Release Notes for the Catalyst 4900 Series Switch, Cisco IOS Release 12.2(40)SG

Current Release
12.2(40)SG—November 13, 2007

Previous Releases
12.2(37)SG1, 12.2(37)SG, 12.2(31)SGA5, 12.2(31)SGA4, 12.2(31)SGA3, 12.2(31)SGA2, 12.2(31)SGA1, 12.2(31)SGA, 12.2(31)SG3, 12.2(31)SG2, 12.2(31)SG1, 12.2(31)SG, 12.2(25)SG4, 12.2(25)SG3, 12.2(25)SG2, 12.2(25)SG1, 12.2(25)SG, 12.2(25)EWA13, 12.2(25)EWA12, 12.2(25)EWA11, 12.2(25)EWA10, 12.2(25)EWA9, 12.2(25)EWA8, 12.2(25)EWA7, 12.2(25)EWA6, 12.2(25)EWA5, 12.
• Upgrading the System Software
• Limitations and Restrictions
• Caveats
• Troubleshooting
• Related Documentation
• Notices
• Obtaining Documentation, Obtaining Support, and Security Guidelines

Cisco IOS Software Packaging for the Cisco Catalyst 4900 Series

A new Cisco IOS Software package for Cisco Catalyst 4900 Series switches was introduced in Cisco IOS Softwa
Note
• S49ESK9-12237SG—Cisco IOS software for the Catalyst 4900 Series (Enterprise Services image with 3DES) (cat4500-entservicesk9-mz)
• S49IPB-12231SGA—Cisco IOS software for the Catalyst 4900 Series (IP Base image) (cat4500-ipbase-mz)
• S49IPBK9-12231SGA—Cisco IOS software for the Catalyst 4900 Series (IP Base image with Triple Data Encryption Standard (3DES)) (cat4500-ipbasek9-mz)
• S49ES-12231SGA—Cisco IOS software for the Catalys
Catalyst 4900 Series Switch Cisco IOS Release Strategy

• S4KL3E-12220EWA—Cisco IOS software for the Catalyst 4900 series switch, enhanced Layer 3 and voice software image including OSPF, IS-IS, and EIGRP, Release 12.2(20)EWA (cat4000-i5s-mz.122-20.EWA)
• S4KL3K9-12220EWA—Cisco IOS software for the Catalyst 4900 series switch, with 3DES strong encryption, basic Layer 3 and voice software image (SSHv1, SSHv2, RIPv1, RIPv2, static routes, AppleTalk, and IPX), Release 12.2(20)EWA (cat4000-i9k9s-mz.122-20.
System Requirements Figure 1 Software Release Strategy for the Catalyst 4900 Series Switch Summary of Migration Plan • Customers requiring the latest Cisco Catalyst 4900 Series hardware and software features should migrate to Cisco IOS Software Release 12.2(40)SG. • Cisco IOS Software Release 12.2(31)SGA will continue offering maintenance releases. The latest release from the 12.2(31)SGA maintenance train is 12.2(31)SGA4. • Cisco IOS Software Release 12.
Memory Requirements

These are the minimum required memory configurations for Cisco IOS software on the Catalyst 4900 series switch:
• 256-MB SDRAM DIMM
• 64-MB Flash SIMM

Supported Hardware

The following tables list the hardware supported on the Catalyst 4900 series switch.
Table 2 CWDM SFP Supported Wavelengths

Product Number (append with “=” for spares) | Product Description | Minimum Software Release | Recommended Software Release
CWDM-SFP-1530 | Longwave 1530 nm laser single-mode | 12.2(20)EWA | 12.2(31)SGA4
CWDM-SFP-1550 | Longwave 1550 nm laser single-mode | 12.2(20)EWA | 12.2(31)SGA4
CWDM-SFP-1570 | Longwave 1570 nm laser single-mode | 12.2(20)EWA | 12.2(31)SGA4
CWDM-SFP-1590 | Longwave 1590 nm laser single-mode | 12.2(20)EWA | 12.
System Requirements Table 4 Cisco IOS Software Feature Set for the Catalyst 4900 Series Switch (continued) Layer 2 MAC2 learning, aging, and switching by software Unicast MAC address filtering VMPS3 Client Layer 2 hardware forwarding up to 102 Mpps Layer 2 switch ports and VLAN trunks Spanning-Tree Protocol (IEEE 802.1D) per VLAN 802.1s and 802.
System Requirements Table 4 Cisco IOS Software Feature Set for the Catalyst 4900 Series Switch (continued) Auto QoS Match CoS for non-IPV4 traffic CoS Mutation CEF7 load balancing Hardware-based IP CEF routing at 102 Mpps Up to 128,000 IP routes Up to 32,000 IP host entries (Layer 3 adjacencies) Up to 16,000 IP multicast route entries Up to 55,000 unicast entries Multicast flooding suppression for STP changes Software routing of IPX, AppleTalk, and IPv6 IGMPv1, IGMPv2, and IGMPv3 (Full Support) VRF-lite
System Requirements Table 4 Cisco IOS Software Feature Set for the Catalyst 4900 Series Switch (continued) SCP22 GLBP23 EtherChannel Features Cisco EtherChannel technology - 10/100/1000 Mbps, 10 Gbps Load balancing for routed traffic, based on source and destination IP addresses Load sharing for bridged traffic based on MAC addresses ISL on all EtherChannels IEEE 802.
System Requirements Table 4 Cisco IOS Software Feature Set for the Catalyst 4900 Series Switch (continued) SNMP version 3 (with encryption) DHCP server and relay-agent DHCP snooping DHCP client autoconfiguration DHCP Option 82 Pass Through 802.1X port-based authentication 802.1X with port security 802.1X accounting 802.1X with voice VLAN ID30 802.1X private VLAN assignment 802.1X private guest VLAN 802.1X RADIUS-supplied session timeout 802.1X authentication failure VLAN 802.
System Requirements Table 4 Cisco IOS Software Feature Set for the Catalyst 4900 Series Switch (continued) CNA35 EEM36 1. Hardware-based transparent bridging within a VLAN 2. MAC = Media Access Control 3. VMPS = VLAN Management Policy Server 4. Requires the Catalyst 4900 series switch Supervisor Engine V 5. The ip classless command is not supported as classless routing is enabled by default. 6. PBR = policy-based routing 7. CEF = Cisco Express Forwarding 8.
New and Changed Information – DECnet access list – Protocol type-code access list • Cisco IOS software IPX ACLs: – <1200-1299> IPX summary address access list • ADSL and Dial access for IPv6 • AppleTalk EIGRP (use native AppleTalk routing instead) • Bridge groups • Cisco IOS software-based transparent bridging (also called “fallback bridging”) • Connectionless (CLNS) routing; including IS-IS routing for CLNS. IS-IS is supported for IP routing only.
New and Changed Information • New Hardware Features in Release 12.2(25)SG, page 16 • New Software Features in Release 12.2(25)SG, page 16 • New Hardware Features in Release 12.2(25)EWA, page 17 • New Software Features in Release 12.2(25)EWA, page 17 • New Hardware Features in Release 12.2(25)EW, page 18 • New Software Features in Release 12.2(25)EW, page 18 • New Hardware Features in Release 12.2(20)EWA, page 18 • New Software Features in Release 12.
• IP Source Guard for Static Hosts (“Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts” chapter)
• BGP route-map Continue Support for Outbound Policy
  For details, locate the feature entry in the Feature Information Table located toward the end of the "Connecting to a Service Provider Using External BGP" module: http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcg/tbgp_c/t_brbext.
New and Changed Information New Hardware Features in Release 12.2(31)SG There are no new hardware features in Cisco IOS Release 12.2(31)SG. New Software Features in Release 12.2(31)SG Release 12.2(31)SG provides the following Cisco IOS software features for the Catalyst 4900 series switch: Note The following chapter references are for the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.
New and Changed Information • Time Domain Reflectometry (“Checking Port Status and Connectivity” chapter) New Hardware Features in Release 12.2(25)EWA Release 12.
Upgrading the System Software New Hardware Features in Release 12.2(25)EW There are no new hardware features in Release 12.2(25)EW. New Software Features in Release 12.2(25)EW There are no new software features in Cisco IOS Release 12.2(25)EW New Hardware Features in Release 12.2(20)EWA There are no new hardware features in Cisco IOS Release 12.2(20)EWA. New Software Features in Release 12.2(20)EWA Release 12.
Upgrading the System Software • Upgrading the ROMMON Remotely Using Telnet, page 22 • Upgrading the Cisco IOS Software, page 27 Upgrading the ROMMON from the Console Caution To avoid actions that might make your system unable to boot, read this entire section before starting the upgrade. Note The examples in this section use the programmable read-only memory (PROM) upgrade version 12.2(25r)EWA and Cisco IOS Release 12.2(25)EWA.
Upgrading the System Software Proceed with reload? [confirm] 2d11h: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command . ********************************************************** * * * Welcome to Rom Monitor for WS-C4948-10GE System. * * Copyright (c) 1999-2005 by Cisco Systems, Inc. * * All rights reserved. * * * ********************************************************** Rom Monitor Program Version 12.
Upgrading the System Software Beginning erase of 0x100000 bytes at offset 0x3e00000... Beginning write of prom Done! (0x100000 bytes at offset 0x3e00000)... This could take as little as 30 seconds or up to 2 minutes. Please DO NOT RESET! Verifying... Success! The prom has been upgraded successfully. System will reset itself and reboot within few seconds.... Step 7 Boot the Cisco IOS software image, and enter the show version command to verify that ROMMON has been upgraded to 12.2(25r)EWA.
Upgrading the System Software Upgrading the ROMMON Remotely Using Telnet Caution To avoid actions that might make your system unable to boot, read this entire section before starting the upgrade. Follow this procedure to upgrade your supervisor engine ROMMON to Release 12.2(25r)EWA. This procedure can be used when console access is not available and when the ROMMON upgrade must be performed remotely.
Switch# write
Building configuration...
Compressed configuration from 3641 to 1244 bytes [OK]
Switch#

Use the boot system flash bootflash:file_name command to set the BOOT variable. You will use two BOOT commands: one to upgrade the ROMMON and a second to load the Cisco IOS software image after the ROMMON upgrade is complete. Notice the order of the BOOT variables in the example below. At bootup the first BOOT variable command upgrades the ROMMON.
Upgrading the System Software The following example shows the console port output from a successful ROMMON upgrade followed by a system reset. Your Telnet session will be disconnected during the ROMMON upgrade, so you will not see this output. This step could take 2-3 minutes to complete. You will need to reconnect your Telnet session after 2-3 minutes when the Cisco IOS software image and the interfaces are loaded.
Upgrading the System Software System will reset itself and reboot within few seconds.... **** (output truncated) . . . . . ******** The system will autoboot now ******** config-register = 0x102 Autobooting using BOOT variable specified file..... Current BOOT file is --- bootflash:cat4500-ipbase-mz.122-25.EWA Rommon reg: 0x00004180 ########### (output truncated) Exiting to ios...
Upgrading the System Software Cisco IOS Software, Catalyst 4900 L3 Switch Software (cat4500-IPBASE-M), Version 12.2(25)EWA, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by Cisco Systems, Inc. Compiled Wed 17-Aug-05 17:09 by alnguyen Image text-base: 0x10000000, data-base: 0x11269914 ROM: 12.
Upgrading the Cisco IOS Software

Caution To avoid actions that might make your system unable to boot, please read this entire section before starting the upgrade.

Before you proceed, observe the following rules for hostname:
• Do not expect case to be preserved
  Uppercase and lowercase characters look the same to many internet software applications.
6923388 bytes copied in 72.200 secs (96158 bytes/sec)
Switch#

Step 4 Use the no boot system flash bootflash:file_name command to clear the cat4500-ipbase-mz.122-25.EWA file and to save the BOOT variable.

The following example shows how to clear the BOOT variable:

Switch# configure terminal
Switch(config)# no boot system flash bootflash:cat4500-ipbase-mz.122-25.EWA
Switch(config)# exit
Switch# write
Building configuration...
Upgrading the System Software ********************************************************** * * * Welcome to Rom Monitor for WS-C4948-10GE System. * * Copyright (c) 1999-2005 by Cisco Systems, Inc. * * All rights reserved. * * * ********************************************************** Rom Monitor Program Version 12.2(25r)EWA Supervisor: WS-C4948-10GE Chassis: WS-C4948 Hardware Revisions - Board: 8.3 CPLD Gill: 17 MAC Address IP Address Netmask Gateway TftpServer : : : : : 00-0b-fc-ff-3b-ff 10.5.43.
Limitations and Restrictions

The following environment variable(s) are set. Setting these environment variables may cause the system to behave unpredictably.
"DontShipAllowChassisSimulation"
"gdbEnable"
Use 'clear platform environment variable unsupported' to clear these variables.
Limitations and Restrictions – Unnumbered interface and Numbered interface in different VRFs • For WCCP version 2, the following are not supported: – GRE encapsulation forwarding method – Hash bucket based assignment method – Redirection on an egress interface (redirection out) – Redirect-list ACL • For IPX software routing, the following are not supported: – NHRP (Next Hop Resolution Protocol) – NLSP – Jumbo Frames • For AppleTalk software routing, the following are not supported: – AURP – AppleTalk
Limitations and Restrictions • When you attempt to run OSPF between a Cisco router and a third party router, the two interfaces might get stuck in the Exstart/Exchange state. This problem occurs when the maximum transmission unit (MTU) settings for neighboring router interfaces do not match. If the router with the higher MTU sends a packet larger than the MTU set on the neighboring router, the neighboring router ignores the packet.
Limitations and Restrictions If this message appears, check that there is network connectivity between the switch and the ACS. You should also check that the switch has been properly configured as an AAA client on the ACS. • The bgp shutdown command is not supported in BGP router configuration mode. Executing this command might produce unexpected results. • A spurious error message appears when an SSH connection disconnects after an idle timeout. Workaround: Disable idle timeouts.
Limitations and Restrictions – Inactive host bindings will appear in the device tracking table when either a VLAN is associated with another port or a port is removed from a VLAN. So, as hosts are moved across subnets, the hosts are displayed in the device tracking table as INACTIVE. – Autostate SVI does not work on EtherChannel. • After the fix for CSCsg08775, a GARP ACL entry is no longer part of the Static CAM area, but there is still a system-defined GARP class in Control Plane Policing (CPP).
Caveats Note The issue above also applies to IPSG with Static Hosts on a PVLAN Host port. Caveats Caveats describe unexpected behavior in Cisco IOS releases. Caveats listed as open in a prior release are carried forward to the next release as either open or resolved. Note All caveats in Release 12.4 also apply to the corresponding 12.4 E releases. Refer to the Caveats for Cisco IOS Release 12.4 publication at the following URL: http://www.cisco.
Workaround: Re-connect. (CSCsb11964)

• After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.
  This only impacts a switch that has any of the following queues configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
This does not impact performance.
Workaround: Issue the no shutdown command. (CSCsg27395)

• If the ACL of an SVI interface is too large for the TCAM, ARP replies for the associated VLAN may not be processed.
  Workaround: Upgrade to Cisco IOS Release 12.2(31)SG or later and resize the TCAM with the access-list hardware region balance command to support the ACL. Verify TCAM utilization with the show platform hardware acl statistics utilization brief command.
  Class-map: c1 (match-all)
    0 packets <-------- It stays at '0' despite traffic being received
    Match: access-group name fnacl21
    police: Per-interface
      Conform: 9426560 bytes Exceed: 16573440 bytes

Workaround: Verify that the MAC addresses being transmitted through the system are learned.
– Use a different copy protocol.
– Set a longer SSH timeout. (CSCsc94317)

• To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.
  Workaround: None. (CSCsc11726)

• An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port. This could occur for these reasons:
– A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.
Caveats Resolved Caveats in Cisco IOS Release 12.2(37)SG1 This section lists the resolved caveats in Release 12.2(37)SG1: • Cisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of data structures. This feature has been introduced in select Cisco IOS Software releases published after April 5, 2007. The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp: May 17 10:01:27.
Caveats This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml (CSCsd81407) • Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features: – Session Initiation Protocol (SIP) – Media Gateway Control Protocol (MGCP) – Signaling protocols H.323, H.
  Class-map: c1 (match-all)
    0 packets <-------- It stays at '0' despite traffic being received
    Match: access-group name fnacl21
    police: Per-interface
      Conform: 9426560 bytes Exceed: 16573440 bytes

Workaround: Verify that the MAC addresses being transmitted through the system are learned.
– Use a different copy protocol.
– Set a longer SSH timeout. (CSCsc94317)

• To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.
  Workaround: None. (CSCsc11726)

• An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port. This could occur for these reasons:
– A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.
Caveats Resolved Caveats in Cisco IOS Release 12.2(37)SG This section lists the resolved caveats in Release 12.2(37)SG: • Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Caveats Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml. Note Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.
This only impacts a switch that has any of the following queues configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
Caveats Workaround: Remove the IEEE 802.1X configuration from the switch port. (CSCsg10135) • When the same MAC addresses are learned and aged out on different VLANs, the Cat4k Mgmt LoPri process will cause CPU utilization to increase. This does not impact local data switching performance because the LoPri process is of low priority with limited access to the CPU. Workaround: None. (CSCsg76868) • When policing IEEE 802.
Caveats While this problem occurs, traffic drops are displayed under the Dbl-Drop-Queue counter on the output of the show interface counter detail command. Workaround: Disable DBL globally by configuring the no qos dbl command. (CSCsk07525) • When MSDP and OSPF are configured and you issue the no ip routing command, the switch reloads because of memory corruption in one of the pointers used by MSDP. To observe the problem, the MSDP timer must be set to 1.
Caveats Workaround: Verify that the MAC addresses being transmitted through the system are learned. (CSCef01798) • When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up. – If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.
Caveats • To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command. Workaround: None. (CSCsc11726) • An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port. This could occur for these reasons: – A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.
WS-X4548-GB-RJ45V with hardware revision 4.0 is NOT impacted by the problem reported in CSCsf26804; hence, PoE Health Monitor checks are not applicable to the module.
Workaround: None.
This caveat is fixed in the 12.2(25)EWA11 and 12.2(31)SGA4 software releases. Release 12.2(37)SG is the other recommended software release. 12.2(37)SG does not have the fix for CSCsf26804 and hence does not run into CSCsk85158. A linecard replacement is not needed. Do not RMA the module. (CSCsk85158)

• When policing IEEE 802.
Switch# show qos map cos dscp
CoS-DSCP Mapping Table
CoS:   0  1  2  3  4  5  6  7
-------------------------------
DSCP:  0  8 16 26 32 46 48 56

Workaround: None. (CSCsi52529)

• If multiple interfaces in the OSPF area have the same IP address (duplicate IP addresses are present in the network) and the IP address is used as a link-state ID of the network LSA, this network LSA might occur in the OSPF database with a high Age:

Net Link States (Area 100)
Link ID 192.168.22.2 ADV Router 192.168.22.
Caveats • When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up. – If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated. – If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain.
Caveats • An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port. This could occur for these reasons: – A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch. – This is also seen if the switch administrator issues the shutdown and no shutdown commands on an outgoing interface that has IP unnumbered enabled.
This caveat is fixed in the 12.2(25)EWA11 and 12.2(31)SGA4 software releases. Release 12.2(37)SG is the other recommended software release. 12.2(37)SG does not have the fix for CSCsf26804 and hence does not run into CSCsk85158. A linecard replacement is not needed. Do not RMA the module. (CSCsk85158)

Resolved Caveats in Cisco IOS Release 12.2(31)SGA3

This section lists the resolved caveats in Release 12.
  Class-map: c1 (match-all)
    0 packets <-------- It stays at '0' despite traffic being received
    Match: access-group name fnacl21
    police: Per-interface
      Conform: 9426560 bytes Exceed: 16573440 bytes

Workaround: Verify that the MAC addresses being transmitted through the system are learned.
– Use a different copy protocol.
– Set a longer SSH timeout. (CSCsc94317)

• To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.
  Workaround: None. (CSCsc11726)

• An IP redirect may not be sent out if the outgoing interface on a Catalyst 4500 series switch is an IP unnumbered port. This could occur for these reasons:
– A packet requires an IP redirect to an IP unnumbered outgoing port within 3 minutes of booting the Catalyst 4500 series switch.
Caveats • In software releases 12.2(25)EWA10, 12.2(31)SGA2 and 12.2(31)SGA3, PoE Health Monitoring Diagnostic software introduced via CSCsf26804 incorrectly reports PoE errors for module WS-X4548-GB-RJ45V, hardware revision 4.0. (Use the show module command to see the hardware revision of module.) The software reloads the PoE module continuously, and the module will not operate. WS-X4548-GB-RJ45V with hardware revision 4.
Caveats Workaround: Upgrade to Cisco IOS Release 12.2(25)EWA10 or 12.2(31)SGA2. (CSCsi34572) • The server side of the Secure Copy (SCP) implementation in Cisco IOS contains a vulnerability that allows any valid user, regardless of privilege level, to transfer files to and from an IOS device that is configured to be a Secure Copy server. This vulnerability could allow valid users to retrieve or write to any file on the device’s filesystem, including the device’s saved configuration.
• After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.
  This only impacts a switch that has any of the following queues configured as SPAN source in releases prior to 12.2(31)SG and saved to startup-config. The SPAN destination would not get the same traffic after upgrading to 12.2(31)SG and later releases.
Caveats • Gigabit IP phones cannot process IEEE 802.1Q tagged CDP packets when 802.1X is configured on a voice VLAN. This causes the phone to continually register and de-register with Call Manager. 100 Mbps IP phones are not affected. Workaround: Remove the IEEE 802.1X configuration from the switch port. (CSCsg10135) • When the same MAC addresses are learned and aged out on different VLANs, the Cat4k Mgmt LoPri process will cause CPU utilization to increase.
Caveats • If you configure ISIS/IPv6 with the passive-interface default and no passive-interface commands, ISIS IIH advertisements will be sent from such interfaces without the local IPv6 address, preventing the formation of adjacencies. Workaround: Remove passive-interface commands from the router isis configuration. (CSCei21664) • GARP-based protocol packets leak through an STP block, potentially leading to a GARP storm in a redundant topology.
Caveats 1. Interface ACL - Configure and attach an access list to every active router interface configured for IP packet processing. Once enabled, the tftp server in IOS listens by default on all interfaces enabled for IP processing. So, the access list needs to deny traffic to every IP address assigned to an active router interface. 2. Control Plane Policing - Configure and apply a CoPP policy. Note CoPP is only available on certain platforms and IOS release trains.
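The Interface ACL mitigation above only helps if the access list is attached to every active IP interface and denies TFTP to every address those interfaces hold. The following audit is an added example, not part of Cisco's release notes; the sample configuration, ACL number 150 and the function names are assumptions made for illustration.

```python
import re

# Constructed sample running-config (not from the release notes); the addresses
# are documentation ranges and ACL number 150 is an assumption.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip address 198.51.100.1 255.255.255.0 secondary
 ip access-group 150 in
!
interface GigabitEthernet1/1
 no switchport
 ip address 203.0.113.1 255.255.255.252
!
interface GigabitEthernet1/2
 ip address 203.0.113.5 255.255.255.252
 shutdown
!
access-list 150 deny udp any host 192.0.2.1 eq tftp
access-list 150 permit ip any any
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^ +ip address (\d+\.\d+\.\d+\.\d+) \d+\.\d+\.\d+\.\d+")
GROUP_RE = re.compile(r"^ +ip access-group (\S+) in\s*$")
DENY_RE = re.compile(
    r"^access-list (\S+) deny udp any host (\d+\.\d+\.\d+\.\d+) eq (?:tftp|69)\s*$"
)


def parse_interfaces(config):
    """Return {name: {"addresses": [...], "shutdown": bool, "acl_in": str or None}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = {"addresses": [], "shutdown": False, "acl_in": None}
            interfaces[m.group(1)] = current
        elif not line.startswith(" "):
            current = None  # "!" or a global command ends the interface block
        elif current is not None:
            addr, group = ADDR_RE.match(line), GROUP_RE.match(line)
            if addr:
                current["addresses"].append(addr.group(1))  # primary and secondary
            elif group:
                current["acl_in"] = group.group(1)
            elif line.strip() == "shutdown":
                current["shutdown"] = True
    return interfaces


def denied_tftp_hosts(config, acl):
    """Host addresses for which the numbered ACL already denies UDP/69."""
    hosts = set()
    for line in config.splitlines():
        m = DENY_RE.match(line)
        if m and m.group(1) == acl:
            hosts.add(m.group(2))
    return hosts


def audit_tftp_acl(config, acl):
    """Find active IP interfaces the ACL does not protect against TFTP."""
    denied = denied_tftp_hosts(config, acl)
    missing_acl, uncovered = [], []
    for name, iface in parse_interfaces(config).items():
        if iface["shutdown"] or not iface["addresses"]:
            continue  # only active interfaces enabled for IP processing matter
        if iface["acl_in"] != acl:
            missing_acl.append(name)
        uncovered += [a for a in iface["addresses"] if a not in denied]
    # Suggested entries must be placed before the ACL's final permit statement.
    suggested = [f"access-list {acl} deny udp any host {a} eq tftp" for a in uncovered]
    return {"missing_acl": missing_acl, "uncovered": uncovered, "suggested": suggested}


if __name__ == "__main__":
    report = audit_tftp_acl(SAMPLE_CONFIG, "150")
    print("Interfaces without the ACL inbound:", report["missing_acl"])
    print("Addresses not denied for TFTP:", report["uncovered"])
    for entry in report["suggested"]:
        print(entry)
```

The audit covers only the Interface ACL option; a CoPP policy has to be checked separately on platforms that support it.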
Caveats • When you configure a switch with an IEEE 802.1X Failed Authentication VLAN and IEEE 802.1X supplicants use tunneled EAP methods such as PEAP and EAP-TLS for authentication, the switch attempts to send an EAP Success message on the third consecutive failed authentication attempt rather than an EAP Failure message. This results in erratic supplicant and network behavior. Workaround: Either do not use tunneled EAP methods or disable the authentication failed VLAN.
Caveats Note Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Switch(config)# monitor session n source cpu queue
(CSCsc94802)

• If you initiate an SCP copy from the console and it is delayed long enough to cause a timeout, the console is disconnected.
  Workarounds:
– Use a different copy protocol.
– Set a longer SSH timeout. (CSCsc94317)

• To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.
  Workaround: None.
Caveats Workaround: Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information: http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.
  Class-map: c1 (match-all)
    0 packets <-------- It stays at '0' despite traffic being received
    Match: access-group name fnacl21
    police: Per-interface
      Conform: 9426560 bytes Exceed: 16573440 bytes

Workaround: Verify that the MAC addresses being transmitted through the system are learned.
• If you initiate an SCP copy from the console and it is delayed long enough to cause a timeout, the console is disconnected.
  Workarounds:
– Use a different copy protocol.
– Set a longer SSH timeout. (CSCsc94317)

• To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.
  Workaround: None.
Caveats Open Caveats in Cisco IOS Release 12.2(31)SG2 This section lists the open caveats in Cisco IOS Release 12.
QueueID   Old QueueName       New QueueName
13        acl input log       rfp-failure
14        acl input forward   acl input log

Workaround: After upgrading to 12.2(31)SG and later releases, remove the old SPAN source configuration and reconfigure with the new queue names/IDs.
Caveats Resolved Caveats in Cisco IOS Release 12.2(31)SG2 This section lists the resolved caveats in Release 12.2(31)SG2: • The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS contains a vulnerability that can result in a restart of the device or possible remote code execution. NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) feature.
Caveats Workaround: Re-connect. (CSCsb11964) • A Catalyst 4900 series switch clears the mac-add-table notif counters when the feature is disabled. Workaround: Re-connect. (CSCsc31540) • After upgrading to Cisco IOS 12.2(31)SG and later releases, some CPU queues configured as SPAN sources and saved in the startup configuration file do not function as they did in the older software release.
– CSCsd52629/CSCsd34759—VTP version field DoS
– CSCse40078/CSCse47765—Integer Wrap in VTP revision
– CSCsd34855/CSCei54611—Buffer Overflow in VTP VLAN name

Cisco’s statement and further information are available on the Cisco public website at http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml (CSCsd34759)

• The RADIUS attribute 32 is not being sent to the RADIUS server for Cisco IOS Release 12.2(31)SG and beyond.
  Workaround: Downgrade to Cisco IOS Release 12.
• When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up.
– If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated.
– If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain.
• To enable IP CEF if it is disabled by hardware exhaustion, use the ip cef distributed command.
Workaround: None. (CSCsc11726)
• Symptoms: The VTP feature in certain versions of Cisco IOS software may be vulnerable to a crafted packet sent from the local network segment which may lead to denial of service condition.
Conditions: The packets must be received on a trunk enabled port.
Open Caveats in Cisco IOS Release 12.2(25)SG4
This section lists the open caveats in Cisco IOS Release 12.2(25)SG4:
• Changes to console speed are not updated in ROMMON. If a system is reloaded, you will not see a prompt until Cisco IOS software re-starts.
Workaround: None. (CSCee65294)
• On a system reload, some of the QoS policies that had previously loaded into the hardware may fail to load due to limited space.
Caveats • When you issue the ip http secure-server command (or if the system reads it from the startup configuration), the device will check for the existence of a persistent self-signed certificate during boot up. – If such a certificate does not exist and the device's hostname and default_domain have been set, then a persistent self-signed certificate will be generated. – If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain.
Switch# show policy-map int FastEthernet3/2
 Service-policy output: p1
  Class-map: c1 (match-all)
    0 packets<--------It stays at '0' despite of traffic being received
    Match: access-group name fnacl21
    police: Per-interface
      Conform: 9426560 bytes Exceed: 16573440 bytes
Workaround: Verify that the MAC addresses being transmitted through the system are learned.
Resolved Caveats in Cisco IOS Release 12.2(25)SG3
This section lists the resolved caveats in Release 12.2(25)SG3:
• Cisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of data structures. This feature has been introduced in select Cisco IOS Software releases published after April 5, 2007. The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp: May 17 10:01:27.
• QoS policing will fail if you configure more than 1000 policers on a trunk port and you remove some of the VLANs from the trunk port.
Workaround: Use less than 1000 policers. (CSCsa57218)
• When Fast Hellos is configured on an interface through the command ip ospf dead-interval minimal hello-multiplier, the dead-interval can be changed to exceed 1 second with the ip ospf dead-interval keyword.
Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-IPv6-leak.shtml. (CSCef77013)
• The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS contains a vulnerability that can result in a restart of the device or possible remote code execution.
  Class-map: c1 (match-all)
    0 packets<--------It stays at '0' despite of traffic being received
    Match: access-group name fnacl21
    police: Per-interface
      Conform: 9426560 bytes Exceed: 16573440 bytes
Workaround: Verify that the MAC addresses being transmitted through the system are learned. (CSCef01798)
• When changing the access VLAN ID on a sticky port configured with IPSG and voice VLAN, the secure MAC address counter on this port might become negative. This does not impact the system.
Workaround: Disable on interfaces where CDP is not necessary. (CSCse85200)
• Some (or all) CDP neighbors are invisible. It only happens on releases that include the fix for CSCse85200. When turning on "debug cdp even," the following message appears:
CDP-EV: Received item (type : 9) with invalid length 4
Workaround: None.
 Service-policy output: p1
  Class-map: c1 (match-all)
    0 packets<--------It stays at '0' despite of traffic being received
    Match: access-group name fnacl21
    police: Per-interface
      Conform: 9426560 bytes Exceed: 16573440 bytes
Workaround: Verify that the MAC addresses being transmitted through the system are learned. (CSCef01798)
• When changing the access VLAN ID on a sticky port configured with IPSG and voice VLAN, the secure MAC address counter on this port might become negative.
Workaround: Exit, then re-enter interface configuration mode. All commands will be accepted, even after you enter the macro apply command. (CSCsa44632)
• Issuing the no ip flow ingress command will not turn off the collection of switched IP flows.
Workaround: Use the no ip flow ingress command in conjunction with the no ip flow ingress layer2-switched command. (CSCsa67042)
• Modifying a policer may not work if you configure more than 800 policers.
Open Caveats in Cisco IOS Release 12.2(25)EWA12
This section lists the open caveats in Cisco IOS Release 12.2(25)EWA12:
• While configuring Smartport macros via HTTP interactively, a Catalyst 4500 series switch might restart unexpectedly.
Workaround: Provide the entire command sequence in the browser "command" area as if you were entering the commands through the CLI. (CSCei76082)
• A Catalyst 4500 series switch upgrading to IOS versions 12.2(25)EWA or 12.
• On a Catalyst 4948 switch running Cisco IOS Release 12.2(31)SGA, after removing and reinserting the fiber cable into the SFP, the link may not come up immediately.
Workaround: Either remove and reinsert the SFP or issue a shutdown command followed by the no shutdown command on the affected Catalyst 4948 interface.
Caveats Note Do not enable these commands on a production switch unless instructed by Cisco TAC. *Nov 13 address *Nov 13 address *Nov 13 address *Nov 13 address 12:56:32.066 CLT-1: 00:D0:02:2D:38:1A 12:56:34.030 CLT-1: 00:D0:02:2D:38:1A 12:56:34.046 CLT-1: 00:D0:02:2D:38:1A 12:56:34.
• A switch running Cisco IOS Release 12.(25)EWA8 and beyond will send in dot1q tagged cdp packets when dot1x is enabled on a voice VLAN port. This might cause gigabit IP phones to send in packets that are untagged, moving the phone into the data VLAN.
Workaround: Do either of the following:
– Remove dot1x from the port.
– Upgrade the IOS image to Cisco IOS 12.2(31)SGA or later.
Release 12.2(37)SG is another recommended software release. 12.2(37)SG does not have the fix for CSCsf26804 and hence does not run into CSCsk85158. A linecard replacement is not needed. Do not RMA the module. (CSCsk85158)
Resolved Caveats in Cisco IOS Release 12.2(25)EWA10
This section lists the resolved caveats in Cisco IOS Release 12.
Step 2 Determine if the same IP phone works using another line card(s) within the switch.
Step 3 Capture show tech-support and show platform chassis module module.
Step 4 Reset the linecard by issuing hw-module module module reset or by removing and reinserting the line card. Determine if the IP phone receives power from the switch.
Step 5 Capture show tech-support and show platform chassis module module.
Step 6 RMA the line card if the problem persists with RMA.
(CSCsc19259)
Open Caveats in Cisco IOS Release 12.2(25)EWA9
This section lists the open caveats in Cisco IOS Release 12.2(25)EWA9:
• While configuring Smartport macros via HTTP interactively, a Catalyst 4900 series switch might restart unexpectedly.
Workaround: Provide the entire command sequence in the browser "command" area as if you were entering the commands through the CLI. (CSCei76082)
• A Catalyst 4900 series switch upgrading to IOS versions 12.2(25)EWA or 12.
• While either initiating a Secure Shell (SSH) session from a router or copying a file to/from the router via SCP, a router may reload due to software forced crash. Prior to the crash, the router logs a series of %SYS-3-CPUHOG messages and will eventually crash displaying the %SYS-2-WATCHDOG message:
*Mar 29 11:29:35.938: %SYS-3-CPUHOG: Task is running for (128004)msecs, more than (2000)msecs (1426/5),process = Virtual Exec.
Cisco IOS is affected by the following vulnerabilities:
– Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
– Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
– Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.
• A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device. Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device.
– Remove dot1x from the port.
– Upgrade the IOS image to Cisco IOS 12.2(31)SGA or later. (CSCsg10135)
• When hardcoded duplex and speed settings are deleted after an interface shuts down, an "a-" is added to the duplex and speed in the output from the show interface status command. This does not impact performance.
Workaround: Issue the no shutdown command. (CSCsg27395)
• Reconfiguring a heavily-used policy map on a Catalyst 4900 series switch may cause the switch to crash.
Messages such as the following would be seen on the console:
%% Low on memory; try again later
If one of the symptoms is observed, capture an output of the show tech command along with 4-5 snapshots of the following commands (over a 10 minute interval) and open a TAC Service request:
– show plat cpu packet driver
– show plat cpu pack stat
– show platform health
– show mem summary
– show process memory
Workaround: “Move” to Cisco IOS Release 12.2(25)EWA6.
• A Catalyst 4900 series switch running Cisco IOS Release 12.(25)EWA7 will send in dot1q tagged cdp packets when dot1x is enabled on a voice VLAN port. This might cause gigabit IP phones to send in packets that are untagged, moving the phone into the data VLAN.
Workaround: Do either of the following:
– Remove dot1x from the port.
– Upgrade the IOS image to Cisco IOS 12.2(31)SGA or later.
This issue impacts switches running IOS releases including and prior to 12.2(31)SGA and 12.2(25)EWA6.
Workaround: None. (CSCsg03745)
• GARP-based protocol packets leak through the STP block. In a redundant topology, this might lead to a GARP storm.
Workaround: Use Hardware Control Plane Policing (CoPP) to police GARP packets. (CSCsg08775)
• When the clear arp snmp command is sent to a Catalyst 4900 series switch running Cisco IOS Release 12.2(25)EWA4, the switch may reset.
• Applying an ACL that is too large to fit entirely in the TCAM to a Layer 3 interface on a Catalyst 4900 series switch might cause valid ARP replies to be installed incorrectly.
Workaround: Determine which portion of the TCAM is becoming saturated and resize it accordingly.
Open Caveats in Cisco IOS Release 12.2(25)EWA6
This section lists the open caveats in Cisco IOS Release 12.2(25)EWA6:
• While configuring Smartport macros via HTTP interactively, a Catalyst 4900 series switch might restart unexpectedly.
Workaround: Provide the entire command sequence in the browser "command" area as if you were entering the commands through the CLI.
Workaround: Remove the policy-map from the interface and re-configure a new policy-map without this option. (CSCsc97186)
• On a WS-C4948 running Cisco IOS Release 12.2(25)EWA3, you cannot re-set the interface MTU to the default.
Workaround: Return the value of "Global Ethernet MTU" to the previous default value.
Workaround: None (CSCej06004).
• The first multicast packet is dropped.
Workaround: None (CSCsc51906).
• The BOOT variable is not cleared with the no boot system command.
Workaround: Check the variable with the show bootvar command before issuing the write memory command. (CSCeg74620).
• If an interface is set to “not autonegotiate” from SNMP, and an snmp get is done to query the state of the interface, the correct state is returned.
Cisco’s statement and further information are available on the Cisco public website at http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml (CCSCsd34759)
• Symptoms: A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability: http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
Conditions: This DDTS resolves a symptom of CSCec71950.
Open Caveats in Cisco IOS Release 12.2(25)EWA5
This section lists the open caveats in Cisco IOS Release 12.2(25)EWA5:
• QoS policing fails if you configure more than 1000 policers on a trunk port and you remove some of the VLANs from the trunk port.
Workaround: Use less than 1000 policers. (CSCsa57218)
• On a Supervisor Engine V10-GE, when there are a lot of flows in the system, an error message is logged to SYSLOG indicating that the netflow hardware table is full.
Please verify the following problem conditions to confirm the occurrence of this problem:
– Issue the show interface module/port status command; it displays the Connected state
– Issue the show platform hardware interface GigabitEthernet module/port all; it indicates that the MAC state is “Down” and that the rxInReset flag is set to “True”
Workaround: Reload the switch.
Open Caveats in Cisco IOS Release 12.2(25)EWA4
This section lists the open caveats in Cisco IOS Release 12.2(25)EWA4:
• If you enter the default interface command at the interface level, then at the interface configuration level, any command you enter after a macro apply command is not accepted. The Help(?) feature shows only two options: exit and help.
Workaround: Exit, then re-enter interface configuration mode. All commands are accepted, even after you enter the macro apply command.
Workaround: Remove, reconfigure and reinstall policers, or, use less than 800 policers. (CSCsa66422)
• The dot1x default command does not restore the defaults for the dot1x max-reauth-req and dot1x timeout reauth server commands.
Workaround: Restore these default values manually. (CSCeh97513)
• After vty is set to “never,” it cannot be released with the clear line XX command.
Workaround: Reload the system. (CSCei26830)
Note
• Always exit the global configuration mode before a switchover.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml. (CSCei61732)
Open Caveats in Cisco IOS Release 12.2(25)EWA3
This section lists the open caveats in Cisco IOS Release 12.2(25)EWA3:
• Changes to console speed are not updated in ROMMON. If a system is reloaded, you will not see a prompt until Cisco IOS software re-starts.
Workaround: None.
  Class-map: class-default (match-any)
    410 packets
    Match: any
      410 packets
Workaround: Either enter a shutdown/no shutdown on the port or detach and reapply the service policy. (CSCef30883)
• When changing the access VLAN ID on a sticky port configured with IPSG and voice VLAN, the secure MAC address counter on this port might become negative. This does not impact the system.
Workaround: Avoid enabling IPSG on sticky ports that are configured with VVID.
• In rare instances, when you are using MAC ACL-based policers, the packet match counters in show policy-map interface fa6/1 do not show the packets being matched:
Switch# show policy-map int FastEthernet3/2
 Service-policy output: p1
  Class-map: c1 (match-all)
    0 packets<--------It stays at '0' despite of traffic being received
    Match: access-group name fnacl21
    police: Per-interface
      Conform: 9426560 bytes Exceed: 16573440 bytes
Workaround: Verify that the MAC addresses being transmitted through the
Resolved Caveats in Cisco IOS Release 12.2(25)EWA2
This section lists the resolved caveats in Release 12.2(25)EWA2:
• If the switch receives an unlearned source MAC address after a security violation, memory is consumed in creating a security violation-related SNMP trap for each source MAC address. If the switch receives several unlearned source MAC addresses at a very high rate, considerable memory is consumed to ensure that the SNMP traps are generated and sent out correctly.
Workaround: In previous releases of Cisco IOS, CPU utilization was computed incorrectly. This defect has been fixed in Cisco IOS Release 12.2(25)EWA2 resulting in slightly higher CPU utilization being reported under similar load conditions as compared to previous releases. (CSCsb19391) This is not a problem and a workaround is unnecessary.
• A QoS service-policy cannot be attached to a port or VLAN if routing is not configured on the system.
Workaround: Verify that the MAC addresses being transmitted through the system are learned. (CSCef01798)
• If you enter the default interface command at the interface level, then at the interface configuration level, any command you enter after a macro apply command is not accepted. The Help(?) feature will show only two options: exit and help.
Workaround: Exit, then re-enter interface configuration mode. All commands will be accepted, even after you enter the macro apply command.
Caveats For example, the intent of the following command sequence is to drop packets with source or destination IP address 20.4.1.2 on the SPAN destination port Gigabit Ethernet 6/5: Switch(config)# Switch(config)# Switch(config)# Switch(config)# access-list 1 deny 20.4.1.
The removal of NetFlow Feature Acceleration does not affect any other aspects of NetFlow operation, for example Access-list processing. The features are separate and distinct. Cisco Express Forwarding (CEF) supersedes the deprecated NetFlow Feature Acceleration.
  Class-map: c1 (match-all)
    0 packets<--------It stays at '0' despite of traffic being received
    Match: access-group name fnacl21
    police: Per-interface
      Conform: 9426560 bytes Exceed: 16573440 bytes
Workaround: Verify that the MAC addresses being transmitted through the system are learned. (CSCef01798)
• If you enter the default interface command at the interface level, then at the interface configuration level, any command you enter after a macro apply command is not accepted.
Caveats • If you configure a SPAN session and then apply a SPAN ACL filter to the session, the packets that should be dropped according to the ACL definition are still sent out the SPAN destination port. For example, the intent of the following command sequence is to drop packets with source or destination IP address 20.4.1.2 on the SPAN destination port Gigabit Ethernet 6/5: Switch(config)# Switch(config)# Switch(config)# Switch(config)# access-list 1 deny 20.4.1.
• When the access VLAN of an access port is converted into an RSPAN VLAN, the show interface and show interface inactive commands indicate that the interface is up and connected. This problem is strictly cosmetic; the interface is no longer forwarding traffic.
Workaround: None. (CSCsa44090)
• When a Catalyst 4900 series switch exhausts the packet buffers and can no longer receive packets, the Rx-No_pkt_Buff field in the output of the show platform interface all command may not get updated.
Caveats • In rare instances, when you are using MAC ACL-based policers, the packet match counters in show policy-map interface fa6/1 do not show the packets being matched: Switch# show policy-map int FastEthernet3/2 Service-policy output: p1 Class-map: c1 (match-all) 0 packets<--------It stays at '0' despite of traffic being received Match: access-group name fnacl21 police: Per-interface Conform: 9426560 bytes Exceed: 16573440 bytes Workaround: Verify that the MAC addresses being transmitted through the
• When a switchport configured with port security is converted from an access to a promiscuous port, the port security configuration is lost. The show interface command will show that port security is no longer configured.
Workaround: After converting a switchport with port security to a promiscuous port, apply the port security interface command again.
Resolved Caveats in Cisco IOS Release 12.2(20)EWA4
This section lists the resolved caveats in Release 12.2(20)EWA4:
• Some (or all) CDP neighbors are invisible. It only happens on releases that include the fix for CSCse85200. When turning on "debug cdp even," the following message appears:
CDP-EV: Received item (type : 9) with invalid length 4
Workaround: None.
Workaround: Disable idle timeouts. (CSCec30214)
Resolved Caveats in Cisco IOS Release 12.2(20)EWA3
This section lists the resolved caveats in Release 12.2(20)EWA3:
• Through normal software maintenance processes, Cisco is removing deprecated functionality from the OS boot routine. These changes have no impact on system operation or feature availability. (CSCei76358)
Open Caveats in Cisco IOS Release 12.2(20)EWA2
This section lists the open caveats in Cisco IOS Release 12.2(20)EWA2:
• Changes to console speed are not updated in ROMMON.
• A spurious error message appears when an SSH connection disconnects after an idle timeout.
Workaround: Disable idle timeouts. (CSCec30214)
Resolved Caveats in Cisco IOS Release 12.2(20)EWA1
This section lists the resolved caveats in Release 12.2(20)EWA1:
• NetFlow Feature Acceleration has been deprecated and removed from Cisco IOS. The global command ip flow-cache feature-accelerate will no longer be recognized in any IOS configuration.
Resolved Caveats in Cisco IOS Release 12.2(20)EWA
This section lists the resolved caveats in Release 12.2(20)EWA:
• The DHCP snooping database agent has a maximum of 8192 entries. If the number of DHCP bindings learned by the system exceeds this number, the entries in the database agent will be cleared out, the entries in hardware will be retained, and switching will continue. However, upon reload, bindings and connectivity will be lost.
Workaround: None.
Troubleshooting
To boot from ROMMON, perform the following tasks while in ROMMON mode:
a. Ensure that the Ethernet management port is physically connected to the network.
b. Verify that the bootloader environment is not set by entering the unset bootldr command.
c. Set the IP address of the Ethernet management port on the supervisor engine by entering the following command: set interface fa1 ip_address>
Related Documentation
These sections describe the documentation available for the Cisco IOS software for the Catalyst 4900 series switch. These publications consist of hardware and software installation guides, Cisco IOS configuration and command references, system error messages, feature modules, and other publications. Documentation is available electronically or in printed form.
Release 12.2 Documentation Set
The following table describes the contents of the Cisco IOS Release 12.2 software documentation set, which is available in electronic form and orderable in printed form.
Notices Books Major Topics • Cisco IOS Switching Services Configuration Guide • Cisco IOS Switching Services Command Reference • New Features in 12.2-Based Limited Lifetime Releases • New Features in Release 12.2 T • Release Notes (release note and caveat documentation for 12.
Notices 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”. 4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. 5.
Obtaining Documentation, Obtaining Support, and Security Guidelines The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related. 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.
This document is to be used in conjunction with the documents listed in the “Related Documentation” section.