Release Notes for the Catalyst 4500 Series Switch, Cisco IOS Releases 12.2(54)SG to 12.2(37)SG Current Release 12.2(54)SG1—February 7, 2011 Previous Releases 12.2(54)SG, 12.2(53)SG9, 12.2(53)SG8, 12.2(53)SG7, 12.2(53)SG6, 12.2(53)SG5, 12.2(53)SG4, 12.2(53)SG3, 12.2(53)SG2, 12.2(53)SG1, 12.2(53)SG, 12.2(52)XO, 12.2(52)SG, 12.2(50)SG8, 12.2(50)SG7, 12.2(50)SG6, 12.2(50)SG5, 12.2(50)SG4, 12.2(50)SG3, 12.2(50)SG2, 12.2(50)SG1, 12.2(50)SG, 12.2(46)SG, 12.2(44)SG1, 12.2(44)SG, 12.
Cisco IOS Software Packaging for the Cisco Catalyst 4500 Series • System Requirements, page 12 • New and Changed Information, page 30 • Upgrading the System Software, page 44 • Limitations and Restrictions, page 56 • Caveats, page 69 • Troubleshooting, page 426 • Related Documentation, page 428 • Notices, page 429 • Obtaining Documentation and Submitting a Service Request, page 432 Cisco IOS Software Packaging for the Cisco Catalyst 4500 Series A new Cisco IOS Software package for Cisco C
Cisco IOS Software Packaging for the Cisco Catalyst 4500 Series Table 1 LAN Base/IP Base Image Support Feature LAN Base IP Base Enterprise Services 10G Uplink Use 12.2(46)SG1 Yes Yes 802.1p prioritization 12.2(46)SG1 Yes Yes 802.1p/802.1q 12.2(46)SG1 Yes Yes 802.1w/802.1s 12.2(46)SG1 Yes Yes 802.1X (w/ Guest VLAN and VLAN Assignment) 12.2(50)SG Yes Yes 802.1X and MAB with ACL assignment 12.2(50)SG Yes Yes 802.1X (Auth-Fail VLAN, Critical Auth, Accounting) 12.
Cisco IOS Software Packaging for the Cisco Catalyst 4500 Series Table 1 LAN Base/IP Base Image Support Feature LAN Base IP Base Enterprise Services Config File 12.2(46)SG1 Yes Yes Console Access 12.2(46)SG1 Yes Yes Control Plane Policing 12.2(46)SG1 Yes Yes Copy Command 12.2(46)SG1 Yes Yes CoS to DSCP Map Yes Yes Yes Debug Commands 12.2(46)SG1 Yes Yes Device Management 12.2(46)SG1 Yes Yes DHCP Server 12.2(46)SG1 Yes Yes DHCP Snooping 12.
Cisco IOS Software Packaging for the Cisco Catalyst 4500 Series Table 1 LAN Base/IP Base Image Support Feature LAN Base IP Base Enterprise Services HSRP v2 IPV6 No support No Yes ID 4.0 Voice Vlan assignment 12.2(46)SG1 Yes Yes ID4.1 Filter ID and per use ACL 12.2(46)SG1 Yes Yes IGMP 12.2(46)SG1 Yes Yes IGMP Snooping 12.2(46)SG1 Yes Yes Ingress Policing 12.2(46)SG1 Yes Yes Interface Access (Telnet, Console/Serial, Web) 12.2(46)SG1 Yes Yes IP Source Guard 12.
Table 1 LAN Base/IP Base Image Support Feature LAN Base IP Base Enterprise Services Management IPV6 port 12.2(52)SG Yes Yes MLD Snooping 12.2(53)SG Yes Yes Multicast Filtering 12.2(46)SG1 Yes Yes Multihop SXP (CTS) No support 12.2(52)SG Yes Network Edge Access Topology (NEAT) No support Yes Yes No. of QoS Filters Yes (4K entries) Yes Yes No.
Table 1 LAN Base/IP Base Image Support Feature LAN Base IP Base Enterprise Services RPVST+ 12.2(53)SG Yes Yes RSPAN 12.2(46)SG1 Yes Yes Service Advertisement Framework (SAF) No support No Yes Smart Call Home No support Yes Yes SmartPorts (Role based MACRO) 12.2(53)SG Yes Yes SNMP (including SNMPv3) 12.2(46)SG1 Yes Yes Source port Filtering (Private VLAN) 12.
Cisco IOS Software Packaging for the Cisco Catalyst 4500 Series Orderable Product Numbers: • S49LB-12254SG(=)—Cisco IOS Software for Cisco Catalyst 4500 Series Switch (LAN Base image) • S49LBK9-12254SG(=)—Cisco IOS Software for Cisco Catalyst 4500 Series Switch (LAN Base image with Triple Data Encryption) • S49IPB-12254SG(=)—Cisco IOS Software for Cisco Catalyst 4500 Series Switch (IP Base image) • S49IPBK9-12254SG(=)—Cisco IOS Software for Cisco Catalyst 4500 Series Switch (IP Base image with Tripl
• S45EIPBUK9-12253SG - Cisco IOS Software for the Cisco Catalyst 4500 Series Supervisor Engine 6L-E (IP Base Upgrade image with 3DES) • S45ELB-12252X0 - Cisco IOS software for the Catalyst 4500 Sup 6L-E (LAN Base image, without crypto) • S45ELBK9-12252X0 - Cisco IOS software for the Catalyst 4500 Sup 6L-E (LAN Base image with Triple Data Encryption Standard (3DES)) • S45EIPB-12252X0 - Cisco IOS software for the Catalyst 4500 Sup 6L-E (IP Base imag
Cisco IOS Software Packaging for the Cisco Catalyst 4500 Series • S45EES-12250SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engine 6-E (Enterprise Services image) (cat4500-ipbasek9-mz) • S45EESK9-12250SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engine 6-E (Enterprise Services image) (cat4500-ipbasek9-mz) • S45IPB-12246SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engines II-Plus, II-Plus-TS, II-Plus-10GE, IV, V, and V-10GE (IP Base image, without Crypt
Catalyst 4500 Series Switch Cisco IOS Release Strategy • S45ESK9-12240SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engines IV, V, and V-10GE (Enterprise Services image with 3DES and BGP support) (cat4500-entservicesk9-mz) • S45EIPB-12240SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engine 6-E (IP Base Image) • S45IPBK9-12240SG—Cisco IOS software for the Catalyst 4500 Series Supervisor Engine 6-E (IP Base Image with 3DES) (cat4500-ipbasek9-mz) • S45EES-12240SG—Cisco I
System Requirements Figure 1 Software Release Strategy for the Catalyst 4500 Series Switch [figure: New Feature Releases 12.2(31)SGA, 12.2(46)SG, 12.2(50)SG, 12.2(52)SG, 12.2(53)SG, 12.2(54)SG; 12.2(53)SG Maintenance Train (12.2(52)XO, 12.2(53)SG1, 12.2(53)SG2); 12.2(50)SG Maintenance Train (12.2(50)SG1, 12.2(50)SG2 through 12.2(50)SG7), End of Software Maintenance Aug 2011; 12.2(31)SGA1, 12.2(31)SGA10, 12.2(31)SGA11, End of Software Maintenance July 2010]
System Requirements Supported Hardware on Catalyst 4500 Series Switch Table 2 lists the hardware supported on the Catalyst 4500 Series Switch. Table 2 Supported Hardware Product Number (append Product Description with “=” for spares) Software Release Minimum Supervisor Engines WS-X4013+= Catalyst 4500 series switch Supervisor Engine II-Plus Note WS-X4013+TS WS-X4013+10GE This engine is supported only on 3, 6, and 7 slot chassis (not on 10-slot chassis).
System Requirements Table 2 Supported Hardware (continued) Product Number (append Product Description with “=” for spares) Software Release Minimum WS-X4506-GB-T 6-port Alternately-Wired 10/100/1000BASE-T Catalyst 4500 12.2(20)EWA series Power over Ethernet (PoE) 802.3af or 1000BASE-X SFP WS-X4524-GB-RJ45V 24-port 10/100/1000BASE-T RJ-45 Catalyst 4500 series PoE 802.3af 12.2(18)EW WS-X4548-GB-RJ45 48-port 10/100/1000BASE-T Gigabit Ethernet module 12.
System Requirements Table 2 Supported Hardware (continued) Product Number (append Product Description with “=” for spares) Software Release WS-X4232-RJ-XX 32-port 10/100 Fast Ethernet RJ-45 modular uplink switching module 12.1(8a)EW MEM-C4K-FLD64M Catalyst 4500 series switch CompactFlash, 64 MB Option 12.1(8a)EW MEM-C4K-FLD128M Catalyst 4500 series switch CompactFlash, 128 MB Option 12.
System Requirements Table 3 briefly describes the four chassis in the Catalyst 4500 Series Switch. For the chassis listed in the table, refer to Table 6 on page 18 for software release information.
System Requirements Table 4 DOM Support on the Catalyst 4500 Series Switch Transceiver Module Support in Software Since... CWDM- SFP-xx 12.2(20)EWA DWDM-GBIC-xx 12.1(19)EW DWDM-SFP 12.2(37)SG DWDM-X2-xx 12.2(50)SG GLC-BX-D 12.2(20)EWA GLC-BX-U 12.2(20)EWA SFP-10G-SR 12.2(54)SG SFP-10G-LR 12.2(54)SG SFP-10G-LRM 12.2(54)SG Supported Hardware on Catalyst 4500 E-Series Switch In addition to the classic line cards and supervisor engines, Cisco IOS Software Release 12.
System Requirements Table 5 Supported E-Series Hardware Product Number Description WS-C4510R-E Cisco Catalyst 4500 E-Series 10-Slot Chassis WS-C4510R+E • Fan tray • No Power Supply • Redundant supervisor engine capability • All port card slots support 6, 24, and 48Gbps when used with Supervisor Engine 7-E. Slots 8, 9, and 10 are limited to 6Gbps when used with a Supervisor Engine 6-E.
Table 6 Chassis and Supervisor Compatibility Chassis Sup II+ Sup II+TS Sup II+10G Sup IV Sup V Sup V-10GE Sup 6-E Sup 6L-E WS-C4507R+E M: 12.2(54)SG M: 12.2(54)SG M: 12.2(54)SG M: 12.2(54)SG M: 12.2(54)SG M: 12.2(54)SG M: 12.2(54)SG R: 12.2(54)SG R: 12.2(54)SG R: 12.2(54)SG R: 12.2(54)SG R: 12.2(54)SG R: 12.2(54)SG R: 12.2(54)SG M: 12.2(31)SGA6 M: 12.2(31)SGA6 M: 12.2(40)SG R: 12.2(31)SGA8 R: 12.2(31)SGA8 R: 12.2(44)SG M: 12.2(54)SG M: 12.2(54)SG M: 12.
System Requirements Table 7 Cisco IOS Software Feature Set for the Catalyst 4500 Series and E-Series Switch Support for 9216 byte frames Port security on PVLANs Private VLANs Private VLAN DHCP snooping Private VLAN promiscuous trunk Private VLAN trunks5 Community PVLANs ISL6-based VLAN encapsulation (excluding blocking ports on WS-X4418-GB and WS-X4412-2GB-T)7 IEEE 802.1Q-based VLAN encapsulation Multiple VLAN access port VLAN Trunking Protocol (VTP) and VTP domains VTP v3 No.
System Requirements Table 7 Cisco IOS Software Feature Set for the Catalyst 4500 Series and E-Series Switch Match CoS for non-IPV4 traffic IPv6 Forwarding in Hardware (Sup 6-E and Sup 6L-E only) CoS Mutation CEF13 load balancing uRPF14 (Sup 6-E and Sup 6L-E only) Hardware-based IP CEF routing at 48 Mpps Up to 128,000 IP routes Up to 32,000 IP host entries (Layer 3 adjacencies) Up to 16,000 IP multicast route entries Multicast flooding suppression for STP changes Software routing of IPX, AppleTalk, and IP
System Requirements Table 7 Cisco IOS Software Feature Set for the Catalyst 4500 Series and E-Series Switch DVMRP28 SSM NTP29 WCCP version 2 Layer 2 Redirection VRRP30 SCP31 GLBP32 EtherChannel Features Cisco EtherChannel technology - 10/100/1000 Mbps, 10 Gbps Load balancing for routed traffic, based on source and destination IP addresses Load sharing for bridged traffic based on MAC addresses ISL on all EtherChannels IEEE 802.
System Requirements Table 7 Cisco IOS Software Feature Set for the Catalyst 4500 Series and E-Series Switch CDP 2nd Port Status TLV MAC Address-Table Move Update Flex Link Bi-directional Fast Convergence Flex Link VLAN Load-Balancing Flex Links Flex Links Interface Preemption 802.1ab Link Layer Discovery Protocol (LLDP) 802.
System Requirements Table 7 Cisco IOS Software Feature Set for the Catalyst 4500 Series and E-Series Switch DHCP Relay Agent for IPv6 37 802.1X Multiple Domain Authentication and Multiple Authorization 802.1X with ACL Assignment and Redirect URLs 802.1X with per-user ACL and Filter-ID ACL RADIUS-Provided Session Timeouts RADIUS CoA MAC Move and Replace 802.1X with Guest VLANs 802.1X port-based authentication 802.1X with port security 802.1X accounting 802.1X with voice VLAN ID 802.
System Requirements Table 7 Cisco IOS Software Feature Set for the Catalyst 4500 Series and E-Series Switch Downloadable ACLs Control Plane Policing Two-Rate Three-Color Policing (Sup 6-E and Sup 6L-E only) Local Proxy ARP Dynamic ARP Inspection on PVLANs Dynamic ARP Inspection Dynamic Multi-Protocol Ternary Content Addressable Memory (Sup 6-E and Sup 6L-E only) Per-port QoS43 rate-limiting and shaping QoS for IPv6 Per-port Per-VLAN QoS Per-VLAN CTI ARP QoS (Sup 6-E and Sup 6L-E only) Inline power suppor
Table 7 Cisco IOS Software Feature Set for the Catalyst 4500 Series and E-Series Switch Service-Aware Resource Allocation (Sup 6-E and Sup 6L-E only) TwinGig Converter Module (Sup 6-E and 6L-E only) FAT File System (Sup 6-E and Sup 6L-E only) High Availability: 2+2 10GE or 4+4 1GE active uplinks (Sup 6-E only) EEM51 EEM with ISSU VSS client with PagP+ IP/SLA52 Embedded management53 MAC notify MIB Eight configurable queues per port (Sup 6-E and Sup 6L-E only) X2 Link Debounce Timer IP S
Table 7 Cisco IOS Software Feature Set for the Catalyst 4500 Series and E-Series Switch VLAN Mapping (VLAN Translation) GOLD Online Diagnostics (Sup 6-E and 6L-E only) IPSG for Static Hosts Layer Control Packet Fa1 interface (Ethernet management port)56 1. Requires the Catalyst 4500 series switch Supervisor Engine V 2. Hardware-based transparent bridging within a VLAN 3. MAC = Media Access Control 4. VMPS = VLAN Management Policy Server 5. Only Supervisor Engine 6-E 6.
System Requirements 43. QoS = Quality of Service 44. PoE = Power over Ethernet 45. RPR = Supervisor engine redundancy 46. SSO = Stateful switchover (includes Stateful IGMP Snooping and Stateful DHCP Snooping) 47. ISSU = In Service Software Upgrade Process 48. The Catalyst 4500 series switch supports Fast Hellos, ISPF, and LSA Throttling. 49. CNA = Cisco Network Assistant; Minimum CNA release that supports Releases 12.2(25)EW is 1.0(2). Minimum CNA release that supports Release 12.2(20)EWA is 1.0(1). 50.
System Requirements • FAT filesystem • PIM (SM, DM, SDM) • QoS – Two Rate three Color Policing – Table map support for marking – Class based queuing actions (shaping/bandwidth/queue-limit/dbl/strict priority) • Voltage Margining CLI • QoS for IPv6 • ARP QoS Unsupported Features For all Supervisor Engines (II-Plus thru 6-E), the following features are not supported in Cisco IOS Release 12.
New and Changed Information • Reflexive ACLs • Routing IPv6 over an MPLS network • Two-way community VLANs in private VLANs • WCCP version 1 • CFM CoS • PBR with EOT New and Changed Information These sections describe the new and changed information for the Catalyst 4500 series switch running Cisco IOS software: • New Hardware Features in Release 12.2(54)SG1, page 31 • New Software Features in Release 12.2(54)SG1, page 31 • New Hardware Features in Release 12.
New and Changed Information • New Software Features in Release 12.2(40)SG, page 43 New Hardware Features in Release 12.2(54)SG1 Release 12.2(54)SG1 provides the following new hardware on the Catalyst 4500 series switch: • Catalyst 4948E-F—The Catalyst 4948E and Catalyst 4948E-F share the same internal hardware and software. The Catalyst 4948E draws cold air into the port side and exhausts hot air on the power supply side.
For details refer to the URL: http://www.cisco.com/en/US/docs/switches/lan/energywise/phase2/ios/configuration/guide/ew_v2.html • GOLD Online Diagnostics ("Performing Diagnostics" chapter; Supervisor Engine 6-E only) • Identity 4.1 ACL Policy Enhancements ("Configuring Network Security with ACLs" chapter) • Identity 4.1 Network Edge Access Topology ("Configuring 802.
New and Changed Information New Software Features in Release 12.2(53)SG5 Release 12.2(53)SG5 provides no new features for the Catalyst 4500 series switch. New Hardware Features in Release 12.2(53)SG4 Release 12.2(53)SG4 provides the following new hardware on the Catalyst 4500 series switch: • WS-C4507-R+E • WS-C4510-R+E New Software Features in Release 12.2(53)SG4 Release 12.2(53)SG4 provides no new features for the Catalyst 4500 series switch. New Hardware Features in Release 12.2(53)SG3 Release 12.
New and Changed Information Release 12.2(53)SG2 provides no new features for the Catalyst 4500 series switch. New Hardware Features in Release 12.2(53)SG1 Release 12.2(53)SG1 provides no new hardware for the Catalyst 4500 series switch. New Software Features in Release 12.2(53)SG1 Release 12.2(53)SG1 provides no new features for the Catalyst 4500 series switch. New Hardware Features in Release 12.2(53)SG Release 12.2(53)SG does not provide any new hardware for the Catalyst 4500 series switch.
New Hardware Features in Release 12.2(52)XO Release 12.2(52)XO provides the following new hardware for the Catalyst 4500 series switch: • WS-X45-Sup6L-E, Catalyst 4500 E-series switch Supervisor Engine 6L-E • PWR-C45-6000ACV, Catalyst 4500 series switch 6000 Watt AC power supply Note Only supported on 3, 6, and 7 slot chassis and LAN Base and IP Base images New Software Features in Release 12.2(52)XO Note This release is equivalent in functionality to 12.
New and Changed Information • Supported MIBs – Cisco Enhanced Image MIB – Cisco HSRP extension MIB – CISCO-CALLHOME-MIB.my – EnergyWise MIB – POE MIB – POE ext MIB – Entity-Diag-MIB – Bridge MIB • Time Protocols (SNTP, TimeP) master On Supervisor Engine 6L-E • Community PVLAN support • Ethertype Classification • QinQ • PPPoE IA (or Intermediate Agent) New Hardware Features in Release 12.2(52)SG Release 12.
• Local WebAuth Enhancement • MDA with Voice Assignment • HSRP v2 for IPv4 • HSRP v2 for IPv6 • DHCPv6 Enhancements – DHCPv6 Ethernet Remote ID option – DHCPv6 Relay - Persistent Interface ID option – DHCPv6 Relay Agent notification for Prefix Delegation • SSM Mapping • PIM Accept Register - Rogue Multicast Server Protection (route-map option is not supported) • VRF lite NSF support with routing protocols OSPF/EIGRP/BGP • Supported MIBs – Cisco Enhanced Image MIB –
New and Changed Information New Hardware Features in Release 12.2(50)SG2 Release 12.2(50)SG2 provides no new hardware for the Catalyst 4500 series switch. New Software Features in Release 12.2(50)SG2 Release 12.2(50)SG2 provides no new features for the Catalyst 4500 series switch. New Hardware Features in Release 12.2(50)SG1 Release 12.2(50)SG1 provides no new hardware for the Catalyst 4500 series switch. New Software Features in Release 12.2(50)SG1 Release 12.
New and Changed Information Note The implementation for multiple spanning tree (MST) changed from the previous release. Multiple STP (MSTP) complies with the IEEE 802.1s standard. Previous MSTP implementations were based on a draft of the IEEE 802.1s standard. • IGMP Querier (“Configuring IGMP Snooping” chapter) • OSPF and EIGRP fast convergence and protection (Refer to the Cisco IOS Release 12.
New and Changed Information • Private VLAN trunks (“Configuring Private VLANs” chapter) • SVI Auto State Exclude (“Configuring Layer 3 Interfaces” chapter) • Unicast MAC filtering (“Configuring Network Security with ACLs” chapter) • QoS for IPv6 (refer to the Cisco IOS Release 12.4T documentation) New Hardware Features in Release 12.2(46)SG Note In addition to the classic line cards and supervisor engines, Cisco IOS Software Release 12.
New and Changed Information – HSRP with EOT – VRRP with EOT – GLBP with EOT – IP SLA with EOT – Reliable Backup Static Routing with EOT • CFM 802.1ag (Refer to the “Configuring Ethernet CFM and OAM” chapter) • E-OAM 802.3ah (Refer to the “Configuring Ethernet CFM and OAM” chapter) Note The implementation for multiple spanning tree (MST) changed from the previous release. Multiple STP (MSTP) complies with the IEEE 802.1s standard. Previous MSTP implementations were based on a draft of the IEEE 802.
• High availability, 2+2 10GE or 4+4 1GE active uplinks (Refer to the “Configuring Interfaces” chapter) • Enhanced Power over Ethernet Support (Refer to the “Configuring Power over Ethernet” chapter) • Eight configurable queues per port (Refer to the “Configuring QoS” chapter) On all the Supervisor Engines (II-Plus thru 6-E) • EEM with ISSU For details, refer to the EEM Home Page: http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home.
New and Changed Information • WS-X4648-RJ45V+E - Cisco Catalyst 4500 E-Series 48-Port Premium PoE 10/100/1000 • WS-X4606-X2-E - Cisco Catalyst 4500 E-Series 6-Port 10GbE (X2) New Software Features in Release 12.2(40)SG Release 12.2(40)SG provides the following Cisco IOS software features for the Catalyst 4500 series switch: Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.
Upgrading the System Software Upgrading the System Software In most cases, upgrading the switch to a newer release of Cisco IOS software does not require a ROMMON upgrade. However, if you are running an early release of Cisco IOS software and plan to upgrade, refer to the following tables for the minimum Cisco IOS image and the recommended ROMMON release, respectively. Note Caution You must upgrade to ROMMON Release 12.2(44r)SG5 to run Cisco IOS Release 12.
Upgrading the System Software Table 10 ROMMON Release and Promupgrade Programs ROMMON Release Promupgrade Program 12.1(11br)EW cat4000-sup3-promupgrade-121_11br_EW 12.1(12r)EW cat4000-sup3-promupgrade-121_12r_ew 12.1(19r)EW cat4000-ios-promupgrade-121_19r_EW 12.1(20r)EW1 cat4000-ios-promupgrade-121_20r_EW1 12.1(20r)EW2 cat4000-ios-promupgrade-121_20r_EW2 12.2(20r)EW cat4000-ios-promupgrade-122_20r_EW 12.2(20r)EW1 cat4000-ios-promupgrade-122_20r_EW1 12.
Guidelines for Upgrading the ROMMON Caution If your supervisor engine shipped with a newer version of ROMMON, do not downgrade. The newer ROMMON has board settings based on the hardware revision of its components, and the old settings will not work. Upgrading the Supervisor Engine ROMMON from the Console Caution To avoid actions that might make your system unable to boot, read this entire section before starting the upgrade.
Upgrading the System Software 455620 bytes copied in 2.644 secs (172322 bytes/sec) Switch# Step 5 Enter the reload command to reset the switch, press Ctrl-C to stop the boot process, and re-enter ROMMON. The following example shows the output after a reset into ROMMON: Switch# reload Proceed with reload? [confirm] 03:57:16:%SYS-5-RELOAD:Reload requested ********************************************************** * * * Welcome to Rom Monitor for WS-X4515 System.
Upgrading the System Software Beginning erase of 0x80000 bytes at offset 0x3f80000... Beginning write of prom Done! (0x4e8ec bytes at offset 0x3f80000)... This could take as little as 30 seconds or up to 2 minutes. Please DO NOT RESET! Success! The prom has been upgraded successfully. System will reset itself and reboot in about 15 Step 7 Boot the Cisco IOS software image, and enter the show version command to verify that ROMMON has been upgraded to 12.1(20r)EW1.
Upgrading the System Software Upgrading the Supervisor Engine ROMMON Remotely Using Telnet Caution To avoid actions that might make your system unable to boot, read this entire section before starting the upgrade. Follow this procedure to upgrade your supervisor engine ROMMON to Release 12.1(20r)EW1. This procedure can be used when console access is not available and when the ROMMON upgrade must be performed remotely.
Upgrading the System Software Switch# write Building configuration... Compressed configuration from 3641 to 1244 bytes [OK] Switch# Use the boot system flash bootflash:file_name command to set the BOOT variable. You will use two BOOT commands: one to upgrade the ROMMON and a second to load the Cisco IOS software image after the ROMMON upgrade is complete. Notice the order of the BOOT variables in the example below. At bootup the first BOOT variable command upgrades the ROMMON.
Upgrading the System Software The following example shows the console port output from a successful ROMMON upgrade followed by a system reset. Your Telnet session is disconnected during the ROMMON upgrade, so you will not see this output. This step could take 2-3 minutes to complete. You will need to reconnect your Telnet session after 2-3 minutes when the Cisco IOS software image and the interfaces are loaded.
Upgrading the System Software Beginning erase of 0x80000 bytes at offset 0x3f80000... Beginning write of prom Done! (0x4e8ec bytes at offset 0x3f80000)... This could take as little as 30 seconds or up to 2 minutes. Please DO NOT RESET! Success! The prom has been upgraded successfully. System will reset itself and reboot in about 15 . .(output truncated) . ******** The system will autoboot now ******** config-register = 0x0102 Autobooting using BOOT variable specified file.....
Upgrading the System Software 3 Ethernet/IEEE 802.3 interface(s) 51 FastEthernet/IEEE 802.3 interface(s) 2 Gigabit Ethernet/IEEE 802.3 interface(s) 403K bytes of non-volatile configuration memory. Configuration register is 0x0102 Switch# Step 10 Use the delete command to delete the PROM upgrade program from bootflash and the squeeze command to reclaim unused space.
Upgrading the System Software • On most systems, a field of 30 characters is used for the host name and the prompt in the CLI. Longer configuration mode prompts may be truncated. To upgrade the Cisco IOS software on your Catalyst 4500 series switch, use this procedure: Step 1 Download Cisco IOS Release 12.1(20)EW from Cisco.com, and place the image on a TFTP server in a directory that is accessible from the supervisor engine that is upgraded.
Upgrading the System Software Step 5 Use the boot system flash command to add the Cisco IOS software image to the BOOT variable. The following example shows how to add the cat4000-is-mz.121-12c.EW image to the BOOT variable: Switch# configure terminal Switch(config)# boot system flash bootflash:cat4000-is-mz.121-12c.EW Switch(config)# exit Switch# write Building configuration...
Limitations and Restrictions This could take as little as 30 seconds or up to 2 minutes. Please DO NOT RESET! Success! FPGA image has been upgraded successfully. System will reset itself and reboot in about 15 seconds. 0 ********************************************************** * * * Welcome to Rom Monitor for WS-X4014 System. * * Copyright (c) 2002 by Cisco Systems, Inc. * * All rights reserved. * * * ********************************************************** Rom Monitor Program Version 12.
Limitations and Restrictions • TDR is only supported on interfaces Gi1/1 through Gi1/48, at 1000BaseT under open or shorted cable conditions. TDR length resolution is +/- 10 m. If the cable is less than 10 m or if the cable is properly terminated, the TDR result displays "0" m. If the interface speed is not 1000BaseT, an "unsupported" result status displays. TDR results will be unreliable for cables extended with the use of jack panels or patch panels.
Workaround (2): Request the output of the show running-config command using NETCONF and parse that output for the desired strings. This is useful when the desired lines contain nothing in common. For example, the rules in this access list do not contain a common string, and the order (three permits, then a deny, then another permit) prevents the spec file entry from using permit as a search string, as in the following example: Extended MAC access list MACCOY permit 0000.0000.
– NHRP (Next Hop Resolution Protocol) – NLSP – Jumbo Frames • For AppleTalk software routing, the following are not supported: – AURP – AppleTalk Control Protocol for PPP – Jumbo Frames – EIGRP • For the NetFlow feature, the following limitations apply: – NetFlow does not account for control packets, packets that encountered link-level errors, or ARP/RARP packets. – The software cache for NetFlow is fixed; users cannot change its size.
Limitations and Restrictions • A Layer 2 LACP channel cannot be configured with the spanning tree PortFast feature. • Netbooting using a boot loader image is not supported. See the “Troubleshooting” section on page 426 for alternatives. • You cannot downgrade to Cisco IOS Release 12.1(8a)EW1 after running Release 12.1(13)EW (or higher). If you need to downgrade, contact your TAC representative for further instructions, and mention caveat CSCdz59058.
Limitations and Restrictions • For all software releases, do not use over 100,000 routes. • Use the no ip unreachables command on all interfaces with ACLs configured for performance reasons. • Layer 3 path load-balancing metrics are not supported in Cisco IOS Releases 12.1(8a)EW, 12.1(11b)EW, 12.1(12c)EW, 12.1(13)EW, 12.1(19)EW, and 12.1(20)EW. (CSCdv10578) • The threshold for the Dynamic ARP Inspection err-disable function is set to 15 ARP packets per second per interface.
– WS-X4248-RJ21V – WS-X4524-GB-RJ45V – WS-X4548-GB-RJ45V – WS-X4548-GB-RJ45V+ PoE-enabled power supplies: – PWR-C45-1300ACV – PWR-C45-1400DC – PWR-C4K-2800AC – PWR-C45-1400AC – PWR-C45-1300ACV – PWR-C45-6000ACV • The maximum number of mappings for configuring PVLAN promiscuous trunk ports is 500 primary VLANs to 500 secondary VLANs. • The 802.1X inaccessible authentication bypass feature is not supported with the NAC LAN port IP feature.
Limitations and Restrictions • IPSG for static hosts should not be used on uplink ports. • Selective DBL is only supported for non-tagged or single-tagged IP packets. To achieve Selective DBL-like functionality with a non-IP packet (like Q-in-Q and IPX), apply an input policy map that matches CoS values and specifies DBL in the class map. • For Selective DBL, if the topology involves Layer 2 Q in Q tunneling, the match cos policy map will apply to the incoming port.
To maximize the 100BASE-FX port density of 7 and 10 slot chassis when using Supervisor Engine 6-E, install WS-X4248-FE-SFP line cards with FX optics instead of WS-X4148-FX-MT line cards. If WS-X4148-FX-MT line cards are required, two options are available: – Option 1 You can use only 4 line card slots on the Cat4507R chassis and 6 line card slots on the Cat4510R chassis. – Option 2 When all slots are required, you can use only one WS-X4448-GB-RJ45 line card.
Limitations and Restrictions configure its uplink select mode to all. Supervisor Engine V-10GE supports all Catalyst 4500 Series linecards in slot 10 when its uplink select mode is configured as tengigabitethernet or gigabitethernet. Supervisor Engine 6-E supports all Catalyst 4500 series linecards in slot 10. • Prior to Cisco IOS Release 12.
Workaround: Display the configuration with the show standby command, then remove the CLI. The following example removes the HSRP group name from GigabitEthernet1/1: switch(config)# interface g1/1 switch(config-if)# no standby 0 name (0 is the HSRP group number) • For HSRP preempt delay to function consistently, you must use the standby delay minimum command.
Limitations and Restrictions • If you first configure an IP address or IPv6 address on a Layer 3 port, then change the Layer 3 port to a Layer 2 port with the switchport command, and finally change it back to a Layer 3 port, the original IP/IPv6 address is lost. • In a redundant system, do not remove and reinsert the standby supervisor engine while the active supervisor engine is booting. Doing so may cause the online diagnostics test to fail.
Limitations and Restrictions – Inactive host bindings will appear in the device tracking table when either a VLAN is associated with another port or a port is removed from a VLAN. So, as hosts are moved across subnets, the hosts appear in the device tracking table as inactive. – Autostate SVI does not work on EtherChannel.
Caveats The Catalyst 4503-E and Catalyst 4506-E have no caveats. The Catalyst 4507R-E configurations that use power supplies rated at 1400 W or above also have no caveats.
Caveats Open Caveats for Cisco IOS Release 12.2(54)SG1 This section lists the open caveats for Cisco IOS Release 12.
Caveats QueueID Old QueueName New QueueName 8 control-packet 11 adj-same-if 13 acl input log rfp-failure 14 acl input forward acl input log Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs.
Caveats • When you send traffic on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225 ms. Workaround: None. (CSCsm30320) • An IP unnumbered configuration is lost after a switch reloads. Workarounds: Do one of the following: – After a reload, copy the startup-config to the running-config. – Use a loopback interface as the target of the ip unnumbered command. – Change the CLI configuration so that during bootup the router port is created first.
Workaround: Enter the shutdown command, followed by the no shutdown command, on the interface. This triggers relearning and synchronizing of the host's MAC address to the standby supervisor engine. CSCsw91661 • Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on PVLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly. Workaround: None.
Caveats a. Reconfigure the VLAN load balancing configuration on the desired REP ports. b. Use the shut command on any one REP port in the segment to cause a failure in that segment. c. Use the no-shut on the same port to restore normal REP topology with one ALT port. d. Invoke manual preemption on a primary edge port to obtain VLAN load balancing with the new configuration.
Caveats Similarly, the show epm sessions command always displays the authentication method as DOT1X. Workaround: To view the authentication method used for a client, enter the show authentication sessions command. CSCsx42157 • With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with hardware control plane policing. Workaround: None.
Caveats Workaround: None. (CSCsl72868) • Uplinks go down when you upgrade the ROMMON of an WS-X45-SUP6-E supervisor from version 0.34 to a later version. This behavior occurs in a redundant switch when the active supervisor engine is running Cisco IOS, the standby supervisor engine is in ROMMON, and the standby supervisor engine’s ROMMON is upgraded from version 0.34 or to a later version.
Caveats • RA Guard counters are not incremented in the output of the show ipv6 first-hop counters interface command when Router Advertisement and Router Redirect packets with Destination address FF02::x are dropped. Workaround: None. CSCtf69108 • ND/NS packets are dropped when an IPv6 ACL is attached to an Layer 3 interface.
Caveats Workaround: None. CSCti08570 • A Supervisor Engine 6-E or Supervisor Engine 6L-E running cat4500e-ipbasek9-mz.122-53.SG1 might experience a reload because of interface flapping. Workaround: None. CSCtf49878 • When software reads the hardware status of a linecard before it fully initializes, a supervisor engine experiences a software-initiated crash. Workaround: None. CSCtf82009 • The Spanning Tree process disables VLAN on a trunk interface if it was configured for VLAN Mapping Translation.
Caveats appeared on the switch followed by link flaps, transceiver (HAMM module, X2, sfp) insertion/removal on uplinks (base board ports on 4900M) Workarounds: – Reload the switch when the error message displays. – Upgrade to Cisco Catalyst Release 12.2(54)SG1, Cisco Catalyst Release 12.2(53)SG4 (and later), when available. CSCtk75675 Open Caveats for Cisco IOS Release 12.2(54)SG This section lists the open caveats for Cisco IOS Release 12.
Caveats This only affects a switch that has any of the following queues configured as SPAN source in releases prior to 12.2(31)SG and saved to the startup configuration. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG.
Caveats • When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message appears and the port is not able to handle traffic. Workaround: Remove the transceiver from the new port and place it in the old port. After the SFP is recognized in the old port, remove it slowly and insert it in the new port.
Caveats This applies to classic or E-series Catalyst 4500 supervisor engines running Cisco IOS Release 12.2(50)SG Workaround: None. (CSCsw14005) • The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.
Caveats Workaround: None CSCtb30327 • If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for a Catalyst 4900M switch, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines. Despite the different default value, you can configure any value in the time range. Workaround: None.
Caveats CSCtg83631 • If an X2 or SFP is in an inactive uplink port on a Supervisor Engine V-10GE, Supervisor II+10GE, Supervisor 6-E, or Supervisor 6-LE, it may cause threshold violations to be reported once every 10 minutes. Workaround: Remove the X2 or SFP from the port. CSCth08212 • When Fallback WebAuth and Multi-host are configured on a port and no PACL exists, permit ip any any is installed in the TCAM and all traffic from the host is allowed to pass. Workaround: Configure an ACL on the port.
Caveats • If burst is not explicitly configured for a single rate policer, the show policy-map command displays an incorrect burst value. Workaround: Enter the show policy-map interface command to find the actual burst value programmed. (CSCsi71036) • When you enter the show policy-map vlan vlan command, unconditional marking actions that are configured on the VLAN are not shown. Workaround: None. If you enter the show policy-map name, however, the unconditional marking actions appear.
Caveats Workaround: None. CSCtc46340 • Before large PACLs are fully loaded in hardware, you might observe a false completion messages like the following: Dec 1 18:44:59.926: %C4K_COMMONHWACLMAN-4-HWPROGSUCCESS: Input Security: pacl - now fully loaded in hardware *Dec 1 18:44:59.926: %C4K_COMMONHWACLMAN-4-ALLACLINHW: All configured ACLs now fully loaded in hardware - hardware switching / QoS restored. Workaround: No functional impact.
Caveats Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port. The connected host is authenticated so it should be able to send traffic and the STP state should be forwarding. Workaround: Enter shut, then no shut on the port.
Caveats Workaround: Unconfigure any generic QOS policies from the system. The QoS policies with the match any attribute cause IPv6 entries to become active. If the switch is a pure Layer 2 device, remove the generic protocol family attributes and narrow it to the protocol family. (CSCsq84796) • IPv6 MLD entries are active even if an IPv6 MLD related configuration does not exist. Workaround: Unconfigure all generic QOS policies from the system. CSCsq84853 • You observe a .
Caveats • Systems running Cisco IOS Release 12.2(40)SG do not support the handling of .1Q packets for software QoS lookup. Workaround: None. (CSCsk66449) • When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters are increment correctly but the byte counters remain 0. Workaround: None. CSCsu35604 • A switch crashes if a PBR policy, configured to match on prefix-list(s) instead of ACL(s), is attached to an interface.
Caveats Workaround: Reload the active and standby supervisor engine. While performing OIR of the supervisor engines, you must remove the engines completely before re-insertion. CSCsy70428 • If you configure OFM on an EtherChannel (with at least two interfaces), when you shut or remove the first member that joined the channel, you lose the CFM neighbor. Workaround: Clear the errors with the clear ethernet cfm errors command. CSCsv43819 • The IP router option may not work with IGMP version 2.
Caveats Open Caveats for Cisco IOS Release 12.2(53)SG9 This section lists the open caveats for Cisco IOS Release 12.2(53)SG9: • When you enter the access-list N permit host hostname command on a redundant chassis operating in SSO mode, you might observe the following syslog messages. The command is not synchronized with the redundant supervisor engine, and keepalive warnings appear.
Caveats • When you enter the ip http secure-server command (or if the system reads it from the startup configuration), the device searches for a persistent self-signed certificate during boot up. – If such a certificate does not exist and the device's hostname and default_domain are set, then a persistent self-signed certificate is generated. – If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain.
Caveats Workarounds: – Do not inject packets that require an IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch. – Configure the correct default gateway on the host side. (CSCse75660) • When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you enter the qos account layer2 encapsulation command. Workaround: None.
Caveats Workaround: Clear the errors with the clear ethernet cfm errors command. (CSCsv43819) • On a Catalyst 4500 switch running Cisco IOS Release 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the restoration. Workaround: Shut down, and then reopen the interface.
Caveats Workaround: None. CSCsy38640 • When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters are increment correctly but the byte counters remain 0. Workaround: None. CSCsu35604 • On a redundant switch running Cisco IOS Release 12.2(52)SG, after a ports is authorized through 802.1X, the show dot1x interface statistics command may display empty values on the standby supervisor engine. The statistics are displayed properly on the active supervisor.
Caveats • On a wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS. This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.
Caveats • WS-X4548-GB-RJ45V stops supplying inline power to interfaces 1-8 after you perform a switchover to the redundant supervisor engine and expire the watchdog timer. Workaround: Reload the linecard by entering the hw-module reset command. CSCti17849 • If you observe a periodic increase in call or packet drops and a constant decrease in free memory available in your switch, you could use the show memory debug leak command.
Caveats Rebooting in 10 seconds... 10 09 08 07 06 05 04 03 02 01 " Supervisor Engine II+10GE is not supported on a ten-slot chassis. So, the correct message is displayed but the chassis type listed is WS-C4510R-E instead of WS-C4510R+E. Workarounds: – Place the Supervisor Engine II+10GE in a seven-slot chassis. – Place a supervisor engine that is supported in a ten-slot chassis. The discrepancy in identifying the chassis type is purely cosmetic.
You only see this behavior if you initially did not allocate a VLAN before you configure the IFM, and then at a later time allocate the same VLAN. Workaround: Unconfigure, and then reconfigure the IFM on the port. • When you configure vlan dot1q tag native globally on Supervisor Engine 6-E, MST control packets are tagged on egress on the native VLAN. This conflicts with 802.1s.
Resolved Caveats in Cisco IOS Release 12.2(53)SG9 This section lists the resolved caveats in Release 12.2(53)SG9: • When a trunk port is configured with a native VLAN other than VLAN 1, REP packets are not sent on that VLAN. Workaround: Retain the default setting (VLAN 1) for the native VLAN on trunk ports.
Workaround: When using the access-list N permit host hostname command, specify the IP address of the host rather than the hostname. (CSCef67489) • In rare instances, when you are using MAC ACL-based policers, the output of the show policy-map interface fa6/1 command does not display the packets being matched: Switch# show policy-map int fa6/1 Service-policy output: p1 Class-map: c1 (match-all) 0 packets<--------It stays at '0' despite of traffic being received Match: access-group name fnacl21 polic
QueueID Old QueueName New QueueName 11 adj-same-if 13 acl input log rfp-failure 14 acl input forward acl input log Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs.
• After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands: %SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8 %SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.
CSCsy37181 • When you request an on demand Call Home message send without specifying a profile name and the specified module returns an unknown diagnostic result, the following error message displays: Switch# call-home send alert-group diagnostic module 2 Sending diagnostic info call-home message ... Please wait. This may take some time ... Switch# *Jan 3 01:54:24.
• On a Layer 2 port (that is, a switchport) of Supervisor Engine II+ through V-10GE, the auto qos voice trust command auto generates qos trust cos configuration, in addition to other parameters. However, when the port is converted from Layer 2 to Layer 3 with the no switchport command, the qos trust dscp command should be generated. Workaround: When the interface mode is changed from Layer 2 to Layer 3, manually change the interface trust state by entering the qos trust dscp command.
%C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4510R-E, but chassis' serial eeprom chassis type is Unknown chassis type or %C4K_CHASSIS-3-CHASSISTYPEMISMATCHINSPROM: Supervisor's FPGA register chassis type is WS-C4507R-E, but chassis' serial eeprom chassis type is Unknown chassis type and %C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot of unsupported type 14" (where n is a slot number) Workaround: Load Cisco IOS Releases 12.
When an output service policy attaches to an interface and if the policy is configured to apply DBL on a queue, the flows that are enqueued are subjected to the DBL algorithm. One or more flows that are classified as belligerent (flows that do not back off in response to drops because of congestion in the queue) continue to be classified as belligerent even when DBL is disabled on that queue.
• Uplinks go down when upgrading the ROMMON of a WS-X45-SUP6-E supervisor from version 0.34 to a later version. This behavior occurs in a redundant switch when the active supervisor engine is running Cisco IOS, the standby supervisor engine is in ROMMON, and the standby supervisor engine’s ROMMON is upgraded from version 0.34 to a later version. The upgrade process causes the uplinks on the standby supervisor engine to go down but the active supervisor engine is unaware of this.
The active supervisor engine also displays the following log message for each linecard slot in the chassis: %C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot of unsupported type 14 where n is the slot number If the standby supervisor engine boots, the active supervisor engine displays the following message and reboots: %C4K_REDUNDANCY-2-POSTFAIL_RESET: Power-On Self Test (POST) failure on ACTIVE supervisor detected.
000102: Jul 9 config-changed 000103: Jul 9 config-changed 000104: Jul 9 config-changed 000105: Jul 9 config-changed 000106: Jul 9 config-changed 000107: Jul 9 config-changed 01:23:06.598 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: command to standby 01:23:16.642 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: command to standby 01:23:26.682 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: command to standby 01:23:36.721 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: command to standby 01:23:46.
• When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message appears and the port is not able to handle traffic. Workaround: Remove the transceiver from the new port and place it in the old port. After the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693).
• When you remove a line card containing ports configured with IGMP snooping while booting a standby supervisor engine, the active supervisor engine does not synchronize this configuration to the standby supervisor engine as a part of a bulk synchronization. When you reinstall the line card, the configuration in the active and standby supervisor engines will differ. Workaround: Do one of the following: – Reload the standby switch again with the line card in place.
Workaround: None.
• If a host is authenticated in the data VLAN, the STP state of the VLAN is blocked. Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port. The connected host is authenticated so it should be able to send traffic and the STP state should be Forwarding. Workaround: Enter shut, then no shut on the port.
• A switch might fail an ftp to a dhcp-snooping file if the file’s size is 0 Kb. Workaround: When creating the file, enter some characters, remove the ftp command, then re-enter it as follows: Switch(config)# no ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.$ Switch(config)# ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.
– Place a supervisor engine that is supported in a ten-slot chassis. The discrepancy in identifying the chassis type is purely cosmetic. CSCtl80173 Supervisor Engine 6-E Specific Caveats • Systems running Cisco IOS Release 12.2(40)SG do not support the handling of .1Q packets for software QoS lookup. Workaround: None. (CSCsk66449) • Under some conditions, one or more flows continue to be dropped because of DBL even after DBL has been removed from the service policy.
Workaround: None. If you enter the show policy-map name command, however, the unconditional marking actions appear. (CSCsi94144) • Supervisor Engine II-Plus-TS in a Catalyst 4503-E chassis running ROMMON lists the chassis type as Unknown. After booting Cisco IOS, the chassis type is listed properly. Workaround: None. (CSCsl72868) • When you specify a DBL action for the class-default class map in a policy map, it might not work depending on the size of the default queue.
• When you configure vlan dot1q tag native globally on Supervisor Engine 6-E, MST control packets are tagged on egress on the native VLAN. This conflicts with 802.1s. The Cisco 7600 Series router drops its MST proposal agreements (because it expects the native VLAN MST control packets to be untagged), causing 30 seconds of traffic loss while spanning tree converges. Workaround: Disable native VLAN tagging on the trunk port of the switch using the no switchport trunk native vlan tag command.
• A vulnerability exists in the Cisco IOS software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device. Products that are not running Cisco IOS software are not vulnerable. Cisco has released free software updates that address these vulnerabilities.
– The RADIUS server was down previously, and a port without traffic (for example, a hub with no devices attached) was authorized into the inaccessible authentication bypass (IAB) VLAN without an associated MAC address. The RADIUS server becomes available again, and the IAB-authorized port transitions to another state. Workaround: None. CSCtx61557 Open Caveats for Cisco IOS Release 12.2(53)SG6 This section lists the open caveats for Cisco IOS Release 12.
Workaround: None. (CSCeg48586) • When you enter the ip http secure-server command (or if the system reads it from the startup configuration), the device searches for a persistent self-signed certificate during boot up. – If such a certificate does not exist and the device's hostname and default_domain are set, then a persistent self-signed certificate is generated. – If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain.
– The switch administrator enters the shutdown and no shutdown commands on an outgoing interface that has enabled IP unnumbered. The switch receives packets that require redirection, and the destination MAC address is already in the ARP table. Workarounds: – Do not inject packets that require an IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch. – Configure the correct default gateway on the host side. (CSCse75660) • When policing IEEE 802.
Workaround: Before removing a line card, delete the statically configured ip source binding entries on any of the interfaces on the line card. (CSCsv54529) • If you configure CFM on an EtherChannel (with at least two interfaces), when you shut or remove the first member that joined the channel, you lose the CFM neighbor. Workaround: Clear the errors with the clear ethernet cfm errors command. (CSCsv43819) • On a Catalyst 4500 switch running Cisco IOS Release 12.
• Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on a PVLAN trunk port. However, the traffic is properly classified and the actions configured in the policy are applied properly. Workaround: None. CSCsy72343 • When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a security violation is wrongly flagged. Workaround: None.
CSCsz20149 • Packets entering a switch as fragments or with a non-zero fragment offset field are not subjected to PBR. Workaround: None. CSCsz06719 (4500 + 4900, for now) • On a wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.
• If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 ms for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 ms for all other supervisor engines. Workaround: None. Despite the different default value, you can configure any value in the time range.
– The RADIUS server was down previously, and a port without traffic (for example, a hub with no devices attached) was authorized into the inaccessible authentication bypass (IAB) VLAN without an associated MAC address. The RADIUS server becomes available again, and the IAB-authorized port transitions to another state. Workaround: None. CSCtx61557 • When a trunk port is configured with a native VLAN other than VLAN 1, REP packets are not sent on that VLAN.
If this happens on the default queue, modifying and resetting some queuing parameters such as bandwidth and shape resolves the problem. (CSCsk62457) • A Catalyst 4500 series switch with Supervisor Engine 6-E supports a maximum of 32 MTU values system wide. On a switch running Cisco IOS Release 12.2(40)SG, all MTU values configured on a line card are set to default when the module is reset. MTU values are not retained for modules that are physically moved. Workaround: None.
There is no workaround for the link flap issue. (CSCsm81875) • Changing flow control configuration with traffic and pause frames causes some traffic loss. This problem can happen when pause frames are sent to the switch port and the flow control receive configuration is toggled on a 10-Gb port. Workaround: Change the flow control receive configuration when no traffic exists.
While the active supervisor engine is up, no traffic can be handled by the switch. The two supervisor engines might alternately reboot continuously. Workaround: Use Cisco IOS Release 12.2(53)SG4, 12.2(54)SG, 15.0(1)SG or later images with WS-C4510R+E and WS-C4507R+E chassis. CSCtl84092 • When a LAN Base image from Cisco IOS Release 12.2(53)SG3 or earlier is loaded on a WS-C4510R+E or WS-C4507R+E chassis, the system hangs and there is no error message. Cisco IOS Release 12.
2. Configure an IP address and an IPv6 address on loopback interfaces. 3. Enable the SNMP engine. CSCsw92921 • When flex link load balancing is used, MAC addresses sourced over the backup interface are not programmed into the dynamic MAC address table. Source address learning is triggered for all traffic from these MAC addresses, which may cause high CPU. Workaround: Configure static MAC addresses for the source addresses on the backup flex link interface.
Open Caveats for Cisco IOS Release 12.2(53)SG5 This section lists the open caveats for Cisco IOS Release 12.2(53)SG5: • When you enter the access-list N permit host hostname command on a redundant chassis operating in SSO mode, you might observe the following syslog messages. The command is not synchronized with the redundant supervisor engine, and keepalive warnings appear.
Caveats If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine’s MAC address table, causing possible connectivity interruption on the host. Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine.
Caveats • If you simultaneously apply a service-policy to a port in the output direction and a service-policy to a vlan-range under that port in the output direction, the class-map hit counters in the output of the show policy-map interface command are wrong. Workaround: None. The queue transmit counters as well as the policing statistics (if any) are correct. CSCsz20149 • Packets entering a switch as fragments or with a non-zero fragment offset field are not be subjected to PBR. Workaround: None.
Caveats – Default ACL (the IP access-list) configured on the interface specifies deny ip any any. – Dynamic policy authorization for the client specifies permit ip any any. Workaround: Add entries to the Default ACL in addition to 'deny ip any any'. CSCsz63739 • If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines.
Caveats CSCtq73579 • If you use AAA accounting with the broadcast keyword, a switch may either display unpredictable behavior or crash. Workaround: Do not use AAA accounting with the broadcast keyword. CSCts56125 • A vulnerability exists in the Cisco IOS software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used.
provided the following conditions apply: – A switchport is configured with the following: authentication event server dead action authorize... authentication event server alive action reinitialize – The RADIUS server was down previously, and a port without traffic (for example, a hub with no devices attached) was authorized into the inaccessible authentication bypass (IAB) VLAN without an associated MAC address.
For this condition to persist, the transmit queues in question must remain congested for a long period of time, and that congestion must be caused by flows that remain belligerent. Workaround: Provided the queue in question is nondefault (queuing actions are not configured in the class-default class of the policy map), detach and reattach the service policy. If this happens on the default queue, modifying and resetting some queuing parameters such as bandwidth and shape resolves the problem.
This behavior occurs in a redundant switch when the active supervisor engine is running Cisco IOS, the standby supervisor engine is in ROMMON, and the standby supervisor engine’s ROMMON is upgraded from version 0.34 to a later version. The upgrade process causes the uplinks on the standby supervisor engine to go down, but the active supervisor engine is unaware of this.
%C4K_CHASSIS-2-MUXBUFFERTYPENOTSUPPORTED: Mux Buffer in slot n of unsupported type 14, where n is the slot number. If the standby supervisor engine boots, the active supervisor engine displays the following message and reboots: %C4K_REDUNDANCY-2-POSTFAIL_RESET: Power-On Self Test (POST) failure on ACTIVE supervisor detected. Detected the Standby Supervisor bootupFailed While the active supervisor engine is up, no traffic can be handled by the switch.
• Some non-powered devices fail to link up when connected to a 4648-RJ45-E/+E line card port with a 2- or 4-wire cable (1,2,3,6). Workarounds: – Use a 4-pair wire. – Enter the power inline never command. – Enter the speed auto 10 100 command. CSCtn43537 • When reconnecting to a switch using IP device tracking, a Windows Vista, Windows 2008, or Windows 2007 device registers a duplicate address message. Workaround: Disable gratuitous ARP on the Windows device. CSCtn27420 • 802.
Workaround: If you include snmp-server enable traps envmon in the device configuration, a ciscoEnvMonSuppStatusChangeNotification is generated when the power supply either turns off or fails. CSCtl72109 • A switch might crash if ip cef accounting non-recursive is configured and BGP routes are being supplied. Workaround: Disable IP CEF accounting. CSCtn68186 • A port channel will not establish correctly if the following conditions apply: – vlan dot1q tag native is configured.
• A switch crashes when you use no set extcommunity cost to remove set extcommunity cost in a route-map and you enter show run. Workaround: Remove the entire route-map and re-create it. CSCsr23563 • On an SSH- and Telnet-configured switch, if you configure a banner, then SSH to the router, the banner shows incorrectly: pqiu@apt-cse-613% ssh cisco@10.66.79.
• In rare instances, when you are using MAC ACL-based policers, the output of the show policy-map interface fa6/1 command does not display the packets being matched: Switch# show policy-map int fa6/1 Service-policy output: p1 Class-map: c1 (match-all) 0 packets <-------- It stays at '0' despite traffic being received Match: access-group name fnacl21 police: Per-interface Conform: 9426560 bytes Exceed: 16573440 bytes Workaround: Verify that the MAC addresses being transmitted through the system are learned.
QueueID  Old QueueName      New QueueName
13       acl input log      rfp-failure
14       acl input forward  acl input log
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs.
Workaround: None. (CSCsm30320) • An IP unnumbered configuration is lost after a switch reloads. Workarounds: Do one of the following: – After a reload, copy the startup-config to the running-config. – Use a loopback interface as the target of the ip unnumbered command. – Change the CLI configuration so that during bootup the router port is created first.
a. Reconfigure the VLAN load balancing configuration on the desired REP ports.
b. Use the shut command on any one REP port in the segment to cause a failure in that segment.
c. Use the no shut command on the same port to restore the normal REP topology with one ALT port.
d. Invoke manual preemption on a primary edge port to obtain VLAN load balancing with the new configuration.
• When multiple streams of CRC errors are encountered on a WS-C4900M chassis configured with OAM monitoring of frame errored seconds, OAM does not report the value of errored frame seconds correctly if you configure the following CLIs:
ethernet oam link-monitor frame-seconds window
ethernet oam link-monitor frame-seconds threshold low
Workaround: Configure a lower value for the low threshold so that the frame errors are seen divided into the expected number of frame errored seconds.
Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port. The connected host is authenticated, so it should be able to send traffic and the STP state should be Forwarding. Workaround: Enter shut, then no shut on the port.
Workaround: When creating the file, enter some characters, remove the ftp command, then re-enter it as follows:
Switch(config)# no ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.$
Switch(config)# ip dhcp snooping database ftp://griff:ddd@192.168.1.4/test1.
CSCtr91106 • A switch operating as a DHCP server where sessions receive DHCP information from a RADIUS server may experience a crash and DHCP-related errors. Workaround: None. CSCtj48387 • A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device.
Not Supported on Supervisor Engine 6-E • With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with hardware control plane policing. Workaround: None. (CSCso93282) • When Supervisor Engine II+10GE attempts to boot in a non-production 4510R+E chassis, the following error message is displayed: "ERROR! Sup II+10GE 10GE (X2), 1000BaseX (SFP) not supported in WS-C4510R-E chassis, system can not boot Rebooting in 10 seconds...
Workaround: Reinsert the X2. (CSCsk43618) • When the CPU transmits a .1X packet on an interface that has an attached egress QoS policy, the packet is not matched and exits without any QoS marking actions. When a packet is sent to the CPU, it may get sent out on some other interface. If so, the original CoS value for a .1X packet cannot be matched by software QoS (according to CSCsk66449). The packet is transmitted with the CoS value it was generated with (7, for the MLDv1 packets described here).
The issue is observed only for packets that are logically switched but are internally controlled such that on egress they appear to be generated by the switch itself. This can happen for certain snooping features such as DAI, IGMP snooping, DHCP snooping, and MLD snooping. This can also happen for IPv4/v6 packets with IP options/extension headers that need processing in software. Workaround: None.
Cisco IOS Release 12.2(53)SG3 and earlier are not supported on WS-C4510R+E and WS-4507R+E chassis and should display a valid error message when loaded. Workaround: Load a LAN Base image from Cisco IOS Release 12.2(53)SG4 and later. CSCtl89329 • If Supervisor Engine 6-E or Supervisor Engine 6L-E is inserted in a 4507R+E or 4510R+E chassis, ROMMON incorrectly reports the chassis as 4507R-E or 4510R-E. Workaround: None. CSCtl74638 Resolved Caveats in Cisco IOS Release 12.
Open Caveats for Cisco IOS Release 12.2(53)SG3 This section lists the open caveats for Cisco IOS Release 12.2(53)SG3: • When you enter the access-list N permit host hostname command on a redundant chassis operating in SSO mode, you might observe the following syslog messages. The command is not synchronized with the redundant supervisor engine, and keepalive warnings appear.
• When you enter the ip http secure-server command (or if the system reads it from the startup configuration), the device searches for a persistent self-signed certificate during boot up. – If such a certificate does not exist and the device's hostname and default_domain are set, then a persistent self-signed certificate is generated. – If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain.
Workarounds: – Do not inject packets that require an IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch. – Configure the correct default gateway on the host side. (CSCse75660) • When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you enter the qos account layer2 encapsulation command. Workaround: None.
Workaround: Clear the errors with the clear ethernet cfm errors command. (CSCsv43819) • On a Catalyst 4500 switch running Cisco IOS Release 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the restoration. Workaround: Shut down, and then reopen the interface.
• After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands: %SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8 %SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.
• On a redundant switch running Cisco IOS Release 12.2(52)SG, after a port is authorized through 802.1X, the show dot1x interface statistics command may display empty values on the standby supervisor engine. The statistics are displayed properly on the active supervisor. Workaround: None.
The IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored. CSCsz34522 • If a host is authenticated in the data VLAN, the STP state of the VLAN is blocked.
The show memory debug leak lowmem command can work in extremely low memory conditions but might crash the switch due to its very high CPU intensity. It also takes between 20 and 90 minutes to complete. Workaround: If call or packet drops persist, contact TAC rather than entering these commands on your own. CSCsi48986 • If you are using a large custom Webauth login page on a switch running Cisco IOS Release 12.2(53)SG3 or IOS-XE 3.1.
Note The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory, as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.
When an output service policy attaches to an interface and the policy is configured to apply DBL on a queue, the flows that are enqueued are subjected to the DBL algorithm. One or more flows that are classified as belligerent (flows that do not back off in response to drops because of congestion in the queue) continue to be classified as belligerent even when DBL is disabled on that queue.
• Uplinks go down when upgrading the ROMMON of a WS-X45-SUP6-E supervisor from version 0.34 to a later version. This behavior occurs in a redundant switch when the active supervisor engine is running Cisco IOS, the standby supervisor engine is in ROMMON, and the standby supervisor engine’s ROMMON is upgraded from version 0.34 to a later version. The upgrade process causes the uplinks on the standby supervisor engine to go down, but the active supervisor engine is unaware of this.
Resolved Caveats in Cisco IOS Release 12.2(53)SG3 This section lists the resolved caveats in Release 12.2(53)SG3: • The IP router option may not work with IGMP version 2. Workaround: None. CSCsv42869 • Graphics referenced in HTML pages may not be displayed in a user's browser during web authentication. Workaround: Embed the graphic into the HTML file up to 256 kilobytes (according to RFC 2397).
Open Caveats for Cisco IOS Release 12.2(53)SG2 This section lists the open caveats for Cisco IOS Release 12.2(53)SG2: • When you enter the access-list N permit host hostname command on a redundant chassis operating in SSO mode, you might observe the following syslog messages. The command is not synchronized with the redundant supervisor engine, and keepalive warnings appear.
• When you enter the ip http secure-server command (or if the system reads it from the startup configuration), the device searches for a persistent self-signed certificate during boot up. – If such a certificate does not exist and the device's hostname and default_domain are set, then a persistent self-signed certificate is generated. – If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain.
Workarounds: – Do not inject packets that require an IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch. – Configure the correct default gateway on the host side. (CSCse75660) • When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you enter the qos account layer2 encapsulation command. Workaround: None.
Workaround: Clear the errors with the clear ethernet cfm errors command. (CSCsv43819) • On a Catalyst 4500 switch running Cisco IOS Release 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the restoration. Workaround: Shut down, and then reopen the interface.
• Graphics referenced in HTML pages may not be displayed in a user's browser during web authentication. Workaround: Embed the graphic into the HTML file up to 256 kilobytes (according to RFC 2397).
• When a link fails on a closed REP segment of 16 nodes configured with VLANs on each node, the convergence time exceeds 250 ms, especially for multicast traffic. Workaround: None. This does not impact REP functionality, but it impacts restoration timing. Traffic restoration time after the failure of a REP segment sometimes exceeds 200 ms. CSCsx55704 • On a redundant switch running Cisco IOS Release 12.2(52)SG, after a port is authorized through 802.
CSCsz20149 • Packets entering a switch as fragments or with a non-zero fragment offset field are not subjected to PBR. Workaround: None. CSCsz06719 (4500 + 4900, for now) • On a wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.
– Default ACL (the IP access-list) configured on the interface specifies deny ip any any. – Dynamic policy authorization for the client specifies permit ip any any. Workaround: None. CSCsz63739 • If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 ms for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 ms for all other supervisor engines. Workaround: None.
Workaround: None. CSCtj48387 • A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
Supervisor Engine 6-E Specific Caveats • Systems running Cisco IOS Release 12.2(40)SG do not support the handling of .1Q packets for software QoS lookup. Workaround: None. (CSCsk66449) • Under some conditions, one or more flows continue to be dropped because of DBL even after DBL has been removed from the service policy. When an output service policy attaches to an interface and the policy is configured to apply DBL on a queue, the flows that are enqueued are subjected to the DBL algorithm.
Workaround: None. (CSCsl72868) • When you specify a DBL action for the class-default class map in a policy map, it might not work depending on the size of the default queue. Workaround: To ensure that the DBL action operates on the default queue, use the queue-limit command to specify an explicit queue size. This command dictates the size range. (CSCso06422) • Uplinks go down when upgrading the ROMMON of a WS-X45-SUP6-E supervisor from version 0.34 to a later version.
• When CX1 or SFP+ are plugged into a OneX converter (CVR-X2-SFP10G) in a WS-X4908-10GE, the latter requires 1 minute to bring up the link. Workaround: None. CSCtc46340 Resolved Caveats in Cisco IOS Release 12.2(53)SG2 This section lists the resolved caveats in Release 12.2(53)SG2: • A WS-X45-SUP6-E in a Catalyst 4510R chassis running Cisco IOS Release 12.2(52)SGA may fail to boot when 7 or more WS-X4248-RJ45V are installed in the chassis. This is only seen in Cisco IOS Release 12.2(52)SG.
Workaround: Reconfigure tracking on the newly created interface. (CSCsr66876) • When a PVLAN isolated port is connected to a router serving as a multicast source, and you enable IGMP snooping, the routers connected to the isolated ports display as PIM neighbors. Workaround: Do one of the following: – Do not attach routers to PVLAN isolated ports. – Disable IGMP snooping (either globally or on the VLAN). – Do not use a router connected to a PVLAN isolated port as a multicast source.
• EnergyWise is enabled and you use the energywise level level recurrence importance importance at minute hour day_of_month month day_of_week interface configuration command to configure a recurring event on a switch.
• The 4500-E and 4900M switches running IOS Release 12.2(53)SG1 or 12.2(50)SG6 may crash when the only QoS service-policy in a given VLAN is at the VLAN level. The problem occurs when the following three conditions are met: – A software-generated or software-switched packet exits an interface (P), which is a member of a VLAN (V). – The packet is not a high priority; PAK_PRIORITY is not set.
000103: Jul 9 01:23:16.642 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: config-changed command to standby
000104: Jul 9 01:23:26.682 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: config-changed command to standby
000105: Jul 9 01:23:36.721 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: config-changed command to standby
000106: Jul 9 01:23:46.777 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: config-changed command to standby
000107: Jul 9 01:23:56.
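Messages like the ones above are worth alerting on, because a config-sync failure on an SSO pair means the standby supervisor engine no longer carries the same configuration (the ACL in this caveat included) as the active one, and a later switchover would run with the stale copy. The following Python script is an added example, not from these release notes: it parses IOS-style syslog lines (sequence number, timestamp, %FACILITY-SEVERITY-MNEMONIC header, text) and flags a burst of HA_CONFIG_SYNC errors. The sample log lines are constructed to match the format quoted above (the last timestamp is made up, since the page truncates it), the year is an assumed value because IOS does not log one, and the 3-errors-in-60-seconds threshold is an assumed tuning value.

```python
"""Flag bursts of SSO config-sync errors in Cisco IOS syslog output.

Added example, not from the release notes. Line layout follows the quoted
messages: sequence number, timestamp, %FACILITY-SEVERITY-MNEMONIC, text.
"""
import re
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^(?P<seq>\d+): (?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[A-Z]+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# Constructed sample in the quoted format; the last timestamp is made up
# because the release notes truncate it. One unrelated line is mixed in.
SAMPLE_LOG = """\
000103: Jul 9 01:23:16.642 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: config-changed command to standby
000104: Jul 9 01:23:26.682 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: config-changed command to standby
000105: Jul 9 01:23:36.721 PDT: %SYS-5-CONFIG_I: Configured from console by vty0
000106: Jul 9 01:23:46.777 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: config-changed command to standby
000107: Jul 9 01:23:56.801 PDT: %HA_CONFIG_SYNC-3-LBL_CFGSYNC: config-changed command to standby
"""


def parse_line(line, year=2010):
    """Return a dict for one IOS syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    # IOS omits the year from the timestamp; the caller supplies it (assumed).
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S.%f"
    )
    return {
        "seq": int(m["seq"]),
        "ts": ts,
        "facility": m["facility"],
        "severity": int(m["severity"]),
        "mnemonic": m["mnemonic"],
        "text": m["text"],
    }


def find_sync_failures(log, threshold=3, window=timedelta(seconds=60)):
    """Return sequence numbers of HA_CONFIG_SYNC errors (severity 3 or worse)
    that complete a run of `threshold` such errors inside `window`."""
    errors = [
        e for e in map(parse_line, log.splitlines())
        if e and e["facility"] == "HA_CONFIG_SYNC" and e["severity"] <= 3
    ]
    alerts = []
    start = 0  # left edge of the sliding time window over `errors`
    for i, e in enumerate(errors):
        while e["ts"] - errors[start]["ts"] > window:
            start += 1
        if i - start + 1 >= threshold:
            alerts.append(e["seq"])
    return alerts


if __name__ == "__main__":
    print("config-sync alerts at sequence numbers:", find_sync_failures(SAMPLE_LOG))
```

On the constructed sample the third and fourth sync errors each complete a three-in-a-minute run, so the alert list is [106, 107]; the %SYS-5 line is parsed but ignored by the facility filter.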
QueueID  Old QueueName      New QueueName
5        control-packet     control-packet
6        rpf-failure        control-packet
7        adj-same-if        control-packet
8        control-packet
11       adj-same-if
13       acl input log      rfp-failure
14       acl input forward  acl input log
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs.
• When performing an ISSU upgrade and the versions of the active and standby supervisor engines differ, you see the following message in the standby supervisor engine console: %XDR-6-XDRINVALIDHDR: XDR for client (CEF push) dropped (slots:2 from slot:3 context:145 length:11) due to: invalid context Workaround: None. This is an informational message. (CSCsi60898) • When you send traffic on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225 ms. Workaround: None.
• A switch crashes while deleting an expExpressionTable row with SNMP and setting expExpressionEntryStatus to 6. • Egress traffic may not be allowed if you configure 802.1X as a Unidirectional Controlled Port. Workarounds: Do one of the following: – Enter spanning-tree portfast then authentication control-direction in on an 802.1X port. – Enter shut then no shut on an 802.1X port.
(CSCsv69853) • When you remove an SFP+ from a OneX converter in an X2 slot, it takes approximately 45 seconds for the system to recognize this action. During this time, all commands indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can cause a “duplicate seeprom” error message. Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following: – Enter any commands for that port.
• When .1X with MDA is set in host mode and guest VLAN is enabled, when you pump traffic from a traffic generator at a high rate, a Security violation is wrongly flagged. Workaround: None. CSCsy38640 • When you enter the show adjacency x.x.x.x internal command for an adjacency, the packet counters increment correctly but the byte counters remain 0. Workaround: None.
While performing OIR of the supervisor engines, the engines must be removed completely before re-insertion. CSCsy70428 • When you request an on-demand Call Home message send without specifying a profile name and the specified module returns an unknown diagnostic result, the following error message displays: Switch# call-home send alert-group diagnostic module 2 Sending diagnostic info call-home message ... Please wait. This may take some time ... Switch# *Jan 3 01:54:24.
Workaround: Disable explicit host tracking on the affected VLANs. CSCsz28612 • On a wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS. This only happens when the switch is running network mobility service protocol (nmsp).
Prior to Cisco IOS Release 12.2(53)SG1 and 12.2(50)SG6, the switchport block multicast command blocks IP multicast, Layer 2 multicast, and broadcast traffic. (CSCta61825) CSCtb30327 • A switch running Cisco IOS Release 12.2(53)SG displays the message %C4K_EBM-4-HOSTFLAPPING: happening between master loopback port and the source port during layer3 (IPv4 and IPv6) packets loop using ethernet oam (EOAM) This message does not impact performance. Workaround: None.
• If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 ms for C4900M, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 ms for all other supervisor engines. Workaround: None. Despite the different default value, you can configure any value in the time range. CSCte51948 • A switch may crash while loading BGP routes if the ip cef accounting non-recursive command is already configured.
Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html CSCtr28857 • A switch crashes after displaying the message: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (Unknown MAC) on Interface Gi5/39 AuditSessionID AC156241000000670001BC9.
If this happens on the default queue, modifying and resetting some queuing parameters such as bandwidth and shape resolves the problem. (CSCsk62457) • When an E-series switch encounters either a fan tray failure or a supervisor engine critical temperature, the chassis shuts off. The output of the show crashdump command will not indicate the cause of the power-down. Workarounds: Use the show log command to find the cause of the power-down.
• Uplinks go down when upgrading the ROMMON of a WS-X45-SUP6-E supervisor from version 0.34 to a later version. This behavior occurs in a redundant switch when the active supervisor engine is running Cisco IOS, the standby supervisor engine is in ROMMON, and the standby supervisor engine’s ROMMON is upgraded from version 0.34 to a later version. The upgrade process causes the uplinks on the standby supervisor engine to go down, but the active supervisor engine is unaware of this.
Workaround: Disable native VLAN tagging on the trunk port of the switch using the no switchport trunk native vlan tag command. CSCsz12611 • A WS-X45-SUP6-E in a Catalyst 4510R chassis running Cisco IOS Release 12.2(52)SGA may fail to boot when 7 or more WS-X4248-RJ45V are installed in the chassis. This is only seen in Cisco IOS Release 12.2(52)SG. Workaround: Downgrade to Cisco IOS Release 12.2(50)SG3.
Resolved Caveats in Cisco IOS Release 12.2(53)SG1 This section lists the resolved caveats in Release 12.2(53)SG1: • When you configure switchport block multicast on a port to block unknown multicast traffic, broadcast traffic is also blocked. Therefore, the port receives neither unknown multicast nor broadcast traffic. All broadcast traffic (such as ARP requests and DHCP discovery) is not received by the port, so protocols that use such broadcasts stop working.
Workaround: Ensure that the port is active before applying the policy-map or entering the show policy-map command. The command to activate a previously inactive interface is the following: hw-module module [module number] port-group [group number] select [gigabitethernet] CSCtb90328 • When you configure EnergyWise power control on PoE ports with a time-based execution schedule, the time entry executes without adjusting for daylight saving time.
Workaround: None. CSCsz38442 • When the vlan-port state changes on flexlink ports, the following two messages appear on the console: A syslog warning message "%SM-4-BADEVENT: Event 'forward' is invalid for the current state 'present': pm_vp .." A traceback error message This issue happens only on flexlink ports under the following two scenarios: – You configure flexlink vlan load balancing before changing the port mode of a backup interface to trunk mode.
Open Caveats for Cisco IOS Release 12.2(53)SG This section lists the open caveats for Cisco IOS Release 12.2(53)SG: • When you enter the access-list N permit host hostname command on a redundant chassis operating in SSO mode, you might observe the following syslog messages. The command is not synchronized with the redundant supervisor engine, and keepalive warnings appear.
• When you enter the ip http secure-server command (or if the system reads it from the startup configuration), the device searches for a persistent self-signed certificate during boot up. – If such a certificate does not exist and the device's hostname and default_domain are set, then a persistent self-signed certificate is generated. – If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain.
Workarounds: – Do not inject packets that require an IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch. – Configure the correct default gateway on the host side. (CSCse75660) • When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you enter the qos account layer2 encapsulation command. Workaround: None.
• On a Catalyst 4500 switch running Cisco IOS Release 12.2(50)SG, when the access VLAN is deleted and then restored on a port configured with 802.1x multi-auth, authorized 802.1X clients cannot pass traffic because the spanning tree remains in a Disabled state after the restoration. Workaround: Shut down, and then reopen the interface. (CSCso50921) • When you delete and recreate an interface, the tracking process is unable to track its state.
• When you remove a line card containing ports configured with IGMP snooping while booting a standby supervisor engine, the active supervisor engine does not synchronize this configuration to the standby supervisor engine as a part of a bulk synchronization. When you reinstall the line card, the configuration in the active and standby supervisor engines will differ. Workaround: Do one of the following: – Reload the standby switch again with the line card in place.
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8 This applies to classic or E-series Catalyst 4500 supervisor engines running Cisco IOS Release 12.2(50)SG. Workaround: None. (CSCsw14005) • The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.
• When the ports connecting a RADIUS server and a client are placed in different VLANs, and you enter the ip radius source-interface command and perform two SSO switchovers, the authenticated session is lost. Workaround: Re-authenticate the client.
CSCsz20149 • On a switch running Cisco IOS Release 12.2(50)SG or 12.2(52)SG, when an 802.1X port configured with PVLAN community VLAN receives a new PVLAN assignment from the AAA server, resetting the configuration on this interface may cause the switch to reload. Workaround: None. CSCsz38442 • Packets entering a switch as fragments or with a non-zero fragment offset field are not subjected to PBR. Workaround: None. CSCsz06719 (4500 + 4900, for now) • After enabling a 802.
Assuming that you configured authentication open on the port and a host is authenticated on that port, if you unconfigure open auth (no authentication open), the STP state becomes blocked on an authenticated port. The connected host is authenticated, so it should be able to send traffic and the STP state should be Forwarding. Workaround: Enter shut, then no shut on the port.
– Default ACL (the IP access-list) configured on the interface specifies deny ip any any. – Dynamic policy authorization for the client specifies permit ip any any. Workaround: None. CSCsz63739 • EnergyWise is enabled and you use the energywise level level recurrence importance importance at minute hour day_of_month month day_of_week interface configuration command to configure a recurring event on a switch.
• A vulnerability exists in the Cisco IOS software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device. Products that are not running Cisco IOS software are not vulnerable. Cisco has released free software updates that address these vulnerabilities.
– The RADIUS server was down previously, and a port without traffic (for example, a hub with no devices attached) was authorized into the inaccessible authentication bypass (IAB) VLAN without an associated MAC address. The RADIUS server becomes available again, and the IAB-authorized port transitions to another state. Workaround: None. CSCtx61557 • When a trunk port is configured with a native VLAN other than VLAN 1, REP packets are not sent on that VLAN.
– LogRkiosModuleShutdownTemp messages in the log indicate that the supervisor engine critical temperature exceeded the failure threshold. (CSCsk48632) • A Catalyst 4500 series switch with Supervisor Engine 6-E supports a maximum of 32 MTU values system wide. On a switch running Cisco IOS Release 12.2(40)SG, all MTU values configured on a line card are set to default when the module is reset. MTU values are not retained for modules that are physically moved. Workaround: None.
– Power-cycle the standby supervisor engine by briefly pulling it from the chassis. There is no workaround for the link flap issue. (CSCsm81875) • Changing the flow control configuration with traffic and pause frames causes some traffic loss. This problem can happen when pause frames are sent to the switch port and the flow control receive configuration is toggled on a 10-Gb port. Workaround: Change the flow control receive configuration when no traffic exists.
Caveats • Output IPv6 ACLs with Ace to match on the ICMP option fail on a switch. The following conditions may cause a RACL to malfunction: – ACL are applied on the output direction of the interface. – IPv6 ACL contain Ace to match on the ICMP option fields (ICMP Type or ICMP Code).
Caveats • Cisco IOS Software contains a vulnerability that could allow an attacker to cause a Cisco IOS device to reload by remotely sending a crafted encryption packet. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://tools.cisco.
Workaround: Verify that the MAC addresses being transmitted through the system are learned. (CSCef01798)
• After an SSO switchover, you may receive a “PM-4-PORT_INCONSISTENT” error message on the switch console if you enter the shutdown command, and then enter the no shutdown command on the port that is in UDLD disable state. This does not affect the switch; the port remains in UDLD disable state.
Workaround: None. (CSCsc11726)
• An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port. This situation could occur for these reasons:
– A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.
– The switch administrator enters the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled.
– Change the CLI configuration so that during bootup the router port is created first. (CSCsq63051)
• In SSO mode, when a port channel is created, deleted, and recreated on an active supervisor engine with the same channel number, the standby port channel state goes out of sync. After a switchover, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel.
Workaround: None. (CSCsv07019)
• Certain Cisco Trusted Security (CTS) SXP connection configurations may not consistently select the best source IP address for each SXP connection. On a switch with multiple Layer 3 interfaces, if the CTS SXP connection is configured without specifying a source IP address and no default SXP source IP address is configured on the box, different SXP connections may acquire different source IP addresses.
(CSCsv90044)
• Graphics referenced in HTML pages may not be displayed in a user's browser during web authentication.
Workaround: Embed the graphic into the HTML file up to 256 kilobytes (according to RFC 2397).
CSCsw42967
• When a link fails on a closed REP segment of 16 nodes configured with VLANs on each node, the convergence time exceeds 250 ms, especially for multicast traffic.
Workaround: None. This does not impact REP functionality, but it impacts restoration timing. Traffic restoration time after the failure of a REP segment sometimes exceeds 200 ms. CSCsx55704
• On a redundant switch running Cisco IOS Release 12.2(52)SG, after a port is authorized through 802.
*Jan 3 01:54:24.471: %CALL_HOME-3-ONDEMAND_MESSAGE_FAILED: call-home on-demand message failed to send (ERR 18, The alert group is not subscribed)
Workaround: Specify a profile name when you enter the diagnostic command. You might want to avoid requesting an on-demand send for invalid modules. First, enter the show module command to check for valid or present modules.
• When a switch enabled for explicit host tracking runs IGMPv3, ports that stopped sending IGMPv3 reports are displayed in the IGMPv3 table until a timeout. This behavior did not exist in Cisco IOS Release 12.2(50)SG.
Workaround: Disable explicit host tracking in the affected VLANs. CSCsz28612
• On Wireless Control System (WCS), some device information is incorrectly displayed for PCs sitting behind an LLDP-MED capable phone.
CSCsz63739
• EnergyWise is enabled and you use the energywise level level recurrence importance importance at minute hour day_of_month month day_of_week interface configuration command to configure a recurring event on a switch.
• If a switch running Cisco IOS Release 12.2(52)SG receives MPLS packets, SA misses and host learning cause high CPU utilization.
Workarounds:
– Enter the mac address-table dynamic group protocols ip other command.
– Configure a static MAC address. CSCta09651
Supervisor Engine 6-E Specific Caveats
• Systems running Cisco IOS Release 12.2(40)SG do not support the handling of .1Q packets for software QoS lookup.
Workaround: None.
When a packet is sent to the CPU, it may be sent out on some other interface. If so, the original CoS value of a .1X packet cannot be matched by software QoS (according to CSCsk66449). The packet is transmitted with the CoS value it was generated with (7, for the MLDv1 packets described here).
Workaround: None. Part of the root cause of this problem is captured in CSCsk66449, which indicates that software QoS cannot match a .1X packet.
• Initially, REP configured with VLAN load balancing (VLB) works correctly. When you enter a force-switchover on the switch that has a port acting as the secondary ALT port, a loop is induced in the topology.
Workaround: Enter shut followed by no shut on any REP port (of the same segment in which VLB is configured) in the topology.
Resolved Caveats in Cisco IOS Release 12.2(52)XO
This section lists the resolved caveats in Release 12.2(52)XO:
• If you configure CFM on an EtherChannel (with at least two interfaces), when you shut or remove the first member that joined the channel, you lose the CFM neighbor.
Workaround: Clear the errors with the clear ethernet cfm errors command. (CSCsv43819)
• On a switch with Supervisor Engine WS-X45-SUP6-E running Cisco IOS Release 12.2(46)SG or 12.
event syslog pattern "changed state to up"
action 1 cli command "enable"
action 2 cli command "conf t"
action 3 cli command "interface gigabitEthernet 2/1"
action 4 cli command "no qos"
action 5 cli command "qos"
On Supervisor Engine 6-E or a Catalyst 4900M switch, remove and reapply the QoS service policy on the impacted VLAN:
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
CSCsx74970
• When you run an SNMP (getmany) query on cbQosPoliceStatsTable and cbQosREDClassStatsTable from a single SSH window (session), CPU utilization reaches 99 percent. If you query cbQosPoliceStatsTable and cbQosREDClassStatsTable from 18 SSH sessions, a CPU-HOG error message displays.
Workaround: None, other than stopping the query. CSCsw89720
• On a supervisor engine running Cisco IOS Release 12.
L1 Instruction Cache: ENABLED
L1 Data Cache: ENABLED
L2 Cache: ENABLED
Machine Check Interrupts: 5
L1 Instruction Cache Parity Errors: 3
L1 Instruction Cache Parity Errors (CPU30): 1
L1 Data Cache Parity Errors: 1
CSCsx15372
• On a switch running Cisco IOS Release 12.2(50)SG, supplicants authorized on a PVLAN in multi-auth host mode do not move to an Unauthorized state when you remove the PVLAN. This problem occurs only when a port is configured with PVLAN and 802.1X multi-auth.
(CSCsw32519)
• Entering the lacp or pagp command on an fa1 management interface in channel-group x or channel-protocol mode causes the active supervisor engine to reload. Port-channel functionality is not supported on the fa1 management interface. This is a configuration error.
Workaround: None. (CSCsv91302)
• On classic series supervisors and Supervisor Engine 6-E running Cisco IOS Release 12.
(CSCsh72408)
• IPv6 EIGRP routes are not learned through the port channel.
Workaround: Unconfigure the port channel and the associated physical port, and reconfigure them. (CSCsq74229)
• Ordinarily, you observe the following messages frequently in the logs; they imply no impact to performance:
001298: .Oct 8 01:38:50.968: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0 aPErr interrupt. errAddr: 0x2947 dPErr: 1 mPErr: 0 valid: 1
001299: .Oct 8 01:51:20.
Switch# sh runn int fa 3/1
channel-group 2 mode on -- Port in etherchannel
Switch# conf t
Switch(config)# int fa 3/1
Switch(config-if)# auto qos voip trust
AutoQoS Error: AutoQoS can not be configured on member port(s) of a port-channel
This problem is first seen in 12.2(40)SG.
Workaround: Manually apply the configuration that is generated by AutoQoS. Do not use AutoQoS.
CSCsy29140
• Cisco IOS Software contains a vulnerability that could allow an attacker to cause a Cisco IOS device to reload by remotely sending a crafted encryption packet. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-tls
• CSCsq24002
Open Caveats for Cisco IOS Release 12.2(52)SG
This section lists the open caveats for Cisco IOS Release 12.
• After an SSO switchover, you may receive a “PM-4-PORT_INCONSISTENT” error message on the switch console if you enter the shutdown command, and then enter the no shutdown command on the port that is in UDLD disable state. This does not affect the switch; the port remains in UDLD disable state. Reentering the shutdown command, and then entering the no shutdown command on the same port will ensure that the error message does not reappear.
Workaround: None.
This situation could occur for these reasons:
– A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.
– The switch administrator enters the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection, and the destination MAC address is already in the ARP table.
• In SSO mode, when a port channel is created, deleted, and recreated on an active supervisor engine with the same channel number, the standby port channel state goes out of sync. After a switchover, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the port channel, create a new channel.
On a switch with multiple Layer 3 interfaces, if the CTS SXP connection is configured without specifying a source IP address and no default SXP source IP address is configured on the box, different SXP connections may acquire different source IP addresses.
Workaround: Do one of the following:
– Ensure that only one active Layer 3 interface exists on the switch.
– Specify the source IP address in each SXP connection configuration to avoid ambiguity.
Workaround: Embed the graphic into the HTML file up to 256 kilobytes (according to RFC 2397). The following browsers support RFC 2397:
– Internet Explorer 8
– Mozilla Firefox
– Safari
(CSCsu37834)
• After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.
Workaround: None. This does not impact REP functionality, but it impacts restoration timing. Traffic restoration time after the failure of a REP segment sometimes exceeds 200 ms. CSCsx55704
• On a redundant switch running Cisco IOS Release 12.2(52)SG, after a port is authorized through 802.1X, the show dot1x interface statistics command may display empty values on the standby supervisor engine. The statistics are displayed properly on the active supervisor engine.
Workaround: None.
You might want to avoid requesting an on-demand send for invalid modules. First, enter the show module command to check for valid or present modules. CSCsz05888
• When an access list is attached to an interface under extreme hardware resource exhaustion, the ACL may not be automatically loaded into the hardware even if hardware resources later become available. No TCAM entries are available for the new access list.
Workaround: Disable explicit host tracking in the affected VLANs. CSCsz28612
• On Wireless Control System (WCS), some device information is incorrectly displayed for PCs sitting behind an LLDP-MED capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS. This only happens when the switch is running Network Mobility Service Protocol (NMSP).
• EnergyWise is enabled and you use the energywise level level recurrence importance importance at minute hour day_of_month month day_of_week interface configuration command to configure a recurring event on a switch.
• Under some conditions, one or more flows continue to be dropped because of DBL even after DBL has been removed from the service policy. When an output service policy is attached to an interface and the policy is configured to apply DBL on a queue, the enqueued flows are subjected to the DBL algorithm.
Workaround: None. If you enter the show policy-map name command, however, the unconditional marking actions appear. (CSCsi94144)
• Supervisor Engine II-Plus-TS in a Catalyst 4503-E chassis running ROMMON lists the chassis type as Unknown. After booting Cisco IOS, the chassis type is listed properly.
Workaround: None. (CSCsl72868)
• When you specify a DBL action for the class-default class map in a policy map, it might not work depending on the size of the default queue.
• When a CFM Inward Facing MEP (IFM) is configured on a VLAN that is not allocated on a switch port that is DOWN, the show ethernet cfm maintenance-points local command displays the IFM CC Status as inactive. When you allocate the VLAN, the CC status remains inactive. You only see this behavior if you did not allocate the VLAN before configuring the IFM and then allocate the same VLAN later.
Workaround: Unconfigure, and then reconfigure the IFM on the port.
CSCsu01848
• Under normal operation, you will observe the following messages in the logs:
001298: .Oct 8 01:38:50.968: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0 aPErr interrupt. errAddr: 0x2947 dPErr: 1 mPErr: 0 valid: 1
001299: .Oct 8 01:51:20.100: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0 aPErr interrupt.
Switch(config-if-vlan-range)# service policy input secVlanInPolicy
Switch(config-if-vlan-range)# end
Switch#
CSCsw19087
• Your standby supervisor engine crashes when you enter the following commands:
interface range GigabitEthernet8/2 - 48
switchport voice vlan 505
qos vlan-based
tx-queue 3
priority high
ip dhcp snooping limit rate 100
The problem occurs on redundant Catalyst 4500 series switches that run Cisco IOS Releases 12.2(46)SG or 12.
If you require authentication control-direction in, configure the port for multi-authentication or Multi-Domain Authentication (MDA). CSCsx98360
• On a redundant switch running Cisco IOS Releases 12.2(50)SG or 12.2(50)SG1 where 802.1X VVID and port security are configured on a port, the CDP MAC address from a non-802.1X-capable Cisco IP phone might not be added to the port security table on the standby supervisor engine.
Workaround: None. This problem is fixed in Cisco IOS Releases 12.2(50)SG2 and 12.
Workaround: Configure the native VLAN for the PVLAN isolated trunk. (CSCsv38137)
• On a switch running Cisco IOS Release 12.2(50)SG, supplicants authorized on a PVLAN in multi-auth host mode do not move to an Unauthorized state when you remove the PVLAN. This problem occurs only when a port is configured with PVLAN and 802.1X multi-auth.
Workaround: Shut down, and then reopen the interface. (CSCsr58573)
• A switch does not accept the snmp mib target list vrf command.
• Entering the lacp or pagp command on an fa1 management interface in channel-group x or channel-protocol mode causes the active supervisor engine to reload. Port-channel functionality is not supported on the fa1 management interface. This is a configuration error.
Workaround: None. (CSCsv91302)
• On classic series supervisors and Supervisor Engine 6-E running Cisco IOS Release 12.
• IPv6 EIGRP routes are not learned through the port channel.
Workaround: Unconfigure the port channel and the associated physical port, and reconfigure them. (CSCsq74229)
• Ordinarily, you observe the following messages frequently in the logs; they imply no impact to performance:
001298: .Oct 8 01:38:50.968: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0 aPErr interrupt. errAddr: 0x2947 dPErr: 1 mPErr: 0 valid: 1
001299: .Oct 8 01:51:20.
• Ping does not execute prior to a posture validation.
Workaround: Reapply the identity policy on the interface with the permit icmp command. (CSCsu03507)
• If you configure a PVLAN isolated trunk on a switch, and no native VLAN is assigned to the isolated trunk port, you must assign the native VLAN with the sw private-vlan trunk native vlan command.
Workaround: Configure the native VLAN for the PVLAN isolated trunk.
Workaround: None. (CSCsv91302)
• When you attempt an ISSU upgrade or downgrade between Cisco IOS Release 12.2(50)SG and 12.2(44)SG or 12.2(46)SG, the switch displays a traceback.
Workaround: None.
Workaround: Do not use the nested policy-map feature in Cisco IOS Release 12.2(40)SG and 12.2(44)SG. (CSCsy80664)
• If you change the mode of the switch port from CFM-supported mode to CFM-unsupported mode, CFM is disabled automatically. When you reset the mode to supported, the CFM state remains Disabled, as observed in the running configuration of the interface. If you run ISSU runversion from Cisco IOS Release 12.2(44)SG to 12.2(46)SG, you observe a bulk-sync failure.
• During an ISSU upgrade from an earlier release to Cisco IOS Release 12.2(52)SG (and later) or a downgrade from Cisco IOS Release 12.2(52)SG (and later) to an earlier release, the following harmless message (and traceback) is displayed by the PM ISSU client in the older release. Please ignore this message.
*Aug 7 14:28:27.
• After an SSO switchover, you may receive a “PM-4-PORT_INCONSISTENT” error message on the switch console if you enter the shutdown command, and then enter the no shutdown command on the port that is in UDLD disable state. This does not affect the switch; the port remains in UDLD disable state. Reentering the shutdown command, and then entering the no shutdown command on the same port will ensure that the error message does not reappear.
Workaround: None.
This situation could occur for these reasons:
– A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.
– The switch administrator enters the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection, and the destination MAC address is already in the ARP table.
• In SSO mode, when a port channel is created, deleted, and recreated on an active supervisor engine with the same channel number, the standby port channel state goes out of sync. After a switchover, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the port channel, create a new channel.
On a switch with multiple Layer 3 interfaces, if the CTS SXP connection is configured without specifying a source IP address and no default SXP source IP address is configured on the box, different SXP connections may acquire different source IP addresses.
Workaround: Do one of the following:
– Ensure that only one active Layer 3 interface exists on the switch.
– Specify the source IP address in each SXP connection configuration to avoid ambiguity.
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
– Enter any commands for that port.
– Insert an SFP+ in that port.
– Reinsert the removed SFP+ in any other port.
(CSCsv90044)
• The following system message may appear after you enter the verify command on an image in bootflash.
Catalyst-4507# verify bootflash:cat4500-entservices-mz.122-37.
This applies to classic or E-series Catalyst 4500 supervisor engines running Cisco IOS Release 12.2(50)SG.
Workaround: None. (CSCsw14005)
• The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to an IP phone (with CDP port status TLV support) that is connected to the switch.
Not Supported on Supervisor Engine 6-E
• With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with hardware control plane policing.
Workaround: None. (CSCso93282)
• During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on the console of the active supervisor engine:
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal software error occurred.
Workaround: Reinsert the X2. (CSCsk43618)
• When the CPU transmits a .1X packet on an interface that has an attached egress QoS policy, the packet is not matched and exits without any QoS marking actions. When a packet is sent to the CPU, it may be sent out on some other interface. If so, the original CoS value of a .1X packet cannot be matched by software QoS (according to CSCsk66449). The packet is transmitted with the CoS value it was generated with (7, for the MLDv1 packets described here).
• Changing the flow control configuration while traffic and pause frames are present causes some traffic loss. This problem can happen when pause frames are sent to the switch port and the flow control receive configuration is toggled on a 10-Gb port.
Workaround: Change the flow control receive configuration when no traffic exists. (CSCso71647)
• IGMP snooping entries are active even after you disable IGMP snooping globally.
Workaround: Disable IGMP snooping on all the relevant VLANs before disabling it globally.
Workaround: Unconfigure 100/Full, execute shut/no shut, then reconfigure 100/Full on the local switch. CSCtf76196
• A switch fails if you configure a PBR policy to match on prefix lists instead of ACLs.
Workaround: Configure the route map to match only on ACLs. CSCtg22126
Open Caveats for Cisco IOS Release 12.2(50)SG7
This section lists the open caveats for Cisco IOS Release 12.
• After an SSO switchover, you may receive a “PM-4-PORT_INCONSISTENT” error message on the switch console if you enter the shutdown command, and then enter the no shutdown command on the port that is in UDLD disable state. This does not affect the switch; the port remains in UDLD disable state. Reentering the shutdown command, and then entering the no shutdown command on the same port will ensure that the error message does not reappear.
Workaround: None.
This situation could occur for these reasons:
– A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.
– The switch administrator enters the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection, and the destination MAC address is already in the ARP table.
• In SSO mode, when a port channel is created, deleted, and recreated on an active supervisor engine with the same channel number, the standby port channel state goes out of sync. After a switchover, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the port channel, create a new channel.
• Certain Cisco Trusted Security (CTS) SXP connection configurations may not consistently select the best source IP address for each SXP connection. On a switch with multiple Layer 3 interfaces, if the CTS SXP connection is configured without specifying a source IP address and no default SXP source IP address is configured on the box, different SXP connections may acquire different source IP addresses.
• When you remove an SFP+ from a OneX converter in an X2 slot, it takes approximately 45 seconds for the system to recognize this action. During this time, all commands indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can cause a “duplicate seeprom” error message.
Workaround: When a log message appears indicating that the SFP+ has been removed, do one of the following:
– Enter any commands for that port.
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.102 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
This applies to classic or E-series Catalyst 4500 supervisor engines running Cisco IOS Release 12.2(50)SG.
Workaround: None. (CSCsw14005)
• The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.
Despite the different default value, you can configure any value in the time range. CSCte51948
Not Supported on Supervisor Engine 6-E
• With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with hardware control plane policing.
Workaround: None.
On a switch running Cisco IOS Release 12.2(40)SG, all MTU values configured on a line card are set to default when the module is reset. MTU values are not retained for modules that are physically moved.
Workaround: None. (CSCsk52542)
• On rare occasions, if you use an X2 SR transceiver on a WS-X4706-10GE running Cisco IOS Release 12.2(40)SG, you observe CRC errors after a reload or power cycle upon inserting the card or X2.
Workaround: Reinsert the X2. (CSCsk43618)
• When the CPU transmits a .
This behavior occurs in a redundant switch when the active supervisor engine is running Cisco IOS, the standby supervisor engine is in ROMMON, and the standby supervisor engine’s ROMMON is upgraded from version 0.34 to a later version. The upgrade process causes the uplinks on the standby supervisor engine to go down, but the active supervisor engine is unaware of this.
• On Cisco IOS Releases 12.2(50)SG7 and 12.2(50)SG6, if you reload a local switch (Catalyst 4900M or Supervisor Engine 6-E) with [speed] full/[duplex] full configuration on interface Fa1, the link on both sides will be down after bootup.
Workaround: Unconfigure 100/Full, execute shut/no shut, then reconfigure 100/Full on the local switch. CSCtf76196
Resolved Caveats in Cisco IOS Release 12.2(50)SG7
This section lists the resolved caveats in Release 12.
Workarounds: Do one of the following:
– Use a different GBIC.
– Downgrade to Cisco IOS Release 12.2(46)SG.
– Upgrade to Cisco IOS Release 12.2(53)SG2 or 12.2(50)SG7. CSCtd40838
• Output IPv6 ACLs with an ACE that matches on ICMP option fields fail on a switch. The following conditions may cause a RACL to malfunction:
– The ACL is applied in the output direction of the interface.
– The IPv6 ACL contains an ACE that matches on the ICMP option fields (ICMP Type or ICMP Code).
• When you enter the issu loadversion command in a redundant chassis, you might observe a traceback accompanied by a “Bad parent VLAN ID” error message.
Workaround: None. (CSCsv59929)
• On a Catalyst 4500 series switch running Cisco IOS Release 12.2(50)SG and later versions, if you enter the clear port-security dynamic interface fastethernet1 command, the switch reloads. Do not enter this command if port security is not configured on the interface. Do not enter this command on fa1.
Class-map: c1 (match-all)
0 packets <-------- Stays at 0 despite traffic being received
Match: access-group name fnacl21
police: Per-interface
Conform: 9426560 bytes Exceed: 16573440 bytes
Workaround: Verify that the MAC addresses being transmitted through the system are learned.
Switch(config)# monitor session n source cpu queue
(CSCsc94802)
• To enable IP CEF (if it is disabled by hardware exhaustion), enter the ip cef distributed command.
Workaround: None. (CSCsc11726)
• An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.
Workarounds: Do one of the following:
– After a reload, copy the startup-config to the running-config.
– Use a loopback interface as the target of the ip unnumbered command.
– Change the CLI configuration so that during bootup the router port is created first. (CSCsq63051)
• In SSO mode, when a port channel is created, deleted, and recreated on an active supervisor engine with the same channel number, the standby port channel state goes out of sync.
• When the switch port configured with 802.1X Multi-Domain Authentication (MDA) and Guest VLAN is connected to a non-802.1X supplicant PC through a hub, the port falls back to a guest VLAN. Subsequently, it is stuck in the guest VLAN and ignores all EAPOL traffic from another 802.1X supplicant PC connected to the hub.
Workaround: None. (CSCsu42775)
• VTP databases do not propagate through promiscuous trunk ports.
(CSCsv44866)
• When you enter the issu loadversion command in a redundant chassis, you might observe a traceback accompanied by a “Bad parent VLAN ID” error message.
Workaround: None. (CSCsv59929)
• If you change the mode of the switch port from CFM-supported mode to CFM-unsupported mode, CFM is disabled automatically. When you reset the mode to supported, the CFM state remains Disabled, as observed in the running configuration of the interface.
01:09:25: %SIGNATURE-4-NOT_PRESENT: %WARNING: Signature not found in file bootflash:cat4500-entservices-mz.122-37.SG1.
This symptom may occur when running Cisco IOS Release 12.2(40)SG or later.
Workaround: Verify the integrity of the image using the verify /md5 command. Compare the resultant MD5 signature with the signature posted on CCO for that image.
Workaround: Enter shutdown, then no shutdown on the interface. This triggers relearning, and a synchronization of the host's MAC address to the standby supervisor engine. CSCsw91661
• Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on private VLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.
Workaround: None.
Supervisor Engine 6-E Specific Caveats
• Systems running Cisco IOS Release 12.2(40)SG do not support the handling of .1Q packets for software QoS lookup.
Workaround: None. (CSCsk66449)
• Under some conditions, one or more flows continue to be dropped because of DBL even after DBL has been removed from the service policy. When an output service policy is attached to an interface and the policy is configured to apply DBL on a queue, the enqueued flows are subjected to the DBL algorithm.
• When the trusted boundary feature is enabled on an interface, no command exists to verify the current operating state.
Workaround: None. You cannot explicitly verify the trusted boundary state. However, you can indirectly ascertain this state: the trusted boundary feature determines whether a packet’s CoS/DSCP value is trusted. When the interface is not in a trusted state, the CoS/DSCP fields are forced to zero on a received packet.
The issue is observed only for packets that are logically switched but are internally controlled such that the egress packet is generated by the switch itself. This can happen for certain snooping features such as DAI, IGMP snooping, DHCP snooping, and MLD snooping. This can also happen for IPv4/v6 packets with IP options or extension headers that need processing in software.
Workaround: None. (CSCso96660)
• Initially, REP configured with VLAN load balancing (VLB) works correctly.
IPv6 access list a2
    permit icmp 2020::/96 any nd-ns sequence 10
    deny ipv6 any any sequence 20
Workaround: None. CSCtc13297
• On PVLAN trunk ports, learned MAC addresses age out unconditionally, resulting in flooding not only at the initial phase of frame delivery, but periodically at every MAC age interval. This behavior makes use of the switchport block unicast command risky, because it prevents communication.
Workaround: None.
If the high CPU is due to the QoS configuration, upgrade the IOS image and enter the no qos statistics classification command. CSCta54369

• If many ARP entries (47k) exist and you clear the ARP table, the system reloads and the switch crashes with the message:
ROM by abort at PC 0x0
Workaround: None. Downgrade to Cisco IOS Release 12.2(50)SG3 if needed.
Open Caveats for Cisco IOS Release 12.2(50)SG5

This section lists the open caveats for Cisco IOS Release 12.2(50)SG5:

• When you enter the access-list N permit host hostname command on a redundant chassis operating in SSO mode, you might observe the following syslog messages. The command is not synchronized with the redundant supervisor engine, and keepalive warnings appear.
• When you enter the ip http secure-server command (or if the system reads it from the startup configuration), the device searches for a persistent self-signed certificate during boot up.
– If such a certificate does not exist and the device's hostname and default_domain are set, then a persistent self-signed certificate is generated.
– If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain.
Workarounds:
– Do not inject packets that require an IP redirect sent out to an IP unnumbered port within 3 minutes of booting the Catalyst 4500 series switch.
– Configure the correct default gateway on the host side. (CSCse75660)

• When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you enter the qos account layer2 encapsulation command.
Workaround: None.
• When you configure ip source binding statically on an interface, and then remove the line card on which the interface resides, the entries are not removed from the running configuration.
Workaround: Before removing a line card, delete the statically configured ip source binding entries on any of the interfaces on the line card.
Workarounds: Do one of the following:
– Enter spanning-tree portfast then authentication control-direction in on an 802.1X port.
– Enter shut then no shut on an 802.1X port. (CSCsv05205)

• When you configure two MST instances on two switches, MST information is not properly synchronized to the standby on the second switch.
Workaround: None. (CSCsv07019)

• Certain Cisco Trusted Security (CTS) SXP connection configurations may not consistently select the best source IP for each SXP connection.
Workaround: Reconfigure VLAN load balancing with a different configuration, by performing the following task:
a. Reconfigure the VLAN load balancing configuration on the desired REP ports.
b. Use the shut command on any one REP port in the segment to cause a failure in that segment.
c. Use the no shut command on the same port to restore the normal REP topology with one ALT port.
d. Invoke manual preemption on a primary edge port to obtain VLAN load balancing with the new configuration.
– Internet Explorer 8
– Mozilla Firefox
– Safari (CSCsu37834)

• After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.
• When using dynamic policy installation for a client or host that is authenticated on a secure port, the traffic from the client is not permitted even though the permit ip any any command is specified as the dynamic policy for the client. This occurs only if the following conditions are satisfied:
– Multi-host mode is configured on the port with the authentication host-mode multi-host command.
– The default ACL (the IP access-list) configured on the interface specifies deny ip any any.
– LogRkiosModuleShutdownTemp messages in the log indicate that the supervisor engine critical temperature exceeded the failure threshold. (CSCsk48632)

• A Catalyst 4500 series switch with Supervisor Engine 6-E supports a maximum of 32 MTU values system wide. On a switch running Cisco IOS Release 12.2(40)SG, all MTU values configured on a line card are set to the default when the module is reset. MTU values are not retained for modules that are physically moved.
Workaround: None.
Workaround: To ensure that the DBL action operates on the default queue, use the queue-limit command to specify an explicit queue size. This command dictates the size range. (CSCso06422)

• Uplinks go down when upgrading the ROMMON of a WS-X45-SUP6-E supervisor from version 0.34 to a later version.
• IPv6 EIGRP routes are not learned through the port channel.
Workaround: Unconfigure the port channel and the associated physical port, and reconfigure them. (CSCsq74229)

• When a CFM Inward Facing MEP (IFM) is configured on a VLAN that is not allocated on a switch port that is DOWN, the show ethernet cfm maintenance-points local command displays the IFM CC Status as inactive. When you allocate the VLAN, the CC-status remains inactive.
Resolved Caveats in Cisco IOS Release 12.2(50)SG5

This section lists the resolved caveats in Release 12.2(50)SG5:

• Under extremely rare conditions, a WS-X45-SUP6-E or WS-X45-SUP6L-E may silently stop forwarding traffic. This caveat occurs when a register value is corrupted and you subsequently enable a Layer 3 feature.
Workaround: None. (CSCsz48273)

Open Caveats for Cisco IOS Release 12.2(50)SG4

This section lists the open caveats for Cisco IOS Release 12.
• After an SSO switchover, you may receive a “PM-4-PORT_INCONSISTENT” error message on the switch console if you enter the shutdown command, and then enter the no shutdown command on a port that is in the UDLD disable state. This does not affect the switch; the port remains in the UDLD disable state. Reentering the shutdown command, and then entering the no shutdown command on the same port ensures that the error message does not reappear.
Workaround: None.

This situation could occur for these reasons:
– A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.
– The switch administrator enters the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection, and the destination MAC address is already in the ARP table.

• In SSO mode, when a port channel is created, deleted, and recreated on an active supervisor engine with the same channel number, the standby port channel state goes out of sync. After a switchover, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the port channel, create a new channel.
• A switch crashes while deleting an expExpressionTable row with SNMP and setting expExpressionEntryStatus to 6.

• The switch may reload after destroying the expExpressionTable row via SNMP when you enter the debug management expression evaluator command.
Workaround: Disable the debug management expression evaluator command. (CSCsu67323)

• Egress traffic may not be allowed if you configure 802.1X as a Unidirectional Controlled Port.
• If you change the mode of the switch port from CFM-supported mode to CFM-unsupported mode, CFM is disabled automatically. When you reset the mode to supported, the CFM state remains Disabled, as observed in the running configuration of the interface. If you run ISSU runversion from Cisco IOS Release 12.2(44)SG to 12.2(46)SG, you observe a bulk-sync failure. CFM is supported in the default switch port mode.
Workaround: Verify the integrity of the image using the verify /md5 command. Compare the resultant MD5 signature with the signature posted on CCO for that image. (CSCsu36320)

• On Supervisor Engine 6-E and Catalyst 4900M, no output is displayed after you enter the verify command without the /md5 parameter on a bootflash image.
Workaround: Verify the integrity of the image with the verify /md5 command. Compare the resultant MD5 signature with the signature posted on CCO for that image.
• Class-map hit counters do not increment on the egress policy-map when it is attached to the primary VLAN on private VLAN trunk ports. However, the traffic is properly classified and the actions configured in the policy are applied properly.
Workaround: None. CSCsy72343

• On a Catalyst 4500 series switch running Cisco IOS Release 12.2(50)SG and later versions, if you enter the clear port-security dynamic interface fastethernet1 command, the switch reloads.
For this condition to persist, the transmit queues in question must remain congested for a long period of time, and that congestion must be caused by flows that remain belligerent.
Workaround: Provided the queue in question is nondefault (queuing actions are not configured in the class-default class of the policy-map), detach and reattach the service policy. If this happens on the default queue, modifying and resetting some queuing parameters such as bandwidth and shape resolves the problem.

Workaround: Enter the show policy-map interface command to find the actual burst value programmed. (CSCsi71036)

• When you enter the show policy-map vlan vlan command, unconditional marking actions that are configured on the VLAN are not shown.
Workaround: None. If you enter the show policy-map name command, however, the unconditional marking actions appear. (CSCsi94144)

• Supervisor Engine II-Plus-TS in a Catalyst 4503-E chassis running ROMMON lists the chassis type as Unknown.

• If FlexLink is applied to a pair of EtherChannels, the FlexLink configuration may not be applied after a reboot, provided the backup EtherChannel is defined after the FlexLink configuration.
Workaround: Define the backup EtherChannel before applying the flexlink command. (CSCsq13477)

• If an EtherChannel is a member of a FlexLink pair, then static MAC addresses configured on the EtherChannel are not moved to the alternate port when the EtherChannel fails (FlexLink failure).
Workaround: None.
– The IPv6 ACL contains an ACE that matches on the ICMP option fields (ICMP Type or ICMP Code). Here are two examples of such non-functioning RACLs:
IPv6 access list a1
  permit icmp any any nd-ns sequence 10
  deny ipv6 any any sequence 20
IPv6 access list a2
  permit icmp 2020::/96 any nd-ns sequence 10
  deny ipv6 any any sequence 20
Workaround: None. CSCtc13297

Resolved Caveats in Cisco IOS Release 12.2(50)SG4

This section lists the resolved caveats in Release 12.
001299: .Oct 8 01:51:20.100: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0 aPErr interrupt. errAddr: 0x2B59 dPErr: 1 mPErr: 0 valid: 1
These messages imply no impact to performance.
Workaround: None. (CSCsv17545)

• Entering the lacp or pagp command on an fa1 management interface in channel-group x or channel-protocol mode causes the active supervisor engine to reload. Port-channel functionality is not supported on the fa1 management interface. This is a configuration error.
Workaround: None.
(CSCta02425)

• Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication, or the consent feature contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage. There are no workarounds that mitigate this vulnerability. This advisory is posted at the following link: http://tools.cisco.
(CSCsx32444)

• When you downgrade a redundant SUP6-E switch via ISSU from Cisco IOS 12.2(50)SG2, the supervisor uplinks stop carrying traffic. All links remain up.
Workaround: Reload the shelf.
Note: An SSO switchover using an earlier release might restore traffic, but only temporarily. (CSCsz17726)

Open Caveats for Cisco IOS Release 12.2(50)SG3

This section lists the open caveats for Cisco IOS Release 12.
• After an SSO switchover, you may receive a “PM-4-PORT_INCONSISTENT” error message on the switch console if you enter the shutdown command, and then enter the no shutdown command on a port that is in the UDLD disable state. This does not affect the switch; the port remains in the UDLD disable state. Reentering the shutdown command, and then entering the no shutdown command on the same port ensures that the error message does not reappear.
Workaround: None.

This situation could occur for these reasons:
– A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.
– The switch administrator enters the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection, and the destination MAC address is already in the ARP table.

• In SSO mode, when a port channel is created, deleted, and recreated on an active supervisor engine with the same channel number, the standby port channel state goes out of sync. After a switchover, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the port channel, create a new channel.
• When a switch port configured with 802.1X Multi-Domain Authentication (MDA) and Guest VLAN is connected to a non-802.1X supplicant PC through a hub, the port falls back to the guest VLAN. Subsequently, it is stuck in the guest VLAN and ignores all EAPOL traffic from another 802.1X supplicant PC connected to the hub.
Workaround: None. (CSCsu42775)

• VTP databases do not propagate through promiscuous trunk ports.

(CSCsv44866)

• When you enter the issu loadversion command in a redundant chassis, you might observe a traceback accompanied by a “Bad parent VLAN ID” error message.
Workaround: None. (CSCsv59929)

• If you change the mode of the switch port from CFM-supported mode to CFM-unsupported mode, CFM is disabled automatically. When you reset the mode to supported, the CFM state remains Disabled, as observed in the running configuration of the interface.
01:09:25: %SIGNATURE-4-NOT_PRESENT: %WARNING: Signature not found in file bootflash:cat4500-entservices-mz.122-37.SG1.
This symptom may occur when running Cisco IOS Release 12.2(40)SG or later.
Workaround: Verify the integrity of the image using the verify /md5 command. Compare the resultant MD5 signature with the signature posted on CCO for that image.

• Entering the lacp or pagp command on an fa1 management interface in channel-group x or channel-protocol mode causes the active supervisor engine to reload. Port-channel functionality is not supported on the fa1 management interface. This is a configuration error.
Workaround: None. (CSCsv91302)

• The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.

• AutoQoS cannot be configured on member ports of a port-channel.
Switch# sh runn int fa 3/1
 channel-group 2 mode on    -- Port in etherchannel
Switch# conf t
Switch(config)# int fa 3/1
Switch(config-if)# auto qos voip trust
AutoQoS Error: AutoQoS can not be configured on member port(s) of a port-channel
This problem is first seen in Cisco IOS Release 12.2(40)SG.
Workaround: Manually apply the configuration that would be generated by AutoQoS. CSCsv03316

• If you are running Cisco IOS Releases 12.
For this condition to persist, the transmit queues in question must remain congested for a long period of time, and that congestion must be caused by flows that remain belligerent.
Workaround: Provided the queue in question is nondefault (queuing actions are not configured in the class-default class of the policy-map), detach and reattach the service policy. If this happens on the default queue, modifying and resetting some queuing parameters such as bandwidth and shape resolves the problem.

Workaround: Enter the show policy-map interface command to find the actual burst value programmed. (CSCsi71036)

• When you enter the show policy-map vlan vlan command, unconditional marking actions that are configured on the VLAN are not shown.
Workaround: None. If you enter the show policy-map name command, however, the unconditional marking actions appear. (CSCsi94144)

• Supervisor Engine II-Plus-TS in a Catalyst 4503-E chassis running ROMMON lists the chassis type as Unknown.

• If FlexLink is applied to a pair of EtherChannels, the FlexLink configuration may not be applied after a reboot, provided the backup EtherChannel is defined after the FlexLink configuration.
Workaround: Define the backup EtherChannel before applying the flexlink command. (CSCsq13477)

• If an EtherChannel is a member of a FlexLink pair, then static MAC addresses configured on the EtherChannel are not moved to the alternate port when the EtherChannel fails (FlexLink failure).
Workaround: None.

aPErr interrupt. errAddr: 0x2947 dPErr: 1 mPErr: 0 valid: 1
001299: .Oct 8 01:51:20.100: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0 aPErr interrupt. errAddr: 0x2B59 dPErr: 1 mPErr: 0 valid: 1
These messages imply no impact to performance.
Workaround: None. (CSCsv17545)

• When you downgrade a redundant SUP6-E switch via ISSU from Cisco IOS 12.2(50)SG2, the supervisor uplinks stop carrying traffic. All links remain up.
Workaround: Reload the shelf.
Resolved Caveats in Cisco IOS Release 12.2(50)SG3

This section lists the resolved caveats in Release 12.2(50)SG3:

• A Catalyst 4500 E-Series Switch with Supervisor Engine 6-E might crash if you insert or remove a TwinGig converter or boot it with TwinGig converters installed. TwinGig converters are only supported on E-series supervisors and line cards. This bug does not affect systems without installed converters.
Workaround: None.
• After an SSO switchover, you may receive a “PM-4-PORT_INCONSISTENT” error message on the switch console if you enter the shutdown command, and then enter the no shutdown command on a port that is in the UDLD disable state. This does not affect the switch; the port remains in the UDLD disable state. Reentering the shutdown command, and then entering the no shutdown command on the same port ensures that the error message does not reappear.
Workaround: None.

This situation could occur for these reasons:
– A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.
– The switch administrator enters the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled. The switch receives packets that require redirection, and the destination MAC address is already in the ARP table.

• In SSO mode, when a port channel is created, deleted, and recreated on an active supervisor engine with the same channel number, the standby port channel state goes out of sync. After a switchover, the following message displays:
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the port channel, create a new channel.
• When a switch port configured with 802.1X Multi-Domain Authentication (MDA) and Guest VLAN is connected to a non-802.1X supplicant PC through a hub, the port falls back to the guest VLAN. Subsequently, it is stuck in the guest VLAN and ignores all EAPOL traffic from another 802.1X supplicant PC connected to the hub.
Workaround: None. (CSCsu42775)

• VTP databases do not propagate through promiscuous trunk ports.

(CSCsv44866)

• When you enter the issu loadversion command in a redundant chassis, you might observe a traceback accompanied by a “Bad parent VLAN ID” error message.
Workaround: None. (CSCsv59929)

• If you change the mode of the switch port from CFM-supported mode to CFM-unsupported mode, CFM is disabled automatically. When you reset the mode to supported, the CFM state remains Disabled, as observed in the running configuration of the interface.
01:09:25: %SIGNATURE-4-NOT_PRESENT: %WARNING: Signature not found in file bootflash:cat4500-entservices-mz.122-37.SG1.
This symptom may occur when running Cisco IOS Release 12.2(40)SG or later.
Workaround: Verify the integrity of the image using the verify /md5 command. Compare the resultant MD5 signature with the signature posted on CCO for that image.
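The verify /md5 workaround above compares a hash computed on the switch with the one posted on CCO. As an added example (not from the release notes), the Python below performs the same check on the administrator's workstation before the image is copied to bootflash: it streams the file through MD5, looks the filename up in an md5sum-style hash list, and compares digests in constant time. The image bytes, the hash list and the "published" hashes are constructed for the demonstration; only the filename is taken from the caveat.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for an image file. The filename is the one quoted in the
# caveat; the content and the hashes below are fabricated for this example.
IMAGE_NAME = "cat4500-entservices-mz.122-37.SG1"
IMAGE_BYTES = b"not a real IOS image; constructed sample content\n" * 1000

def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so a large image never has to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_hash_list(text):
    """Parse md5sum-style '<32 hex chars>  <filename>' lines into {filename: md5}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 32:
            table[parts[1]] = parts[0].lower()
    return table

def check_image(path, published):
    """Return 'ok', 'MISMATCH', or 'unknown' (filename absent from the list)."""
    expected = published.get(os.path.basename(path))
    if expected is None:
        return "unknown"
    actual = md5_of_file(path)
    # compare_digest avoids leaking how many leading characters matched
    return "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"

def demo():
    """Write the constructed image to a temp dir and check it against three lists."""
    good_md5 = hashlib.md5(IMAGE_BYTES).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, IMAGE_NAME)
        with open(path, "wb") as fh:
            fh.write(IMAGE_BYTES)
        good_list = parse_hash_list(f"{good_md5}  {IMAGE_NAME}\n")
        bad_list = parse_hash_list(f"{'0' * 32}  {IMAGE_NAME}\n")   # deliberately wrong
        return check_image(path, good_list), check_image(path, bad_list), check_image(path, {})

if __name__ == "__main__":
    print(demo())   # ('ok', 'MISMATCH', 'unknown')
```

A filename missing from the hash list is reported as unknown rather than as a pass, so an image that was never published with a hash cannot slip through as verified.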
• Entering the lacp or pagp command on an fa1 management interface in channel-group x or channel-protocol mode causes the active supervisor engine to reload. Port-channel functionality is not supported on the fa1 management interface. This is a configuration error.
Workaround: None. (CSCsv91302)

• The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.

• AutoQoS cannot be configured on member ports of a port-channel.
Switch# sh runn int fa 3/1
 channel-group 2 mode on    -- Port in etherchannel
Switch# conf t
Switch(config)# int fa 3/1
Switch(config-if)# auto qos voip trust
AutoQoS Error: AutoQoS can not be configured on member port(s) of a port-channel
This problem is first seen in Cisco IOS Release 12.2(40)SG.
Workaround: Manually apply the configuration that would be generated by AutoQoS. CSCsv03316

• If you are running Cisco IOS Releases 12.
For this condition to persist, the transmit queues in question must remain congested for a long period of time, and that congestion must be caused by flows that remain belligerent.
Workaround: Provided the queue in question is nondefault (queuing actions are not configured in the class-default class of the policy-map), detach and reattach the service policy. If this happens on the default queue, modifying and resetting some queuing parameters such as bandwidth and shape resolves the problem.

Workaround: Enter the show policy-map interface command to find the actual burst value programmed. (CSCsi71036)

• When you enter the show policy-map vlan vlan command, unconditional marking actions that are configured on the VLAN are not shown.
Workaround: None. If you enter the show policy-map name command, however, the unconditional marking actions appear. (CSCsi94144)

• Supervisor Engine II-Plus-TS in a Catalyst 4503-E chassis running ROMMON lists the chassis type as Unknown.

• If FlexLink is applied to a pair of EtherChannels, the FlexLink configuration may not be applied after a reboot, provided the backup EtherChannel is defined after the FlexLink configuration.
Workaround: Define the backup EtherChannel before applying the flexlink command. (CSCsq13477)

• If an EtherChannel is a member of a FlexLink pair, then static MAC addresses configured on the EtherChannel are not moved to the alternate port when the EtherChannel fails (FlexLink failure).
Workaround: None.

aPErr interrupt. errAddr: 0x2947 dPErr: 1 mPErr: 0 valid: 1
001299: .Oct 8 01:51:20.100: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0 aPErr interrupt. errAddr: 0x2B59 dPErr: 1 mPErr: 0 valid: 1
These messages imply no impact to performance.
Workaround: None. (CSCsv17545)

• When you downgrade a redundant SUP6-E switch via ISSU from Cisco IOS 12.2(50)SG2, the supervisor uplinks stop carrying traffic. All links remain up.
Workaround: Reload the shelf.
Resolved Caveats in Cisco IOS Release 12.2(50)SG2

This section lists the resolved caveats in Release 12.2(50)SG2:

• Packets for traffic destined to a SNAP host might be dropped if the ARP table indicates that the MAC entry is SNAP.
Workarounds:
1. Configure a static ARPA entry for the host.
2. Upgrade to a future IOS release containing the fix.

Workaround: Disable and configure QoS, as follows:
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# no qos
Switch(config)# qos
Switch(config)# end
Switch#
CSCsw19087

• On a Catalyst 4500 redundant switch running Cisco IOS Release 12.2(50)SG or 12.2(50)SG1, when 802.1X VVID and port security are configured together on a switch port, the CDP MAC from the non 802.
• On a Catalyst 4500 series switch running Cisco IOS Release 12.2(50)SG or 12.2(50)SG1, when you configure both 802.1X VVID and port security together on a switch port, then insert a non-802.1X capable Cisco IP phone with LLDP capability and a PC behind it, you might trigger a security violation. The violation is triggered when the PC behind the phone gets authorized on the port before the IP phone sends an LLDP packet.
Workaround: Turn off LLDP on the switch and on the Cisco IP phone from Call Manager.

Service-policy output: p1
  Class-map: c1 (match-all)
    0 packets    <-------- It stays at '0' despite traffic being received
    Match: access-group name fnacl21
    police: Per-interface
      Conform: 9426560 bytes Exceed: 16573440 bytes
Workaround: Verify that the MAC addresses being transmitted through the system are learned.
Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue
(CSCsc94802)

• To enable IP CEF (if it is disabled by hardware exhaustion), enter the ip cef distributed command.
Workaround: None. (CSCsc11726)

• An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.

Workarounds: Do one of the following:
– After a reload, copy the startup-config to the running-config.
– Use a loopback interface as the target of the ip unnumbered command.
– Change the CLI configuration so that during bootup the router port is created first. (CSCsq63051)

• In SSO mode, when a port channel is created, deleted, and recreated on an active supervisor engine with the same channel number, the standby port channel state goes out of sync.
– Do not attach routers to PVLAN isolated ports.
– Disable IGMP snooping (either globally or on the VLAN).
– Do not use a router connected to a PVLAN isolated port as a multicast source. (CSCsu39009)

• When a switch port configured with 802.1X Multi-Domain Authentication (MDA) and Guest VLAN is connected to a non-802.1X supplicant PC through a hub, the port falls back to the guest VLAN. Subsequently, it is stuck in the guest VLAN and ignores all EAPOL traffic from another 802.

Workaround: Do one of the following:
– Reload the standby switch again with the line card in place.
– Remove and reenter the commands on the active supervisor engine. The standby supervisor engine will acquire this change. (CSCsv44866)

• When you enter the issu loadversion command in a redundant chassis, you might observe a traceback accompanied by a “Bad parent VLAN ID” error message.
Workaround: None.

• The following system message may appear after you enter the verify command on an image in bootflash.
Catalyst-4507# verify bootflash:cat4500-entservices-mz.122-37.
• After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.101 Traceback= 101D9A88 10B76BB0 10B76FE0 10B7A114 10B7A340 1066A678 106617F8
%SM-4-BADEVENT: Event 'eouAAAAuthor' is invalid for the current state 'eou_abort': eou_auth 4.1.0.

Supervisor Engine 6-E Specific Caveats

• Systems running Cisco IOS Release 12.2(40)SG do not support the handling of .1Q packets for software QoS lookup.
Workaround: None. (CSCsk66449)

• Under some conditions, one or more flows continue to be dropped because of DBL even after DBL has been removed from the service policy. When an output service policy is attached to an interface and the policy is configured to apply DBL on a queue, the flows that are enqueued are subjected to the DBL algorithm.

• When the trusted boundary feature is enabled on an interface, no command exists to verify the current operating state.
Workaround: None. You cannot explicitly verify the trusted boundary state. However, you can indirectly ascertain this state: the trusted boundary feature determines whether the packet's CoS/DSCP value is trusted or not. When the interface is not in a trusted state, the CoS/DSCP fields are forced to zero on a received packet.

The issue is observed only for packets that are logically switched but are internally controlled such that the egress packet is generated by the switch itself. This can happen for certain snooping features such as DAI, IGMP snooping, DHCP snooping, and MLD snooping. It can also happen for IPv4/v6 packets with IP options or extension headers that need processing in software.
Workaround: None. (CSCso96660)

• Initially, REP configured with VLAN load balancing (VLB) works correctly.
• While running Cisco IOS Release 12.2(50)SG or 12.2(50)SG1 and using WS-X4648-GB-RJ45V or WS-X4648-GB-RJ45V+ line cards, on rare occasions you will observe the following syslog error message although the PoE line card is functioning correctly:
%C4K_ETHPOE-3-POEMICROCONTROLLERWARNING: Switching module in slot [x] needs to be reset.
This log message is informational only; it does not reflect a potential problem with the line card.

  permit icmp 2020::/96 any nd-ns sequence 10
  deny ipv6 any any sequence 20
Workaround: None. CSCtc13297

Resolved Caveats in Cisco IOS Release 12.2(50)SG1

This section lists the resolved caveats in Release 12.2(50)SG1:

• A switch may reload unexpectedly. On the console or in the crashinfo file, the following message might appear:
%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = Per-Second Jobs.
Workaround: When using the access-list N permit host hostname command, specify the IP address of the host rather than the hostname. (CSCef67489)

• In rare instances, when you are using MAC ACL-based policers, the packet match counters in show policy-map interface fa6/1 do not show the packets being matched:
clearwater# show policy-map int FastEthernet3/2
Service-policy output: p1
  Class-map: c1 (match-all)
    0 packets    <-------- It stays at '0' despite traffic being received
    Match: access-group name f
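The two caveats in this section that quote show policy-map output describe the same symptom: a class-map packet counter stuck at 0 while the policer's Conform/Exceed byte counters keep growing. As an added example (not part of the release notes), the Python below parses such output and flags class-maps with that signature, so the condition can be spotted from a collected show command rather than by eye. The sample output is constructed from the fragment quoted above, with a second, healthy class-map added for contrast.

```python
import re

# Constructed sample: the c1 block reproduces the caveat's output, class-default
# is a made-up healthy class whose packet counter tracks the policer bytes.
SAMPLE_OUTPUT = """\
clearwater# show policy-map int FastEthernet3/2
 FastEthernet3/2
  Service-policy output: p1
    Class-map: c1 (match-all)
      0 packets
      Match: access-group name fnacl21
      police: Per-interface
        Conform: 9426560 bytes Exceed: 16573440 bytes
    Class-map: class-default (match-any)
      1200 packets
      Match: any
      police: Per-interface
        Conform: 80000 bytes Exceed: 0 bytes
"""

CLASS_RE = re.compile(r"Class-map:\s+(\S+)")
PACKETS_RE = re.compile(r"^\s*(\d+)\s+packets\b")
POLICE_RE = re.compile(r"Conform:\s+(\d+)\s+bytes\s+Exceed:\s+(\d+)\s+bytes")

def parse_policy_map(output):
    """Return one dict per class-map: name, packets, conform bytes, exceed bytes."""
    classes, current = [], None
    for line in output.splitlines():
        m = CLASS_RE.search(line)
        if m:
            current = {"name": m.group(1), "packets": None, "conform": 0, "exceed": 0}
            classes.append(current)
            continue
        if current is None:
            continue          # header lines before the first class-map
        m = PACKETS_RE.match(line)
        if m:
            current["packets"] = int(m.group(1))
            continue
        m = POLICE_RE.search(line)
        if m:
            current["conform"], current["exceed"] = int(m.group(1)), int(m.group(2))
    return classes

def stuck_counters(classes):
    """Names of class-maps whose packet counter is 0 although the policer saw bytes."""
    return [c["name"] for c in classes
            if c["packets"] == 0 and (c["conform"] + c["exceed"]) > 0]

if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE_OUTPUT)
    for c in parsed:
        print(c)
    print("stuck:", stuck_counters(parsed))   # stuck: ['c1']
```

The check deliberately keys on the policer bytes rather than on the packet counter alone: a class with 0 packets and 0 bytes is simply idle, which is not the condition the caveats describe.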
QueueID   Old QueueName        New QueueName
8         control-packet
11        adj-same-if
13        acl input log        rfp-failure
14        acl input forward    acl input log
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs.
• When performing an ISSU upgrade and the versions of the active and standby supervisor engines differ, the following message is seen on the standby supervisor engine console:
%XDR-6-XDRINVALIDHDR: XDR for client (CEF push) dropped (slots:2 from slot:3 context:145 length:11) due to: invalid context
Workaround: None. This is an informational message. (CSCsi60898)

• When traffic is sent on a VLAN ID higher than 3000, the convergence time caused by a failure exceeds 225 ms.
Workaround: None.
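Several caveats in this section quote syslog messages and state whether they are benign or call for action (the TCAMINTERRUPT messages, SIGNATURE-4-NOT_PRESENT, PM-4-PORT_INCONSISTENT, the PoE microcontroller warning, XDR-6-XDRINVALIDHDR and SYS-2-WATCHDOG). As an added example (not from the release notes), the Python below parses IOS-format messages into facility, severity and mnemonic and tags each one with the triage note the corresponding caveat gives; anything not covered is reported as unknown rather than assumed harmless. The log lines are constructed from the formats quoted on this page, and the slot number in the PoE line is made up.

```python
import re
from collections import Counter

# Constructed sample log (not captured from a real switch); message bodies
# follow the formats quoted in the caveats above.
SAMPLE_LOG = """\
001298: .Oct 8 01:51:19.900: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0 aPErr interrupt. errAddr: 0x2947 dPErr: 1 mPErr: 0 valid: 1
001299: .Oct 8 01:51:20.100: %C4K_SWITCHINGENGINEMAN-4-TCAMINTERRUPT: flCam0 aPErr interrupt. errAddr: 0x2B59 dPErr: 1 mPErr: 0 valid: 1
01:09:25: %SIGNATURE-4-NOT_PRESENT: %WARNING: Signature not found in file bootflash:cat4500-entservices-mz.122-37.SG1.
%PM-4-PORT_INCONSISTENT: STANDBY:Port is inconsistent:
%C4K_ETHPOE-3-POEMICROCONTROLLERWARNING: Switching module in slot [3] needs to be reset.
%XDR-6-XDRINVALIDHDR: XDR for client (CEF push) dropped (slots:2 from slot:3 context:145 length:11) due to: invalid context
%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = Per-Second Jobs.
this line is not a syslog message
"""

# IOS message header: %FACILITY-SEVERITY-MNEMONIC: text  (severity 0..7)
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")

# Triage notes taken from the caveat text on this page.
KNOWN = {
    ("C4K_SWITCHINGENGINEMAN", "TCAMINTERRUPT"): ("benign", "CSCsv17545: no impact to performance"),
    ("SIGNATURE", "NOT_PRESENT"): ("action", "run verify /md5 and compare with the signature posted on CCO"),
    ("PM", "PORT_INCONSISTENT"): ("benign", "expected after an SSO switchover; see the UDLD / port-channel caveats"),
    ("C4K_ETHPOE", "POEMICROCONTROLLERWARNING"): ("benign", "informational only; the PoE line card is functioning"),
    ("XDR", "XDRINVALIDHDR"): ("benign", "CSCsi60898: informational during ISSU"),
    ("SYS", "WATCHDOG"): ("escalate", "unexpected reload; resolved in 12.2(50)SG1"),
}

def parse_line(line):
    """Return a record for an IOS syslog line, or None if the line is not one."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    key = (m.group("facility"), m.group("mnemonic"))
    level, note = KNOWN.get(key, ("unknown", "not covered by the caveats on this page"))
    return {"facility": key[0], "severity": int(m.group("severity")), "mnemonic": key[1],
            "text": m.group("text"), "level": level, "note": note}

def triage(log):
    """Return (records, Counter of triage levels, number of unparsed lines)."""
    records, unparsed = [], 0
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            records.append(rec)
    return records, Counter(r["level"] for r in records), unparsed

if __name__ == "__main__":
    recs, counts, skipped = triage(SAMPLE_LOG)
    for r in recs:
        print(f"[{r['level']:8}] {r['facility']}-{r['severity']}-{r['mnemonic']}: {r['note']}")
    print(dict(counts), "unparsed:", skipped)
```

The lookup is keyed on facility and mnemonic rather than on free text, so the variable parts of a message (addresses, slots, filenames) do not affect classification, and the severity digit is kept separately for sorting what the known list does not cover.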
• On a switch running Cisco IOS Release 12.2(50)SG, supplicants authorized on a PVLAN in multi-auth host mode are not moved to an Unauthorized state when the PVLAN is removed. This problem occurs only when a port is configured with PVLAN and 802.1X multi-auth.
Workaround: Shut down, then reopen the interface. (CSCsr58573)

• When you delete and recreate an interface, the tracking process is unable to track its state.
Workaround: Reconfigure tracking on the newly created interface.

• When two MST instances are configured on two switches, MST information is not properly synchronized to the standby on the second switch.
Workaround: None. (CSCsv07019)

• Certain Cisco Trusted Security (CTS) SXP connection configurations may not consistently select the best source IP for each SXP connection.
Caveats d. Invoke manual preemption on a primary edge port to obtain VLAN Load Balancing with the new configuration. (CSCsv69853) • When you remove an SFP+ from a OneX converter in a X2 slot, it takes roughly 45 seconds for the system to recognize this. Any commands during this time will indicate that the SFP+ is still present. Reinserting the SFP+ in another port or inserting another SFP+ in the same port can result in Duplicate Seeprom error message.
• A router may crash when a privilege-level 15 user logs on with the callback or callback-dialstring attribute. This problem is seen on all Catalyst 4500 or 4900 chassis running Cisco IOS Release 12.2(50)SG. The problem occurs when the following conditions are present:
– The router is configured with AAA authentication and authorization.
– The AAA server runs CiscoSecure ACS 2.4.
– The callback or callback-dialstring attribute is configured on the AAA server for the user.
Workaround: None. (CSCso93282)
• During an ISSU upgrade or downgrade from v122_31_sg_throttle to v122_46_sg_throttle, the following error message displays on the console of the active supervisor engine:
Mar 6 03:28:29.140 EST: %COMMON_FIB-3-FIBHWIDBINCONS: An internal software error occurred. Null0 linked to wrong hwidb Null0
Workaround: None.
Workaround: None. (CSCsk52542)
• On rare occasions, if you use an X2 SR transceiver on a WS-X4706-10GE running Cisco IOS Release 12.2(40)SG, you will observe CRC errors after a reload or power cycle when you insert the card or the X2. Workaround: Reinsert the X2. (CSCsk43618)
• When the CPU transmits a .1X packet on an interface that has an egress QoS policy attached, the packet is not matched and exits without any QoS marking actions.
This behavior occurs in a redundant switch when the ACTIVE supervisor engine is running IOS, the STANDBY supervisor engine is in ROMMON, and the STANDBY's ROMMON is upgraded from version 0.34 to a later version. The upgrade process will cause the uplinks on the STANDBY supervisor engine to go down, but the ACTIVE supervisor engine is unaware of this. Workarounds: To resume normal operation, do one of the following:
– Reload both supervisors with the redundancy reload shelf command.
• When a CFM Inward Facing MEP (IFM) is configured on a VLAN that is not allocated on a switch port that is DOWN, the show ethernet cfm maintenance-points local command displays the IFM CC Status as Inactive. When you then allocate the VLAN, the CC status remains Inactive. You only see this symptom if you did not allocate a VLAN before you configured the IFM and then later allocate the same VLAN. Workaround: Unconfigure, then reconfigure the IFM on the port.
Resolved Caveats in Cisco IOS Release 12.2(50)SG
This section lists the resolved caveats in Release 12.2(50)SG:
• After a data device is authorized (with dot1x or MAB) on a port configured with Multi-Domain Authentication (MDA), changing the access VLAN causes traffic loss for this device even if no device is connected on the port. It does not affect the traffic from the voice device connected to the port.
A service policy has to be configured with percentage police, shape, or share values, and the link speed is forced to a specific value. For example:
Policy-map p1
 class-map c1
  police rate percent 10
Workaround: Either use the speed auto 10/100/1000 command or absolute police, shape, or share values rather than percentage values. For example:
Policy-map p1
 class-map c1
  police rate 10 mbps
(CSCsk56877)
• The message “Module M linecard watchdog has expired” appears when the switch boots.
(CSCsq47116)
• Manual Pre-emption is disallowed after you modify a set of blocked VLANs with REP and VLAN load balancing configured. Workaround: Intentionally fail the link between two switches by physically pulling the cable or shutting down the interface. Then, return the links to a normal condition. This is followed by delayed preemption, which you might have already configured.
Single Supervisor Upgrade - Upgrade from Cisco IOS Release 12.2(46)SG to 12.2(50)SG or later
1. While running 12.2(46)SG, save the configuration to a file in bootflash.
Switch# copy running-config bootflash:oldconfig
2. Erase the configuration stored in NVRAM.
Switch# erase nvram:
3. Delete the file containing the ifIndices.
Switch# del nvram:ifIndex-table.gz
4. Reload the switch so that it runs Cisco IOS Release 12.2(44)SG1 or a prior release after reloading.
5.
• Symptoms: Several features within Cisco IOS software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked; transit traffic will not block the interface. Cisco has released free software updates that address this vulnerability.
some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system. In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.
Workaround: Verify that the MAC addresses being transmitted through the system are learned. (CSCef01798)
• After an SSO switchover, you may receive a “PM-4-PORT_INCONSISTENT” error message on the switch console if you enter the shutdown command, then the no shutdown command on the port that is in UDLD error-disable state. This does not affect the switch; the port remains in UDLD error-disable state.
Workaround: None. (CSCsc11726)
• An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port. This could occur for these reasons:
– A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.
– This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled.
Workaround: Enter the shutdown, then no shutdown commands on the interface after changing the access VLAN on the port. (CSCsk45969)
• When traffic is sent on a VLAN ID higher than 3000, the convergence timing caused by a failure exceeds 225ms. Workaround: None. (CSCsm30320)
• Manual pre-emption is disallowed after you modify a set of blocked VLANs configured with REP and VLAN load balancing.
Dual-sup upgrade (ISSU) - Between 12.2(46)SG and other releases
Follow the ISSU process without any changes. Adhere to the following items during the upgrade:
8. Do not save the configuration file to NVRAM explicitly with write memory or an equivalent command. The issu commitversion command saves the configuration to NVRAM, which restores the ifIndices stored in NVRAM.
9. Do not enter the issu abortversion command during the upgrade process.
Not supported on Supervisor Engine 6-E
• With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with HWCOPP (HW Control Plane Policing). Workaround: None. (CSCso93282)
• The show ip cache verbose flow command does not display the AS path information when netflow aggregation for origin-as is configured. Workaround: None.
When an output service-policy is attached to an interface and the policy is configured to apply DBL on a queue, the flows that are enqueued to the queue are subjected to the DBL algorithm. If one or more flows are classified as belligerent (flows do not back off in response to drops because of congestion in the queue), those flows continue to be classified as belligerent even when DBL is disabled on that queue.
Workaround: None. You cannot explicitly check the trusted boundary state. However, you can indirectly determine this state: the trusted boundary feature determines whether the packet’s COS/DSCP value will be trusted or not. When the interface is not in a trusted state, the COS/DSCP fields are forced to zero on a received packet. A QoS policy exists on that interface that uses that COS/DSCP value for classification.
• When you try to modify the allocated link bandwidth for IPv6 EIGRP using the ipv6 bandwidth-percent eigrp as-number percent command, the supervisor engine reloads. If you enable redundancy, the STANDBY supervisor engine changes to ACTIVE, and the reloaded supervisor engine is set to STANDBY. Workaround: None. (CSCso30051)
• Uplinks go down when you upgrade the ROMMON of a WS-X45-SUP6-E supervisor from version 0.34 to a later version.
The issue is observed only for packets that are logically switched through the switch but are internally controlled such that on egress the system generated by the switch itself. This can happen for certain snooping features like DAI, IGMP snooping, DHCP snooping, and MLD snooping. This can also happen for IPv4/v6 packets with IP options/extension headers that need processing in software. Workaround: None.
• In Cisco IOS Release 12.2(46)SG, if flexlink is applied to a pair of EtherChannels, the flexlink configuration may not be applied after a reboot if the backup EtherChannel is defined after the flexlink configuration. Workaround: Define the backup EtherChannel before applying the flexlink command. (CSCsq13477)
• In Cisco IOS Release 12.
This issue is resolved in 12.2(50)SG. Workaround: Do not use the qos autoqos macro. When a policy-map is shared on more than one target, it should not use any percentage-based actions; police, shape, and bandwidth actions must use absolute values. This requires a different policy-map for each of the four interface speeds supported on the switch - 10M, 100M, 1G, and 10G. So, rather than having a single policy-map as enabled through percentage-based actions, you must create four distinct policy-maps.
Workaround: Ensure that the REP Admin VLAN and the RSPAN destination VLAN differ. (CSCso12495)
• If VLAN load balancing is active, the failure of a segment or the removal of a supervisor engine may cause looping in the REP segment. Workaround: None. (CSCsm61748)
• Not all combinations of features can be simultaneously supported by the hardware.
• When a non-default duplex setting is applied to a FastEthernet interface and you upgrade from Cisco IOS Release 12.2(31)SGA to 12.2(40)SG, the duplex settings on FastEthernet interfaces are lost. The interface reverts to its default duplex setting, and the duplex setting no longer appears in the output of the show running command. Workaround: If non-default duplex settings are in the running configuration, note them prior to upgrading, and reapply them after the upgrade completes.
4. Enter the ipv6 enable command to enable IPv6 on the interfaces.
5. Enter the ipv6 mtu mtu-value command to configure the IPv6 MTU on your interface.
6. Enter the copy running-config startup-config command to save your recovered configuration.
7. Enter the reload command on the switch to return to ROMMON.
8. From ROMMON, enter the confreg command to process the startup config.
9. Reset the switch to resume normal operation.
Class-map: c1 (match-all)
  0 packets  <-------- It stays at '0' despite traffic being received
  Match: access-group name fnacl21
  police: Per-interface
    Conform: 9426560 bytes Exceed: 16573440 bytes
Workaround: Verify that the MAC addresses being transmitted through the system are learned.
Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue
(CSCsc94802)
• To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command. Workaround: None. (CSCsc11726)
• An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port.
Workaround: None. This message is an informational message. (CSCsi60913)
• When performing an ISSU upgrade and the versions of the active and standby supervisor engines differ, the following message is seen in the standby supervisor engine console:
%XDR-6-XDRINVALIDHDR: XDR for client (CEF push) dropped (slots:2 from slot:3 context:145 length:11) due to: invalid context
Workaround: None. This is an informational message.
One feature combination that can trigger this problem is the attempt to combine a QoS policy that matches on CoS bits with an IPv6 ACL configuration that matches on IPv6 source addresses that partially mask in the lower 48 bits of the address. (IPv6 subnets in the /81 to /127 range will also trigger this behavior if IPv6 multicast routing is enabled.) Workaround: Do not configure feature combinations that conflict.
• On rare occasions, if you use an X2 SR transceiver on a WS-X4706-10GE running Cisco IOS Release 12.2(40)SG, you will observe CRC errors after a reload or power cycle when you insert the card or the X2. Workaround: Reinsert the X2. (CSCsk43618)
• Control plane policing applied to DHCP traffic as identified by the system class-maps system-cpp-dhcp-cs, system-cpp-dhcp-sc, and system-cpp-dhcp-ss may not be effective. Workaround: None.
Workaround: Enter the show policy-map interface command to find the actual exceed burst value programmed. (CSCsj44237)
• If burst is not explicitly configured for a single rate policer, the show policy-map command displays an incorrect burst value. Workaround: Enter the show policy-map interface command to find the actual burst value programmed. (CSCsi71036)
• Executing default interface twice on a port configured with the cisco-phone macro displays the back trace.
• When you try to modify the allocated link bandwidth for IPv6 EIGRP using the ipv6 bandwidth-percent eigrp as-number percent command, the supervisor engine reloads. If you enable redundancy, the STANDBY supervisor engine changes to ACTIVE, and the reloaded supervisor engine is set to STANDBY. Workaround: None. (CSCso30051)
• Uplinks go down when upgrading the ROMMON of a WS-X45-SUP6-E supervisor from version 0.34 to a later version.
So, rather than having a single policy-map as enabled through percentage-based actions, you must create four distinct policy-maps. This applies to all shared policy-maps, independent of the direction of the service-policy. (CSCsr12142)
• Attempting to use the nested policy-map feature on Supervisor Engine-6E can cause the switch to reboot. Workaround: Do not use the nested policy-map feature in Cisco IOS Release 12.2(40)SG and 12.2(44)SG.
The affected power supply experiences a temporary shutdown, and power supply redundancy is lost. Power for data and chassis is decremented, and occasionally the linecard(s) shut down. Also, power for PoE will decrement, causing PDs to shut down and reset.
Note: If both units have 110V inputs, they are not affected. (The output current is lower with both 110V input connections; see the Power Supply Calculator on CCO, http://tools.cisco.com/cpc/launch.jsp.)
Workaround: None.
• After an SSO switchover, you may receive a “PM-4-PORT_INCONSISTENT” error message on the switch console if you enter the shutdown command, then the no shutdown command on the port that is in UDLD error-disable state. This does not affect the switch; the port remains in UDLD error-disable state. Re-entering the shutdown command, then the no shutdown command on the same port will ensure that the error message does not reappear. Workaround: None.
• An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port. This could occur for these reasons:
– A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.
– This is also seen if the switch administrator enters the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled.
Workaround: None. This is an informational message. (CSCsi60898)
• If a Cisco IP Phone has a supplicant attached, upon reloading a DUT port configured with MDA and attached to phones and supplicants, the port will not pass traffic. The phone will be in an unknown state. The problem is not observed if the phone is a stand-alone device. Workarounds: Power cycle the Cisco IP phone.
Workaround: Do not configure feature combinations that conflict. Currently the above conflict between QoS policies matching on CoS bits and IPv6 configuration with partial masking of the lower 48 bits of the source address is the only known conflicting feature combination. If matching on CoS bits is required by the QoS policy, architect the IPv6 network using /80 subnets or larger.
Workaround: Provided the queue in question is non-default (queuing actions are not configured in the class-default class of the policy-map), detach and re-attach the service-policy. If this happens on the default queue, modifying and resetting some queuing parameters like bandwidth/shape fixes the issue. (CSCsk62457)
• When an E-series switch encounters either a fan tray failure or a supervisor critical temperature, the chassis shuts off.
• In a policy map, if a queuing class with the bandwidth remaining percent <> command sits before a priority queuing class configuration, the bandwidth remaining percent <> command action is not applied on reload. Workaround: Re-apply the policy-map. (CSCsk75793)
• When the CPU transmits a .1X packet on an interface that has an egress QoS policy attached, the packet is not matched and exits without any QoS marking actions. When a packet is sent to the CPU, it may get sent out on some other interface.
• Executing default interface twice on a port configured with the cisco-phone macro displays the back trace. Workaround: Remove the configuration line by line without entering the default interface command. (CSCsj23103)
• When you enter the show policy-map vlan vlan command, unconditional marking actions that are configured on the VLAN are not shown. Workaround: None. However, if you enter the show policy-map name command, the unconditional marking actions appear.
• Uplinks go down when upgrading the ROMMON of a WS-X45-SUP6-E supervisor from version 0.34 to a later version. This behavior occurs in a redundant switch when the ACTIVE supervisor engine is running IOS, the STANDBY supervisor engine is in ROMMON, and the STANDBY's ROMMON is upgraded from version 0.34 to a later version. The upgrade process will cause the uplinks on the STANDBY supervisor engine to go down, but the ACTIVE supervisor engine is unaware of this.
• Attempting to use the nested policy-map feature on Supervisor Engine-6E can cause the switch to reboot. Workaround: Do not use the nested policy-map feature in Cisco IOS Release 12.2(40)SG and 12.2(44)SG. (CSCsy80664)
• Output IPv6 ACLs with an ACE that matches on the ICMP option fail on a switch. The following conditions may cause a RACL to malfunction:
– The ACL is applied in the output direction of the interface.
– The IPv6 ACL contains an ACE that matches on the ICMP option fields (ICMP Type or ICMP Code).
c. Configure the interface(s) in the portchannel.
• If you configure auto-QoS on a Layer 2 port, change the port to Layer 3, and then remove auto-QoS on the port, the process will not clean up the QoS service policies on the port, because of an inconsistency between when auto-QoS was applied and when it was removed.
(CSCsk70826)
• A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange. Cisco has released free software updates that address this vulnerability. Aside from disabling affected services, there are no available workarounds to mitigate an exploit of this vulnerability. This advisory is posted at http://tools.cisco.
clearwater# show policy-map int FastEthernet3/2
 Service-policy output: p1
  Class-map: c1 (match-all)
   0 packets  <-------- It stays at '0' despite traffic being received
   Match: access-group name fnacl21
   police: Per-interface
    Conform: 9426560 bytes Exceed: 16573440 bytes
Workaround: Verify that the MAC addresses being transmitted through the system are learned.
Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs. For example:
Switch(config)# no monitor session n source cpu queue all rx
Switch(config)# monitor session n source cpu queue
(CSCsc94802)
• To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command. Workaround: None.
• The following error message is seen during an ISSU upgrade from Cisco IOS Release 12.2(31)SGA or 12.2(31)SGA1 to Cisco IOS Release 12.2(37)SG or later images:
%CHKPT-4-INVALID: Invalid checkpoint client ID (189)
Workaround: None. This message is an informational message.
Workaround: None. (CSCsk52542)
• When a non-default duplex setting is applied to a FastEthernet interface and you upgrade from Cisco IOS Release 12.2(31)SGA to 12.2(40)SG, the duplex settings on FastEthernet interfaces are lost. The interface reverts to its default duplex setting, and the duplex setting no longer appears in the output of the show running command.
 auto qos voice trust
 channel-group 10 mode auto
This example applies auto-QoS on a port (g2/1) and subsequently makes the port a member of portchannel (10).
Workaround: Do not make a port with auto-QoS enabled a member of a portchannel.
Workaround: Enter the show policy-map interface command. (CSCsi71036)
• When a queuing policy is attached to a trunk port configured with a per-port per-VLAN QoS policy, the port-level queuing policy is processed as part of a per-VLAN policy and is rejected on bootup. A queuing policy is supported on a physical interface in the output direction only. Workaround: After bootup, reattach a queuing policy on a physical interface.
– The ACL is applied in the output direction of the interface.
– The IPv6 ACL contains an ACE that matches on the ICMP option fields (ICMP Type or ICMP Code).
Here are two examples of such non-functioning RACLs:
IPv6 access list a1
 permit icmp any any nd-ns sequence 10
 deny ipv6 any any sequence 20
IPv6 access list a2
 permit icmp 2020::/96 any nd-ns sequence 10
 deny ipv6 any any sequence 20
Workaround: None. (CSCtc13297)
Resolved Caveats in Cisco IOS Release 12.
Troubleshooting • A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
For example, to set the supervisor engine Ethernet port with an IP address 172.16.1.5 and IP mask 255.255.255.0, enter the following command:
rommon 2> set interface fa1 172.16.1.5 255.255.255.0
d. Set the default gateway for the Ethernet management port on the supervisor engine by entering the following command:
set ip route default gateway_ip_address
The default gateway should be directly connected to the supervisor engine Ethernet management port subnet.
e.
Related Documentation
Although their Release Notes are unique, the four platforms (Catalyst 4500, Catalyst 4900, Catalyst ME 4900, and Catalyst 4900M) use the same Software Configuration Guide, Command Reference Guide, and System Message Guide. Refer to the following home pages for additional information:
• Catalyst 4500 Series Switch Documentation Home http://www.cisco.com/go/cat4500/docs
• Catalyst 4900 Series Switch Documentation Home http://www.cisco.
Notices • Catalyst 4900 release notes are available at: http://www.cisco.com/en/US/products/ps6021/prod_release_notes_list.html • Cisco ME4900 4900 Series Ethernet Switch release notes are available at: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_11511.
OpenSSL/Open SSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit.
Original SSLeay License:
Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html. Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application.
Release Notes for the Catalyst 4500 Series Switch, Cisco IOS Release 12.2(54)SG Copyright © 1999–2011, Cisco Systems, Inc. All rights reserved.