Release Notes for the Catalyst 4500 Series Switch, Cisco IOS Release 12.2(44)SG Current Release 12.2(44)SG—March 27, 2008 Previous Releases 12.2(40)SG, 12.2(37)SG1, 12.2(37)SG, 12.2(31)SGA5, 12.2(31)SGA4, 12.2(31)SGA3, 12.2(31)SGA2, 12.2(31)SGA1, 12.2(31)SGA, 12.2(31)SG3, 12.2(31)SG2, 12.2(31)SG1, 12.2(31)SG, 12.2(25)SG4, 12.2(25)SG3, 12.2(25)SG2, 12.2(25)SG1, 12.2(25)SG, 12.2(25)EWA13, 12.2(25)EWA12, 12.2(25)EWA11, 12.2(25)EWA10, 12.2(25)EWA9, 12.2(25)EWA8, 12.2(25)EWA7, 12.2(25)EWA6, 12.2(25)EWA5, 12.
Cisco IOS Software Packaging for the Cisco Catalyst 4500 Series • Orderable Product Numbers:, page 2 • Catalyst 4500 Series Switch Cisco IOS Release Strategy, page 6 • System Requirements, page 7 • New and Changed Information, page 22 • Upgrading the System Software, page 41 • Limitations and Restrictions, page 53 • Caveats, page 64 • Troubleshooting, page 300 • Related Documentation, page 302 • Notices, page 305 • Obtaining Documentation, Obtaining Support, and Security Guidelines, pa
Cisco IOS Software Packaging for the Cisco Catalyst 4500 Series • S45IPBK9-12244SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engine 6-E (IP Base Image with 3DES) (cat4500-ipbasek9-mz) • S45EES-12244SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engine 6-E (Enterprise Services image) (cat4500-ipbasek9-mz) • S45EESK9-12244SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engine 6-E (Enterprise Services image) (cat4500-ipbasek9-mz) • S45IPB-12240SG—Cisco IOS
Cisco IOS Software Packaging for the Cisco Catalyst 4500 Series Note • S45IPBK9-12231SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engines II-Plus, II-Plus-TS, II-Plus-10GE, IV, V, and V-10GE (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz) • S45ES-12231SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engines IV, V, and V-10GE (Enterprise Services image with BGP support) (cat4500-entservices-mz) • S45ESK9-12231SG—Cisco IOS software for the
Cisco IOS Software Packaging for the Cisco Catalyst 4500 Series • S4KL3E-12220EW—Cisco IOS software for the Catalyst 4500 series switch, enhanced Layer 3 and voice software image including OSPF, IS-IS, and EIGRP, Release 12.2(20)EW (cat4000-i5s-mz.122-20.EW) • S4KL3K91-12220EW—Cisco IOS software for the Catalyst 4500 series switch, with 3DES strong encryption, basic Layer 3 and voice software image (SSHv1, SSHv2, RIPv1, RIPv2, static routes, AppleTalk, and IPX), Release 12.2(20)EW (cat4000-i9k91s-mz.
Catalyst 4500 Series Switch Cisco IOS Release Strategy • S4KL3-12113EW—Cisco IOS software for the Catalyst 4500 series switch, Supervisor Engines III and IV, basic Layer 3 and voice software image (RIP, Static Routes, AppleTalk and IPX), Release 12.1(13)EW • S4KL3E-12113EW—Cisco IOS software for the Catalyst 4500 series switch, Supervisor Engines III and IV, enhanced Layer 3 and voice software image including OSPF, IGRP, EIGRP, and IS-IS, Release 12.
System Requirements Cisco IOS Software Migration Guide Figure 1 displays the Cisco IOS Software Release 12.2(44)SG plan relative to the 12.2S release train and identifies the recommended migration path. Note that 12.2(44)SG will not be the base release for a new maintenance train. Currently, the Cisco Catalyst 4500 platform has two active maintenance trains: 12.2(25)EWA and 12.2(31)SGA. Figure 1 12.2(18)S Software Release Strategy for the Catalyst 4500 Series Switch 12.2(25)S 12.2(30)S 12.2(37)S 12.
System Requirements Memory Requirements These are the minimum required memory configurations for Cisco IOS software on the Catalyst 4500 series switch: • 256-MB SDRAM DIMM • 32-MB Flash SIMM Supported Hardware on Catalyst 4500 Series Switch Table 1 lists the hardware supported on the Catalyst 4500 Series Switch.
System Requirements Table 1 Supported Hardware (continued) Product Number (append Product Description with “=” for spares) Software Release Minimum Recommended WS-X4524-GB-RJ45V 24-port 10/100/1000BASE-T RJ-45 Catalyst 4500 series PoE 802.3af 12.2(18)EW 12.2(31)SGA4 WS-X4548-GB-RJ45 48-port 10/100/1000BASE-T Gigabit Ethernet module 12.1(19)EW 12.2(31)SGA4 WS-X4548-GB-RJ45V 48-port 10/100/1000BASE-T RJ-45 Catalyst 4500 series PoE 802.3af 12.2(18)EW 12.
System Requirements Table 1 Supported Hardware (continued) Product Number (append Product Description with “=” for spares) Software Release Minimum Recommended GLC-FE-100BX-D 100BASE-BX10-D, 1550 nm TX/1310 nm RX wavelength 12.2(25)SG 12.2(31)SGA4 GLC-FE-100BX-U 100BASE-BX10-U, 1310 nm TX/1550 nm RX wavelength 12.2(25)SG 12.2(31)SGA4 Small Form-Factor Pluggable Gigabit Ethernet Modules GLC-BX-D 1000BASE-BX10-D small form-factor pluggable module For DOM support, see Table 5 on page 13. 12.
System Requirements Table 1 Supported Hardware (continued) Product Number (append Product Description with “=” for spares) Software Release Minimum Recommended Other Modules MEM-C4K-FLD64M Catalyst 4500 series switch CompactFlash, 64 MB Option 12.1(8a)EW 12.2(31)SGA4 MEM-C4K-FLD128M Catalyst 4500 series switch CompactFlash, 128 MB Option 12.1(8a)EW 12.2(31)SGA4 WS-F4531 Catalyst 4500 series switch NetFlow Services Card on Catalyst 4500 series switch Supervisor Engines IV and V 12.
System Requirements Table 2 CWDM GBIC and SFP Supported Wavelengths for the Catalyst 4500 Classic Series Switch Product Number (append with “=” for spares) Product Description CWDM-GBIC (or SFP) -1590 CWDM-GBIC (or SFP) -1610 Software Release Minimum Recommended Longwave 1590 nm laser single-mode 12.1(12c)EW 12.2(31)SGA4 Longwave 1610 nm laser single-mode 12.1(12c)EW 12.2(31)SGA4 Table 3 briefly describes the seven chassis in the Catalyst 4500 Series Switch.
System Requirements Table 4 lists the software release information for the Catalyst 4500 Series Switch supervisor engines. Table 4 Supervisor Engine Support on the Catalyst 4500 Series Switch Supervisor Engine Software Release Minimum Recommended Supervisor Engine II Catalyst operating system software Supervisor Engine II-Plus 12.1(19)EW 12.2(31)SGA4 Supervisor Engine II-Plus-TS 12.2(20)EWA 12.2(31)SGA4 Supervisor Engine II-Plus-10GE 12.2(25)SG 12.2(25)SG4 Supervisor Engine IV 12.
System Requirements Table 6 Supported E-Series Hardware Product Number Description WS-C4507R-E Cisco Catalyst 4500 E-Series 7-Slot Chassis WS-C4510R-E • Fan tray • No Power Supply • Redudant supervisor engine capability Cisco Catalyst 4500 E-Series 10-Slot Chassis WS-X45-Sup6-E • Fan tray • No Power Supply • Redudant supervisor engine capability Cisco Catalyst 4500 E-Series Sup 6-E, 2x10GE(X2) w/ TwinGig WS-X4648-RJ45V-E • Cisco Catalyst 4500 E-Series 48-Port PoE 802.
System Requirements Table 7 Cisco IOS Software Feature Set for the Catalyst 4500 Series and E-Series Switch Layer 2 traceroute Unidirectional Ethernet port Per-VLAN spanning tree (PVST) and PVST+ Spanning-tree root guard Spanning-tree Loop guard and PortFast BPDU Filtering Support for 9216 byte frames Port security on PVLANs Private VLANs Private VLAN DHCP snooping Private VLAN Promiscuous Trunk Community PVLANs ISL5-based VLAN encapsulation (excluding blocking ports on WS-X4418-GB and WS-X4412-2GB-T)6 I
System Requirements Table 7 Cisco IOS Software Feature Set for the Catalyst 4500 Series and E-Series Switch uRPF12 (Sup 6-E only) Hardware-based IP CEF routing at 48 Mpps Up to 128,000 IP routes Up to 32,000 IP host entries (Layer 3 adjacencies) Up to 16,000 IP multicast route entries Multicast flooding suppression for STP changes Software routing of IPX, AppleTalk, and IPv6.
System Requirements Table 7 Cisco IOS Software Feature Set for the Catalyst 4500 Series and E-Series Switch Load balancing for routed traffic, based on source and destination IP addresses Load sharing for bridged traffic based on MAC addresses ISL on all EtherChannels IEEE 802.
System Requirements Table 7 Cisco IOS Software Feature Set for the Catalyst 4500 Series and E-Series Switch IfIndex persistence UDLR31 Enhanced SNMP MIB support SNMP32 version 1, version 2, and version 3 SNMP version 3 (with encryption) IPv6 Multicast Listener Discovery Snooping (Supervisor Engine 6-E only) Option 82 Enhancement DHCP server and relay-agent DHCP snooping DHCP client autoconfiguration DHCP Option 82 Pass Through 802.1X port-based authentication 802.1X with port security 802.
System Requirements Table 7 Cisco IOS Software Feature Set for the Catalyst 4500 Series and E-Series Switch Inline power support for Cisco IP phones PoE37 Enhanced Power over Ethernet Support (Supervisor Engine 6-E only) Power redundancy RPR38 SSO39 SSO Aware HSRP SSO support for routed ports Non-stop Forwarding Awareness Non-stop Forwarding Awareness for EIGRP-stub in IP base for all supervisor engines Non-stop Forwarding with Stateful Switchover ISSU40 MAC Address Notification Combined Mode Power Resil
System Requirements 4. VMPS = VLAN Management Policy Server 5. ISL = Inter-Switch Link 6. Ports 3 thru 18 on the WS-X4418-GB and ports 1 thru 12 on the WS-X4412-2GB 7. Does not apply to Supervisor Engine 6-E 8. Requires the Catalyst 4500 series switch Supervisor Engine V 9. The ip classless command is not supported as classless routing is enabled by default. 10. PBR = policy-based routing 11. CEF = Cisco Express Forwarding 12. uRPF = Unicast Reverse Path Forwarding 13.
System Requirements – CDP IPv6 Address Family – CEFv6 – DNS resolver for AAAA over an IPv4 transport – DNS resolver for AAAA over an IPv6 transport – Extended ACL – Hop-by-Hop option header – ICMP Rate Limiting – ICMPv6 – ICMPv6 Redirect – IPv6 MIB – IPv6 over IEEE 802.
New and Changed Information – DECnet access list – Protocol type-code access list • ADSL and Dial access for IPv6 • AppleTalk EIGRP (use native AppleTalk routing instead) • Bridge groups • Cisco IOS software IPX ACLs: – <1200-1299> IPX summary address access list • Cisco IOS software-based transparent bridging (also called “fallback bridging”) • Connectionless (CLNS) routing; including IS-IS routing for CLNS. IS-IS is supported for IP routing only.
New and Changed Information • New Hardware Features in Release 12.2(25)EWA, page 29 • New Software Features in Release 12.2(25)EWA, page 30 • New Hardware Features in Release 12.2(25)EW, page 31 • New Software Features in Release 12.2(25)EW, page 31 • New Hardware Features in Release 12.2(20)EWA, page 31 • New Software Features in Release 12.2(20)EWA, page 32 • New Hardware Features in Release 12.2(20)EW, page 32 • New Software Features in Release 12.
New and Changed Information Release 12.2(44)SG provides the following new hardware for the Catalyst 4500 series switch: • None New Software Features in Release 12.2(44)SG Release 12.2(44)SG provides the following Cisco IOS software features for the Catalyst 4500 series switch: Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.
New and Changed Information A brief list of primary E-Series hardware supported by Cisco IOS Release 12.
New and Changed Information • Option 82 Enhancement (“Configuring DHCP Snooping, IP Source Guard, and IPSG for Statis Hosts” chapter) New Hardware Features in Release 12.2(37)SG Note The Catalyst 4006 chassis is no longer supported in Cisco IOS Release 12.2(37)SG. Release 12.2(37)SG provides the following new hardware for the Catalyst 4500 series switch: • None New Software Features in Release 12.2(37)SG Release 12.
New and Changed Information New Software Features in Release 12.2(31)SGA Release 12.2(31)SGA provides the following Cisco IOS software features for the Catalyst 4500 series switch: Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.
New and Changed Information • Private VLAN Promiscuous Trunk (“Configuring Private VLANs” chapter) • MAC Address Notification (“Administering the Switch” chapter) • Voice VLAN Sticky Port Security (“Configuring Port Security” chapter) • Combined Mode Power Resiliency (“Environmental Monitoring and Power Management” chapter) • Virtual Router Redundancy Protocol (VRRP) (Refer to the Cisco IOS Release 12.3 documentation) • Secure Copy Protocol (SCP) (Refer to the Cisco IOS Release 12.
New and Changed Information • IS-IS MIB (Refer to the Cisco IOS Release 12.3 documentation • Microflow Policing Full Flow Match (“Configuring QoS” and Configuring Netflow” chapters) • POST enhancement for Supervisor Engine V-10GE (“Diagnostics on the Catalyst 4500 Series Switch”) • OSPF Fast Convergence. Catalyst 4500 series switch will support Fast Hellos, ISPF, and LSA Throttling. Refer to the following URLs for the Cisco IOS Release 12.3 documentation: http://www.cisco.
New and Changed Information Figure 2 Cavities of X2 Transceivers on the Catalyst 4948-10GE Ca ta lys tW S- C4 94 81 0G E CO X1 N LIN MG K T X2 Ca ta lys tW S- C4 94 81 0G E CO X1 N T X2 130091 MG New Software Features in Release 12.2(25)EWA Release 12.2(25)EWA provides the following Cisco IOS software features for the Catalyst 4500 series switch: Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.
New and Changed Information • 802.1X Radius-Supplied Session Timeout (“Understanding and Configuring 802.1X Port-Based Authentication” chapter) • DHCP Option 82 Pass Through (“Configuring DHCP Snooping and IP Source Guard” chapter) New Hardware Features in Release 12.2(25)EW Note This release is deferred to 12.2(25)EWA2. Release 12.
New and Changed Information New Software Features in Release 12.2(20)EWA Release 12.2(20)EWA provides the following Cisco IOS software features for the Catalyst 4500 series switch: Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide. • Non-Stop Forwarding Awareness (“Configuring Supervisor Engine Redundancy Using RPR and SSO” chapter) • Stateful Switchover (“Configuring Supervisor Engine Redundancy Using RPR and SSO” chapter) • 802.
New and Changed Information New Hardware Features in Release 12.2(18)EW Release 12.
New and Changed Information New Software Features in Release 12.1(20)EW Release 12.1(20)EW provides the following Cisco IOS features for the Catalyst 4500 series switch: Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.
New and Changed Information New Software Features in Release 12.1(19)EW Release 12.1(19)EW provides the following Cisco IOS software features for the Catalyst 4500 series switch: Note Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.
New and Changed Information • Catalyst 4500 Series Switch Cisco IOS Command Reference at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_19/command/index.htm New Hardware Features in Release 12.1(13)EW Release 12.
New and Changed Information For more information on these features, refer to these publications: • Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_13/config/index.htm • Catalyst 4500 Series Switch Cisco IOS Command Reference at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_13/command/index.htm New Hardware Features in Release 12.1(12c)EW Release 12.
New and Changed Information – Spanning-tree Loop guard and PortFast BPDU Filtering (refer to the “Configuring STP Features” chapter) – 802.1s and 802.1w (refer to the “Understanding and Configuring Multiple Spanning Trees” chapter) – IGMP filtering on trunks – PVLAN isolated trunk port (refer to the “Configuring PVLANs” chapter) – DHCP snooping (refer to the “Understanding and Configuring DHCP Snooping" chapter) – 802.1X port-based authentication (refer to the "Configuring 802.
New and Changed Information – Command Reference for the Catalyst 4006 Switch with Supervisor Engine III at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_11/command/index.htm Release 12.1(11b)EW provides these features: • Multiple VLAN access port (only for data and voice VLANs) • Inline power management for Cisco IP phones and Aironet 350 Wireless Access Points on the WS-X4148-RJ45V module.
New and Changed Information – Command Reference for the Catalyst 4006 Switch with Supervisor Engine III at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_18a/command/index.htm Release 12.1(8a)EW provides these features: • The Layer 2 features are as follows: Note The following chapter references are for the Software Configuration Guide for the Catalyst 4006 Switch with Supervisor Engine III.
Upgrading the System Software • Multiple-Hot Standby Routing Protocol (M-HSRP; refer to “Hot Standby Router Protocol” in the Cisco IOS Network Protocols Configuration Guide, Part 1, and the Cisco IOS Network Protocols Command Reference, Part 1) • Access control using several supported authentication methods (refer to the “Configuring the Switch for the First Time” chapter) • Switched Port Analyzer (SPAN); (refer to the “Understanding and Configuring SPAN” chapter) • Quality of Service (QoS); (refer
Upgrading the System Software Table 9 Supervisor Engine and Recommended ROMMON Release Supervisor Engine Minimum ROMMON Release Recommended ROMMON Release V-10GE 12.2(25r)EW 12.2(31r)SGA1 ME-X4924-10GE 12.2(25)EW 12.2(31r)SGA1 Table 10 ROMMON Release and Promupgrade Programs ROMMON Release Promupgrade Program 12.1(11br)EW cat4000-sup3-promupgrade-121_11br_EW 12.1(12r)EW cat4000-sup3-promupgrade-121_12r_ew 12.1(19r)EW cat4000-ios-promupgrade-121_19r_EW 12.
Upgrading the System Software Note The examples in this section use the programmable read-only memory (PROM) upgrade version 12.1(20r)EW1 and Cisco IOS Release 12.1(20)EW1. For other releases, replace the ROMMON release and Cisco IOS software release with the appropriate releases and filenames. Follow this procedure to upgrade your supervisor engine ROMMON: Step 1 Note Step 2 Directly connect a serial cable to the console port of the supervisor engine.
Upgrading the System Software ********************************************************** Rom Monitor Program Version 12.1(12r)EW . .(output truncated) . Established physical link 100MB Half Duplex Network layer connectivity may take a few seconds rommon 1 > Step 6 Caution Run the PROM upgrade program by entering this command: boot bootflash:cat4000-ios-promupgrade-121_20r_EW1 No intervention is necessary to complete the upgrade. To ensure a successful upgrade, do not interrupt the upgrade process.
Upgrading the System Software The following example shows how to delete the cat4000-ios-promupgrade-121_20r_EW1 image from bootflash and reclaim unused space: Switch# delete bootflash:cat4000-ios-promupgrade-121_20r_EW1 Switch# squeeze bootflash: All deleted files will be removed, proceed (y/n) [n]? y Squeeze operation may take some time, proceed (y/n) [n]? y Switch# Step 9 Use the show version command to verify that the ROMMON has been upgraded Switch#show version Cisco Internetwork Operating System Sof
Upgrading the System Software Follow this procedure to upgrade your supervisor engine ROMMON to Release 12.1(20r)EW1. This procedure can be used when console access is not available and when the ROMMON upgrade must be performed remotely. Note Step 1 Note Step 2 In the following section, use the PROM upgrade version cat4000-ios-promupgrade-121_20r_EW1. Establish a Telnet session to the supervisor engine.
Upgrading the System Software ROMMON. When the upgrade is complete the supervisor engine will autoboot, and the second BOOT variable command will load the Cisco IOS software image specified by the second BOOT command. Note The config-register must be set to autoboot. In this example, we assume that the console port baud rate is set to 9600 bps and that the config-register is set to 0x0102. Use the config-register command to autoboot using image(s) specified by the BOOT variable.
Upgrading the System Software * * * Welcome to Rom Monitor for WS-X4515 System. * * Copyright (c) 2002 by Cisco Systems, Inc. * * All rights reserved. * * * ********************************************************** Rom Monitor Program Version 12.1(12r)EW Board type 2, Board revision 7 Swamp FPGA revision 28, Dagobah FPGA revision 86 ***** The system will autoboot in 5 seconds ***** Type control-C to prevent autobooting. . . . . .
Upgrading the System Software config-register = 0x0102 Autobooting using BOOT variable specified file..... Current BOOT file is --- bootflash:cat4000-i9s-mz.121-20.EW1 Rommon reg: 0x56000380 Running IOS...
Upgrading the System Software Switch# delete bootflash:cat4000-ios-promupgrade-121_20r_EW1 Switch# squeeze bootflash: All deleted files will be removed, proceed (y/n) [n]? y Squeeze operation may take some time, proceed (y/n) [n]? y Switch# Step 11 Use the show bootvar command to verify that the ROMMON upgrade program has been removed from the BOOT variable. Switch#sh bootvar BOOT variable = bootflash:cat4000-i9s-mz.121-20.
Upgrading the System Software Step 3 Download the software image into Flash memory using the copy tftp command. The following example shows how to download the Cisco IOS software image cat4000-is-mz.121-12c.EW from the remote host 172.20.58.78 to bootflash: Switch# copy tftp: bootflash: Address or name of remote host [172.20.58.78]? Source filename [cat4000-is-mz121_12c.EW]? Destination filename [cat4000-is-mz.121-12c.EW]? Accessing tftp://172.20.58.78/cat4000-is-mz.121-12c.EW... Loading cat4000-is-mz.
Upgrading the System Software Step 6 Use the config-register command to set the configuration register to 0x2102. The following example show how to set the second least significant bit in the configuration register: Switch# configure terminal Switch(config)# config-register 0x2102 Switch(config)# exit Switch# write Building configuration... Compressed configuration from 3723 to 1312 bytes [OK] Switch# Step 7 Caution Enter the reload command to reset the switch and load the software.
Limitations and Restrictions ********************************************************** * * * Welcome to Rom Monitor for WS-X4014 System. * * Copyright (c) 2002 by Cisco Systems, Inc. * * All rights reserved. * * * ********************************************************** Rom Monitor Program Version 12.1(12r)EW Board type 1, Board revision 5 Swamp FPGA revision 16, Dagobah FPGA revision 47 MAC Address IP Address Netmask Gateway TftpServer Main Memory : : : : : : 00-30-85-XX-XX-XX 10.10.10.91 255.255.
Limitations and Restrictions – NLSP – Jumbo Frames • For AppleTalk software routing, the following are not supported: – AURP – AppleTalk Control Protocol for PPP – Jumbo Frames – EIGRP • For NFL, the following are not supported: – The following packets are not accounted for by the NetFlow Services card: Control packets Packets with link-level errors ARP, RARP – Software flow cache size is fixed – Distribution not based on IP packet size • For PBR, the following are not supported: – Matching cannot be
Limitations and Restrictions • Catalyst 4500 supervisor engines will not be properly initialized if the VLAN configuration in the startup file does not match the information stored in the VLAN database file. This situation might occur if a backup configuration file was used. • A Layer 2 LACP channel cannot be configured with the spanning tree PortFast feature. • Netbooting using a boot loader image is not supported. See the “Troubleshooting” section on page 300 for details on alternatives.
Limitations and Restrictions • Only ports 1 and 2 on the WS-X4418-GB and ports 13 and 14 on the WS-X4412-2GB-T module can be set as ISL trunks. • The Fast Ethernet port (10/100) on the supervisor module is active in ROMMON mode only. • If an original packet is dropped due to transmit queue shaping and/or sharing configurations, a SPAN packet copy can still be transmitted on the SPAN port. • For all software releases, do not use over 100,000 routes.
Limitations and Restrictions • Support for PoE depends on the use of line cards and power supplies that support PoE. PoE switching modules – WS-X4148-RJ45V – WS-X4224-RJ45V – WS-X4248-RJ45V – WS-X4248-RJ21V – WS-X4524-GB-RJ45V – WS-X4548-GB-RJ45V PoE enabled power supplies – PWR-C45-1300ACV – PWR-C45-1400DC – PWR-C4K-2800AC – PWR-C45-1400AC – PWR-C45-1300ACV • While configuring PVLAN promiscuous trunk ports, the maximum number of mappings is 500 primary VLANs to 500 secondary VLANs. • 802.
Limitations and Restrictions Workarounds: 1. Disable inline power on the switch ports using the power inline never command. 2. Configure the media converter to autonegotiate the speed and duplex instead of running at 100 Mbps and full duplex. (CSCee62109) • IPSG for Static Hosts basically supports the same port mode as IPSG except that it does not support trunk port: – It supports Layer 2 access port and PVLAN host port (isolated or community port).
Limitations and Restrictions Due to tight integration of CPP implementation between IOS and platform code, an error message will always appear during boot-up and CPP will not be applied when downgrading IOS software from a version where this caveat is integrated to a previous release (where this fix is not present): %Invalid control plane policy-map; Please unconfigure policy-map attached to control-plane, and associated class-maps, and execute config command "macro global apply system-cpp" error: failed t
Limitations and Restrictions Switch(config-if)# no ip verify source Switch(config-if)# no ip device tracking max" To enable IPSG with Static Hosts on a port, issue the following commands: Switch(config)# ip device tracking ****enable IP device tracking globally Switch(config)# ip device tracking max ***set an IP device tracking maximum on int Switch(config-if)# ip verify source tracking [port-security] ****activate IPSG on port Caution Note If you only configure the ip verify source tracking [port-
Limitations and Restrictions For example, if the active supervisor engine is in slot 1, and you have configured interface GE 1/1, the supervisor engine in slot 2 becomes active if you remove the active supervisor engine from the chassis. In addition, while the startup configuration file is being parsed, you will receive an error message indicating that interface GE1/1 is no longer present. This behavior is correct.
Limitations and Restrictions – The FAT file system honors the Microsoft Windows file attribute of "read-only" and "read-write", but it does not support the Windows file "hidden" attribute. – Supervisor Engine 6-E uses the FAT file system for compact flash (slot0). If a compact flash is not formatted in FAT file system (such as compact flash on a supervisor engine other than 6-E), the switch does not recognize it. • The Fast Ethernet port (10/100) on the supervisor module is active in ROMMON mode only.
Limitations and Restrictions • If a Catalyst 4500 series switch requests information from the Cisco Secure Access Control Server (ACS) and the message exchange times out because the server does not respond, a message similar to this appears: 00:02:57: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.206:1645,1646 is not responding. If this message appears, check that there is network connectivity between the switch and the ACS.
Caveats • No CLI exists to reflect uRPF drop packets during hardware switching. The sh ip traffic and show cef int commands do not reflect uRPF drops. • IPv6 ACL is not supported on a switchport. IPv6 packets cannot be filtered on switchports using any of the known methods (PACL, VACL, or MACLs). • Class-map match statements using match ip prec | dscp match only IPv4 packets whereas matches performed with match prec | dscp match both IPv4 and IPv6 packets.
Caveats Note For the latest information on PSIRTS, refer to the Security Advisories on CCO at the following URL: http://www.cisco.com/en/US/products/products_security_advisories_listing.html Open Caveats in Cisco IOS Release 12.2(44)SG This section lists the open caveats in Cisco IOS Release 12.2(44)SG: • When you enter the access-list N permit host hostname command on a redundant chassis operating in SSO mode, you might observe the following syslog messages.
Caveats • When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up. – If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated. – If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain.
Caveats – This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table. Workarounds: – Do not inject packets that require IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch. – Configure the correct default gateway on the host side.
Caveats Workaround: None. This is an informational message. (CSCsi60898) • If you attempt to downgrade to Cisco IOS Release 12.2(37)SG from Release 12.2(37)SG1 and if the process is started with active supervisor engine in slot-2, the downgrade fails at ‘runversion.’ Workaround: None. (CSCsj83688) • If an Cisco IP Phone has an supplicant attached, upon reloading a DUT port configured with MDA and attached to phones and supplicants, the port will not pass traffic. Phone will in an unknown state.
Caveats Workaround: Do not configure feature combinations that conflict. Currently the above conflict between QoS policies matching on COS bits and IPv6 configuration with partial masking of the lower 48 bits of the source address is the only known conflicting feature combination. If matching on COS bits is required by the QoS policy, architect the IPv6 network using /80 subnets or larger.
Caveats Workaround: Provided the queue in question is non-default (queuing actions are not configured in the class-default class of the policy-map), detach and re-attach the service-policy. If this happens on the default queue, modifying and resetting some queuing parameters like bandwidth/shape fixes the issue. (CSCsk62457 • When an E-series switch encounters either a fan tray failure or a supervisor critical temperature, the chassis shuts off.
Caveats • In policy map, if a queuing class with the bandwidth remaining percent <> command sits before a priority queuing class configuration, the bandwidth remaining percent <> command action is applied on reload. Workaround: Re-apply the policy-map. (CSCsk75793 • When the CPU transmits .1X packet on an interface that has an egress qos policy attached, the packet is not matched and exits without any QoS marking actions. When a packet is sent to the CPU it may get sent out on some other interface.
Caveats • Executing default interface twice on a port configured with the cisco-phone macro displays the back trace. Workaround: Remove the configuration line by line without entering the default interface command. (CSCsj23103) • When you enter the show policy-map vlan vlan command, unconditional marking actions that are configured on the VLAN are not shown. Workaround: None. However, if you enter the show policy-map name, the unconditional marking actions are displayed.
Caveats • Uplinks go down when upgrading the rommon of an WS-X45-SUP6-E supervisor from version 0.34 to a later version. This behavior occurs in a redundant switch when the ACTIVE supervisor engine is running IOS, the STANDBY supervisor engine is in rommon, and the STANDBY's rommon is upgraded from version 0.34 or to a later version. The upgrade process will cause the uplinks on the STANDBY supervisor engine to go down but the ACTIVE supervisor engine will be unaware of this.
Caveats In a queuing QoS policy, there can be zero or more queuing classes that have an explicit, user specified, bandwidth share specified. There can be zero or more queuing classes that do not have such user specified bandwidth share. The system takes the unallocated bandwidth share and allocates it equally among the latter set of classes.
Caveats Workaround: After bootup, reattach a queuing policy on a physical interface. (CSCsk87548) • When you delete a port-channel with a per-port per-VLAN QoS policy, the switch crashes. Workaround: Before deleting the port-channel, do the following: 1. Remove any per-port per-VLAN QoS policies, if any. 2. Remove the VLAN configuration on the port-channel with the no vlan-range command. (CSCsk91916) • The cbQosPoliceCfgTable mib object is not populated by the police bps byte command. Workaround: None.
Caveats Class-map: c1 (match-all) 0 packets<--------It stays at '0' despite of traffic being received Match: access-group name fnacl21 police: Per-interface Conform: 9426560 bytes Exceed: 16573440 bytes Workaround: Verify that the MAC addresses being transmitted through the system are learned.
Caveats Switch(config)# no monitor session n source cpu queue all rx Switch(config)# monitor session n source cpu queue (CSCsc94802) • To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command. Workaround: None. (CSCsc11726) • An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.
Caveats Workaround: Remove the transceiver from the new port and place it in the old port. Once the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693). • The following error message is seen during an ISSU upgrade from Cisco IOS Release 12.2(31)SGA or 12.2(31)SGA1 to Cisco IOS Release 12.2(37)SG or later images: %CHKPT-4-INVALID: Invalid checkpoint client ID (189) Workaround: None. This message is an informational message.
Caveats One feature combination that can trigger this problem is the attempt to combine a QoS policy that matches on cos bits with IPv6 ACL configuration that matches on IPv6 source addresses that partially mask in the lower 48 bits of the address. (IPv6 subnets in the /81 to /127 range will also trigger this behavior if IPv6 multicast routing is enabled.) Workaround: Do not configure feature combinations that conflict.
Caveats When an output service-policy is attached to an interface and if the policy is configured to apply DBL on a queue, the flows that are enqueued to the queue are subjected to the DBL algorithm. If one or more flows are classified as belligerent (flows do not back-off in response to drops because of congestion in the queue), those flows continue to be classified as belligerent even when DBL is disabled on that queue.
Caveats • When two switches are connected back-to-back via two or more links and when a packet is locallyoriginated, the source IP address may not correspond to the IP address of the outgoing interface. A switch receiving such a packet with unicast RPF feature enabled might drop the incoming packet. Workaround: None. (CSCsh99124) • A Catalyst 4500 series switch with Supervisor Engine 6-E will support a maximum of 32 MTU values system wide. On a switch running Cisco IOS Release 12.
Caveats Workaround: None. You cannot explicitly check the trusted boundary state. However, you can indirectly determine this state: The trusted boundary feature ensures whether the packet’s COS/DSCP value will b e trusted or not. When the interface is not in a trusted state, the COS/DSCP fields are forced to zero on a received packet. A QoS policy exists on that interface that uses that COS/DSCP value for classification.
Caveats • If a class-map is configured with exceed-action drop, re-configuring the same class-map with exceed-action transmit causes class-map configurations to conflict for the same class-map. Workaround: If you plan to change a class-map action, such as exceed-action, you meed to remove the class-map with the no class c1 command under policy-map submode. Then, apply the new class-map with the updated changes.
Caveats Workaround: None. (CSCsl72868) Resolved Caveats in Cisco IOS Release 12.2(40)SG This section lists the resolved caveats in Release 12.2(40)SG: • If you initiate a scp copy from the console and it is delayed long enough to cause a timeout, the console is disconnected. Workarounds: – Use a different copy protocol. – Set a longer ssh timout.
Caveats Open Caveats in Cisco IOS Release 12.2(37)SG1 This section lists the open caveats in Cisco IOS Release 12.2(37)SG1: • When you enter the access-list N permit host hostname command on a redundant chassis operating in SSO mode, you might observe the following syslog messages. The command is not synchronized with the redundant supervisor engine, and keepalive warnings appear.
Caveats • When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up. – If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated. – If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain.
Caveats • An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port. This could occur for these reasons: – A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch. – This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled.
Caveats • When dot1x (radius assigned vlan), port security and voice VLAN is enabled on the port with phone and PC connected to it and PC get authenticated in radius assigned VLAN, on switchover, first packet come from PC will trigger the security violation. Workaround: Issue shut/no shut on the port to authorize the PC correctly. (CSCsi31362 • IGMP Filtering feature is not available in Cisco IOS Release 12.2(37)SG. For example, the command igmp filter ....
Caveats Resolved Caveats in Cisco IOS Release 12.2(37)SG1 This section lists the resolved caveats in Release 12.2(37)SG1: • Cisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of data structures. This feature has been introduced in select Cisco IOS Software releases published after April 5, 2007. The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp: May 17 10:01:27.
Caveats This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml (CSCsd81407) • Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features: – Session Initiation Protocol (SIP) – Media Gateway Control Protocol (MGCP) – Signaling protocols H.323, H.
Caveats Open Caveats in Cisco IOS Release 12.2(37)SG This section lists the open caveats in Cisco IOS Release 12.2(37)SG: • When you enter the access-list N permit host hostname command on a redundant chassis operating in SSO mode, you might observe the following syslog messages. The command is not synchronized with the redundant supervisor engine, and keepalive warnings appear.
Caveats • When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up. – If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated. – If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain.
Caveats • An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port. This could occur for these reasons: – A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch. – This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled.
Caveats • When dot1x (radius assigned vlan), port security and voice VLAN is enabled on the port with phone and PC connected to it and PC get authenticated in radius assigned VLAN, on switchover, first packet come from PC will trigger the security violation. Workaround: Issue shut/no shut on the port to authorize the PC correctly. (CSCsi31362 • IGMP Filtering feature is not available in Cisco IOS Release 12.2(37)SG. For example, the command igmp filter ....
Caveats rebooting the standby supervisor engine. Please verify that the above encapsulation command is removed in the running configuration on the active supervisor engine for the above interfaces. The standby supervisor engine will now boot up into SSO mode. Save the configuration on the active supervisor engine after making the above changes.
Caveats Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml. Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS.
Caveats Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Caveats Note Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Caveats clearwater# sh policy-map int FastEthernet3/2 Service-policy output: p1 Class-map: c1 (match-all) 0 packets<--------It stays at '0' despite of traffic being received Match: access-group name fnacl21 police: Per-interface Conform: 9426560 bytes Exceed: 16573440 bytes Workaround: Verify that the MAC addresses being transmitted through the system are learned.
Caveats QueueID Old QueueName New QueueName 5 control-packet control-packet 6 rpf-failure control-packet 7 adj-same-if control-packet 8 control-packet 11 adj-same-if 13 acl input log rfp-failure 14 acl input forward acl input log Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs.
Caveats This problem only occurs if the interface configured with port security is in violation restrict mode (through the switchport port-security violation restrict command). Moreover, the interface must be in security violation state when you apply the default interface command. Workarounds: Bring the interface into shutdown mode before you apply the default interface command. (CSCsf30157) • Configure a LACP channel in 802.
Caveats Resolved Caveats in Cisco IOS Release 12.2(31)SGA5 This section lists the resolved caveats in Release 12.2(31)SGA5: • After an ISSU is performed on a WS-X4448-GB-SFP linecard running Cisco IOS Release 12.2(31)SGA, the output of the show inventory command does not display some of the 1000Base SFPs. Workaround: None.
Caveats Workaround: Remove the trunk configuration and configure the link as an access port. (CSCsl09521) • A router configured with ip summary-address rip 0.0.0.0 0.0.0.0 that is running RIP on releases later than Cisco IOS 12.3(14.8) will send out the default with a metric of 16. • A switch running RIP on a Cisco IOS Release after 12.3(14.8) that has ip summary-address rip 0.0.0.0 0.0.0.0 configured on an interface will send out the default with a metric of 16.
Caveats clearwater#sh policy-map int FastEthernet3/2 Service-policy output: p1 Class-map: c1 (match-all) 0 packets<--------It stays at '0' despite of traffic being received Match: access-group name fnacl21 police: Per-interface Conform: 9426560 bytes Exceed: 16573440 bytes Workaround: Verify that the MAC addresses being transmitted through the system are learned.
Caveats QueueID Old QueueName New QueueName 5 control-packet control-packet 6 rpf-failure control-packet 7 adj-same-if control-packet 8 control-packet 11 adj-same-if 13 acl input log rfp-failure 14 acl input forward acl input log Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs.
Caveats 00:10:06: %BGP-5-DAMPENING_HIGH_MAX_PENALTY: Maximum penalty (32473) is more than allowed maximum 000). Dampening is OFF At this point, if you revert back to the bgp dampening command on the active supervisor engine, the new command is not synchronized with the standby supervisor engine. Workarounds: Issue the no bgp dampening command, then the bgp dampening command.
Caveats • When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command. This does not impact performance. Workaround: Issue the no shutdown command. (CSCsg27395) • When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message is displayed and the port is not able to handle traffic.
Caveats • An inconsistancy exists between the default signalling DSCP value used by the Catalyst 4500 series switch and CallManager 4.x, which uses DSCP 24 (by default) for the Cisco IP phone and softphone signalling. However, Auto-QoS operating on a switch requires DSCP 26. This inconsistancy causes Cisco IP phone packets to egress the switch with an incorrect DSCP. This also prevents Softphone/IP Communicator packets from obtaining the appropriate QoS.
Caveats Open Caveats in Cisco IOS Release 12.2(31)SGA3 This section lists the open caveats in Cisco IOS Release 12.2(31)SGA3: • When you enter the access-list N permit host hostname command on a redundant chassis operating in SSO mode, you might observe the following syslog messages. The command is not synchronized with the redundant supervisor engine, and keepalive warnings appear.
Caveats Workaround: If the SVIs associated with the physical interface are down after the switchover, issue shutdown and no shutdown commands on the physical interface to bring up the SVIs. (CSCsb02308) • When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.
Caveats • To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command. Workaround: None. (CSCsc11726) • A bulk sync failure upon issuing the switchport trunk encapsulation dot1q command causes the standby supervisor engine to reload. Workaround:When this happens, the mismatched command list can be displayed on the active supervisor engine by issuing the show issu config-sync failures mcl command. The WS-X4418-GB module only supports the default dot1q encapsulation.
Caveats Workarounds: Bring the interface into shutdown mode before you apply the default interface command. (CSCsf30157) • After an ISSU is performed on a WS-X4448-GB-SFP linecard running Cisco IOS Release 12.2(31)SGA, the output of the show inventory command does not display some of the 1000Base SFPs. Workaround: None. (CSCse43697) • A bulk sync failure upon issuing the switchport trunk encapsulation dot1q command causes the standby supervisor engine to reload.
Caveats • In rare instances, the Supervisor Engine V-10GE might reload with the crashdump vector 0x00000100. Workaround: Monitor the switch and note the number of occurrences as well as any changes on the network prior to the reload. (CSCsh13318) • When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command. This does not impact performance. Workaround: Issue the no shutdown command.
Caveats This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml. (CSCin95836) Open Caveats in Cisco IOS Release 12.2(31)SGA2 This section lists the open caveats in Cisco IOS Release 12.2(31)SGA2: • When you enter the access-list N permit host hostname command on a redundant chassis operating in SSO mode, you might observe the following syslog messages. The command is not synchronized with the redundant supervisor engine, and keepalive warnings appear.
Caveats • Occassionally, on redundant systems in SSO mode, applying the apply cisco-phone $AVID vlan $VVID vlan macro command to an interface connected to an IP phone may render the interface in the wrong state relative to the standby supervisor engine. This causes the SVI to be “down” after the switchover. Workaround: If the SVIs associated with the physical interface are down after the switchover, issue shutdown and no shutdown commands on the physical interface to bring up the SVIs.
Caveats – Use a different copy protocol. – Set a longer ssh timout. (CSCsc94317) • To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command. Workaround: None. (CSCsc11726) • A bulk sync failure upon issuing the switchport trunk encapsulation dot1q command causes the standby supervisor engine to reload. Workaround:When this happens, the mismatched command list can be displayed on the active supervisor engine by issuing the show issu config-sync failures mcl command.
Caveats This problem only occurs if the interface configured with port security is in violation restrict mode (through the switchport port-security violation restrict command). Moreover, the interface must be in security violation state when you apply the default interface command. Workarounds: Bring the interface into shutdown mode before you apply the default interface command. (CSCsf30157) • After an ISSU is performed on a WS-X4448-GB-SFP linecard running Cisco IOS Release 12.
Caveats • When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you configure qos account layer2 encapsulation. Workaround: None. (CSCsg58526) • In rare instances, the Supervisor Engine V-10GE might reload with the crashdump vector 0x00000100. Workaround: Monitor the switch and note the number of occurrences as well as any changes on the network prior to the reload.
Caveats set ip next-hop Workaround: Ensure that the next-hops do not fall under a route pointing to Null0. Such routes may have been entered either statically or by a routing protocol configured for summarization. (CSCsd88586) • After a PC configured for 802.1X disconnects from an IP phone port through a Catalyst 4500 series switch, the port transitions to the guest VLAN. When a PC reconnects, the switch successfully authenticates the user but the user remains on the guest VLAN.
Caveats Step 6 RMA the line card if the problem persists with RMA. Ask the TAC engineer to create an EFA. (CSCsf26804) • Windows XP PCs configured for machine authentication and PEAP may not receive an updated IP address from the DHCP server based on user credentials if the PC has been machine authenticated and can ping its previously assigned default gateway. Workaround: Upgrade to Cisco IOS Release 12.2(25)EWA10 or 12.2(31)SGA2.
Caveats clearwater#sh policy-map int FastEthernet3/2 Service-policy output: p1 Class-map: c1 (match-all) 0 packets<--------It stays at '0' despite of traffic being received Match: access-group name fnacl21 police: Per-interface Conform: 9426560 bytes Exceed: 16573440 bytes Workaround: Verify that the MAC addresses being transmitted through the system are learned.
Caveats QueueID Old QueueName New QueueName 5 control-packet control-packet 6 rpf-failure control-packet 7 adj-same-if control-packet 8 control-packet 11 adj-same-if 13 acl input log rfp-failure 14 acl input forward acl input log Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs.
Caveats This could occur for these reasons: – A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch. – This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection and the destination MAC address is already in ARP table.
Caveats • Configure a LACP channel in 802.1q tunnel mode between a Catalyst 4500 series switch and a Catalyst 6000 series switch, and apply the redundancy reload shelf command on the Catalyst 4500 series switch. This can cause link flaps on the EtherChannel interface when the Catalyst 4500 switch reloads. This happens to redundant Catalyst 4500 system, regardless the number of supervisor engines on the chassis. This problem applies to Cisco IOS Releases 12.2(31)SG and the 12.2(31)SGA maintenance train.
Caveats • If the ACL of an SVI interface is too large for the TCAM, ARP replies for the associated VLAN may not be processed. Workaround: Upgrade to Cisco IOS Release 12.2(31)SG or later and resize the TCAM with the access-list hardware region balance command to support the ACL Verify TCAM utilization with the show platform hardware acl statistics utilization brief command.
Caveats Workaround: Use Hardware Control Plane Policing (CoPP) to police GARP packets. (CSCsg08775) • Configuring an ACL on a port configured with the switchport access vlan dynamic command will restart the Catalyst 4500 series switch. This issue impacts Catalyst 4500 series switches running IOS releases including and earlier than 12.2(31)SGA and 12.2(25)EWA6. Workaround: None. (CSCsg03745) • The HSRP Active-Router does not respond to ARP requests for the virtual IP (VIP) address.
Caveats • The switch may reset after a PVLAN trunk port receives a high number of IGMP report messages. Workaround: Disable the PVLAN trunk port. (CSCsg46891) • A switch configured in Rapid PVST spanning tree mode will not automatically recover an interface that was placed into ROOT_Inc state by ROOT guard. Workaround: Bounce any interface on the 4500 switch causing a spanning tree topology change.
Caveats Workaround: None. (CSCsf16422) • When your DHCP address lease time is not updated on a switch configured with IP Source Guard, you cannot renew your DHCP IP addresses. Your non-DHCP traffic is dropped and the following error message is logged: %IP_SOURCE_GUARD-4-IP_SOURCE_GUARD_DENY_PACKET: IP Source Guard detects and drops illegal traffic Workaround: Disable and enable the affected switch ports. (CSCsd65833) • When you configure a switch with an IEEE 802.
Caveats • A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).
Caveats 000105: Jul 9 config-changed 000106: Jul 9 config-changed 000107: Jul 9 config-changed 01:23:36.721 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: Unable to sync command to standby 01:23:46.777 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: Unable to sync command to standby 01:23:56.
Caveats • If you modify policers with a large number of VLAN tags on a Catalyst 4507R or a 4510R chassis with dual supervisor engines operating in SSO mode during substantial CPU bound traffic, the following message appears: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: Unable to sync config-changed command to standby Workaround: Reset the standby supervisor by entering the redundancy reload peer command. This command synchronizes the standby supervisor configuration with the active supervisor.
Caveats • When you do not save the running configuration on the active supervisor engine before a Stateful Switchover occurs due to the failure of the active supervisor engine, the following error message is observed: 00:00:26: %PM-4-PORT_INCONSISTENT: Port Gi3/1 is inconsistent: IDB state down (set 00:00:02 ago), link: up (00:00:02 ago) Traffic loss is observed for about 500 ms.
Caveats • While upgrading the Catalyst 4500 series switch with ISSU, issuing the issu runversion command as the standby supervisor engine boots causes the active supervisor engine to report a bulk sync failure due to a mismatch command (MCL). The MCL errors are reported only for PoE interfaces on WS-X4506-GB-T line cards configured for inline power with the power inline static max command. The standby supervisor engine automatically resets and re-boots in RPR mode.
Caveats • When the standby supervisor engine is not synced with the active supervisor engine that is configured for ISSU during an IOS upgrade of IOS, the following messages appear: %IDBINDEX_SYNC-3-IPC_ERR: ifindex_sync_standby_port : no such port. -Process= "rf task", ipl= 0, pid= 54 -Traceback= Workaround: None. (CSCse31818) • A Catalyst 4500 series switch clears the mac-add-table notif counters when the feature is disabled. Workaround: Re-connect.
Caveats When an active TCP connection is established and when data is sent by the Cisco router to the remote router at a much faster rate than the remote router can handle, the router might advertise a zero window. So, when the router reads the data, the window is re-opened and the new window is advertised. When this situation occurs, and when the Cisco router has saved data to TCP in order to be send to the remote router, the Cisco router may drop the TCP connection.
Caveats • After an SSO switchover, you may receive a “PM-4-PORT_INCONSISTENT” error message on the switch console if you enter the shutdown command, then the no shutdown command on the port that is in UDLD error-disable state. This does not impact the switch; the port remains in UDLD error-disable state. Re-entering the shutdown command, then the no shutdown command on the same port will ensure that the error message does not re-appear. Workaround: None.
Caveats QueueID Old QueueName New QueueName 7 adj-same-if control-packet 8 control-packet 11 adj-same-if 13 acl input log rfp-failure 14 acl input forward acl input log Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs.
Caveats Resolved Caveats in Cisco IOS Release 12.2(31)SG3 This section lists the resolved caveats in Release 12.2(31)SG3: • Cisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of data structures. This feature has been introduced in select Cisco IOS Software releases published after April 5, 2007. The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp: May 17 10:01:27.
Caveats 000102: Jul 9 config-changed 000103: Jul 9 config-changed 000104: Jul 9 config-changed 000105: Jul 9 config-changed 000106: Jul 9 config-changed 000107: Jul 9 config-changed 01:23:06.598 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: command to standby 01:23:16.642 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: command to standby 01:23:26.682 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: command to standby 01:23:36.721 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: command to standby 01:23:46.
Caveats On a switch that support redundancy, the generation of the self-signed certificate is performed independently on the active and the standby supervisor engines. So, the certificates differ. After switchover, the HTTP client that holds the old certificate can not connect to the HTTPS server. Workaround: Re-connect.
Caveats • Occasionally, on redundant systems in SSO mode, applying the apply cisco-phone $AVID vlan $VVID vlan macro command to an interface connected to an IP phone may render the interface in the wrong state relative to the standby supervisor engine. This causes the SVI to be “down” after the switchover. Workaround: If the SVIs associated with the physical interface are down after the switchover, issue shutdown and no shutdown commands on the physical interface to bring up the SVIs.
Caveats This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml. (CSCsi01470) Open Caveats in Cisco IOS Release 12.2(31)SG1 This section lists the open caveats in Cisco IOS Release 12.2(31)SG1: • When you enter the access-list N permit host hostname command on a redundant chassis operating in SSO mode, you might observe the following syslog messages. The command is not synchronized with the redundant supervisor engine, and keepalive warnings appear.
Caveats • Occasionally, on redundant systems in SSO mode, applying the apply cisco-phone $AVID vlan $VVID vlan macro command to an interface connected to an IP phone may render the interface in the wrong state relative to the standby supervisor engine. This causes the SVI to be “down” after the switchover. Workaround: If the SVIs associated with the physical interface are down after the switchover, issue shutdown and no shutdown commands on the physical interface to bring up the SVIs.
Caveats Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example: Switch(config)# no monitor session n source cpu queue all rx Switch(config)# monitor session n source cpu queue (CSCsc94802) • If you initiate a scp copy from the console and it is delayed long enough to cause a timeout, the console is disconnected. Workarounds: – Use a different copy protocol. – Set a longer ssh timout.
Caveats It only happens on releases that include the fix for CSCse85200. When turning on "debug cdp even," the following message appears: CDP-EV: Received item (type : 9) with invalid length 4 Workaround: None. (CSCsf07847) Open Caveats in Cisco IOS Release 12.2(31)SG This section lists the open caveats in Cisco IOS Release 12.2(31)SG: • When you enter the access-list N permit host hostname command on a redundant chassis operating in SSO mode, you might observe the following syslog messages.
Caveats Workaround: None. (CSCeg48586) • Occasionally, on redundant systems in SSO mode, applying the apply cisco-phone $AVID vlan $VVID vlan macro command to an interface connected to an IP phone may render the interface in the wrong state relative to the standby supervisor engine. This causes the SVI to be “down” after the switchover.
Caveats QueueID Old QueueName New QueueName 13 acl input log rfp-failure 14 acl input forward acl input log Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs.
Caveats This caveat is fixed in 12.2(25)EWA11 and 12.2(31)SGA4 software releases. Release 12.2(37)SG is other recommended software release. 12.2(37)SG does not have the fix for CSCsf26804 and hence does not run into CSCsk85158. A linecard replacement is not needed. Do not RMA the module. (CSCsk85158) Resolved Caveats in Cisco IOS Release 12.2(31)SG This section lists the resolved caveats in Release 12.
Caveats Further Information: On the 13th September 2006, Phenoelit Group posted an advisory containing three vulnerabilities: – VTP Version field DoS – Integer Wrap in VTP revision – Buffer Overflow in VTP VLAN name These vulnerabilities are addressed by Cisco IDs: – CSCsd52629/CSCsd34759—VTP version field DoS – CSCse40078/CSCse47765—Integer Wrap in VTP revision – CSCsd34855/CSCei54611—Buffer Overflow in VTP VLAN name Cisco’s statement and further information are available on the Cisco public website at
Caveats disconnected. If a WS-X4148-FE-BD-LC port is connected to a converter box in SML mode, and the Ethernet cable on the box is removed, the port will eventually go into errdisable mode because of the continuous connecting and disconnecting (flapping) of the link. Workaround: Configure the convertor box (CPE device) to operate in either LT (Link Test) or ML (Missing Link) mode.
Caveats Class-map: c1 (match-all) 0 packets<--------It stays at '0' despite of traffic being received Match: access-group name fnacl21 police: Per-interface Conform: 9426560 bytes Exceed: 16573440 bytes Workaround: Verify that the MAC addresses being transmitted through the system are learned.
Caveats • When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up. – If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated. – If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain.
Caveats Open Caveats in Cisco IOS Release 12.2(25)SG3 This section lists the open caveats in Cisco IOS Release 12.2(25)SG3: • Changes to console speed are not updated in ROMMON. If a system is reloaded, you will not see a prompt until Cisco IOS software re-starts. Workaround: None. (CSCee65294) • On a system reload, some of the QoS policies that had previously loaded into the hardware may fail to load due to limited space.
Caveats 000105: Jul 9 config-changed 000106: Jul 9 config-changed 000107: Jul 9 config-changed 01:23:36.721 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: Unable to sync command to standby 01:23:46.777 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: Unable to sync command to standby 01:23:56.
Caveats • When Fast Hellos is configured on an interface thru the command ip ospf dead-interval minimal hello-multiplier, the dead-interval can be changed to exceed 1 second with the ip ospf dead-interval keyword. However, the running configuration still displays the ip ospf dead-interval minimal hello-multiplier command instead of the ip ospf dead-interval command. Workaround: To change the dead-interval when Fast Hellos is enabled, first disable Fast Hellos and then configure the new dead-interval.
Caveats Resolved Caveats in Cisco IOS Release 12.2(25)SG3 This section lists the resolved caveats in Release 12.2(25)SG3: • Cisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of data structures. This feature has been introduced in select Cisco IOS Software releases published after April 5, 2007. The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp: May 17 10:01:27.
Caveats (Missing Link) mode in which the optical side always stays shut down if the Ethernet cable is disconnected. If a WS-X4148-FE-BD-LC port is connected to a converter box in SML mode, and the Ethernet cable on the box is removed, the port will eventually go into errdisable mode because of the continuous connecting and disconnecting (flapping) of the link. Workaround: Configure the convertor box (CPE device) to operate in either LT (Link Test) or ML (Missing Link) mode.
Caveats Class-map: c1 (match-all) 0 packets<--------It stays at '0' despite of traffic being received Match: access-group name fnacl21 police: Per-interface Conform: 9426560 bytes Exceed: 16573440 bytes Workaround: Verify that the MAC addresses being transmitted through the system are learned.
Caveats • When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up. – If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated. – If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain.
Caveats Workaround: Gather the output from the show tech-support command and open a service request with the Technical Assistance Center (TAC) or designated support organization. (CSCsj44081) • Cisco IOS and Cisco IOS XR contain a vulnerability when processing specially crafted IPv6 packets with a Type 0 Routing Header present. Exploitation of this vulnerability can lead to information leakage on affected Cisco IOS and Cisco IOS XR devices, and may also result in a crash of the affected Cisco IOS device.
Caveats Workaround: Disable QoS with the no qos command, and then re-enable QoS with the qos global command. (CSCee52449) • Insertion of unsupported SFPs (small form-factor pluggable optics) into a WS-X4448-GB-SFP or WS-X4448-GB-LX module and can cause undetected communication failures between the supervisor engine and the corresponding module. Subsequent insertion or removal of SFPs from the module is not recognized by the system.
Caveats • In a hierarchical policer configuration with parent as the aggregate policer and child as the microflow policer, child microflow policer-matched packets report only the packets that are in the profile (they match the policing rate). Packets that exceed the policing rate are not reported in the class-map packet match statistics. Workaround: None.
Caveats engine remain administratively shutdown. So, the no shut command does not get synced correctly on the standby supervisor engine. After issuing the shut command, if you wait 30-60 seconds before issuing a no shut command, you will not see the problem. Workaround: Re-issue the shut and no shut commands on the ports.
Caveats There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on if Mobile IPv6 is used and what version on Cisco IOS is being currently used. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml (CSCsd40334) • Cisco Catalyst 6000, 6500 series and Cisco 7600 series that have a Network Analysis Module installed are vulnerable to an attack, which could allow an attacker to gain complete control of the system.
Caveats disconnected. If a WS-X4148-FE-BD-LC port is connected to a converter box in SML mode, and the Ethernet cable on the box is removed, the port will eventually go into errdisable mode because of the continuous connecting and disconnecting (flapping) of the link. Workaround: Configure the convertor box (CPE device) to operate in either LT (Link Test) or ML (Missing Link) mode.
Caveats Class-map: c1 (match-all) 0 packets<--------It stays at '0' despite of traffic being received Match: access-group name fnacl21 police: Per-interface Conform: 9426560 bytes Exceed: 16573440 bytes Workaround: Verify that the MAC addresses being transmitted through the system are learned.
Caveats • When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up. – If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated. – If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain.
Caveats • When you apply smartport macros (like “cisco-switch” and “cisco-desktop”) on a WS-C457R or a WS-C4510R are using CNA, the active supervisor goes through an unexpected switchover. Workaround: No workarounds are available. Enter the default interface command and apply smartport macros such as “cisco-switch” and “cisco-desktop”. (CSCsb59783) • When you enter the default interface command on a WS-C457R or a WS-C4510R are using HTTP, the active supervisor goes through an unexpected switchover.
Caveats This caveat is cosmetic only; it does not impact the operation of the switch. Workaround: Power-cycle the switch. (CSCsg00796) • When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command. This does not impact performance. Workaround: Issue the no shutdown command. (CSCsg27395) Resolved Caveats in Cisco IOS Release 12.
Caveats Resolved Caveats in Cisco IOS Release 12.2(25)EWA12 This section lists the resolved caveat in Cisco IOS Release 12.2(25)EWA12: • If a switch has a redundant supervisor, under rare conditions you will observe the following situation: You first observe the keepalive missing warning messages. Then, after the keepalive protocol times out, a switchover to the standby supervisor engine occurs.
Caveats Workaround: Either downgrade to Cisco IOS Release 12.2(25)EWA9 or an earlier release, or upgrade to Cisco IOS Release 12.2(31)SGA2 and later releases, or Cisco IOS Release 12.2(37)SG. (CSCsj47170) • When you add the ip ssh ver 2 command to the configuration of the primary supervisor engine and you fail over to the secondary supervisor engine, the command is present in the configuration of the secondary supervisor engine.
Caveats Note Do not enable these commands on a production switch unless instructed by Cisco TAC. *Nov 13 address *Nov 13 address *Nov 13 address *Nov 13 address 12:56:32.066 CLT-1: 00:D0:02:2D:38:1A 12:56:34.030 CLT-1: 00:D0:02:2D:38:1A 12:56:34.046 CLT-1: 00:D0:02:2D:38:1A 12:56:34.
Caveats Workaround: Provide the entire command sequence in the browser "command" area as if you were entering the commands through the CLI. (CSCei76082) • A Catalyst 4500 series switch upgrading to IOS versions 12.2(25)EWA or 12.2(31)SG might show unusual uptime in the output of the show version command: Switch uptime is 113 years, 43 weeks, 4 days, 7 hours, 53 minutes This does not impact the operation of the Catalyst 4500 series switch, appearing to be strictly cosmetic.
Caveats Workaround: Upgrade the software to either: – Cisco IOS Release 12.2(31)SGA2 and higher, or – Cisco IOS Release 12.2(37)SG and higher (CSCsh44170) • In software releases 12.2(25)EWA10, 12.2(31)SGA2 and 12.2(31)SGA3, PoE Health Monitoring Diagnostic software introduced via CSCsf26804 incorrectly reports PoE errors for module WS-X4548-GB-RJ45V, hardware revision 4.0. (Use the show module command to see the hardware revision of module.
Caveats Step 2 Determine if the same IP phone works using another line card(s) within the switch. Step 3 Capture show tech-support and show platform chassis module module. Step 4 Reset the linecard by issuing hw-module module module reset or by removing and reinserting the line card. Determine if the IP phone receives power from the switch. Step 5 Capture show tech-support and show platform chassis module module. Step 6 RMA the line card if the problem persists with RMA.
Caveats This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml. (CSCin95836) • The server side of the Secure Copy (SCP) implementation in Cisco IOS contains a vulnerability that allows any valid user, regardless of privilege level, to transfer files to and from an IOS device that is configured to be a Secure Copy server. This vulnerability could allow valid users to retrieve or write to any file on the device’s filesystem, including the device’s saved configuration.
Caveats • A Catalyst 4500 series switch upgrading to IOS versions 12.2(25)EWA or 12.2(31)SG might show unusual uptime in the output of the show version command: Switch uptime is 113 years, 43 weeks, 4 days, 7 hours, 53 minutes This does not impact the operation of the Catalyst 4500 series switch, appearing to be strictly cosmetic. Workaround: Power-cycle the switch. (CSCsg00796) • A Catalyst 4500 series switch running Cisco IOS Release 12.
Caveats -Traceback= 0x41A23CC8 0x41BAA3D8 0x41BA6A08 0x41B96B4C 0x41BA6768 0x41BA7490 0x41BA7750 0x41BAC854 0x41BA120C 0x40C27024 0x40C26760 0x41BA203C 0x40C73E58 0x40C926E8 0x41834200 0x418341E4 %Software-forced reload Workaround: Do not initiate SSH or SCP sessions from the router. (CSCsb54378) • When you remove the radius-server source-ports 1645-1646 default command, the switch sends the RADIUS requests with the wrong source port, causing the authentication attempts to fail.
Caveats Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml. A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007.
Caveats – Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304 – Processing Finished messages, documented as Cisco bug ID CSCsd92405 Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml. Note Another related advisory has been posted with this advisory.
Caveats • If the ACL configured on an SVI is too large for the TCAM, ARP replies for the associated VLAN may not be processed. Workaround: Upgrade to Cisco IOS Release 12.2(31)SGA and resize the TCAM with the access-list hardware region balance command to support the ACL. Verify TCAM utilization with the show platform hardware acl statistics utilization brief command. (CSCsh50565) Resolved Caveats in Cisco IOS Release 12.2(25)EWA8 This section lists the resolved caveats in Cisco IOS Release 12.
Caveats The Energy Policy Act of 2005 (H.R.6.ENR), Section 110 changes the start date from the first Sunday of April to the second Sunday of March, and it changes the end date from the last Sunday of October to the first Sunday of November. Workaround: Use the clock summer-time command to manually configure the proper start and end date for daylight savings time.
Caveats Resolved Caveats in Cisco IOS Release 12.2(25)EWA7 This section lists the resolved caveats in Cisco IOS Release 12.2(25)EWA7: • When VRF Packet Leaking is configured on a Catalyst 4500 series switch with a Supervisor Engine IV, a packet loss of 50 per cent occurs when you ping a VRF interface IP address from a device in the global table. Packets forwarded by the switch are not impacted. Workaround: None. (CSCej36831) • If you running Cisco IOS Release 12.
Caveats • While running Cisco IOS Release 12.2(25)EWA6 on either the Catalyst 4500 series switch, the 4013+TS supervisor engine, or the 4306-GB-T linecard, you might experience the following problem on RJ45 ports: – At 1Gbps, the ports cannot sustain the linerate when sending packets greater than 6656 bytes. – In rare situations, the TxQueue's associated with the RJ45 ports may get stuck when the packets of greater than 6656 bytes are involved and the port is operating at 10Mbps, 100Mbps, or 1Gbps.
Caveats Ports 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 S 9 . 10 . 11 . 12 . 13 . 14 . 15 . 16 . Ports 17 . 18 . 19 . 20 . 21 . 22 . 23 . 24 . 25 . 26 . 27 . 28 . 29 . 30 . 31 . 32 . Ports 33 . 34 . 35 . 36 . 37 . 38 . 39 . 40 . 41 . 42 . 43 . 44 . 45 . 46 . 47 . 48 . You can verify the failure by looking at the output of the show platform software interface stub internal command for any of the faulty ports.
Caveats Input Input Input Output Output Output Output Acl(PortOrVlan) Qos(PortAndVlan) Qos(PortOrVlan) Acl(PortAndVlan) Acl(PortOrVlan) Qos(PortAndVlan) Qos(PortOrVlan) 8105 0 0 0 5 0 0 / / / / / / / 8112 8128 8128 8112 8112 8128 8128 ( 99) ( 0) ( 0) ( 0) ( 0) ( 0) ( 0) 1014 0 0 0 3 0 0 / / / / / / / 1014 1016 1016 1014 1014 1016 1016 (100) ( 0) ( 0) ( 0) ( 0) ( 0) ( 0) On a Catalyst 4500 series switch running Cisco IOS Release 12.
Caveats A Cisco Security Advisory for this vulnerability is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070228-nam.shtml. (CSCse52951) Open Caveats in Cisco IOS Release 12.2(25)EWA6 This section lists the open caveats in Cisco IOS Release 12.2(25)EWA6: • When you enter the access-list N permit host hostname command on a redundant chassis operating in SSO mode, you might observe the following syslog messages.
Caveats • An active supervisor engine WS-X4516-10GE in a WS-C4510R chassis running Cisco IOS Release 12.2(25)EWA2 crashes when you replace the standby supervisor engine WS-X4516-10GE. Workaround: None. (CSCsd46408) • When a third-party device is connected to a 1000BaseX interface and the link is shutdown/unshutdown, the autonegotiation process takes considerable time to complete and the link needs several minutes to come up again. Workaround: Disable autonegotiation or flow-control.
Caveats • The following error messages may appear on a Catalyst 4500 series switch after reload, causing it to lose its VLAN configuration and preventing you from recreating them: This is observed on a switch whose VTP is in transparent mode, Version 2, after some non-default settings for VLANs 1003 and 1005 (token ring) were learned when the switch was in server mode.
Caveats Workaround: Check the variable with the show bootvar command before issuing the write memory command. (CSCeg74620). • For Cisco IOS Releases preceeding Cisco IOS 12.2(25)EWA6, if the Inline Power circuit of a 4200W power supply fails, the supervisor engine might not switchover to the Active power supply. This will result in a IP phone outage because the Inline power drops to zero. This problem can occur in redundant mode or combined mode. Workarounds: – Remove the failed power supply from the bay.
Caveats http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml Conditions: This DDTS resolves a symptom of CSCec71950. Cisco IOS with this specific DDTS are not at risk of crash if CSCec71950 has been resolved in the software. Workaround: Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required.
Caveats Open Caveats in Cisco IOS Release 12.2(25)EWA5 This section lists the open caveats in Cisco IOS Release 12.2(25)EWA5: • When you enter the access-list N permit host hostname command on a redundant chassis operating in SSO mode, you might observe the following syslog messages. The command is not synchronized with the redundant supervisor engine, and keepalive warnings appear.
Caveats • Occasionally, when a Catalyst 4500 series switch is in VTP client mode and “switchport trunk prunning vlan none” is configured on the trunk port, the trunk interface fails to send VLAN joins to the VTP server. Some of the VLAN is pruned on the link to the VTP server even when those VLANs are used. Workaround: Instead of using the "none" option, provide a specific VLAN when enabling VTP pruning on the trunk interface.
Caveats • A WS-4948G, WS-4948G-10GE, WS-X4506-GB-T, and WS-X4013+TS might display the following message while running the Cisco IOS Release 12.2(20)EWA and later: %C4K_HWPORTMAN-4-BLOCKEDTXQUEUE: Blocked transmit queue HwTxQId1 on Switch Phyport 18,count=342141 Ports with a duplex mis-match and the switch port operating in half duplex will exhibit this problem and no traffic will flow through those ports.
Caveats 000102: Jul 9 config-changed 000103: Jul 9 config-changed 000104: Jul 9 config-changed 000105: Jul 9 config-changed 000106: Jul 9 config-changed 000107: Jul 9 config-changed 01:23:06.598 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: command to standby 01:23:16.642 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: command to standby 01:23:26.682 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: command to standby 01:23:36.721 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: command to standby 01:23:46.
Caveats Workaround: Instead of using the "none" option, you must provide a specific VLAN when enabling VTP pruning on the trunk interface. (CSCei42957) • If UDLD is enabled on a trunk port with native VLAN tagging enabled, the UDLD protocol packets are sent out untagged. This may cause UDLD interoperability issues with other Cisco switches that expect to always see tagged packets on trunk ports. Workaround: None.
Caveats • With IP multicast routing and IGMP snooping enabled, a Catalyst 4500 series switch does not send ARP requests to a partner switch if the trunk port on the Catalyst 4500 switch is the only interface carrying private VLANs. Workaround: Configure any other port on the Catalyst 4500 switch (not necessarily one connected to the partner switch) as a regular trunk interface. Ensure that the interface is “link up” and carries both primary and isolated VLANs.
Caveats • Symptoms: The VTP feature in certain versions of Cisco IOS software is vulnerable to a locally-exploitable buffer overflow condition and potential execution of arbitrary code. If a VTP summary advertisement is received with a Type-Length-Value (TLV) containing a VLAN name greater than 100 characters, the receiving switch will reset with an Unassigned Exception error.
Caveats • When PBR is configured on a Supervisor Engine III or Supervisor Engine IV, hardware-switched PBR packets update the access list or route map statistics improperly. Workaround: None. (CSCdz10171) • A CompactFlash module formatted on either Supervisor Engine III or Supervisor Engine IV that uses Cisco IOS Releases 12.1(14)E, 12.1(19)E, or 12.1(13)EW will not work on Supervisor Engine II-Plus. The CompactFlash module will continue to work on the other supervisor engines.
Caveats Class-map: c1 (match-all) 0 packets<--------It stays at '0' despite of traffic being received Match: access-group name fnacl21 police: Per-interface Conform: 9426560 bytes Exceed: 16573440 bytes Workaround: Verify that the MAC addresses being transmitted through the system are learned.
Caveats • Modifying a policer may not work if you configure more than 800 policers. Workaround: Remove, reconfigure and reinstall policers, or, use less than 800 policers. (CSCsa66422) Resolved Caveats in Cisco IOS Release 12.2(25)EWA3 This section lists the resolved caveats in Release 12.2(25)EWA3: • Through normal software maintenance processes, Cisco is removing deprecated functionality. These changes have no impact on system operation or feature availability.
Caveats • A CompactFlash module formatted on either Supervisor Engine III or Supervisor Engine IV that uses Cisco IOS Releases 12.1(14)E, 12.1(19)E, or 12.1(13)EW will not work on Supervisor Engine II-Plus. The CompactFlash module will continue to work on the other supervisor engines. Workaround: Format the CompactFlash module on any Catalyst 4500 series switch supervisor engine that uses Release 12.1(19)EW (or later).
Caveats Workaround: Verify that the MAC addresses being transmitted through the system are learned. (CSCef01798) • After an SSO switchover, you may receive a “PM-4-PORT_INCONSISTENT” error message on the switch console if you enter the shutdown command, then the no shutdown command on the port that is in UDLD error-disable state. This does not impact the switch; the port remains in UDLD error-disable state.
Caveats Resolved Caveats in Cisco IOS Release 12.2(25)EWA2 This section lists the resolved caveats in Release 12.2(25)EWA2: • If the switch receives an unlearned source MAC address after a security violation, memory is consumed in creating a security violation-related SNMP trap for each source MAC address. If the switch receives several unlearned source MAC addresses at a very high rate, considerable memory is consumed to ensure that the SNMP traps are generated and sent out correctly.
Caveats • Deleting the trusted boundary configuration from a port that does not have a phone attached to it and which was configured using the auto qos voip cisco command leaves the port in an untrusted state. The auto qos voip cisco command will configure two CLI's on a port: qos trust cos and qos trust device cisco-phone. Removing the qos trust device cisco-phone command (using the no qos trust cisco-phone command) will cause the port to remain in an untrusted state. Workaround: None.
Caveats You might receive the following error message-related trace back for any of the configured interfaces within the range: 1d02h: %INTERFACE_API-3-NOADDSUBBLOCK: The SWIDB subblock named UDLD was not added to GigabitEthernet#/# -Traceback= 1022E35C 10291A1C 1055FE5C 103E3890 103E3924 1038D228 103EF2C8 103EF758 1043D910 101E1B90 103BA750 101E0DA4 101E0858 101FA910 1030F04C 103059E8 Workarounds: To avoid the error message, do either of the following: 1.
Caveats • When PBR is configured on a Supervisor Engine III or Supervisor Engine IV, hardware-switched PBR packets update the access list or route map statistics improperly. Workaround: None. (CSCdz10171) • A CompactFlash module formatted on either Supervisor Engine III or Supervisor Engine IV that uses Cisco IOS Releases 12.1(14)E, 12.1(19)E, or 12.1(13)EW will not work on Supervisor Engine II-Plus. The CompactFlash module will continue to work on the other supervisor engines.
Caveats • In rare instances, when you are using MAC ACL-based policers, the packet match counters in show policy-map interface fa6/1 do not show the packets being matched: clearwater#sh policy-map int FastEthernet3/2 Service-policy output: p1 Class-map: c1 (match-all) 0 packets<--------It stays at '0' despite of traffic being received Match: access-group name fnacl21 police: Per-interface Conform: 9426560 bytes Exceed: 16573440 bytes Workaround: Verify that the MAC addresses being transmitted through the
Caveats Workaround: Either enter a shutdown/no shutdown on the port or detach and reapply the service policy. (CSCef30883) • When a switchport configured with port security is converted from an access to a promiscuous port, the port security configuration is lost. The show interface command will show that port security is no longer configured. Workaround: After converting a switchport with port security to a promiscuous port, apply the port security interface command again.
Caveats Switch(config-if-range)# vlan 1000-4094 % Command failed on interface GigabitEthernet3/4. Aborting Switch(config)# Workaround: Create the VLANs in global or interface command mode. CSCsa54831) • Deleting the trusted boundary configuration from a port that does not have a phone attached to it and which was configured using the auto qos voip cisco command leaves the port in an untrusted state.
Caveats Open Caveats in Cisco IOS Release 12.2(25)EWA This section lists the open caveats in Cisco IOS Release 12.2(25)EWA: • Changes to console speed are not updated in ROMMON. If a system is reloaded, you will not see a prompt until Cisco IOS software re-starts. Workaround: None. (CSCee65294) • On a system reload, some of the QoS policies that had previously loaded into the hardware may fail to load due to limited space.
Caveats 000105: Jul 9 config-changed 000106: Jul 9 config-changed 000107: Jul 9 config-changed 01:23:36.721 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: Unable to sync command to standby 01:23:46.777 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: Unable to sync command to standby 01:23:56.
Caveats Workaround: Exit, then re-enter interface configuration mode. All commands will be accepted, even after you enter the macro apply command. (CSCsa44632) • If the switch receives an unlearned source MAC address after a security violation, memory is consumed in creating a security violation-related SNMP trap for each source MAC address.
Caveats If this sample configuration is contained in the startup-config, then the ACL filter would work properly after the Catalyst 4500 series switch boots. This caveat only impacts Cisco IOS Release 12.2(25)EWA.
Caveats Resolved Caveats in Cisco IOS Release 12.2(25)EWA This section lists the resolved caveats in Release 12.2(25)EWA: • A spurious error message appears when an SSH connection disconnects after an idle timeout. Workaround: Disable idle timeouts. (CSCec30214) • When the access VLAN of an access port is converted into an RSPAN VLAN, the show interface and show interface inactive commands indicate that the interface is up and connected.
Caveats disconnected. If a WS-X4148-FE-BD-LC port is connected to a converter box in SML mode, and the Ethernet cable on the box is removed, the port will eventually go into errdisable mode because of the continuous connecting and disconnecting (flapping) of the link. Workaround: Configure the convertor box (CPE device) to operate in either LT (Link Test) or ML (Missing Link) mode. (CSCed28409) • A spurious error message appears when an SSH connection disconnects after an idle timeout.
Caveats • When the access VLAN of an access port is converted into an RSPAN VLAN, the show interface and show interface inactive commands indicate that the interface is up and connected. This problem is strictly cosmetic; the interface is no longer forwarding traffic. Workaround: None. (CSCsa44090) • When a Catalyst 4500 series switch exhausts the packet buffers and can no longer receive packets, the Rx-No_pkt_Buff field in the output of the show platform interface all command may not get updated.
Caveats • If the switch receives an unlearned source MAC address after a security violation, memory is consumed in creating a security violation-related SNMP trap for each source MAC address. If the switch receives several unlearned source MAC addresses at a very high rate, considerable memory is consumed to ensure that the SNMP traps are generated and sent out correctly. Workaround: Configure the trap-rate to limit very small number of traps every second.
Caveats • When the gigabit port of a Catalyst 3550 switch with inline power (WS-C3550-25-PWR) is connected to the gigabit port of a Catalyst 4500 series switch with Supervisor Engine WS-X4516 and Release 12.2(18)EW or 12.2(20)EW, the gigabit uplink port on the Catalyst 3550 switch fails POST (lost loopback packet) during bootup. Workarounds: 1. Disconnect the cable connecting the uplink ports on the Catalyst 3550 switch to the Catalyst 4500 series switch before booting the Catalyst 3550 switch.
Caveats disconnected. If a WS-X4148-FE-BD-LC port is connected to a converter box in SML mode, and the Ethernet cable on the box is removed, the port will eventually go into errdisable mode because of the continuous connecting and disconnecting (flapping) of the link. Workaround: Configure the convertor box (CPE device) to operate in either LT (Link Test) or ML (Missing Link) mode. (CSCed28409) • A spurious error message appears when an SSH connection disconnects after an idle timeout.
Caveats • The PoE status LED on the WS-X4506-GB-T linecard is always off. Moreover, PoE status does not appear in the output of the show environment command. Workaround: None. This was fixed in Cisco IOS Release 12.2(25)EWA. (CSCeh26976) Resolved Caveats in Cisco IOS Release 12.2(20)EWA4 This section lists the resolved caveats in Release 12.2(20)EWA4: • Some (or all) CDP neighbors are invisible. It only happens on releases that include the fix for CSCse85200.
Caveats • On a system reload, some of the QoS policies that had previously loaded into the hardware may fail to load due to limited space. Workaround: Disable QoS with the no qos command, and then reenable QoS with the qos global command. (CSCee52449) • Insertion of unsupported SFPs (small form-factor pluggable optics) into a WS-X4448-GB-SFP or WS-X4448-GB-LX module and can cause undetected communication failures between the supervisor engine and the corresponding module.
Caveats Workaround: When using the access-list N permit host hostname command, specify the IP address of the host rather than the hostname (CSCef67489) • After a supervisor engine switchover in SSO mode, the Diagnostic Optical Monitoring feature (CLI and MIB support) might not work as expected. The show interfaces transceiver command will not display any output. Workaround: Reload the supervisor engines.
Caveats disconnected. If a WS-X4148-FE-BD-LC port is connected to a converter box in SML mode, and the Ethernet cable on the box is removed, the port will eventually go into errdisable mode because of the continuous connecting and disconnecting (flapping) of the link. Workaround: Configure the convertor box (CPE device) to operate in either LT (Link Test) or ML (Missing Link) mode. (CSCed28409) • A spurious error message appears when an SSH connection disconnects after an idle timeout.
Caveats • The PoE status LED on the WS-X4506-GB-T linecard is always off. Moreover, PoE status does not appear in the output of the show environment command. Workaround: None. This was fixed in Cisco IOS Release 12.2(25)EWA. (CSCeh26976) Resolved Caveats in Cisco IOS Release 12.2(20)EWA2 This section lists the resolved caveats in Release 12.
Caveats • When PBR is configured on a Supervisor Engine III or Supervisor Engine IV, hardware-switched PBR packets update the access list or route map statistics improperly. Workaround: None. (CSCdz10171) • A CompactFlash module formatted on either Supervisor Engine III or Supervisor Engine IV that uses Cisco IOS Releases 12.1(14)E, 12.1(19)E, or 12.1(13)EW will not work on Supervisor Engine II-Plus. The CompactFlash module will continue to work on the other supervisor engines.
Caveats Resolved Caveats in Cisco IOS Release 12.2(20)EWA1 This section lists the resolved caveats in Release 12.2(20)EWA1: • NetFlow Feature Acceleration has been deprecated and removed from Cisco IOS. The global command ip flow-cache feature-accelerate will no longer be recognized in any IOS configuration. If your router configuration does not currently contain the command ip flow-cache feature-accelerate, this change does not affect you.
Caveats disconnected. If a WS-X4148-FE-BD-LC port is connected to a converter box in SML mode, and the Ethernet cable on the box is removed, the port will eventually go into errdisable mode because of the continuous connecting and disconnecting (flapping) of the link. Workaround: Configure the convertor box (CPE device) to operate in either LT (Link Test) or ML (Missing Link) mode. (CSCed28409) • A spurious error message appears when an SSH connection disconnects after an idle timeout.
Caveats • The PoE status LED on the WS-X4506-GB-T linecard is always off. Moreover, PoE status does not appear in the output of the show environment command. Workaround: None. This was fixed in Cisco IOS Release 12.2(25)EWA. (CSCeh26976) Resolved Caveats in Cisco IOS Release 12.2(20)EWA This section lists the resolved caveats in Release 12.2(20)EWA: • The DHCP snooping database agent has a maximum of 8192 entries.
Caveats • Changes to console speed are not updated in ROMMON. If a system is reloaded, you will not see a prompt until Cisco IOS software re-starts. Workaround: None. (CSCee65294) • The DHCP snooping database agent has a maximum of 8192 entries. If the number of DHCP bindings learned by the system exceeds this number, the entries in the database agent will be cleared out, the entries in hardware will be retained, and switching will continue. However, upon reload, bindings and connectivity will be lost.
Caveats Resolved Caveats in Cisco IOS Release 12.2(20)EW4 This section lists the resolved caveats in release 12.2(20)EW4: • Some (or all) CDP neighbors are invisible. It only happens on releases that include the fix for CSCse85200. When turning on "debug cdp even," the following message appears: CDP-EV: Received item (type : 9) with invalid length 4 Workaround: None.
Caveats 2. Before starting up the Catalyst 3550 switch, issue the shutdown command on the Gigabit Ethernet ports on the Catalyst 4500 series switch. After starting up the Catalyst 3550 switch, issue the no shutdown command on the Gigabit Ethernet ports on the Catalyst 4500 switch. (CSCee50578) • Changes to console speed are not updated in ROMMON. If a system is reloaded, you will not see a prompt until Cisco IOS software re-starts. Workaround: None.
Caveats • A CompactFlash module formatted on either Supervisor Engine III or Supervisor Engine IV that uses Cisco IOS Releases 12.1(14)E, 12.1(19)E, or 12.1(13)EW will not work on Supervisor Engine II-Plus. The CompactFlash module will continue to work on the other supervisor engines. Workaround: Format the CompactFlash module on any Catalyst 4500 series switch supervisor engine that uses Release 12.1(19)EW (or later). (CSCeb36355) Resolved Caveats in Cisco IOS Release 12.
Caveats Workaround: Either remove the IP source guard configuration using the no ip verify source vlan dhcp-snooping port-security command and reconfigure using ip verify source vlan dhcp-snooping port-security command or shut down the interface (after removing the policy) using the shutdown command and reactivate it using the no shutdown command. (CSCee44402) • On a system reload, some of the QoS policies that had previously loaded into the hardware, may fail to load due to limited space.
Caveats More details can be found in the security advisory that is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml. (CSCef68324) Open Caveats in Cisco IOS Release 12.2(20)EW1 This section lists the open caveats in Cisco IOS Release 12.2(20)EW1. • For Release 12.
Caveats • When in SML (Smart Missing Link) mode, some converter boxes (CPE devices) send pulses on the optical side when the Ethernet cable is removed. These converter boxes should also have an LT (Link Test) mode in which the optical side stays active regardless of the connection status and an ML (Missing Link) mode in which the optical side always stays shut down if the Ethernet cable is disconnected.
Caveats Open Caveats in Cisco IOS Release 12.2(20)EW This section lists the open caveats in Cisco IOS Release 12.2(20)EW. • For Release 12.2(18)EW or later, when the Gigabit Ethernet port of a Catalyst 3550 switch with inline power (WS-C3550-25-PWR) is connected to the Gigabit Ethernet port of a Catalyst 4500 series switch with a Supervisor Engine V (WS-X4516), the port on the Catalyst 3500 switch fails POST (power-on self test) during startup. Workarounds: 1.
Caveats disconnected. If a WS-X4148-FE-BD-LC port is connected to a converter box in SML mode, and the Ethernet cable on the box is removed, the port will eventually go into errdisable mode because of the continuous connecting and disconnecting flapping of the link. Workaround: Configure the convertor box (CPE device) to operate in either LT (Link Test) or ML (Missing Link) mode. (CSCed28409) • A spurious error message appears when an SSH connection disconnects after an idle timeout.
Caveats • When you upgrade a Cisco IOS software image from Release 12.1(12c) or 12.1(19)E to a release in the 12.2 release train, the following syslog message appears: "00:00:01: %C4K_IOSSYS-3-BLANKSTARTUPCONFIG: Blank or invalid startup-config, booting up with defaults". Workaround: You may ignore the message. (CSCed26025) • When configured for VRF-Lite, a Catalyst 4500 series switch inadvertently forwards packets received on the VRF interface for those destinations not in the VRF routing table.
Caveats Resolved Caveats in Cisco IOS Release 12.2(18)EW7 This section lists the resolved caveats in release 12.2(18)EW7: • Some (or all) CDP neighbors are invisible. It only happens on releases that include the fix for CSCse85200. When turning on "debug cdp even," the following message appears: CDP-EV: Received item (type : 9) with invalid length 4 Workaround: None. (CSCsf07847) Open Caveats in Cisco IOS Release 12.2(18)EW6 This section lists the open caveats in Cisco IOS Release 12.2(18)EW6.
Caveats Workaround: None. (CSCsa96905) • If ARP Inspection and DHCP Snooping are enabled and MAC ACLs are applied on a Catalyst 4500 series switch, the switch shows high CPU. The show platform health command shows that the processes holding the CPU are: – KxAclPathMan update – TagMan-RecreateMtegR – K2L2 Address Table R Workaround: Remove the MAC ACLs.
Caveats • A Catalyst 4500 series switch running in pim dense-mode marks the OIL of (*,G) with an "H" flag (hardware switching flag). Ordinarily, switches operating in pim dense-mode should not use (*,G) to forward traffic. This situation does not impact (S,G) multicast traffic forwarding. Workaround: None. (CSCeh46536) • After configuring speed nonnegotiate in an interface range on a WS-X4306 module on a Catalyst 4500 series switch, Symbol-Err and Sequence-Err counters may increase.
Caveats Further Information: On the 13th September 2006, Phenoelit Group posted an advisory containing three vulnerabilities: – VTP Version field DoS – Integer Wrap in VTP revision – Buffer Overflow in VTP VLAN name These vulnerabilities are addressed by Cisco IDs: – CSCsd52629/CSCsd34759—VTP version field DoS – CSCse40078/CSCse47765—Integer Wrap in VTP revision – CSCsd34855/CSCei54611—Buffer Overflow in VTP VLAN name Cisco’s statement and further information are available on the Cisco public website at
Caveats Open Caveats in Cisco IOS Release 12.2(18)EW5 This section lists the open caveats in Cisco IOS Release 12.2(18)EW5. • When 802.1Q and Layer 2 Protocol Tunneling are disabled on a switch, and the switch is rebooted after saving the configuration, spanning-tree BPDU filtering is not disabled automatically on the port. Workaround: Manually disable spanning-tree BPDU filtering on the interface with the no spanning-tree bpdufilter command.
Caveats This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml. (CSCei61732) Open Caveats in Cisco IOS Release 12.2(18)EW4 This section lists the open caveats in Cisco IOS Release 12.2(18)EW4. • When 802.1Q and Layer 2 Protocol Tunneling are disabled on a switch, and the switch is rebooted after saving the configuration, spanning-tree BPDU filtering is not disabled automatically on the port.
Caveats The removal of NetFlow Feature Acceleration does not affect any other aspects of Netflow operation, for example Access-list processing. The features are separate and distinct. Cisco Express Forwarding (CEF) supersedes the deprecated NetFlow Feature Acceleration.
Caveats • Interfaces on the module WS-X4148-RJ45V may not establish a link with a Daiden DN-2800G media converter, when both the switch and the media converter interfaces are configured to operate at 100 Mbps and full duplex. This situation occurs when the interface on the module is configured to automatically detect and power up devices inline with the power inline auto command. This caveat is exhibited in all software releases. Workarounds: 1.
Caveats Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type. Multiple Cisco products are affected by the attacks described in this Internet draft. Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
Caveats Workaround: Enter the ip route vrf 0.0.0.0 0.0.0.0 null 0 command. (CSCed20990) • Ports in suspended mode due to misconfiguration in the LACP port channel do not recover, even after reconfiguring the ports. This situation occurs when most ports are configured for dot1q encapsulation and one or more ports are not.
Caveats This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml. The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
Caveats DHCP packets. Cisco is providing free fixed software to address this issue. There are also workarounds to mitigate this vulnerability. This issue was introduced by the fix included in CSCdx46180 and is being tracked by Cisco Bug ID CSCee50294. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20041110-dhcp.html • When in SML (Smart Missing Link) mode, some converter boxes (CPE devices) send pulses on the optical side when the Ethernet cable is removed.
Caveats • When DHCP snooping, IP source guard, and trunks are configured on all 240 interfaces of a Catalyst 4500 series switch that is equipped with a Supervisor Engine II+, all TCAM space on the switch might be exhausted. Workaround: None. (CSCed18765) • When configured for VRF-Lite, a Catalyst 4500 series switch incorrectly forwards packets received on the VRF interface for those destinations not in the VRF routing table.
Caveats Workarounds: 1. Before starting up the Catalyst 3550 switch, disconnect the cable connecting the uplink ports on the Catalyst 3550 switch to the Catalyst 4500 series switch. Once the Catalyst 3550 switch boots, reconnect the cable. 2. Before starting up the Catalyst 3550 switch, enter the shutdown command on the Gigabit Ethernet ports on the Catalyst 4500 series switch.
Caveats • The show mod command will not display the correct status of a WS-X4604-GWY module if the gateway module has failed. The status of the module incorrectly displays as “Ok,” but the correct status is “Offline.” This problem has been resolved in the Release 12.3(8.3)T image of the WS-X4604-GWY module. Workaround: Use SNMP to monitor both the gateway module and the supervisor engine as separate devices. (CSCea90578) Open Caveats in Cisco IOS Release 12.
Caveats • When you upgrade a Cisco IOS software image from Release 12.1(12c) or 12.1(19)E to a release in the 12.2 release train, the following syslog message appears: "00:00:01: %C4K_IOSSYS-3-BLANKSTARTUPCONFIG: Blank or invalid startup-config, booting up with defaults". Workaround: Ignore the message. It is harmless. (CSCed26025) • A spurious error message appears when an SSH connection disconnects after an idle timeout. Workaround: Disable idle timeouts.
Caveats that drops the "RPF failure" packets before they reach the CPU of the non-forwarding router. Normally the show ip mfib fastdrop command displays a list of all active fastdrop entries. In some cases the “fastdrop” entry might be displayed. Workaround: None. However, you can use the show ip mfib log command to validate that the RPF failure packets are not forwarded to the CPU. (CSCec45313) • If a port is in shutdown state, then the show interfaces command might report an incorrect media type.
Caveats Workaround: None. However, you can use the show ip mfib log command to validate that the RPF failure packets are not forwarded to the CPU. (CSCec45313) • Occasionally, Enabling auto QoS for the first time might cause the switch to reload. Workaround: Issue the show auto qos interface command, and then apply all displayed commands manually. (CSCec43783) • If a port is in shutdown state, then the show interfaces command might report an incorrect media type.
Caveats • Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution. Cisco has made free software available that includes the additional integrity checks for affected customers. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.
Caveats • If you have enabled jumbo frames or baby giants, and the switch routes packets destined to a router port (as configured with the no switchport command on a WS-X4418-GB or WS-X4412-2GB-T module), the switch might reload when it tries to fragment these packets. Workaround: Either disable the jumbo frames or baby giants feature, or remove the WS-X4418-GB or WS-X4412-2GB-T module from the chassis.
Caveats cnfFeatureActive cnfFeatureAttaches cnfFeatureDetaches cnfFeatureConfigChanges 1.3.6.1.4.1.9.9.99999.1.3.4.1.3 1.3.6.1.4.1.9.9.99999.1.3.4.1.4 1.3.6.1.4.1.9.9.99999.1.3.4.1.5 1.3.6.1.4.1.9.9.99999.1.3.4.1.6 (CSCsa81379) Open Caveats in Cisco IOS Release 12.1(20)EW1 This section lists the open caveats in Cisco IOS Release 12.1(20)EW1. • For Cisco IOS Release 12.1(20)EW, in certain scenarios that entail LACP port channels, misconfigured ports do not recover, even after the configuration is fixed.
Caveats • When PBR is configured on a Catalyst 4500 Series Switch Supervisor Engine III or IV, hardware-switched PBR packets update the access list or route map statistics improperly. Workaround: None. (CSCdz10171) • When at least 2000 VLAN interfaces are configured in a startup-configuration file, a switch might take at least 10 minutes to boot up. During this time, the switch is unresponsive. Workaround: Configure fewer SVIs in the startup configuration file.
Caveats protocol ensures that only one router is elected to forward traffic to the LAN segment. The non-forwarding router, however, might still have a multicast route for that same multicast flow. If so, the non-forwarding router creates a multicast "fastdrop" entry in the hardware forwarding table that drops the "RPF failure" packets before they reach the CPU of the non-forwarding router. Normally the show ip mfib fastdrop command displays a list of all active fastdrop entries.
Caveats Resolved Caveats in Cisco IOS Release 12.1(20)EW This section lists the resolved caveats in Release 12.1(20)EW: • When a PortFast-enabled port assumes the forwarding state, it is added to the multicast flood set and starts receiving all unknown multicast traffic. This situation occurs only if the port was previously down and is now up, and IGMP snooping is enabled on that VLAN. Workaround: Disable the PortFast feature on the port.
Caveats • Release 12.1(19)EW can have 10/100 autonegotiation interoperability problems on a WS-X4148-RJ45V (Network Interface Card) that uses the Realtec RTL8139A Chipset. Workaround: Turn autonegotiation off. (CSCea18531) • The interface range command is incompatible with the no ip igmp snooping tcn flood command. Workaround: Apply the CLI directly on the interface. (CSCeb33811) Resolved Caveats in Cisco IOS Release 12.1(19)EW3 This section lists the resolved caveats in Release 12.
Caveats Workaround: Format the CompactFlash card on any Catalyst 4500 series supervisor engine running 12.1(19)EW. • If a switchport in loop-inconsistent mode is sending BPDUs and is elected the “designated root” on the segment, it will not be able to recover from loop-inconsistent mode. Workaround: Disable and then reenable the switchport. (CSCeb06811) • Release 12.
Caveats • The show mod command will not reflect the correct status of a WS-X4604-GWY module, if the gateway module has crashed. The status of the module is displayed as “Ok”; the status should be “Offline”. Workaround: Use SNMP to monitor both the gateway module and the supervisor engine as separate devices. (CSCea90578) • When a PortFast-enabled port assumes the forwarding state, it is added to the multicast flood set and starts receiving all unknown multicast traffic.
Caveats • IGMPv3 leaves are not being forwarded to the multicast router ports, which impacts bandwidth by delaying the pruning of traffic from the router to the host. The result is unwanted multicast traffic between the router and the switch, which remains longer than necessary. The problem is corrected when the router “ages out” the interface from the group, which usually occurs on the router’s next IGMP general query.
Caveats • IGMPv3 leaves are not being forwarded to the multicast router ports, which impacts bandwidth by delaying the pruning of traffic from the router to the host. The result is unwanted multicast traffic between the router and the switch, which remains longer than necessary. The problem is corrected when the router “ages out” the interface from the group, which usually occurs on the router’s next IGMP general query.
Caveats • A CompactFlash card formatted on either Supervisor Engine III or IV running 12.1E or 12.1(13)EW will not work on Supervisor Engine II-Plus. The CompactFlash card will continue to work on other supervisor engines. Workaround: Format the CompactFlash card on any Catalyst 4500 series supervisor engine running 12.1(19)EW. • If a switchport in loop-inconsistent mode is sending BPDUs and is elected the “designated root” on the segment, it will not be able to recover from loop-inconsistent mode.
Caveats • When a nonblocking gigaport is configured as “unidirectional receive-only” and as “speed nonegotiation,” the port link may not come up after both CLIs are unconfigured. Workaround: Do one of the following: – Avoid configuring both unidirectional receive-only and speed nonegotiation on the same port, because the former places a port in speed nonegotiation mode. – Enter the shut and no shut commands to reset the port’s link partner and bring up the port’s link.
Caveats • When a VLAN filter is applied to filter IP traffic based on Layer 4 information, fragmented packets might not be filtered correctly. Only the initial fragment has all the Layer 4 information. Noninitial fragments do not have any Layer 4 information (for example, UDP ports and the TCP flag). Workaround: If IP packets can be fragmented in your network, program ACLs in the VLAN map, without any Layer 4 information.
Caveats • If none of a port-channel’s ports support Jumbo Frame, your attempt to change the MTU on the port-channel will change the port-channel's MTU, but not the member ports' MTU. Moreover, none of the member ports are suspended. In contrast, if some of the member ports support jumbo frames, this scenario does not happen and the ports that do not support jumbo frames are suspended. Workaround: Do not change the port-channel's MTU if none of its member ports support jumbo frames.
Caveats Resolved Caveats in Cisco IOS Release 12.1(13)EW4 This section lists the resolved caveats in Release 12.1(13)EW4. • Through normal software maintenance processes, Cisco is removing deprecated functionality. These changes have no impact on system operation or feature availability. (CSCei76358) • Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability.
Caveats • When a Catalyst 4000 Supervisor Engine III or IV is configured to use PBR, and the route-map specifies that the action is a default next-hop, that action is taken only if the ARP resolution for the specified host has already taken place. If the ARP resolution has not taken place, the system does not consider the host to be a valid default next-hop. Workaround: Ping the specified host to ensure that it is always in the ARP table.
Caveats • If an ACL is applied to more than one interface, and any Access Control Entry (ACE) in the ACL is subsequently modified, then the Ternary Content Addressable Memory (TCAM) usage of that ACL is multiplied by the number of interfaces to which the ACL is applied. Workaround: Detach the ACL from one interface at a time (without deleting the ACL), and then reattach the ACL to that interface. (CSCdw28603) Resolved Caveats in Cisco IOS Release 12.
Caveats • Supervisor engine status may not register as faulty and the status LED may not turn amber when a fan-tray fails or is removed. Moreover, the status LED may not go turn red when the power supply fails or is removed. Workaround: None. (CSCdz55274) • When a non-blocking gigaport is configured as “unidirectional receive-only” as well as “speed nonegotiation,” once both CLIs are unconfigured, the port link may not come up.
Caveats • When the spanning tree mode is PVST, isolated trunk ports transmit BPDUs with the primary VLAN instead of the secondary VLAN. Workaround: Use the spanning-tree bpduguard enable interface command to enable BPDU Guard to detect any BPDUs received on private VLAN trunk ports.
Caveats This POST behavior is a software issue and has been resolved in 12.1(12c)EW2, 12.1(13)EW2, 12.1(19)EW, and 12.1(20)E images. Workaround: None. (CSCeb59442) Open Caveats in Cisco IOS Release 12.1(13)EW1 This section lists the open caveats in Release 12.1(13)EW1. • Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack.
Caveats • When a non-blocking gigaport is configured as “unidirectional receive-only” as well as “speed nonegotiation,” once both CLIs are unconfigured, the port link may not come up. Workaround: Do one of the following: – Avoid configuring both unidirectional receive-only and speed nonegotiation on the same port, because the former places a port in speed nonegotiation mode. – Issue shut and no shut commands to reset the port’s link partner and bring up the port's link.
Caveats • When a secondary VLAN is disabled using the shutdown VLAN configuration command and re-enabled using the no shutdown VLAN configuration command, any subsequent flooded/multicast packets received on the private VLAN port does not reach all the destinations. Workaround: Do not use the shutdown and no shutdown VLAN configuration command to disable the VLAN. Instead, delete and recreate the secondary VLAN with the proper VLAN type and association configuration.
Caveats • When a large number of flows use a congested queue, some non aggressive flows might experience large drops of traffic. When the queue is cleared, the packets flow normally for all the flows. Workaround: None. (CSCea19319) Open Caveats in Cisco IOS Release 12.1(13)EW This section lists the open caveats in Release 12.1(13)EW.
Caveats • When a non-blocking gigaport is configured as “unidirectional receive-only” as well as “speed nonegotiation,” once both CLIs are unconfigured, the port link may not come up. Workaround: Do one of the following: – Avoid configuring both unidirectional receive-only and speed nonegotiation on the same port, because the former places a port in speed nonegotiation mode. – Issue shut and no shut commands to reset the port’s link partner and bring up the port's link.
Caveats • When a secondary VLAN is disabled using the shutdown VLAN configuration command and re-enabled using the no shutdown VLAN configuration command, any subsequent flooded/multicast packets received on the private VLAN port does not reach all the destinations. Workaround: Do not use the shutdown and no shutdown VLAN configuration command to disable the VLAN. Instead, delete and recreate the secondary VLAN with the proper VLAN type and association configuration.
Caveats Open Caveats in Cisco IOS Release 12.1(12c)EW4 This section lists the open caveats in release 12.1(12c)EW4. • Private VLAN trunks will continue to operate as private trunks after you configure them as normal trunks using the switchport mode trunk command. While the trunks are in this state, the interfaces will not show up as private VLAN trunks in the output of the show vlan private-vlan command.
Caveats • The CLI erroneously permits enabling 802.1X on ports that are configured as private VLAN trunks and private VLAN access ports. This configuration may result in unexpected behavior. Workaround: Don't configure 802.1X on PVLAN ports.
Caveats • When a secondary VLAN is disabled using the shutdown VLAN configuration command and re-enabled using the no shutdown VLAN configuration command, any subsequent flooded/multicast packets received on the private VLAN port do not reach all the destinations. Workaround: Do not use the shutdown and no shutdown VLAN configuration command to disable the VLAN. Instead, delete and recreate the secondary VLAN with the proper VLAN type and association configuration.
Caveats cnfFeatureActiveSlot cnfFeatureTable cnfFeatureEntry cnfFeatureType cnfFeatureSlot cnfFeatureActive cnfFeatureAttaches cnfFeatureDetaches cnfFeatureConfigChanges 1.3.6.1.4.1.9.9.99999.1.3.3 1.3.6.1.4.1.9.9.99999.1.3.4 1.3.6.1.4.1.9.9.99999.1.3.4.1 1.3.6.1.4.1.9.9.99999.1.3.4.1.1 1.3.6.1.4.1.9.9.99999.1.3.4.1.2 1.3.6.1.4.1.9.9.99999.1.3.4.1.3 1.3.6.1.4.1.9.9.99999.1.3.4.1.4 1.3.6.1.4.1.9.9.99999.1.3.4.1.5 1.3.6.1.4.1.9.9.99999.1.3.4.1.6 (CSCsa81379) Open Caveats in Cisco IOS Release 12.
Caveats • On systems with redundant supervisors and large and complex configurations, where the system is actively processing startup-config file, the standby supervisor engine may take over from the active supervisor engine in the boot process.
Caveats This POST behavior is a software issue and has been resolved in 12.1(12c)EW2, 12.1(13)EW2, 12.1(19)EW, and 12.1(20)E images. Workaround: None. (CSCeb59442) Open Caveats in Cisco IOS Release 12.1(12c)EW1 This section lists the open caveats in Release 12.1(12c)EW1. • Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack.
Caveats • When the spanning tree mode is PVST, isolated trunk ports transmit BPDUs with the primary VLAN instead of the secondary VLAN. Workaround: Use the spanning-tree bpduguard enable interface command to enable BPDU Guard to detect any BPDUs received on private VLAN trunk ports.
Caveats Workaround: After the switch boots, verify that the standby supervisor engine has a valid cat4000_flash:vlan.dat file. If you suspect the file is invalid, copy the valid file using the following command on the active supervisor: copy cat4000_flash:vlan.dat slavecat4000_flash:vlan.dat (CSCdy26890) • No log message is generated when a power supply fails. Workaround:.Review the output of the show power command to check the status of power supplies.
Caveats • ACLs containing more than six L4 port operators trigger L4 operator expansion. Certain range operators are expanded too broadly, which causes the affected ACEs to match more packets than they should. Less-than and greater-than operators are expanded correctly in all cases. This issue affects only Cisco IOS Release 12.1(12c)EW. Workaround: Avoid configuring ACLs that trigger L4 operator expansion. (CSCdy70646) Open Caveats in Cisco IOS Release 12.
Caveats • Disabling IGMP snooping with a large number of groups and VLANs might cause CPU HOG and HOST FLAPPING. If so, you will see messages like the following on the console: 2d07h: %SYS-3-CPUHOG: Task ran for 8692 msec (0/0), process = Exec, PC = 128790. 2d07h: %C4K_EBM-4-HOSTFLAPPING: Host 00:10:0B:10:B9:20 in vlan 200 is flapping between port Po2 and port Po1 Workaround: None.
Caveats Resolved Caveats in Cisco IOS Release 12.1(12c)EW This section lists the resolved caveats in Release 12.1(12c)EW: • A Catalyst 4006 switch with Supervisor Engine III using Release 12.1(11b)EW might crash when you enter the following command while the port channel set to channel-no is in a shutdown state: show platform software etherchannel port-channel channel-no This command was introduced in software release 12.1(11b)EW. Software release 12.1(8a)EW is not affected by this caveat.
Caveats • On a Catalyst 4006 switch with Supervisor Engine III, the output rate in show interface command might display a value greater than the bandwidth that the interface can handle. Workaround: None. (CSCdx30670) • When you use a large number of ACLs with more than 1000 entries, the switch can take more than five minutes to boot up. Workaround: Use extended named ACLs. Named ACLs specified in the ACL config mode do not exhibit this behavior.
Caveats Workaround: This condition is temporary and can be resolved by resetting the switch. (CSCdx66345) • When burst CPU traffic conditions (low CPU traffic combined with intermittent bursts of routing updates) occur, packets sent to the CPU can be lost. This traffic interruption can occur for less than one second or for a few minutes. No intervention is required, the switch recovers automatically. (CSCdy06162) • A Catalyst 4006 switch with Supervisor Engine III using Release 12.
Caveats Resolved Caveats in Cisco IOS Release 12.1(11b)EW This section lists the resolved caveats in Release 12.1(11b)EW: • In the show power and show environment commands, the status of the Power Entry Module (PEM) is reported incorrectly. If the status of the PEM is listed as bad, it is actually good, and if the status is listed as good, it is actually bad. This has no affect on system operation. n software release 12.1(8a)EW1, the PEM is supported only in the show commands.
Caveats Workaround: Do not clear the groups all at once. Instead, clear each IGMP group cache entry separately. (CSCdw46417) • When you use a large number of ACLs with more than 1000 entries, the switch can take more than five minutes to boot up. Workaround: Use extended named ACLs. Named ACLs specified in the ACL config mode do not exhibit this behavior.
Caveats Resolved Caveats in Cisco IOS Release 12.1(8a)EW1 This section lists the resolved caveats in Release 12.1(8a)EW1: • An error can occur with management protocol processing. Please use the following URL for further information: http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdw65903 (CSCdw65903) Open Caveats in Cisco IOS Release 12.1(8a)EW This section lists the open caveats in Release 12.
Troubleshooting Review the output of the show ip msdp sa-cache EXEC command to see if some of the SAs can be filtered based on the source address, the Rendezvous point (RP) address, or the autonomous system (AS) number. (CSCdw35003) • If you create Switched Virtual Interfaces (SVI) for both a primary VLAN and secondary VLAN and then delete them, a subsequent association between the VLANs the switch could reboot your switch.
Troubleshooting Netbooting from the ROMMON Netbooting using a boot loader image is not supported. Instead, use one of the following options to boot an image: 1. Boot from a CompactFlash card by entering the following command: rommon 1> boot slot0: 2. Use ROMMON TFTP boot. The ROMMON TFTP boot is very similar to the BOOTLDR TFTP boot, except that: – the BOOTLDR variable should not be set – the TFTP server must be accessible from the Ethernet management port on the supervisor engine.
Related Documentation Troubleshooting Modules This section contains troubleshooting guidelines for modules: • When you hot insert a module into a chassis, always use the ejector levers on the front of the module to seat the backplane pins properly. Inserting a module without using the ejector levers might cause the supervisor engine to display incorrect messages about the module. For module installation instructions, refer to the Catalyst 4500 Series Module Installation Guide.
Related Documentation On Cisco.com at Technical Documents: Documentation Home Page: Cisco IOS Software Configuration: Cisco IOS Release 12.2: Caveats Note If you have an account on Cisco.com, you can use Bug Navigator II to find caveats of any severity for any release. To reach Bug Navigator II, go to Cisco.com and click Login. Then go to Software Center: Cisco IOS Software: Cisco Bugtool Navigator II. Another option is to go to http://www.cisco.com/support/bugtools.
Related Documentation Books Major Topics • Cisco IOS Configuration Fundamentals Configuration Guide • Cisco IOS Configuration Fundamentals Command Reference • Cisco IOS Interface Configuration Guide • Cisco IOS Interface Command Reference • Cisco IOS IP and IP Routing Configuration Guide • Cisco IOS IP and IP Routing Command Reference • Cisco IOS Multiservice Applications Configuration Guide • Cisco IOS Multiservice Applications Command Reference • Cisco IOS Quality of Service Solutions
Notices Notices The following notices pertain to this software license. OpenSSL/Open SSL Project This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). License Issues The OpenSSL toolkit stays under a dual license, i.e.
Notices LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). Original SSLeay License: Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
Obtaining Documentation, Obtaining Support, and Security Guidelines Obtaining Documentation, Obtaining Support, and Security Guidelines For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.
Obtaining Documentation, Obtaining Support, and Security Guidelines Release Notes for the Catalyst 4500 Series Switch, Cisco IOS Release 12.
