15-sy-book/evn-shared-svcs.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/flexlinks.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/flexlinks.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/15-sy/fnf-15-sy-book/cfg-ipv6-brg.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_nman/configuration/15-sy/ip6n-15-sy-book/ip6-tftp-supp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/command/ce-cr-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/command/ce-cr-book/ce-e1.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_lsm/configuration/15-sy/imc-lsm-15-sy-book/imc_ha_mldp.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/qos_policy_based_queueing.html
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-cfg-authentifcn.html
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a3.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_igmp/configuration/15-sy/imc-igmp-15-sy-book/imc_igmpv3_hoststack.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_basic/configuration/15-sy/mp-basic-15-sy-book/mp-ip-aware-mpls-netflow.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_optim/configuration/15-sy/imc-optim-15-sy-book/imc_load_splt_ecmp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-sy/sla-15-sy-book/sla_lsp_mon_autodisc.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-sy/sla-15-sy-book/sla_tcp_conn.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-sy/sla-15-sy-book/sla_ftp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-sy/sla-15-sy-book/sla_dns.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-sy/sla-15-sy-book/sla_http.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/15-sy/ir-15-sy-book/ir-impl-tun.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_rip/command/irr-cr-book/irr-cr-rip.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_rip/configuration/15-sy/bsm-15-sy-book/irr-cfg-info-prot.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_nman/configuration/15-sy/ip6n-15-sy-book/ip6-emb-mgmt.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_nman/configuration/15-sy/ip6n-15-sy-book/ip6-emb-mgmt.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/15-sy/ip6b-15-sy-book/ip6-nd-cache.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_nman/configuration/15-sy/ip6n-15-sy-book/ip6-emb-mgmt.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-sy/sec-data-acl-15-sy-book/ip6-sec-acl-ext.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/15-sy/imc-pim-15-sy-book/imc_basic_ipv6.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-sy/ip6-dev-track.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/15-sy/ip6b-15-sy-book/ip6-neighb-disc.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-sy/ip6-nd-inspect.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/15-sy/iri-15-sy-book/ip6-pbr.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-sy/ip6f-15-sy-book/ip6-ra-guard.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-auth-ipsec.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-sy/sec-sec-for-vpns-w-ipsec-15-sy-book/sec-cfg-vpn-ipsec.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup2T/vlan_acls.html#IPV6_VACL_(Vlan_Access_Control_List)
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup720/vlan_acls.html#IPV6_VACL_(Vlan_Access_Control_List)
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/ip6-mbgp-nsf-gr-rest.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_ldp/configuration/15-sy/mp-ldp-15-sy-book/mp-ldp-igp-synch.html
For a given IS-IS topology, IS-IS determines whether BFD is usable for a given neighbor on that topology. BFD is not usable when BFD is enabled on both sides and the BFD session is down. When multiple BFD sessions are enabled for different address families, such as IPv4 and IPv6, and BFD is not usable for any one address family, BFD is considered not usable for the entire adjacency on that topology. For example, if both IPv4 and IPv6 BFD are enabled for a single topology and either the IPv4 or the IPv6 BFD session is down, the neighbor state is set to DOWN. If BFD is not enabled for a given address family, BFD is considered usable for that address family.
In single-topology mode, the neighbor state is DOWN when either the IPv4 or the IPv6 BFD session is not BFD usable, that is, when BFD is enabled on both sides and the session is DOWN. If BFD is not enabled on either side, BFD usability is set to TRUE. In multi-topology mode, the IS-IS adjacency stays UP as long as any topology is UP; however, the neighbor for a topology where BFD is considered not usable is considered DOWN for that specific topology. For example, if both IPv4 and IPv6 BFD are enabled, the IPv4 session is DOWN, and the IPv6 session is UP, the IS-IS adjacency remains UP; the IPv4 neighbor is considered DOWN and the IPv6 neighbor is considered UP.
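The usability rules above, written out as an added example (not Cisco code) so the single-topology and multi-topology cases can be compared side by side. Assumptions not on the page: each address family's BFD state is a constructed record (enabled locally, enabled remotely, session up), topology names are hypothetical, and, as in the page's own example, multi-topology mode places IPv4 and IPv6 in separate topologies.

```python
"""Model of the IS-IS BFD usability rules for single- and multi-topology mode.

Added example, not Cisco code. Assumptions: per-address-family BFD state is a
constructed record; topology names are hypothetical; in multi-topology mode
IPv4 and IPv6 are separate topologies, as in the page's example.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class AfBfd:
    enabled_local: bool
    enabled_remote: bool
    session_up: bool


def af_bfd_usable(af: AfBfd) -> bool:
    """Not usable only when BFD is enabled on both sides and the session is down.

    If BFD is not enabled for the address family, it is treated as usable.
    """
    if af.enabled_local and af.enabled_remote:
        return af.session_up
    return True


def topology_neighbor_up(afs: Dict[str, AfBfd]) -> bool:
    """A neighbor on one topology is up only if BFD is usable for every AF on it."""
    return all(af_bfd_usable(af) for af in afs.values())


def single_topology_state(afs: Dict[str, AfBfd]) -> str:
    """Single-topology mode: one neighbor state covering all address families."""
    return "UP" if topology_neighbor_up(afs) else "DOWN"


def multi_topology_state(
        topologies: Dict[str, Dict[str, AfBfd]]) -> Tuple[str, Dict[str, str]]:
    """Multi-topology mode: the adjacency is UP while any topology is UP,
    and each topology keeps its own neighbor state."""
    per_topology = {
        name: ("UP" if topology_neighbor_up(afs) else "DOWN")
        for name, afs in topologies.items()
    }
    adjacency = "UP" if any(s == "UP" for s in per_topology.values()) else "DOWN"
    return adjacency, per_topology


# Constructed states: IPv4 session down, IPv6 session up, both enabled on both sides.
V4_DOWN = AfBfd(enabled_local=True, enabled_remote=True, session_up=False)
V6_UP = AfBfd(enabled_local=True, enabled_remote=True, session_up=True)
# IPv4 BFD configured on one side only: no session can form, yet BFD counts as usable.
V4_ONE_SIDED = AfBfd(enabled_local=True, enabled_remote=False, session_up=False)

if __name__ == "__main__":
    print("single-topology:", single_topology_state({"ipv4": V4_DOWN, "ipv6": V6_UP}))
    print("multi-topology:", multi_topology_state(
        {"ipv4": {"ipv4": V4_DOWN}, "ipv6": {"ipv6": V6_UP}}))
```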
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/xe-3s/irb-xe-3s-book/irb-bfd-isis-cbit.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/ip6-bfd-isis-client.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mtr/configuration/15-sy/mtr-15-sy-book/isis-mtr-multicast-address-family.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_isis/configuration/15-sy/irs-15-sy-book/irs-instance-vrf.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_resil/configuration/15-sy/imc-resil-15-sy-book/imc_high_availability.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_ha/configuration/15-sy/mp-ha-15-sy-book/mp-6vpe-6pe-issu-sso.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l2_vpns/configuration/15-sy/mp-l2-vpns-15-sy-book/mp-l2vpn-adv-vpls.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/power_over_ethernet.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/power_over_ethernet.html
– IPv6 Support for IPsec and IKEv2. For more information about this feature, see the “Configuring Internet Key Exchange Version 2 (IKEv2) and FlexVPN Site-to-Site” module and the “Configuring Security for VPNs with IPsec” module at the following links:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-sy/sec-flex-vpn-15-sy-book/sec-cfg-ikev2-flex.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-sy/sec-sec-for-vpns-w-ipsec-15-sy-book/sec-cfg-vpn-ipsec.html
– OSPF for IPv6 (OSPFv3) Authentication Support with IPsec. For more information about this feature, see the “IPv6 Routing: OSPF for IPv6 Authentication Support with IPsec” module at the following link:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-auth-ipsec.html
– Call Home version 2 enhancements.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mdata/configuration/15-sy/mdata-15sy-book/metadata-framework.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_lsm/configuration/15-sy/imc-lsm-15-sy-book/ip6-mcast-mld-limits.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_lsm/configuration/15-sy/imc-lsm-15-sy-book/imc_mldp_filter.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_lsm/configuration/15-sy/imc-lsm-15-sy-book/imc_mldp-based_mvpn.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_ldp/configuration/15-sy/mp-ldp-15-sy-book/mp-ldp-igp-synch.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l2_vpns/configuration/15-sy/mp-l2-vpns-15-sy-book/vpls-o-gre.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l2_vpns/configuration/15-sy/mp-l2-vpns-15-sy-book/mp-pw-status.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_te_path_protect/configuration/15-sy/mp-te-path-protect-15-sy-book/mp-te-bfd-frr.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_te_path_protect/configuration/15-sy/mp-te-path-protect-15-sy-book/mp-te-path-prot.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/15-sy/imc-pim-15-sy-book/imc_mtr.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mtr/configuration/15-sy/mtr-15-sy-book/isis-mtr-multicast-address-family.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/commands/additional_commands.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_serv/configuration/15-sy/imc-serv-15-sy-book/imc_service_reflect.html
The user can now map a set of VPN routing and forwarding (S,G) to a data MDT group in one of the following ways:
– 1:1 mapping (1 permit in ACL)
– Many to 1 mapping (many permits in ACL)
– Many to many mapping (multiple permits in ACL and a nonzero mask data MDT)
Because the total number of configurable data MDTs is 1024, the user can use this maximum number of mappings in any of the described combinations.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-sy/nat-15-sy-book/iadnat-mpls-vpn.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/dot1x_port_based_authentication.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/dot1x_port_based_authentication.html
http://www.cisco.com/c/en/us/td/docs/ios/netflow/command/reference/nf_book/nf_01.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/netflow.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-sy/sec-usr-cfg-15-sy-book/sec-no-svc-pw-recvry.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_resil/configuration/15-sy/imc-resil-15-sy-book/imc_high_availability.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/configuration/15-sy/bsm-15-sy-book/bsm-ntpv4-mib.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/configuration/15-sy/bsm-15-sy-book/bsm-time-calendar-set.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/configuration/15-sy/bsm-15-sy-book/ip6-ntpv4.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/iro-nsr-ospf.html
In the typical hub-and-spoke topology of a campus environment, the wiring closet switches (spokes) connect to the distribution switch (hub) and forward all non-local traffic to the distribution layer. The wiring closet switches do not need to hold a complete routing table. In best-practice designs, the distribution switch sends a default route to the wiring closet switch for reaching inter-area and external routes (OSPF stub area configuration). The OSPF for Routed Access feature supports this type of topology.
The IP Base image supports OSPF for Routed Access. The Enterprise Services image is still required if multiple OSPFv2 and OSPFv3 instances with no route restrictions are required, and it is also required to enable the VRF-lite feature.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/iro-ttl.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/iro-ttl.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-add-fam.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/ip6-route-bfd-ospfv3.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-fastcon.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-gr-rest.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-esp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/command/iro-cr-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-parse-improve.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-aaa-comm-criteria-pwd.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/configuration/15-sy/ce-15-sy-book/ce-per-port-loc-config.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/15-sy/imc-pim-15-sy-book/imc_monitor_maint.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/15-sy/imc-pim-15-sy-book/imc_basic_ipv6.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup2T/power_over_ethernet.html#PoE_Plus_(PoE+,_PoEP)_support
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup720/power_over_ethernet.html#PoE_Plus_(PoE+,_PoEP)_support
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/port_security.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/port_security.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-sy/sec-usr-cfg-15-sy-book/sec-cfg-sec-4cli.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/ip6-aaa-support.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-per-vrf-aaa.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/15-sy/sec-usr-rad-15-sy-book/sec-cfg-radius.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_rsvp/configuration/15-sy/qos-rsvp-15-sy-book/config-rsvp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/saf/configuration/15-sy/saf-15-sy-book/saf-dyn-neigh.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/Cisco_IOS_Configuration_Fundamentals_Command_Reference.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-sy/sec-usr-ssh-15-sy-book/sec-usr-ssh-sec-shell.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-sy/sec-usr-ssh-15-sy-book/sec-secure-shell-v2.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-sy/sec-usr-ssh-15-sy-book/sec-secure-shell-v2.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_ha/configuration/15-sy/mp-ha-15-sy-book/mp-6vpe-6pe-issu-sso.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-sy/irb-15-sy-book/ip6-bfd-static.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/traffic_storm_control.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup720/15_1_sy_swcg_720/traffic_storm_control.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/command/ce-cr-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/command/ce-cr-book/ce-e1.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/ip6-tacacs.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_nman/configuration/15-sy/ip6n-15-sy-book/ip6-tftp-supp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/sec-cts-id-port-map.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/sec-cts-sg-download.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/iro-ttl-sec-ospfv3.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l2_vpns/configuration/15-sy/mp-l2-vpns-15-sy-book/vpls-auto-bgp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l2_vpns/configuration/15-sy/mp-l2-vpns-15-sy-book/vpls-o-gre.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/configuration/15-sy/bsm-15-sy-book/bsm-time-calendar-set.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/esm/configuration/15-sy/esm-15-sy-book/esm-vrf.html
http://www.cisco.com/c/en/us/td/docs/ios/ipv6/command/reference/ipv6_book/ipv6_09.html
http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/command/reference/nm_book/nm_09.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/Cisco_IOS_Configuration_Fundamentals_Command_Reference.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_arp/configuration/15-sy/arp-15-sy-book/arp-vrfaware-arp.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-sy/fhp-15-sy-book/fhrp-vrrpv3.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/15-sy/iap-15-sy-book/iap-wccp-cfg-rtr-id.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/15-sy/iap-15-sy-book/iap-wccp-ftimers.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/wsma/configuration/15-sy/wsma-15-sy-book/wsma.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/wsma/configuration/15-sy/wsma-15-sy-book/wsma-tls.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/wsma/configuration/15-sy/wsma-15-sy-book/wsma.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/xmlpi/configuration/15-sy/xml-pi-15-sy-book/xml-pi.html
Use Cisco Feature Navigator to display supported features that were introduced in earlier releases.
Cisco IOS images for the Supervisor Engine 2T do not support mls commands or mls as a keyword. See this document for a list of some of the mls commands that have been replaced:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/replacement_commands.html
Note Some of the replacement commands support different keyword and parameter values than those supported by the Release 12.2SX commands.
Cisco IOS images for the Supervisor Engine 2T do not support these commands:
Note The IPsec Network Security feature (configured with the crypto ipsec command) is supported in software only for administrative connections to Catalyst 6500 series switches.
These features are not supported in Release 15.1SY:
Note Release 15.1SY supports server load balancing (SLB) as implemented on the Application Control Engine (ACE) module (ACE30-MOD-K9).
Note Release 15.1SY supports the SPAN and VACL redirect features, which have equivalent functionality.
Note Release 15.1SY supports IEEE 802.1Q trunking.
– Internetwork Packet Exchange (IPX)
– NetWare Link-Services Protocol (NLSP)
– Service Advertising Protocol (SAP)
– IPX Access Control List Violation Logging
– IPX Access List Plain English Filters
– IPX Encapsulation for 802.10 VLAN
– IPX Multilayer Switching (IPX MLS)
Note Release 15.1SY supports these spanning tree protocols:
—Rapid Spanning Tree Protocol (RSTP):
• spanning-tree mode rapid-pvst global configuration mode command
• Enabled by default
—Multiple Spanning Tree Protocol (MSTP):
• spanning-tree mode mst global configuration mode command
• Can be enabled
Note Release 15.1SY supports the Firewall Services Module (WS-SVC-FWM-1-K9).
Symptom: An error similar to the following may be observed in the syslogs of a Cisco IOS device:
*May 4 13:40:46.760: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error, -PC= :200CD000+1502CF4 -Traceback= 1#e06f72c62c6bef347348f23bdccc4b7f :200CD000+30D51C0 :200CD000+30D5588 :200CD000+3103724 :200CD000+6F2FD4C :200CD000+1502CF4 :200CD000+15033E0 :200CD000+446FF08 :200CD000+446E0B0 :200CD000+443DA40 :200CD000+442D158 :200CD000+445C0F8
No functional impact is observed.
Conditions: This is currently believed to affect all released versions of IOS code which support the CISCO-ENTITY-EXT-MIB. This may occur when polling the ceExtSysBootImageList object in CISCO-ENTITY-EXT-MIB. This object returns a semicolon-separated list of boot statements on the device, similar to the following:
CISCO-ENTITY-EXT-MIB::ceExtSysBootImageList.5000 = STRING: "flash bootflash:cat4500e-universalk9.SPA.03.04.05.SG.151-2.SG5.bin;flash bootflash:cat4500e-universalk9.SPA.03.04.02.SG.151-2.SG2.bin"
The DATACORRUPTION error occurs under a specific corner case: the total length of the complete boot variables (each counted starting after the 'boot system' token) is less than 255 bytes, but once the semicolons are added (one per boot statement) the total meets or exceeds 255 bytes.
Consider the following example:
boot system bootflash:this_is_a_128_character_long_boot_statement_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
boot system bootflash:this_is_a_125_character_long_boot_statement_yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
128 + 125 + 2 semicolons = 255 characters (bytes)
If another boot statement is added after this, the DATACORRUPTION error will be seen and the SNMP query will return invalid data.
Workaround: Reduce the quantity/length of configured boot variables.
Further Problem Description: This is not known to have any functional impact outside of the (potentially alarming) error message. The error will only be printed once, but subsequent occurrences of this condition can be seen via the 'show data-corruption' command.
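The length arithmetic in this caveat can be turned into a configuration audit. The following Python script is an added example and is not part of the Cisco release notes: it extracts the boot system statements from a running-config excerpt (the excerpt, including the hostname, is constructed for the example), counts each boot variable after the 'boot system' token plus one semicolon per statement as the caveat describes, and flags a configuration whose joined list has reached the 255-byte figure. The function names and the BOOT_LIST_LIMIT constant are this example's own.

```python
import re
from typing import List, Tuple

# Byte figure named in the caveat text for the semicolon-joined boot list.
BOOT_LIST_LIMIT = 255

# Constructed running-config excerpt for this example (not a real device).
# The two boot variables are 128 and 125 characters long, matching the
# arithmetic in the caveat: 128 + 125 + 2 semicolons = 255.
SAMPLE_CONFIG = "\n".join([
    "version 15.1",
    "hostname edge-sw1",
    "boot-start-marker",
    "boot system " + "bootflash:" + "x" * 118,   # 128 characters after the token
    "boot system " + "bootflash:" + "y" * 115,   # 125 characters after the token
    "boot-end-marker",
    "end",
])

# One 'boot system <variable>' per line; trailing whitespace is dropped.
_BOOT_RE = re.compile(r"^\s*boot system\s+(\S.*?)\s*$", re.MULTILINE)


def boot_statements(config: str) -> List[str]:
    """Return each boot variable, i.e. the text after the 'boot system' token."""
    return [m.group(1) for m in _BOOT_RE.finditer(config)]


def boot_list_length(statements: List[str]) -> int:
    """Length of the boot image list with one ';' counted per statement."""
    return sum(len(s) + 1 for s in statements)


def audit_boot_variables(config: str) -> Tuple[int, int, bool]:
    """Return (raw_length, joined_length, at_limit).

    raw_length    - boot variables only, no separators
    joined_length - with one semicolon per statement
    at_limit      - True when the joined list has reached BOOT_LIST_LIMIT,
                    the condition under which the caveat says a further
                    boot statement produces the DATACORRUPTION error
    """
    stmts = boot_statements(config)
    raw = sum(len(s) for s in stmts)
    joined = boot_list_length(stmts)
    return raw, joined, joined >= BOOT_LIST_LIMIT


def report(config: str) -> str:
    """One-line summary for an operator reviewing the configuration."""
    raw, joined, at_limit = audit_boot_variables(config)
    count = len(boot_statements(config))
    status = "at/over limit: shorten or remove boot statements" if at_limit else "ok"
    return f"{count} boot statement(s), {raw} bytes raw, {joined} bytes with separators: {status}"


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Feed the script the text of show running-config; lines other than boot system statements are ignored, so the whole configuration can be passed in unchanged.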
Symptom: The HTTPS client offers only up to SSLv3.0, which is vulnerable to the POODLE attack.
Conditions: Any application that uses the HTTPS client with SSLv3.0.
Workaround: Disable the applications that use the HTTPS client.
Further Problem Description: After the POODLE fix (CSCur23656) in the SSL component, this fix in the HTTP component is also required. After the fix, TLS 1.0 is used; the HTTPS client will offer only TLS 1.0.
Symptom: A 7200 router crashes during multiple session validations.
Conditions: The 7200 platform crashes when two certificate validations are in progress at the same time.
Further Problem Description: This defect is more visible on the 7200 platform than on any other platform. It is not limited to GetVPN configurations; it also occurs with other configurations, such as IKEv2.
Symptom: Router may become unresponsive. Memory is all used up and no longer available for other processes. Router may eventually reload on its own OR would need to be reloaded manually, to restore services.
Conditions: Normal operations.
Workaround: Track Used memory and when it approaches 70-80% utilization levels, please schedule a reload.
Further Problem Description: The output of show process mem sorted will show an increase in Used memory. Memory held by the Chunk Manager and CCSIP_TLS_SOCKET processes will show a corresponding increase. The output of show mem all totals will show an increase for List Headers.
Symptom: A vulnerability in the IPv6 snooping feature from the first-hop security features in Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to insufficient Control Plane Protection (CPPr) against specific IPv6 ND packets. An attacker could exploit this vulnerability by sending a flood of traffic consisting of specific IPv6 ND packets to an affected device where the IPv6 snooping feature is configured.
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-6278 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: A vulnerability in the IPv6 snooping feature from the first-hop security features in Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to insufficient validation of IPv6 ND packets that use the Cryptographically Generated Address (CGA) option. An attacker could exploit this vulnerability by sending a malformed packet to an affected device where the IPv6 Snooping feature is enabled. Cisco has released software updates that address these vulnerabilities. There are no workarounds to mitigate these vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-fhs
Note The September 23, 2015, release of the Cisco IOS and IOS XE Software Security Advisory bundled publication includes three Cisco Security Advisories. All the advisories address vulnerabilities in Cisco IOS Software and Cisco IOS XE Software. Individual publication links are in Cisco Event Response: September 2015 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep15.html
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-6279 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: This product includes a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2015-4000, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, CVE-2015-1791, CVE-2014-8176
This bug has been opened to address the potential impact on this product.
Conditions: The following Cisco IOS features may invoke the affected code and might be vulnerable:
- SSLVPN feature (for any platform running IOS) ("webvpn gateway")
- SSLVPN feature (for CSR1000V running IOS-XE) ("crypto ssl profile")
- HTTPS client feature ("copy https://......", DynDNS client,...)
- Voice-XML HTTPS client feature
- HTTPS server feature ("ip http secure-server")
- Settlement for Packet Telephony feature
Workaround: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: Cisco IOS and IOS-XE include a version of OpenSSL that may be affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3505 - Double Free when processing DTLS packets
CVE-2014-3506 - DTLS memory exhaustion
CVE-2014-3507 - DTLS memory leak from zero-length fragments
CVE-2014-3508 - Information leak in pretty printing functions
CVE-2014-3509 - Race condition in ssl_parse_serverhello_tlsext
CVE-2014-3510 - OpenSSL DTLS anonymous EC(DH) denial of service
CVE-2014-3511 - OpenSSL TLS protocol downgrade attack
CVE-2014-3512 - SRP buffer overrun
CVE-2014-5139 - Crash with SRP ciphersuite in Server Hello message
This bug has been opened to address the potential impact on this product.
Conditions: See published Cisco Security Advisory
Further Problem Description: At this point the investigation is ongoing; this bug will be updated in the future to better reflect the real impact on the product.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: This product includes a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206
This bug has been opened to address the potential impact on this product.
Conditions: The following Cisco IOS features may invoke the affected code and may be vulnerable:
- SSLVPN feature (for any platform running IOS) ("webvpn gateway")
- SSLVPN feature (for CSR1000V running IOS-XE) ("crypto ssl profile")
- HTTPS client feature ("copy https://......", DynDNS client,...)
- Voice-XML HTTPS client feature
- HTTPS server feature ("ip http secure-server")
- Settlement for Packet Telephony feature
Affected Versions: One or more of these vulnerabilities affect all versions of IOS prior to the versions listed in the Integrated In field of this defect.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 5.0/3.7
http://tools.cisco.com/security/center/cvssCalculator.x?version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: This product includes a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288
This bug has been opened to address the potential impact on Cisco IOS and IOS-XE products.
Conditions: The following Cisco IOS features may invoke the affected code and might be vulnerable:
- SSLVPN feature (for any platform running IOS) ("webvpn gateway")
- SSLVPN feature (for CSR1000V running IOS-XE) ("crypto ssl profile")
- HTTPS client feature ("copy https://......", DynDNS client,...)
- Voice-XML HTTPS client feature
- HTTPS server feature ("ip http secure-server")
- Settlement for Packet Telephony feature
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 7.1/6.9
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: A vulnerability in the TCL script interpreter of Cisco IOS Software could allow an authenticated, local attacker to escalate their privileges from those of a non-privileged user to a privileged (level 15) user. This would allow a non-privileged user to execute privileged commands (those under privilege level 15). The vulnerability is due to an error on resetting VTY privileges after running a TCL script. An attacker could exploit this vulnerability by establishing a session to an affected device immediately after a TCL script has been run. An attacker would need to provide valid credentials and successfully pass authentication to the device.
Conditions: This behavior is timing dependent, as the attacker would need to log-in to the device immediately after the TCL script finishes execution.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.6/5.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.
CVE ID CVE-2015-4185 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
A vulnerability in the TCP input module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak and eventual reload of the affected device. The vulnerability is due to improper handling of certain crafted packet sequences used in establishing a TCP three-way handshake. An attacker could exploit this vulnerability by sending a crafted sequence of TCP packets while establishing a three-way handshake. A successful exploit could allow the attacker to cause a memory leak and eventual reload of the affected device.
There are no workarounds for this vulnerability.
Cisco has released free software updates that address this vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-tcpleak
Note The March 25, 2015, Cisco IOS Software Security Advisory bundled publication includes seven Cisco Security Advisories. The advisories address vulnerabilities in Cisco IOS Software and Cisco IOS XE Software. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar15.html
Symptom: A 6500 reloads after negotiating an IPSec tunnel with ASR9000.
Conditions: The 6500 needs to run 12.2(33)SXJ8 and the IPsec engine must be a WS-SSC-600 WS-IPSEC-3 combination. This crash does not happen with the 7600-SSC-400 IPSEC-2 combination.
Further Problem Description: A vulnerability in the IKE subsystem of Cisco WS-IPSEC-3 service module could allow an authenticated, remote attacker to cause a reload of the Catalyst switch. The vulnerability is due to insufficient bounds checks on a specific message during the establishment of an IPSEC tunnel. An attacker could exploit this vulnerability by successfully establishing an IKE session and sending the offending packet during subsequent negotiations. An exploit could allow the attacker to cause a denial of service by forcibly reloading the switch.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.9/4.9:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:U/RC:C&version=2.0
CVE ID CVE-2015-0771 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: A vulnerability in the implementation of the IP version 6 (IPv6) protocol stack in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause I/O memory depletion on an affected device that has IPv6 enabled. The vulnerability is triggered when an affected device processes a malformed IPv6 packet.
Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ipv6
Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication.
Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-2113 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Other Resolved Caveats in Release 15.1(2)SY3
Symptom: A vulnerability in TCP stack of Cisco IOS Software could allow an unauthenticated, remote attacker to cause an ACK storm.
The vulnerability is due to improper closing of the established TCP connection. An attacker could exploit this vulnerability by sending a crafted sequence of TCP ACK and FIN packets to an affected device. An exploit could allow the attacker to cause an ACK storm resulting in excessive network utilization and high CPU.
Conditions: Multiple FIN/ACK packets are received.
Workaround: Use clear tcp tcb 0x......, where the hex value is the address of the TCB stuck in the LASTACK state in show tcp brief.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2013-5469 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5469
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Other Resolved Caveats in Release 15.1(2)SY2
Symptom: If a linecard is reset (either due to an error or a command such as hw-module slot reload) at the precise time an SNMP query is trying to communicate with that linecard, the RP could reset due to a CPU vector 400 error.
Conditions: This symptom occurs when the linecard is reset (either due to error or a command such as hw-module slot reload) at the precise time an SNMP query is received.
Workaround: There is no workaround.
Resolved ios-authproxy Caveats
Symptom: Local webauth and HTTP services stop responding on the switch.
Conditions: The output of show processes | inc HTTP Proxy lists many instances of the “HTTP Proxy” process, and these do not disappear.
Workaround: The HTTP Proxy service may experience delay due to an incorrectly terminated HTTP or TCP session. In some cases, increasing the value of ip admission max-login-attempts works around this issue. In others, the stuck “HTTP Proxy” service will again become available after a TCP timeout.
Some browsers and background processes using HTTP transport can create incorrectly terminated HTTP/TCP sessions. If webauth clients are under control, changing web browsers or eliminating background processes that use HTTP transport may eliminate triggers for this issue.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-4658 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptoms: Cisco router hangs until a manual power cycle is done. If the scheduler isr-watchdog command is configured, the device will crash and recover instead of hanging until a power cycle is done.
Conditions: This is seen with websense URL filtering enabled and with zone based firewalls.
Workaround: Disable URL-based filtering.
Symptoms: Packets sent by the Cisco IOS NTP server will have the IP identification field set to zero, behavior which may be flagged as a vulnerability by some security scanners.
Conditions: NTP server configured on Cisco IOS
Workaround: There is no workaround.
Further Problem Description: Other UDP-based services on IOS (SNMP and DHCP as two examples) set the IP ID field to a nonzero value. As CVE-2002-0510 was originally reported as a way to identify a device as running a Linux 2.4-based kernel, the actual value of using this as a method to identify the underlying OS is very low.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE ID CVE-2002-0510 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptoms: Under certain conditions, an IOS device can crash, with the following error message printed on the console:
“%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = SSH Proc”
Conditions: If an SSH connection to the IOS device is slow or idle, it may cause the device to crash with the error message printed on the console.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVE ID CVE-2012-5014 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Other Resolved Caveats in Release 15.1(2)SY
Symptom: This is the Cisco response to research performed by Mr. Philipp Schmidt and Mr. Jens Steube from the Hashcat Project on the weakness of Type 4 passwords on Cisco IOS and Cisco IOS XE devices. Mr. Schmidt and Mr. Steube reported this issue to the Cisco PSIRT on March 12, 2013.
Cisco would like to thank Mr. Schmidt and Mr. Steube for sharing their research with Cisco and working toward a coordinated disclosure of this issue.
A limited number of Cisco IOS and Cisco IOS XE releases based on the Cisco IOS 15 code base include support for a new algorithm to hash user-provided plaintext passwords. This algorithm is called Type 4, and a password hashed using this algorithm is referred to as a Type 4 password. The Type 4 algorithm was designed to be a stronger alternative to the existing Type 5 and Type 7 algorithms to increase the resiliency of passwords used for the enable secret password and username username secret password commands against brute-force attacks.
This Cisco Security Response is available at http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4
Conditions: See the published Cisco Security Response.
Workaround: See the published Cisco Security Response.
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and a Cisco Security Response is available at http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Resolved ios-authproxy Caveats
Symptom: Local webauth and HTTP services stop responding on the switch.
Conditions: The output of show processes | inc HTTP Proxy lists many instances of the “HTTP Proxy” service, and these do not disappear.
Workaround: The HTTP Proxy service may experience delay due to an incorrectly terminated HTTP or TCP session. In some cases, increasing the value of ip admission max-login-attempts works around this issue. In others, the stuck “HTTP Proxy” service will again become available after a TCP timeout.
Some browsers and background processes using HTTP transport can create incorrectly terminated HTTP/TCP sessions. If webauth clients are under control, changing web browsers or eliminating background processes that use HTTP transport may eliminate triggers for this issue.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-4658 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: The load balancing feature of the Cisco IOS FlexVPN solution does not provide an authentication facility to prevent unauthorized members from joining the load balancing cluster. An attacker may therefore impact the integrity of the FlexVPN system by inserting a rogue cluster member and having the load balancing master forward VPN sessions to it. A number of secondary effects, including black-holing of some of the VPN traffic, may be triggered by this issue.
Conditions: FlexVPN with the Load Balancing feature active.
Workaround: CoPP and interface access lists can be used to allow only trusted routers to join the load balancer cluster.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:W/RC:C
CVE ID CVE-2012-5032 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: A vulnerability in the TCP stack of Cisco IOS Software could allow an unauthenticated, remote attacker to cause an ACK storm.
The vulnerability is due to improper closing of the established TCP connection. An attacker could exploit this vulnerability by sending a crafted sequence of TCP ACK and FIN packets to an affected device. An exploit could allow the attacker to cause an ACK storm resulting in excessive network utilization and high CPU.
Conditions: Multiple FIN/ACK packets are received.
Workaround: Issue clear tcp tcb 0x......, where the hex value is the address of the TCB stuck in the LASTACK state as shown in show tcp brief.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2013-5469 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5469
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: UDP-based entries are not deleted from the flowmgr table, resulting in a crash or poor system response, with CPU hog messages being shown.
Conditions: Affected platforms (images): ct5760-ipservicesk9.bin, cat3k_caa-universalk9.bin, cat4500e-universalk9.bin
The device is configured with UDP services that originate from the device. This includes, but is not limited to, the following features:
• TFTP
• EnergyWise
• DNS
• Cisco TrustSec
Workaround: If you suspect that you are affected by this bug, run the following for confirmation:
Router#config terminal
Router(config)#service internal
Router(config)#end
Router#show flowmgr
The output of this command will show many flow entries being held with the same port numbers. Disabling the feature whose flows are being held, until an upgrade can be performed, is a workaround.
A reload is required to clear the held flows.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-6704 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6704
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Other Resolved Caveats in Release 15.1(1)SY3
A vulnerability in the DHCP implementation of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability occurs during the parsing of crafted DHCP packets. An attacker could exploit this vulnerability by sending crafted DHCP packets to an affected device that has the DHCP server or DHCP relay feature enabled. An exploit could allow the attacker to cause a reload of an affected device.
Cisco has released free software updates that address this vulnerability. There are no workarounds to this vulnerability.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-dhcp
Note: The September 25, 2013, Cisco IOS Software Security Advisory bundled publication includes eight Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the September 2013 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep13.html
Symptom: If a linecard is reset (either due to an error or a command such as hw-module slot reload) at the precise time an SNMP query is trying to communicate with that linecard, the RP could reset due to a CPU vector 400 error.
Conditions: This symptom occurs when the linecard is reset (either due to error or a command such as hw-module slot reload) at the precise time an SNMP query is received.
Workaround: There is no workaround.
Symptom: A vulnerability in the Zone-Based Firewall (ZBFW) component of Cisco IOS Software could allow an unauthenticated, remote attacker to cause an affected device to hang or reload.
The vulnerability is due to improper processing of specific HTTP packets when the device is configured for either Cisco IOS Content Filtering or HTTP application layer gateway (ALG) inspection. An attacker could exploit this vulnerability by sending specific HTTP packets through an affected device. An exploit could allow the attacker to cause an affected device to hang or reload.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-cce
Symptom: A vulnerability in the Resource Reservation Protocol (RSVP) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger an interface queue wedge on the affected device.
The vulnerability is due to improper parsing of UDP RSVP packets. An attacker could exploit this vulnerability by sending UDP port 1698 RSVP packets to the vulnerable device. An exploit could cause Cisco IOS Software and Cisco IOS XE Software to incorrectly process incoming packets, resulting in an interface queue wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other denial of service (DoS) conditions.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-rsvp
Symptoms: Under certain conditions, an IOS device can crash, with the following error message printed on the console:
“%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = SSH Proc”
Conditions: If an SSH connection to the IOS device is slow or idle, it may cause the device to crash with the error message printed on the console.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVE ID CVE-2012-5014 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Other Resolved Caveats in Release 15.1(1)SY2
Symptoms: IOS password length is limited to 25 characters.
Conditions: IOS password length is limited to 25 characters on NG3K products.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Resolved accsw-ease-of-use Caveats
The Smart Install client feature in Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
Affected devices that are configured as Smart Install clients are vulnerable.
Cisco has released free software updates that address this vulnerability. There are no workarounds for devices that have the Smart Install client feature enabled.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-smartinstall
Symptoms: Unable to form IPSec tunnels due to error: “RM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license.”
Conditions: Even though the router does not have 225 IPsec SA pairs, the error will prevent new IPsec tunnels from forming. Existing IPsec SAs are not affected.
Workaround: Reboot to clear the leaked counter, or install hsec9, which disables CERM (Crypto Export Restrictions Manager).
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.8/2.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:M/C:N/I:N/A:P/E:U/RL:W/RC:C
No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: Cisco ASR 1000 devices running an affected version of IOS-XE contain a denial of service vulnerability due to the improper handling of malformed IKEv2 packets. An authenticated, remote attacker with a valid VPN connection could trigger this issue, resulting in a reload of the device. Devices configured with redundant Route Processors may remain active as long as the attack is not repeated before the affected Route Processor comes back online.
Conditions: Cisco ASR1000 devices configured for IPsec VPN connectivity and running an affected version of Cisco IOS-XE are affected. Only authenticated IKEv2 connections are susceptible to this vulnerability.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5017 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
The Resource Reservation Protocol (RSVP) feature in Cisco IOS Software and Cisco IOS XE Software contains a DoS vulnerability.
Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate this vulnerability.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-rsvp
Note: The March 27, 2013, Cisco IOS Software Security Advisory bundled publication includes seven Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2013 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar13.html
The Cisco IOS Software implementation of the virtual routing and forwarding (VRF) aware network address translation (NAT) feature contains a vulnerability when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-nat
Note: The March 27, 2013, Cisco IOS Software Security Advisory bundled publication includes seven Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2013 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar13.html
Other Resolved Caveats in Release 15.1(1)SY1
Symptom: Router crashes on an authentication RESPONSE with GETUSER when the getuser-header-flags value is modified and sent.
Conditions: TACACS single-connection is configured. With authorization configured, Telnet to the router; then remove authorization and Telnet to the router again.
Workaround: Do not use TACACS single-connection option.
The server side of the Secure Copy (SCP) implementation in Cisco IOS software contains a vulnerability that could allow authenticated users with an attached command-line interface (CLI) view to transfer files to and from a Cisco IOS device that is configured to be an SCP server, regardless of what users are authorized to do, per the CLI view configuration. This vulnerability could allow valid users to retrieve or write to any file on the device’s file system, including the device’s saved configuration and Cisco IOS image files, even if the CLI view attached to the user does not allow it. This configuration file may include passwords or other sensitive information.
The Cisco IOS SCP server is an optional service that is disabled by default. CLI views are a fundamental component of the Cisco IOS Role-Based CLI Access feature, which is also disabled by default. Devices that are not specifically configured to enable the Cisco IOS SCP server, or that are configured to use it but do not use role-based CLI access, are not affected by this vulnerability.
This vulnerability does not apply to the Cisco IOS SCP client feature.
Cisco has released free software updates that address this vulnerability.
There are no workarounds available for this vulnerability apart from disabling either the SCP server or the CLI view feature if these services are not required by administrators.
This advisory is posted at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-scp
Symptoms: Kerberos/Encrypted Telnet code needs to be improved. There is a potential buffer overflow condition in the code. There is no proof of an attack vector/exploit. However, the code needs to be improved.
Conditions: Cisco IOS device configured for Kerberos/Encrypted Telnet access.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:U/RC:UC
No CVE ID has been assigned to this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptoms: Active RP may crash while processing packets.
Conditions: Device is processing packets which are being punted to the RP at a rate faster than memory can be allocated or deallocated.
Workaround: Implementing a CoPP policy rate-limiting packets punted to the RP may be a workaround, depending on specific circumstances and traffic pattern.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-1317 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptoms: Cisco ASR 1000 Series Aggregation Services Routers configured for Multicast Listener Discovery (MLD) tracking for IPv6 may reload after receiving certain MLD packets. The following traceback will be shown in the logs.
Exception to IOS Thread: Frame pointer 4081B7D8, PC = 1446A878
ASR1000-EXT-SIGNAL: U_SIGSEGV(11), Process = MLD
Conditions: Cisco ASR 1000 Series Aggregation Services Routers configured for Multicast Listener Discovery (MLD) tracking for IPv6.
Workaround: The only workaround is to disable MLD tracking.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C
CVE ID CVE-2012-1366 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptoms: A router may forward IP packets even when IP processing is disabled on the incoming interface.
Conditions: This symptom is observed on all Cisco routers running Cisco Express Forwarding (CEF).
Workaround: Configure an inbound access-list denying all traffic on the interface without an IP address. Example:
access-list 100 deny ip any any
int x
 no ip address
 ip access-group 100 in
Symptoms: After launching a flood of random IPv6 router advertisements when an interface is configured with “ipv6 address autoconf”, removing the IPv6 configuration on the interface with “no ipv6 address autoconf” may cause a reload. Other system instabilities are also possible during and after the flood of random IPv6 router advertisements.
Conditions: Cisco IOS is configured with “ipv6 address autoconf”.
Workaround: Not using IPv6 autoconfiguration.
Further Information: Cisco IOS checks for the hop limit field in incoming Neighbour Discovery messages and packets received with a hop limit not equal to 255 are discarded. This means that the flood of ND messages has to come from a host that is directly connected to the Cisco IOS device.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2010-4671 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptoms: Cisco IOS Software on the Catalyst 6500 and 7600 may crash after removing/readding object-group configuration.
Workaround: Perform object-group changes in this order:
• First remove the ACLs which are referencing the object-group
• Then remove/rebuild the object-group
Cisco IOS Software on the Catalyst 6500 and 7600 series contains a vulnerability that could allow an authenticated, local attacker to cause a reload of an affected device.
The vulnerability is due to a logic issue in the ACL code. An attacker could exploit this vulnerability by editing the ACLs on the device.
An exploit could allow the attacker to reload the affected device.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.6/3.8: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5037 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Summary: Cisco IOS Software contains a vulnerability in the Border Gateway Protocol (BGP) routing protocol feature.
The vulnerability can be triggered when the router receives a malformed attribute from a peer on an existing BGP session.
Successful exploitation of this vulnerability can cause all BGP sessions to reset. Repeated exploitation may result in an inability to route packets to BGP neighbors during reconvergence times.
Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-bgp
Note: The September 26, 2012, Cisco IOS Software Security Advisory bundled publication includes 9 Cisco Security Advisories. Eight of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the September 2012 bundled publication.
Individual publication links are in “Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep12.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-4617 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: An IOS router may crash under certain circumstances when receiving an mvpnv6 update.
Conditions: An mvpnv6 update is received.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-3895 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
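The PSIRT Evaluation lines throughout this section each give a CVSS version 2 base/temporal score beside the vector string it was derived from. The following Python script is an added example, not Cisco code: it parses such a vector and recomputes both scores from the CVSS v2 equations and metric weights, so a stated score can be checked against its vector; the five vectors in the sample run are copied from entries in this section.

```python
"""Recompute CVSS version 2 base and temporal scores from a vector string.

Added example for checking the PSIRT scores quoted in these release notes;
this is not Cisco code. The weights and equations are those of the CVSS v2
specification. Decimal arithmetic is used so the rounding is exact and
reproducible (CVSS rounds to one decimal place, half up).
"""
from decimal import Decimal, ROUND_HALF_UP

# Base metric weights (CVSS v2).
AV = {"L": Decimal("0.395"), "A": Decimal("0.646"), "N": Decimal("1.0")}
AC = {"H": Decimal("0.35"), "M": Decimal("0.61"), "L": Decimal("0.71")}
AU = {"M": Decimal("0.45"), "S": Decimal("0.56"), "N": Decimal("0.704")}
CIA = {"N": Decimal("0"), "P": Decimal("0.275"), "C": Decimal("0.660")}
# Temporal metric weights; "ND" (not defined) never lowers the score.
E = {"U": Decimal("0.85"), "POC": Decimal("0.9"), "F": Decimal("0.95"),
     "H": Decimal("1.0"), "ND": Decimal("1.0")}
RL = {"OF": Decimal("0.87"), "TF": Decimal("0.90"), "W": Decimal("0.95"),
      "U": Decimal("1.0"), "ND": Decimal("1.0")}
RC = {"UC": Decimal("0.90"), "UR": Decimal("0.95"), "C": Decimal("1.0"),
      "ND": Decimal("1.0")}


def _round1(value: Decimal) -> float:
    """Round half up to one decimal, as the CVSS v2 equations require."""
    return float(value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:L/.../RC:C' into {'AV': 'N', ...}.

    Raises ValueError on a malformed part, an unknown metric value, or a
    missing base metric, so a mistyped vector cannot silently score as 0.
    """
    tables = {"AV": AV, "AC": AC, "Au": AU, "C": CIA, "I": CIA, "A": CIA,
              "E": E, "RL": RL, "RC": RC}
    metrics = {}
    for part in vector.strip().split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in tables or value not in tables[name]:
            raise ValueError(f"bad CVSS v2 metric {part!r}")
        metrics[name] = value
    missing = [m for m in ("AV", "AC", "Au", "C", "I", "A") if m not in metrics]
    if missing:
        raise ValueError(f"missing base metric(s): {missing}")
    return metrics


def base_score(m: dict) -> float:
    """Base equation: (0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact)."""
    impact = Decimal("10.41") * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]])
                                 * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    # f(Impact) is 0 when there is no impact at all, else 1.176.
    f_impact = Decimal("0") if impact == 0 else Decimal("1.176")
    raw = (Decimal("0.6") * impact + Decimal("0.4") * exploitability
           - Decimal("1.5")) * f_impact
    return _round1(raw)


def temporal_score(m: dict) -> float:
    """Temporal equation: the rounded base score times E, RL and RC."""
    base = Decimal(str(base_score(m)))
    e = E[m.get("E", "ND")]
    rl = RL[m.get("RL", "ND")]
    rc = RC[m.get("RC", "ND")]
    return _round1(base * e * rl * rc)


def score(vector: str) -> tuple:
    """Return (base, temporal) for a CVSS v2 vector string."""
    m = parse_vector(vector)
    return base_score(m), temporal_score(m)


def matches_stated(vector: str, stated: str) -> bool:
    """Check a 'base/temporal' pair as printed in a PSIRT line, e.g. '5/4.1'."""
    stated_base, stated_temporal = (float(x) for x in stated.split("/"))
    return score(vector) == (stated_base, stated_temporal)


if __name__ == "__main__":
    # Vectors and stated scores copied from PSIRT lines in these release notes.
    entries = [
        ("CVE-2012-4658", "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C", "5/4.1"),
        ("CVE-2012-5014", "AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C", "6.3/5.5"),
        ("CVE-2012-5032", "AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:W/RC:C", "4.3/3.9"),
        ("CVE-2013-6704", "AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C", "5.4/4.5"),
        ("CVE-2012-4617", "AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C", "7.1/5.9"),
    ]
    for cve, vector, stated in entries:
        base, temporal = score(vector)
        flag = "ok" if matches_stated(vector, stated) else "MISMATCH"
        print(f"{cve}: computed {base}/{temporal}, stated {stated} -> {flag}")
```

A MISMATCH means the printed pair and its vector disagree, which is worth resolving before the score is used to rank an entry for patching.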
Symptom: Traceroute output becomes incorrect because the VSA does not decrement the TTL on the packet after decryption.
Conditions: The symptom is observed when IPsec is configured with a C7200 NPE-G2 VSA.
Workaround: Disable the hardware crypto engine; use VTI.
Symptom: If a cert map is changed or added to the trustpoint, the public key cache for the peers is not cleared. This makes it possible for a client that connected in the past to reconnect even if its certificate was banned by the cert map.
Updated the ‘Configuring Authorization and Revocation of Certificates in a PKI’ module with a note indicating that if a certificate map is changed or added to the trustpoint, the public key cache for the peers is not cleared.
The link to the latest document is: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-cfg-authentifcn.html
Symptom: A peer’s key is cached indefinitely in the key cache.
The following messages indicate bypassing the revocation check.
Conditions: A method (OCSP, CDP, etc.) to check for certificate revocation is used, then it is changed to “none” (“revocation check none”), and finally it is changed back to some revocation method.
This configuration transition “revocation check -> no revocation check -> revocation check” is what causes a problem.
Further Information: The problem is independent of which revocation method is used (OCSP, CDP). The problem occurs when revocation checking is disabled with the command “revocation none”. This caches the peer’s key in the cache indefinitely. After this, turning on any revocation method has no effect; validation always succeeds because the keys are cached.
The problem only occurs if someone turns off revocation and then later realizes that it was a mistake and turns it back on. If a remote peer’s key is cached within that period, that cache entry is never deleted. End Result: If the same remote peer tries to establish the tunnel again, validation is bypassed and the device does not check whether it is still a valid peer.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.0/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
CVE ID CVE-2011-0935 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: Login success and failure messages only display the first 32 bits of the IPv6 source address in IPv4 format.
*Aug 5 19:39:07.195: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 252.0.0.0] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 19:39:07 EST Wed Aug 5 2009
– Telnet or SSH from IPv6 enabled device to IPv6 address on router or switch.
– Have login success and failure logging enabled.
Further Problem Description: The IPv4 address is derived from the first 32 bits of the IPv6 address.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
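The login-logging caveat above produces a misleading source field: the first 32 bits of the IPv6 address are printed as an IPv4 dotted-quad, so a ULA client such as fc00::1 is logged as 252.0.0.0. The example below is added here and is not Cisco code; it reproduces the defective rendering, and shows how a log reviewer can flag affected entries and recover the only information the defective field still carries (the /32 IPv6 prefix). The second log line and the IPv6 addresses used are constructed for the example; the first line is the one quoted in the caveat. The detection heuristic keys on 240.0.0.0/4 (reserved IPv4 space that no real client uses), which is exactly where fc00::/7 and fe80::/10 land after truncation; global IPv6 addresses (2000::/3) truncate into ordinary IPv4 ranges and cannot be distinguished this way.

```python
import ipaddress
import re

# Sample log lines: the first is the entry quoted in the caveat, the second is
# constructed for this example (an ordinary IPv4 login that must not be flagged).
SAMPLE_LOG = [
    "*Aug 5 19:39:07.195: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] "
    "[Source: 252.0.0.0] [localport: 23] [Reason: Login Authentication Failed - BadPassword] "
    "at 19:39:07 EST Wed Aug 5 2009",
    "*Aug 5 19:40:11.002: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] "
    "[Source: 192.0.2.10] [localport: 22] at 19:40:11 EST Wed Aug 5 2009",
]

SOURCE_RE = re.compile(r"\[Source: (?P<src>[^\]]+)\]")
# Reserved IPv4 space (class E): never a legitimate IPv4 source, but the
# landing zone for truncated ULA (fc00::/7) and link-local (fe80::/10) addresses.
RESERVED_V4 = ipaddress.ip_network("240.0.0.0/4")


def defective_rendering(ipv6_text: str) -> str:
    """Reproduce the defect: format only the first 4 bytes of the 16-byte
    IPv6 address as an IPv4 dotted-quad."""
    packed = ipaddress.IPv6Address(ipv6_text).packed
    return str(ipaddress.IPv4Address(packed[:4]))


def extract_source(line: str):
    """Return the text inside the [Source: ...] field, or None."""
    m = SOURCE_RE.search(line)
    return m.group("src") if m else None


def recover_ipv6_prefix(dotted: str) -> str:
    """Invert the truncation as far as possible: 4 bytes identify a /32 IPv6
    prefix, never the full host address."""
    high32 = int(ipaddress.IPv4Address(dotted))
    return str(ipaddress.IPv6Network((high32 << 96, 32)))


def flag_truncated_sources(lines):
    """Return (index, logged_source, recovered_prefix) for every entry whose
    IPv4 source lies in reserved 240/4 space, i.e. is very likely a
    truncated IPv6 address rather than a real IPv4 client."""
    findings = []
    for i, line in enumerate(lines):
        src = extract_source(line)
        if src is None:
            continue
        try:
            v4 = ipaddress.IPv4Address(src)
        except ValueError:
            continue  # already a proper IPv6 address or an unparsable field
        if v4 in RESERVED_V4:
            findings.append((i, src, recover_ipv6_prefix(src)))
    return findings


if __name__ == "__main__":
    for addr in ("fc00::1", "fe80::1", "2001:db8::1"):
        print(f"{addr:>14} is logged as {defective_rendering(addr)}")
    for idx, src, prefix in flag_truncated_sources(SAMPLE_LOG):
        print(f"line {idx}: source {src} is probably a truncated IPv6 address in {prefix}")
```

Until the fix is deployed, the practical mitigation is to correlate such entries with the AAA server or the TCP session table rather than trusting the printed source, since the /32 prefix is all the field preserves.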
Symptoms: An SSH session that is initiated from a router that is running affected Cisco IOS software may cause the router to reboot.
Conditions: Occurs when performing an SSH client session from the router.
Workaround: Do not initiate an SSH session from the device.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.6/4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVE ID CVE-2012-4638 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: Router crash with Segmentation fault(11)
Conditions: Observed on routers acting as an IPsec hub using certificates.
Workaround: None
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2011-4231 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptoms: Certain SSH version 2 packets may cause a memory leak on a Cisco IOS device configured for SSH. Authentication is needed in order to exploit this vulnerability.
Conditions: This issue is observed on a Cisco IOS device configured for SSH version 2 after it has received malformed SSHv2 packets. Successful exploitation may cause system degradation or a partial denial of service condition on an affected device.
Workaround: The only workaround is to disable SSH version 2.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:U/RC:C
CVE ID CVE-2011-3312 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: A VPN client using RSA-SIG can access a profile to which its CA trustpoint is not anchored.
Workaround: Restrict access by using a certificate-map matching the right issuer.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:N/A:N/E:POC/RL:W/RC:C No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: A certificate that should not be allowed bypasses validation checks.
Conditions: This happens when the PKI validation test command is used.
Workaround: Do not use the PKI validation test command.
Further Information: The PKI validation test command invokes the pubkey insert API, which at times erroneously adds pubkey entries when it should not. This results in all subsequent validations being bypassed for the same certificate.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 1.7/1.4:
https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:L/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C/CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
No CVE ID has been assigned to this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptoms: A Cisco router may crash when the show dmvpn or show dmvpn detail commands are entered.
Conditions: This symptom is observed when the device is running Cisco IOS and configured with DMVPN. The crash occurs when the show dmvpn or show dmvpn detail commands are entered two or more times.
Workaround: There is no known workaround.
Symptoms: Upgrade from 12.2(18)SXF6 to 12.2(33)SXH5 introduced additional vty lines to the running-configuration (vty lines 5 - 15). These new lines do not inherit the security ACL or transports configured by the customer on the old lines (0-4). The switch upgrade caused the device to be non-compliant with the network security policy defined by the customer.
Condition: Software upgrade from 12.2(18)SXF6 to 12.2(33)SXH5.
Workaround: Manually configure the ACL on the newly introduced vty lines.
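Because the new vty lines appear silently, a post-upgrade compliance check is the defensive control: parse the running-config, confirm every "line vty" block carries an access-class and a restricted transport, and emit the commands that bring a stray block back into line. The example below is added here and is not Cisco code; the running-config excerpt is constructed to mirror the caveat (vty 0 4 hardened by the customer, vty 5 15 added by the upgrade with no ACL and telnet open), and the expected ACL number 10 is an assumption of the example.

```python
import re

# Constructed running-config excerpt (not from the release notes): the
# original vty 0 4 block carries the customer's ACL and transport restriction;
# the upgrade-added vty 5 15 block inherits neither.
SAMPLE_CONFIG = """\
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
line con 0
 logging synchronous
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
end
"""

LINE_VTY_RE = re.compile(r"^line vty (\d+) (\d+)$")


def parse_vty_blocks(config_text):
    """Return a list of (first, last, [subcommands]) for each 'line vty' block.
    IOS indents a block's subcommands by one space; any unindented line ends
    the block."""
    blocks = []
    current = None
    for raw in config_text.splitlines():
        if raw.startswith(" ") and current is not None:
            current[2].append(raw.strip())
            continue
        current = None
        m = LINE_VTY_RE.match(raw.strip())
        if m:
            current = (int(m.group(1)), int(m.group(2)), [])
            blocks.append(current)
    return blocks


def audit_vty(config_text, required_acl=None):
    """Return [(range_label, [problems])] for vty blocks that lack an inbound
    access-class, use an unexpected ACL, lack a transport restriction, or
    still permit telnet."""
    findings = []
    for first, last, cmds in parse_vty_blocks(config_text):
        acl = next((c.split()[1] for c in cmds if c.startswith("access-class ")), None)
        transport = next((c for c in cmds if c.startswith("transport input ")), None)
        problems = []
        if acl is None:
            problems.append("no access-class")
        elif required_acl is not None and acl != required_acl:
            problems.append(f"access-class {acl} differs from expected {required_acl}")
        if transport is None:
            problems.append("no transport input")
        elif "telnet" in transport.split():
            problems.append("telnet permitted")
        if problems:
            findings.append((f"vty {first} {last}", problems))
    return findings


def remediation(findings, acl):
    """Produce the IOS configuration lines that apply the customer's ACL and
    SSH-only transport to every flagged vty range."""
    lines = []
    for range_label, _problems in findings:
        lines.append(f"line {range_label}")
        lines.append(f" access-class {acl} in")
        lines.append(" transport input ssh")
    return lines


if __name__ == "__main__":
    found = audit_vty(SAMPLE_CONFIG, required_acl="10")
    for label, problems in found:
        print(f"{label}: {', '.join(problems)}")
    print("\n".join(remediation(found, "10")))
```

Run the audit against the running-config saved before and after any image upgrade; a block that exists only in the "after" output is the case this caveat describes.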
Symptom: Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. This means that a customer can ship a switch to a location, place it in the network and power it on with no configuration required on the switch.
When a vulnerability scanner such as NMAP, Nessus, Retina or other is run against the Smart Install port (TCP port 4786) the switch may display some memory error messages such as the following:
These messages do not cause any operational impact to the affected device (switch).
Conditions: Switch configured with the Smart Install feature (client or director).
Workaround: In Smart Install implementations the client switches are served by a common director. The switch selected as the director provides a single management point for images and configuration of client switches. When a client switch is first installed into the network, the director automatically detects the new switch and identifies the correct Cisco IOS image and the configuration file for downloading.
Switches that are clients have the Smart Install feature enabled by default, and it cannot be disabled. The only way to work around this issue is to apply an access control list (ACL) that blocks TCP port 4786, if Smart Install is not needed.
Symptom: An IPSec tunnel can be torn down if the router receives a replayed QM (Quick Mode) packet.
Conditions: This is only a problem when a replayed QM packet is received on an IPSec endpoint.
Workaround: None at this time.
Symptom: A dot1x or port-security violation is observed with RSPAN configured.
Conditions: RSPAN is configured.
– For dot1x: change the dot1x authentication mode on the interface to multi-host.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.9/2.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptoms: A Cisco 7200 w/VAM2 2 configured for GETVPN may experience a memory leak for every packet that is fragmented at high CPU. This may affect system stability and potentially cause the device to reload. These packets are received from a trusted and configured GETVPN peer.
Conditions: The symptom is observed on a Cisco 7200 series router.
Workaround: There is no workaround.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.9/4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: Middle buffer iomem leaks are seen with DHCP snooping in relay agent environments, along with the following error messages (the error messages are seen when the free iomem goes very low and is unable to service a request for a buffer):
%SYS-2-MALLOCFAIL: Memory allocation of 1748 bytes failed from 0x42275FC0, alignment 32 Pool: I/O Free: 1264736 Cause: Memory fragmentation Alternate Pool: None Free: 0 Cause: No Alternate pool -Process= “Pool Manager”, ipl= 0, pid= 9
Conditions: DHCP snooping is configured on the switch and snooping is operating in a relay agent environment. The problem is seen in 12.2SXI-12.2SXI4.
The problem is not present in 12.2SXF-, 12.2SXH-, 12.2SRC-, SRB-, and SRD-based releases.
Workaround: Force process switching of software-switched packets on the DHCP-server-facing interface on the cat6k by configuring the no ip route-cache command on the router-facing interface.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: When an ICMPv6 ACL is applied to an interface on PFC3C system, fragment entry may not be created in TCAM.
Further Problem Description: None
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C CVE ID CVE-2011-4012 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: When a network scanner is used to check whether network components have security issues or are vulnerable, on a 3750 it appears that the CPU goes high and there is a memory leak in the SMI IBC server process.
Conditions: A network scanner is run against a 3750 running 12.2.55.SE.
Symptoms: After modifying the IPv6 ACL, it can happen that some lines in the ACL get multiplied indefinitely. Trying to save such a config generates the following error:
Reloading the box in this state will result in an empty configuration.
Conditions: Modifying the IPv6 ACL
Workaround: Remove and reapply the ACL
Further Problem Description: Upgrade to a release that has Cisco Bug ID: CSCts16133 integrated.
Symptom: Enhancements to GDOI processing
Symptoms: A memory leak occurs when processing specific packets, when ikev2 debugging is enabled.
Conditions: ikev2 debugging must be enabled
Workaround: Disable ikev2 debugging.
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/3.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C CVE ID CVE-2012-0360 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Summary A vulnerability exists in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software that could allow an unauthenticated, remote attacker to perform remote code execution on the affected device.
Cisco has released free software updates that address this vulnerability.
There are no workarounds available to mitigate this vulnerability other than disabling the Smart Install feature.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-smart-install.
Symptoms: Configuring an event manager policy may cause a Cisco router to stop responding.
Conditions: This issue is seen when a TCL policy is configured and copied to the device.
Workaround: There is no workaround.
Symptom: A loop between a dot1x-enabled port and either (a) another dot1x-enabled port configured with open authentication or (b) a non-dot1x port will create a spanning-tree BPDU storm in the network.
Workaround: Avoid creating a loop.
Further Problem Description: This is a day-1 issue and the fix is available in SXI7, SXJ2 and MA2.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.8: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C CVE ID CVE-2011-2057 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: Traffic flows through an unauthorized supplicant switch.
Conditions: The authenticator switch (ASW) has established auto-config with an authorized supplicant switch (SSW). An unauthorized supplicant switch is then brought up by physically connecting it to a hub placed between the ASW and the SSW. Even though a wrong dot1x credential is used, the ASW allows network access for the unauthorized SSW.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.9/2.4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Cisco IOS Software contains a vulnerability in the Smart Install feature that could allow an unauthenticated, remote attacker to cause a reload of an affected device if the Smart Install feature is enabled. The vulnerability is triggered when an affected device processes a malformed Smart Install message on TCP port 4786.
Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-smartinstall
Symptom: Error message in the logs: %SYS-4-CHUNKSIBLINGSEXCEED: Number of siblings in a chunk has gone above the threshold. It is a result of a slow memory leak.
Conditions: Observed on ASR1000 running 15.1(2)S when polling crypto statistics
Workaround: Avoid stressing the box with multiple SNMP requests. Reload if the memory is completely depleted.
Processing improvements for GREv6 over IPv6: currently requires IP CEFv6 to be disabled.
Workaround: use “tunnel protection” instead
Summary Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a single DHCP packet to or through an affected device, causing the device to reload.
Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-dhcp
Note: The September 26, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Eight of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the September 2012 bundled publication.
Individual publication links are in “Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication” at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep12.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-4621 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Conditions: When an IPv6 RACL is configured on an interface, all packets containing IPv6 optional headers are punted to the RP. However, packets that are sent with no L4 header also hit this punt entry, which is present at the top of the TCAM.
Symptom: Either high CPU or a crash resulting from a large number of IPv6 hosts.
Conditions: This has been seen while sending Multicast Listener Discovery packets with IPv6 and MLD snooping enabled.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.7/4.7:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-3062 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: The DMVPN tunnel is down with IPsec configured. The show dmvpn output on the spoke shows the state as IKE.
Conditions: After heavy traffic has been pumped from the DMVPN hub to the spoke for some time, from a few minutes to a couple of hours.
Workaround: Configuring “set security-association lifetime kilobytes disable” to disable volume-based rekeying reduces the problem.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C CVE ID CVE-2012-3915 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptoms: FlexVPN spoke crashed while passing spoke to spoke traffic.
Conditions: Passing traffic from spoke to spoke or clearing IKE SA on the spoke
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:M/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2012-3893 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Other Resolved Caveats in Release 15.1(1)SY
These sections describe troubleshooting guidelines for the Catalyst 6500 series switch configuration:
This section contains troubleshooting guidelines for system-level problems:
This section contains troubleshooting guidelines for module problems:
Although DTP is a point-to-point protocol, some internetworking devices might forward DTP frames. To avoid connectivity problems that might be caused by a switch acting on these forwarded DTP frames, do the following:
The Spanning Tree Protocol (STP) blocks certain ports to prevent physical loops in a redundant topology. On a blocked port, switches receive spanning tree bridge protocol data units (BPDUs) periodically from neighboring switches. You can configure the frequency with which BPDUs are received by entering the spanning-tree vlan vlan_ID hello-time command (the default frequency is set to 2 seconds). If a switch does not receive a BPDU in the time period defined by the spanning-tree vlan vlan_ID max-age command (20 seconds by default), the blocked port transitions to the listening state, the learning state, and to the forwarding state. As it transitions, the switch waits for the time period specified by the spanning-tree vlan vlan_ID forward-time command (15 seconds by default) in each of these intermediate states. If a blocked spanning tree interface does not receive BPDUs from its neighbor within 50 seconds, it moves into the forwarding state.
Note We do not recommend using the UplinkFast feature on switches with more than 20 active VLANs. The convergence time might be unacceptably long with more than 20 active VLANs.
To debug STP problems, follow these guidelines:
Note Cisco IOS software displays a message if you exceed the maximum number of virtual interfaces.
For additional troubleshooting information, refer to the publications at this URL:
http://www.cisco.com/c/en/us/support/switches/catalyst-6500-series-switches/tsd-products-support-troubleshoot-and-alerts.html
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/28724-161.html
The following notices pertain to this software license.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
Copyright © 1998-2007 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/)”.
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/)”.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.
The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.
To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What’s New in Cisco Product Documentation RSS feed. The RSS feeds are a free service.