Release Notes for Cisco IOS Release 12.2 SX on the Catalyst 6500 Series MSFC


July 16, 2007


Note This publication applies to these platforms:

CAT6000-MSFC3

CAT6000-MSFC2A (not supported in all releases)

CAT6000-MSFC2 (not supported in all releases)

Use this publication if you are running the Catalyst operating system on the supervisor engine and Cisco IOS Release 12.2 SX on the Multilayer Switch Feature Card (MSFC). If you are running Cisco IOS software on both the supervisor engine and the MSFC, refer to the Release Notes for Cisco IOS Release 12.2 SX on the Catalyst 6500 and Cisco 7600 Supervisor Engine and MSFC publication at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/ol_4164.htm


The most current release notes for Release 12.2 SX are available on Cisco.com at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_1/ol_4563.htm

This publication describes the features, modifications, and caveats for Release 12.2 SX on the Catalyst 6500 series MSFC. For features, modifications, and caveats for the Catalyst operating system, refer to the Catalyst operating system Release Notes at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_4498.htm

Contents

This publication consists of these sections:

Chronological List of Releases

Hierarchical List of Releases

Supported Hardware

Unsupported Hardware

Feature Sets

New Features

Unsupported Features and Commands

Limitations and Restrictions

Caveats

Troubleshooting Information

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

Chronological List of Releases


Note See the "Feature Sets" section for information about which releases are deferred.

See the "Hierarchical List of Releases" section for information about parent releases.


This is a chronological list of the 12.2SX releases for the CAT6000-MSFC3, CAT6000-MSFC2A, and CAT6000-MSFC2 platforms:

16 Jul 2007—Release 12.2(18)SXF10

21 May 2007—Release 12.2(18)SXF9

07 Mar 2007—Release 12.2(18)SXF8

30 Nov 2006—Release 12.2(18)SXF7

22 Sep 2006—Release 12.2(18)SXF6

10 Jul 2006—Release 12.2(18)SXF5

17 Apr 2006—Release 12.2(17d)SXB11a

27 Mar 2006—Release 12.2(18)SXF4

16 Feb 2006—Release 12.2(18)SXF3

20 Jan 2006—Release 12.2(18)SXF2

17 Nov 2005—Release 12.2(17d)SXB11

12 Sep 2005—Release 12.2(18)SXF

16 Aug 2005—Release 12.2(17d)SXB10

21 Jul 2005—Release 12.2(17d)SXB9

02 May 2005—Release 12.2(17d)SXB8

01 Mar 2005—Release 12.2(17d)SXB7

21 Dec 2004—Release 12.2(17d)SXB6

01 Nov 2004—Release 12.2(17d)SXB5

07 Sep 2004—Release 12.2(17d)SXB4

17 Aug 2004—Release 12.2(17d)SXB3

21 Jul 2004—Release 12.2(17d)SXB2

01 Jun 2004—Release 12.2(17d)SXB1

23 Apr 2004—Release 12.2(17a)SX4

22 Apr 2004—Release 12.2(17b)SXA2 (no MSFC3 images)

05 Mar 2004—Release 12.2(17d)SXB (no MSFC3 images)

05 Mar 2004—Release 12.2(17a)SX3 (no MSFC3 images)

29 Jan 2004—Release 12.2(17a)SX2

31 Dec 2003—Release 12.2(17b)SXA (no MSFC3 images)

30 Oct 2003—Release 12.2(17a)SX1

06 Oct 2003—Release 12.2(17a)SX (no MSFC3 images)

01 Jul 2003—Release 12.2(14)SX2

28 May 2003—Release 12.2(14)SX1 (no MSFC3 images)

14 Apr 2003—Release 12.2(14)SX (no MSFC3 images)

Hierarchical List of Releases


Note See the "Feature Sets" section for information about which releases are deferred.


These releases support the hardware listed in the "Supported Hardware" section:

Release 12.2(18)SXF10 (16 Jul 2007)—Rebuild based on Release 12.2(18)SXF9.

Release 12.2(18)SXF9 (21 May 2007)—Rebuild based on Release 12.2(18)SXF8.

Release 12.2(18)SXF8 (07 Mar 2007)—Rebuild based on Release 12.2(18)SXF7.

Release 12.2(18)SXF7 (30 Nov 2006)—Rebuild based on Release 12.2(18)SXF6.

Release 12.2(18)SXF6 (22 Sep 2006)—Rebuild based on Release 12.2(18)SXF5.

Release 12.2(18)SXF5 (10 Jul 2006)—Rebuild based on Release 12.2(18)SXF4.

Release 12.2(18)SXF4 (27 Mar 2006)—Rebuild based on Release 12.2(18)SXF3.

Release 12.2(18)SXF3 (16 Feb 2006)—Rebuild based on Release 12.2(18)SXF2.

Release 12.2(18)SXF2 (20 Jan 2006)—Rebuild based on Release 12.2(18)SXF.

Release 12.2(18)SXF (12 Sep 2005)—Based on Release 12.2(18)SXE3. Includes all fixes in 12.2(18)SXE3, Release 12.2(18)SXD6, and Release 12.2(17d)SXB10.

Release 12.2(17d)SXB11a (17 Apr 2006)—Rebuild based on Release 12.2(17d)SXB11.

Release 12.2(17d)SXB11 (17 Nov 2005)—Rebuild based on Release 12.2(17d)SXB10.

Release 12.2(17d)SXB10 (16 Aug 2005)—Rebuild based on Release 12.2(17d)SXB9.

Release 12.2(17d)SXB9 (21 Jul 2005)—Rebuild based on Release 12.2(17d)SXB8.

Release 12.2(17d)SXB8 (24 Apr 2005)—Rebuild based on Release 12.2(17d)SXB7.

Release 12.2(17d)SXB7 (01 Mar 2005)—Rebuild based on Release 12.2(17d)SXB6.

Release 12.2(17d)SXB6 (21 Dec 2004)—Rebuild based on Release 12.2(17d)SXB5.

Release 12.2(17d)SXB5 (01 Nov 2004)—Rebuild based on Release 12.2(17d)SXB4.

Release 12.2(17d)SXB4 (07 Sep 2004)—Rebuild based on Release 12.2(17d)SXB3.

Release 12.2(17d)SXB3 (17 Aug 2004)—Rebuild based on Release 12.2(17d)SXB2.

Release 12.2(17d)SXB2 (21 Jul 2004)—Rebuild based on Release 12.2(17d)SXB1.

Release 12.2(17d)SXB1 (01 Jun 2004)—Rebuild based on Release 12.2(17d)SXB, Release 12.2(17b)SXA, and Release 12.2(17a)SX4.

Release 12.2(17a)SX4 (23 Apr 2004)—Rebuild based on Release 12.2(17a)SX2.

Release 12.2(17a)SX2 (29 Jan 2004)—Rebuild based on Release 12.2(17a)SX1.

Release 12.2(17a)SX1 (30 Oct 2003)—Rebuild based on Release 12.2(14)SX2 and on Release 12.2(17a).

For information about Release 12.2(17a), refer to these publications on Cisco.com:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/index.htm

Release 12.2(14)SX2 (01 Jul 2003)—Rebuild based on Release 12.2(14)S.

For information about Release 12.2(14)S, refer to these publications on Cisco.com:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/index.htm

For more information about the Cisco IOS software release process, refer to the Cisco IOS Software Releases: Product Bulletin #537 on Cisco.com at this URL:

http://www.cisco.com/warp/public/cc/cisco/mkt/ios/rel/prodlit/537_pp.htm

This publication does not describe features that are available in Release 12.2, Release 12.2 T, Release 12.2 S, or other Release 12.2 early deployment releases.

For a list of the Release 12.2 caveats that apply to Release 12.2 SX, see the "Caveats" section and refer to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/xprn122/index.htm

For a list of the Release 12.2 S caveats that apply to Release 12.2 SX, see the "Caveats" section and refer to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/122srn.htm

For general product information about the Catalyst 6500 series switches, refer to the Catalyst 4000, 5000, and 6000 Family Software Product Bulletin (URL below). For general information about Release 12.2 SX, refer to the Product Bulletin at this URL:

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/

Supported Hardware


Note Refer to the Catalyst 6500 operating system Release Notes for information about the hardware supported by the Catalyst operating system on the Supervisor Engine 720. Refer to this publication:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_4498.htm


CAT6000-MSFC3

CAT6000-MSFC2

Service Modules

FlexWAN and Enhanced FlexWAN Modules

FlexWAN Module Port Adapters

CAT6000-MSFC3


Note With Cisco IOS software Release 12.2(18)SXF and later releases, the minimum MSFC ROMMON version is 12.2(17r)S1. See this document for more information:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_4497.htm


| Product Number (append "=" for spares) | Product Description | Minimum Software Version |
| --- | --- | --- |
| MSFC3 on Supervisor Engine 720-3BXL (WS-SUP720-3BXL) | | |
| Not applicable | Multilayer Switch Feature Card 3 (MSFC3); 64-MB bootflash device; 1-GB DRAM | 12.2(17d)SXB1 |
| MSFC3 on Supervisor Engine 720-3B (WS-SUP720-3B) | | |
| Not applicable | Multilayer Switch Feature Card 3 (MSFC3); 64-MB bootflash device; 512-MB DRAM | 12.2(17d)SXB1 |
| MSFC3 on Supervisor Engine 720 (WS-SUP720) | | |
| Not applicable | Multilayer Switch Feature Card 3 (MSFC3); 64-MB bootflash device; 512-MB DRAM | 12.2(14)SX2 |


CAT6000-MSFC2A

| Product Number (append "=" for spares) | Product Description | Minimum Software Version |
| --- | --- | --- |
| MSFC2A on Supervisor Engine 32 | | |
| Not applicable | Multilayer Switch Feature Card 2A (MSFC2A); 64-MB bootflash device; 256-MB DRAM | |
| | MSFC2A on WS-SUP32-GE | 12.2(17d)SXB8 |
| | MSFC2A on WS-SUP32-10GE | 12.2(17d)SXB9 |


CAT6000-MSFC2

| Product Number (append "=" for spares) | Product Description | Minimum Software Version |
| --- | --- | --- |
| MSFC2 on Supervisor Engine 2 | | |
| Not applicable | Multilayer Switch Feature Card 2 (MSFC2); 32-MB bootflash device; 256-MB DRAM | 12.2(18)SXF |


Service Modules


Note Other service modules are supported on the supervisor engines in Catalyst 6500 operating system software releases. Refer to the Catalyst 6500 operating system Release Notes for more information:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_4498.htm


Content Services Gateway (CSG) Module

Application-Oriented Networking Module

SSL Services Module

Content Switching Module

Content Services Gateway (CSG) Module

| Product ID (append "=" for spares) | Product Description | Minimum Software Version |
| --- | --- | --- |
| WS-SVC-CSG-1 | Content Services Gateway (CSG) Module | |
| | With MSFC3 on Supervisor Engine 720 | 12.2(18)SXF |
| | With MSFC2 on Supervisor Engine 2 | 12.2(17d)SXB1 |

Note

MSFC2A on Supervisor Engine 32 does not support WS-SVC-CSG-1.

WS-SVC-CSG-1 runs its own software—Refer to this publication for more information:

http://www.cisco.com/univercd/cc/td/doc/product/wireless/moblwrls/csg/index.htm

See the WS-SVC-CSG-1 software release notes for information about the minimum required WS-SVC-CSG-1 software version.


Application-Oriented Networking Module

| Product ID (append "=" for spares) | Product Description | Minimum Software Versions |
| --- | --- | --- |
| WS-SVC-AON-1-K9 | Application-Oriented Networking (AON) Module | |
| | With MSFC3 on Supervisor Engine 720 | 12.2(18)SXF |
| | With MSFC2 on Supervisor Engine 2 | 12.2(18)SXF |

Note

MSFC2A on Supervisor Engine 32 does not support WS-SVC-AON-1-K9.

WS-SVC-AON-1-K9 runs its own software—See this publication:

http://www.cisco.com/univercd/cc/td/doc/product/aon/index.htm


SSL Services Module

| Product Number (append "=" for spares) | Product Description | Minimum Software Version |
| --- | --- | --- |
| WS-SVC-SSL-1 | SSL Services Module | |
| | With MSFC3 on Supervisor Engine 720 | 12.2(17a)SX1 |
| | With MSFC2A on Supervisor Engine 32 | 12.2(17d)SXB7 |
| | With MSFC2 on Supervisor Engine 2 | 12.2(18)SXF |


Content Switching Module

| Product Number (append "=" for spares) | Product Description | Minimum Software Version |
| --- | --- | --- |
| WS-X6066-SLB-APC | Content Switching Module | |
| | With MSFC3 on Supervisor Engine 720 | 12.2(17a)SX1 |
| | With MSFC2 on Supervisor Engine 2 | 12.2(18)SXF |

Note MSFC2A on Supervisor Engine 32 does not support WS-X6066-SLB-APC.


FlexWAN and Enhanced FlexWAN Modules

| Product Number (append "=" for spares) | Product Description | Minimum Software Version |
| --- | --- | --- |
| WS-X6582-2PA | Enhanced FlexWAN Module | |
| | With MSFC3 on Supervisor Engine 720 | 12.2(18)SXF |
| | With MSFC2A on Supervisor Engine 32 | 12.2(18)SXF |
| | With MSFC2 on Supervisor Engine 2 | 12.2(18)SXF |
| WS-X6182-2PA | FlexWAN Module | |
| | With MSFC3 on Supervisor Engine 720. Note: Requires software release 8.2(1) or later on the Supervisor Engine 720. | 12.2(17a)SX1 |
| | With MSFC2 on Supervisor Engine 2 | 12.2(18)SXF |

Note

WS-X6182-2PA is not supported with MSFC2A on Supervisor Engine 32.

WS-X6182-2PA and WS-X6582-2PA do not maintain state when an NSF with SSO switchover occurs.


FlexWAN Module Port Adapters

| Product Number (append "=" for spares) | Product Description | Minimum Software Version |
| --- | --- | --- |
| PA-2FE | 2-port Fast Ethernet Port Adapter (supported only in WS-X6582-2PA) | 12.2(18)SXF |
| PA-1FE | 1-port Fast Ethernet Port Adapter (supported only in WS-X6582-2PA) | 12.2(18)SXF |
| PA-POS-1OC3 | 1-port Packet over SONET OC3c/STM1 Port Adapter | 12.2(18)SXF |
| PA-POS-2OC3 | 2-port Packet over SONET OC3c/STM1 | 12.2(17d)SXB1 |
| SFPs for PA-POS-2OC3 | | |
| POM-OC3-MM | Short range, multimode fiber | 12.2(17d)SXB1 |
| POM-OC3-SMIR | Intermediate range, single-mode fiber | 12.2(17d)SXB1 |
| POM-OC3-SMLR | Long range, single-mode fiber | 12.2(17d)SXB1 |
| PA-A6-OC3MM | 1-port ATM OC-3c/STM-1 multimode port adapter, enhanced | 12.2(17d)SXB1 |
| PA-A6-OC3SMI | 1-port ATM OC-3c/STM-1 single-mode (IR) port adapter, enhanced | 12.2(17d)SXB1 |
| PA-A6-OC3SML | 1-port ATM OC-3c/STM-1 single-mode (LR) port adapter, enhanced | 12.2(17d)SXB1 |
| PA-A6-T3 | 1-port ATM DS3 port adapter, enhanced | 12.2(17d)SXB1 |
| PA-A6-E3 | 1-port ATM E3 port adapter, enhanced | 12.2(17d)SXB1 |
| PA-POS-OC3MM, PA-POS-OC3SMI, PA-POS-OC3SML | Packet over SONET (OC-3) | 12.2(17a)SX1 |
| PA-A3-OC3MM, PA-A3-OC3SMI, PA-A3-T3, PA-A3-OC3SML, PA-A3-E3, PA-A3-8T1IMA, PA-A3-8E1IMA | ATM with traffic shaping. Note: These port adapters do not support LANE when installed in the FlexWAN module. | 12.2(17a)SX1 |
| PA-T3, PA-T3+, PA-2T3, PA-2T3+, PA-E3, PA-2E3, PA-MC-T3, PA-MC-E3, PA-MC-2T3+ | T3/E3 (clear-channel and channelized) | 12.2(17a)SX1 |
| PA-4T+, PA-8T-V35, PA-8T-X21, PA-8T-232, PA-MC-2E1/120, PA-MC-8T1, PA-MC-8E1/120, PA-MC-2T1, PA-MC-4T1 | T1/E1 | 12.2(17a)SX1 |
| PA-4E1G/75, PA-4E1G/120 | T1/E1 | 12.2(17a)SX1 |
| PA-MC-8TE1+ | Multichannel T1/E1 8PRI. Note: This port adapter does not support ISDN PRI when installed in the FlexWAN module. | 12.2(17a)SX1 |
| PA-H, PA-2H | HSSI | 12.2(17a)SX1 |
| PA-MC-STM-1 | Multichannel STM-1 | 12.2(17a)SX1 |


Unsupported Hardware

Release 12.2 SX images for the MSFC3, MSFC2A, and MSFC2 do not support:

Optical Service Modules (OSMs)

Shared Port Adapter (SPA) Interface Processors (SIPs)

Shared Port Adapters (SPAs)

Feature Sets

Features Set Guidelines and Restriction

Feature Sets in Release 12.2(18)SXF and Rebuilds

Feature Sets in Release 12.2(17d)SXB Rebuilds

Feature Sets in Release 12.2(17a)SX Rebuilds (Deferred)

Feature Sets in Release 12.2(14)SX Rebuilds (Deferred)

Features Set Guidelines and Restriction

The MSFC3 does not require a bootloader image.

The MSFC2A does not require a bootloader image.

The MSFC2 does not require a bootloader image.

You can boot MSFC3 images from bootflash, sup-disk0, sup-disk1, or sup-bootflash.

You can boot MSFC2A images from bootflash, sup-disk0, or sup-bootdisk.

You can boot MSFC2 images from bootflash, sup-disk0 or sup-bootflash.

The FlexWAN module is not supported with Supervisor Engine 720 and software release 8.1(1).

Release 12.2 SX includes Cisco strong encryption images. Cisco strong encryption images are subject to U.S. and local country export, import, and use laws. The country and class of user eligible to receive and use Cisco encryption solutions are limited. Refer to this URL for more information:

http://www.cisco.com/cgi-bin/Software/Crypto/crypto_main.pl

With releases earlier than Release 12.2(18)SXF, use of the EGP, BGP4, and IS-IS routing protocols requires the additional purchase of the InterDomain Routing Feature License (FR-IRC6).

Many TFTP implementations cannot transfer 16 MB or larger files. To transfer 16 MB or larger files, you might need to use FTP or rcp. Refer to this online publication for procedures:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_c/ffcprt2/fcf008.htm

With releases earlier than Release 12.2(18)SXF, the k9 images support the IPSec Network Security feature (configured with the crypto ipsec command) in software and Secure Shell (SSH) access.

For information about the firewall images, which support Cisco IOS software firewall features, see the "New Features in Release 12.2(14)SX2" section.

Feature Sets in Release 12.2(18)SXF and Rebuilds

These sections describe the feature sets in Release 12.2(18)SXF:

Feature Set Descriptions

MSFC3 Images in Release 12.2(18)SXF and Rebuilds

MSFC2A Images in Release 12.2(18)SXF and Rebuilds

MSFC2 Images in Release 12.2(18)SXF and Rebuilds

Feature Set Descriptions

This section lists all of the features that are unique to each feature set and some of the features that are common to all feature sets. See the "New Features" section for a more complete list of supported features.

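| Feature Name | IP Base | IP Services | Advanced IP Services | Enterprise Services | Advanced Enterprise Services |
| --- | --- | --- | --- | --- | --- |
| Firewall Feature Set | | | | | X |
| TCP Intercept | | | | | X |
| VRF Lite | | X | X | | X |
| DECNet | | | | X | X |
| ISO CLNS | | | | X | X |
| Novell IPX | | | | X | X |
| SLB | | | X | X | X |
| BGP4 | | X | X | X | X |
| MBGP | | X | X | X | X |
| Bidirectional PIM | | X | X | X | X |
| EIGRP | | X | X | X | X |
| IS-IS | | X | X | X | X |
| MSDP | | X | X | X | X |
| NetFlow | | X | X | X | X |
| OSPF | | X | X | X | X |
| PBR | | X | X | X | X |
| EIGRP Stub Routing | X | X | X | X | X |
| HSRP | X | X | X | X | X |
| IGMP | X | X | X | X | X |
| IPSec Triple DES Encryption (3DES) | X | X | X | X | X |
| PIMv1, PIMv2 | X | X | X | X | X |
| RIPv1, RIPv2 | X | X | X | X | X |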

MSFC3 Images in Release 12.2(18)SXF and Rebuilds

These sections describe the MSFC3 images:

MSFC3 Advanced Enterprise Services Feature Set for Release 12.2(18)SXF and Rebuilds

MSFC3 Enterprise Services for Release 12.2(18)SXF and Rebuilds

MSFC3 IP Services Feature Set for Release 12.2(18)SXF and Rebuilds

MSFC3 Advanced Enterprise Services Feature Set for Release 12.2(18)SXF and Rebuilds

Image Filename and Size in Bytes
Description, Platform, and Product ID

c6msfc3-adventerprisek9_wan-mz.122-18.SXF10 (28,281,828)
c6msfc3-adventerprisek9_wan-mz.122-18.SXF9  (28,267,012)
c6msfc3-adventerprisek9_wan-mz.122-18.SXF8  (27,734,680)
c6msfc3-adventerprisek9_wan-mz.122-18.SXF7  (27,724,496)
c6msfc3-adventerprisek9_wan-mz.122-18.SXF6  (27,713,508)
c6msfc3-adventerprisek9_wan-mz.122-18.SXF5  (27,699,032)
c6msfc3-adventerprisek9_wan-mz.122-18.SXF4  (27,006,156)
c6msfc3-adventerprisek9_wan-mz.122-18.SXF3  (27,000,984)
c6msfc3-adventerprisek9_wan-mz.122-18.SXF2  (26,998,920)
c6msfc3-adventerprisek9_wan-mz.122-18.SXF   (26,911,924)

Note This is a limited-access strong encryption image.

IOS ADVANCED ENTERPRISE SERVICES SSH
CAT6000-MSFC3: SM3AEK9-12218SXF


MSFC3 Enterprise Services for Release 12.2(18)SXF and Rebuilds

Image Filename and Size in Bytes
Description, Platform, and Product ID

c6msfc3-entservicesk9_wan-mz.122-18.SXF10 (28,281,688)
c6msfc3-entservicesk9_wan-mz.122-18.SXF9  (28,267,744)
c6msfc3-entservicesk9_wan-mz.122-18.SXF8  (27,734,436)
c6msfc3-entservicesk9_wan-mz.122-18.SXF7  (27,724,752)
c6msfc3-entservicesk9_wan-mz.122-18.SXF6  (27,713,420)
c6msfc3-entservicesk9_wan-mz.122-18.SXF5  (27,699,232)
c6msfc3-entservicesk9_wan-mz.122-18.SXF4  (27,006,116)
c6msfc3-entservicesk9_wan-mz.122-18.SXF3  (27,002,564)
c6msfc3-entservicesk9_wan-mz.122-18.SXF2  (26,998,840)
c6msfc3-entservicesk9_wan-mz.122-18.SXF   (26,911,164)

Note This is a limited-access strong encryption image.

IOS ENTERPRISE SERVICES SSH
CAT6000-MSFC3: SM3ESK9-12218SXF


MSFC3 IP Services Feature Set for Release 12.2(18)SXF and Rebuilds

Image Filename and Size in Bytes
Description, Platform, and Product ID

c6msfc3-ipservicesk9_wan-mz.122-18.SXF10 (28,280,532)
c6msfc3-ipservicesk9_wan-mz.122-18.SXF9  (28,267,992)
c6msfc3-ipservicesk9_wan-mz.122-18.SXF8  (27,734,000)
c6msfc3-ipservicesk9_wan-mz.122-18.SXF7  (27,724,560)
c6msfc3-ipservicesk9_wan-mz.122-18.SXF6  (27,711,892)
c6msfc3-ipservicesk9_wan-mz.122-18.SXF5  (27,698,668)
c6msfc3-ipservicesk9_wan-mz.122-18.SXF4  (27,006,316)
c6msfc3-ipservicesk9_wan-mz.122-18.SXF3  (27,001,568)
c6msfc3-ipservicesk9_wan-mz.122-18.SXF2  (26,999,288)
c6msfc3-ipservicesk9_wan-mz.122-18.SXF   (26,912,632)

Note This is a limited-access strong encryption image.

IOS IP SERVICES SSH
CAT6000-MSFC3: SM3ISK9-12218SXF

c6msfc3-ipservices_wan-mz.122-18.SXF10 (27,165,200)
c6msfc3-ipservices_wan-mz.122-18.SXF9  (27,153,120)
c6msfc3-ipservices_wan-mz.122-18.SXF8  (26,645,176)
c6msfc3-ipservices_wan-mz.122-18.SXF7  (26,635,212)
c6msfc3-ipservices_wan-mz.122-18.SXF6  (26,624,144)
c6msfc3-ipservices_wan-mz.122-18.SXF5  (26,611,988)
c6msfc3-ipservices_wan-mz.122-18.SXF4  (25,911,072)
c6msfc3-ipservices_wan-mz.122-18.SXF3  (25,910,120)
c6msfc3-ipservices_wan-mz.122-18.SXF2  (25,906,628)
c6msfc3-ipservices_wan-mz.122-18.SXF   (25,821,508)

IOS IP SERVICES
CAT6000-MSFC3: SM3IS-12218SXF


MSFC2A Images in Release 12.2(18)SXF and Rebuilds

These sections describe the MSFC2A images:

MSFC2A Advanced Enterprise Services Feature Set for Release 12.2(18)SXF and Rebuilds

MSFC2A Enterprise Services for Release 12.2(18)SXF and Rebuilds

MSFC2A IP Services Feature Set for Release 12.2(18)SXF and Rebuilds

MSFC2A IP Base Feature Set for Release 12.2(18)SXF and Rebuilds

MSFC2A Advanced Enterprise Services Feature Set for Release 12.2(18)SXF and Rebuilds

Image Filename and Size in Bytes
Description, Platform, and Product ID

c6msfc2a-adventerprisek9_wan-mz.122-18.SXF10 (18,492,856)
c6msfc2a-adventerprisek9_wan-mz.122-18.SXF9  (18,480,540)
c6msfc2a-adventerprisek9_wan-mz.122-18.SXF8  (17,968,884)
c6msfc2a-adventerprisek9_wan-mz.122-18.SXF7  (17,966,324)
c6msfc2a-adventerprisek9_wan-mz.122-18.SXF6  (17,955,764)
c6msfc2a-adventerprisek9_wan-mz.122-18.SXF5  (17,944,344)
c6msfc2a-adventerprisek9_wan-mz.122-18.SXF4  (17,634,516)
c6msfc2a-adventerprisek9_wan-mz.122-18.SXF3  (17,628,260)
c6msfc2a-adventerprisek9_wan-mz.122-18.SXF2  (17,628,832)
c6msfc2a-adventerprisek9_wan-mz.122-18.SXF   (17,498,136)

Note This is a limited-access strong encryption image.

IOS ADVANCED ENTERPRISE SERVICES SSH
CAT6000-MSFC2A: SM2AAEK9-12218SXF


MSFC2A Enterprise Services for Release 12.2(18)SXF and Rebuilds

Image Filename and Size in Bytes
Description, Platform, and Product ID

c6msfc2a-entservicesk9_wan-mz.122-18.SXF10 (18,493,392)
c6msfc2a-entservicesk9_wan-mz.122-18.SXF9  (18,480,144)
c6msfc2a-entservicesk9_wan-mz.122-18.SXF8  (17,969,000)
c6msfc2a-entservicesk9_wan-mz.122-18.SXF7  (17,966,052)
c6msfc2a-entservicesk9_wan-mz.122-18.SXF6  (17,955,656)
c6msfc2a-entservicesk9_wan-mz.122-18.SXF5  (17,944,904)
c6msfc2a-entservicesk9_wan-mz.122-18.SXF4  (17,634,304)
c6msfc2a-entservicesk9_wan-mz.122-18.SXF3  (17,628,616)
c6msfc2a-entservicesk9_wan-mz.122-18.SXF2  (17,628,420)
c6msfc2a-entservicesk9_wan-mz.122-18.SXF   (17,497,620)

Note This is a limited-access strong encryption image.

IOS ENTERPRISE SERVICES SSH
CAT6000-MSFC2A: SM2AESK9-12218SXF


MSFC2A IP Services Feature Set for Release 12.2(18)SXF and Rebuilds

Image Filename and Size in Bytes
Description, Platform, and Product ID

c6msfc2a-ipservicesk9_wan-mz.122-18.SXF10 (18,492,996)
c6msfc2a-ipservicesk9_wan-mz.122-18.SXF9  (18,480,156)
c6msfc2a-ipservicesk9_wan-mz.122-18.SXF8  (17,968,836)
c6msfc2a-ipservicesk9_wan-mz.122-18.SXF7  (17,965,076)
c6msfc2a-ipservicesk9_wan-mz.122-18.SXF6  (17,954,896)
c6msfc2a-ipservicesk9_wan-mz.122-18.SXF5  (17,945,872)
c6msfc2a-ipservicesk9_wan-mz.122-18.SXF4  (17,633,836)
c6msfc2a-ipservicesk9_wan-mz.122-18.SXF3  (17,627,468)
c6msfc2a-ipservicesk9_wan-mz.122-18.SXF2  (17,627,200)
c6msfc2a-ipservicesk9_wan-mz.122-18.SXF   (17,497,184)

Note This is a limited-access strong encryption image.

IOS IP SERVICES SSH
CAT6000-MSFC2A: SM2AISK9-12218SXF


MSFC2A IP Base Feature Set for Release 12.2(18)SXF and Rebuilds

Image Filename and Size in Bytes
Description, Platform, and Product ID

c6msfc2a-ipbasek9_wan-mz.122-18.SXF10 (18,492,664)
c6msfc2a-ipbasek9_wan-mz.122-18.SXF9  (18,480,472)
c6msfc2a-ipbasek9_wan-mz.122-18.SXF8  (17,968,668)
c6msfc2a-ipbasek9_wan-mz.122-18.SXF7  (17,966,368)
c6msfc2a-ipbasek9_wan-mz.122-18.SXF6  (17,955,480)
c6msfc2a-ipbasek9_wan-mz.122-18.SXF5  (17,943,648)
c6msfc2a-ipbasek9_wan-mz.122-18.SXF4  (17,633,500)
c6msfc2a-ipbasek9_wan-mz.122-18.SXF3  (17,628,244)
c6msfc2a-ipbasek9_wan-mz.122-18.SXF2  (17,627,752)
c6msfc2a-ipbasek9_wan-mz.122-18.SXF   (17,497,584)

Note This is a limited-access strong encryption image.

IOS IP BASE SSH
CAT6000-MSFC2A: SM2AIBK9-12218SXF

c6msfc2a-ipbase_wan-mz.122-18.SXF10 (17,377,028)
c6msfc2a-ipbase_wan-mz.122-18.SXF9  (17,365,520)
c6msfc2a-ipbase_wan-mz.122-18.SXF8  (16,875,736)
c6msfc2a-ipbase_wan-mz.122-18.SXF7  (16,875,072)
c6msfc2a-ipbase_wan-mz.122-18.SXF6  (16,867,004)
c6msfc2a-ipbase_wan-mz.122-18.SXF5  (16,857,904)
c6msfc2a-ipbase_wan-mz.122-18.SXF4  (16,537,380)
c6msfc2a-ipbase_wan-mz.122-18.SXF3  (16,535,088)
c6msfc2a-ipbase_wan-mz.122-18.SXF2  (16,534,280)
c6msfc2a-ipbase_wan-mz.122-18.SXF   (16,407,708)

IOS IP BASE
CAT6000-MSFC2A: SM2AIB-12218SXF


MSFC2 Images in Release 12.2(18)SXF and Rebuilds

These sections describe the MSFC2 images:

MSFC2 Advanced Enterprise Services Feature Set for Release 12.2(18)SXF and Rebuilds

MSFC2 Enterprise Services for Release 12.2(18)SXF and Rebuilds

MSFC2 IP Services Feature Set for Release 12.2(18)SXF and Rebuilds

MSFC2 Advanced Enterprise Services Feature Set for Release 12.2(18)SXF and Rebuilds

Image Filename and Size in Bytes
Description, Platform, and Product ID

c6msfc2-adventerprisek9_wan-mz.122-18.SXF10 (27,687,328)
c6msfc2-adventerprisek9_wan-mz.122-18.SXF9  (27,674,072)
c6msfc2-adventerprisek9_wan-mz.122-18.SXF8  (27,148,800)
c6msfc2-adventerprisek9_wan-mz.122-18.SXF6  (27,127,876)
c6msfc2-adventerprisek9_wan-mz.122-18.SXF5  (27,116,288)
c6msfc2-adventerprisek9_wan-mz.122-18.SXF4  (26,421,828)
c6msfc2-adventerprisek9_wan-mz.122-18.SXF3  (26,417,032)
c6msfc2-adventerprisek9_wan-mz.122-18.SXF2  (26,415,072)
c6msfc2-adventerprisek9_wan-mz.122-18.SXF   (26,329,004)

Note This is a limited-access strong encryption image.

IOS ADVANCED ENTERPRISE SERVICES SSH
CAT6000-MSFC2: SM2AEK9-12218SXF


MSFC2 Enterprise Services for Release 12.2(18)SXF and Rebuilds

Image Filename and Size in Bytes
Description, Platform, and Product ID

c6msfc2-entservicesk9_wan-mz.122-18.SXF10 (27,687,156)
c6msfc2-entservicesk9_wan-mz.122-18.SXF9  (27,674,252)
c6msfc2-entservicesk9_wan-mz.122-18.SXF8  (27,148,396)
c6msfc2-entservicesk9_wan-mz.122-18.SXF7  (27,142,360)
c6msfc2-entservicesk9_wan-mz.122-18.SXF6  (27,126,732)
c6msfc2-entservicesk9_wan-mz.122-18.SXF5  (27,116,052)
c6msfc2-entservicesk9_wan-mz.122-18.SXF4  (26,421,764)
c6msfc2-entservicesk9_wan-mz.122-18.SXF3  (26,417,700)
c6msfc2-entservicesk9_wan-mz.122-18.SXF2  (26,415,520)
c6msfc2-entservicesk9_wan-mz.122-18.SXF   (26,327,936)

Note This is a limited-access strong encryption image.

IOS ENTERPRISE SERVICES SSH
CAT6000-MSFC2: SM2ESK9-12218SXF


MSFC2 IP Services Feature Set for Release 12.2(18)SXF and Rebuilds

Image Filename and Size in Bytes
Description, Platform, and Product ID

c6msfc2-ipservicesk9_wan-mz.122-18.SXF10 (27,687,832)
c6msfc2-ipservicesk9_wan-mz.122-18.SXF9  (27,673,588)
c6msfc2-ipservicesk9_wan-mz.122-18.SXF8  (27,148,864)
c6msfc2-ipservicesk9_wan-mz.122-18.SXF7  (27,142,580)
c6msfc2-ipservicesk9_wan-mz.122-18.SXF6  (27,127,644)
c6msfc2-ipservicesk9_wan-mz.122-18.SXF5  (27,115,620)
c6msfc2-ipservicesk9_wan-mz.122-18.SXF4  (26,420,920)
c6msfc2-ipservicesk9_wan-mz.122-18.SXF3  (26,417,216)
c6msfc2-ipservicesk9_wan-mz.122-18.SXF2  (26,415,852)
c6msfc2-ipservicesk9_wan-mz.122-18.SXF   (26,329,172)

Note This is a limited-access strong encryption image.

IOS IP SERVICES SSH
CAT6000-MSFC2: SM2ISK9-12218SXF

c6msfc2-ipservices_wan-mz.122-18.SXF10 (26,574,184)
c6msfc2-ipservices_wan-mz.122-18.SXF9  (26,562,292)
c6msfc2-ipservices_wan-mz.122-18.SXF8  (26,059,444)
c6msfc2-ipservices_wan-mz.122-18.SXF7  (26,048,608)
c6msfc2-ipservices_wan-mz.122-18.SXF6  (26,039,120)
c6msfc2-ipservices_wan-mz.122-18.SXF5  (26,028,416)
c6msfc2-ipservices_wan-mz.122-18.SXF4  (25,331,480)
c6msfc2-ipservices_wan-mz.122-18.SXF3  (25,327,848)
c6msfc2-ipservices_wan-mz.122-18.SXF2  (25,326,336)
c6msfc2-ipservices_wan-mz.122-18.SXF   (25,242,076)

IOS IP SERVICES
CAT6000-MSFC2: SM2IS-12218SXF


Feature Sets in Release 12.2(17d)SXB Rebuilds

MSFC3 Images in Release 12.2(17d)SXB Rebuilds

MSFC2A Images in Release 12.2(17d)SXB Rebuilds

MSFC3 Images in Release 12.2(17d)SXB Rebuilds

Enterprise Feature Set for Release 12.2(17d)SXB Rebuilds

IP Feature Set for Release 12.2(17d)SXB Rebuilds

Enterprise Feature Set for Release 12.2(17d)SXB Rebuilds

Features

Wire speed Layer 3 switching (routing) for IP (routing protocols include RIPv1, RIPv2, OSPF, IGRP, EIGRP, EGP, BGP4, and IS-IS; multicast routing protocols include PIM version 1 and 2, MBGP/MSDP, IGMP, and RGMP)

IPX routing in software on the MSFC

AppleTalk Phase 1/2, DECnet Phase IV, and VINES routing in software on the MSFC

DECnet Phase V and CLNS/OSI routing in software on the MSFC

MSFC3 Images

Image Filename and Size in Bytes
Platform, Description, and Orderable Product Number
(Installed; append "=" for spare on shippable media.)

Supports FlexWAN, firewall, and SSHv2/3DES:
c6msfc3-jk9o3sv-mz.122-17d.SXB11a (19,874,316)
c6msfc3-jk9o3sv-mz.122-17d.SXB11 (19,873,776)
c6msfc3-jk9o3sv-mz.122-17d.SXB10 (19,875,900)
c6msfc3-jk9o3sv-mz.122-17d.SXB9  (19,870,368)
c6msfc3-jk9o3sv-mz.122-17d.SXB8  (19,869,152)
c6msfc3-jk9o3sv-mz.122-17d.SXB7 (deferred)
c6msfc3-jk9o3sv-mz.122-17d.SXB6 (deferred)
c6msfc3-jk9o3sv-mz.122-17d.SXB5 (deferred)
c6msfc3-jk9o3sv-mz.122-17d.SXB4 (deferred)
c6msfc3-jk9o3sv-mz.122-17d.SXB3 (deferred)
c6msfc3-jk9o3sv-mz.122-17d.SXB2 (deferred)
c6msfc3-jk9o3sv-mz.122-17d.SXB1 (deferred)

Note This is a limited-access Cisco strong encryption image.

CAT6000-MSFC3 IOS ENT FW W/SSH/3DES:
S6M3AK9H-12217SXB

Supports FlexWAN and SSHv2/3DES:
c6msfc3-jk9sv-mz.122-17d.SXB11a (19,681,140)
c6msfc3-jk9sv-mz.122-17d.SXB11 (19,681,080)
c6msfc3-jk9sv-mz.122-17d.SXB10 (19,680,404)
c6msfc3-jk9sv-mz.122-17d.SXB9  (19,676,092)
c6msfc3-jk9sv-mz.122-17d.SXB8  (19,676,772)
c6msfc3-jk9sv-mz.122-17d.SXB7 (deferred)
c6msfc3-jk9sv-mz.122-17d.SXB6 (deferred)
c6msfc3-jk9sv-mz.122-17d.SXB5 (deferred)
c6msfc3-jk9sv-mz.122-17d.SXB4 (deferred)
c6msfc3-jk9sv-mz.122-17d.SXB3 (deferred)
c6msfc3-jk9sv-mz.122-17d.SXB2 (deferred)
c6msfc3-jk9sv-mz.122-17d.SXB1 (deferred)

Note This is a limited-access Cisco strong encryption image.

CAT6000-MSFC3 IOS ENT W/SSH/3DES:
S6M3AK9-12217SXB


IP Feature Set for Release 12.2(17d)SXB Rebuilds

Features

Includes FR-IRC6

Wire speed Layer 2 switching (bridging)

Wire speed Layer 3 switching (routing) for IP (routing protocols include RIPv1, RIPv2, OSPF, IGRP, EIGRP, EGP, BGP4, and IS-IS; multicast routing protocols include PIM version 1 and 2, MBGP/MSDP, IGMP, and RGMP)

MSFC3 Images

Image Filename and Size in Bytes
Platform, Description, and Orderable Product Number
(Installed; append "=" for spare on shippable media.)

Supports FlexWAN and SSHv2/3DES:
c6msfc3-pk9sv-mz.122-17d.SXB11a (18,093,696)
c6msfc3-pk9sv-mz.122-17d.SXB11 (18,092,628)
c6msfc3-pk9sv-mz.122-17d.SXB10 (18,094,720)
c6msfc3-pk9sv-mz.122-17d.SXB9  (18,089,360)
c6msfc3-pk9sv-mz.122-17d.SXB8  (18,089,352)
c6msfc3-pk9sv-mz.122-17d.SXB7 (deferred)
c6msfc3-pk9sv-mz.122-17d.SXB6 (deferred)
c6msfc3-pk9sv-mz.122-17d.SXB5 (deferred)
c6msfc3-pk9sv-mz.122-17d.SXB4 (deferred)
c6msfc3-pk9sv-mz.122-17d.SXB3 (deferred)
c6msfc3-pk9sv-mz.122-17d.SXB2 (deferred)
c6msfc3-pk9sv-mz.122-17d.SXB1 (deferred)

Note This is a limited-access Cisco strong encryption image.

CAT6000-MSFC3 IOS IP W/SSH/3DES:
S6M3ZK9-12217SXB

Supports FlexWAN:
c6msfc3-psv-mz.122-17d.SXB11a (17,083,924)
c6msfc3-psv-mz.122-17d.SXB11 (17,084,108)
c6msfc3-psv-mz.122-17d.SXB10 (17,083,124)
c6msfc3-psv-mz.122-17d.SXB9  (17,081,600)
c6msfc3-psv-mz.122-17d.SXB8  (17,081,760)
c6msfc3-psv-mz.122-17d.SXB7 (deferred)
c6msfc3-psv-mz.122-17d.SXB6 (deferred)
c6msfc3-psv-mz.122-17d.SXB5 (deferred)
c6msfc3-psv-mz.122-17d.SXB4 (deferred)
c6msfc3-psv-mz.122-17d.SXB3 (deferred)
c6msfc3-psv-mz.122-17d.SXB2 (deferred)
c6msfc3-psv-mz.122-17d.SXB1 (deferred)

CAT6000-MSFC3 IOS IP:
S6M3Z-12217SXB


MSFC2A Images in Release 12.2(17d)SXB Rebuilds

IOS Enterprise Services Features Set

IOS IP Services Features Set

IOS IP Base Features Set

IOS Enterprise Services Features Set

Features

Wire speed Layer 3 switching (routing) for IP (routing protocols include RIPv1, RIPv2, OSPF, IGRP, EIGRP, EGP, BGP4, and IS-IS; multicast routing protocols include PIM version 1 and 2, MBGP/MSDP, IGMP, and RGMP)

IPX routing in software on the MSFC

AppleTalk Phase 1/2, DECnet Phase IV, and VINES routing in software on the MSFC

DECnet Phase V and CLNS/OSI routing in software on the MSFC

MSFC2A Images

Image Filename and Size in Bytes
Platform, Description, and Orderable Product Number
(Installed; append "=" for spare on shippable media.)

c6msfc2a-jk9sv-mz.122-17d.SXB11a (22,050,712)
c6msfc2a-jk9sv-mz.122-17d.SXB11 (22,049,656)
c6msfc2a-jk9sv-mz.122-17d.SXB10 (22,051,496)
c6msfc2a-jk9sv-mz.122-17d.SXB9  (22,045,424)
c6msfc2a-jk9sv-mz.122-17d.SXB8  (22,044,528)
c6msfc2a-jk9sv-mz.122-17d.SXB7 (deferred)

Note This is a limited-access Cisco strong encryption image.

CAT6000-MSFC2A IOS ENTERPRISE SERVICES SSH:
SM2AESK9-12217SXB


IOS IP Services Features Set

Features

Includes FR-IRC6

Wire speed Layer 2 switching (bridging)

Wire speed Layer 3 switching (routing) for IP (routing protocols include RIPv1, RIPv2, OSPF, IGRP, EIGRP, EGP, BGP4, and IS-IS; multicast routing protocols include PIM version 1 and 2, MBGP/MSDP, IGMP, and RGMP)

MSFC2A Images

Image Filename and Size in Bytes
Platform, Description, and Orderable Product Number
(Installed; append "=" for spare on shippable media.)

c6msfc2a-pk9sv-mz.122-17d.SXB11a (20,462,668)
c6msfc2a-pk9sv-mz.122-17d.SXB11 (20,462,944)
c6msfc2a-pk9sv-mz.122-17d.SXB10 (20,463,560)
c6msfc2a-pk9sv-mz.122-17d.SXB9  (20,459,468)
c6msfc2a-pk9sv-mz.122-17d.SXB8  (20,458,600)
c6msfc2a-pk9sv-mz.122-17d.SXB7 (deferred)

Note This is a limited-access Cisco strong encryption image.

CAT6000-MSFC2A IOS IP SERVICES SSH:
SM2AIPSK9-12217SXB


IOS IP Base Features Set

Image Filename and Size in Bytes
Platform, Description, and Orderable Product Number
(Installed; append "=" for spare on shippable media.)

c6msfc2a-pk9sv-mz.122-17d.SXB11a (20,462,668)
c6msfc2a-pk9sv-mz.122-17d.SXB11 (20,462,944)
c6msfc2a-pk9sv-mz.122-17d.SXB10 (20,463,560)
c6msfc2a-pk9sv-mz.122-17d.SXB9  (20,459,468)
c6msfc2a-pk9sv-mz.122-17d.SXB8  (20,458,600)
c6msfc2a-pk9sv-mz.122-17d.SXB7 (deferred)

Note This is a limited-access Cisco strong encryption image.

CAT6000-MSFC2A IOS IP BASE SSH:
SM2AIPBK9-12217SXB

c6msfc2a-jsv-mz.122-17d.SXB11a (21,206,444)
c6msfc2a-jsv-mz.122-17d.SXB11 (21,206,516)
c6msfc2a-jsv-mz.122-17d.SXB10 (21,208,712)
c6msfc2a-jsv-mz.122-17d.SXB9  (21,203,152)

CAT6000-MSFC2A IOS IP BASE:
SM2AIPB-12217SXB


Feature Sets in Release 12.2(17a)SX Rebuilds (Deferred)

Release 12.2(17a)SX and rebuilds are deferred.

Feature Sets in Release 12.2(14)SX Rebuilds (Deferred)

Release 12.2(14)SX and rebuilds are deferred.

New Features

These sections describe the new features:

New Features in Release 12.2(18)SXF10

New Features in Release 12.2(18)SXF9

New Features in Release 12.2(18)SXF8

New Features in Release 12.2(18)SXF7

New Features in Release 12.2(18)SXF6

New Features in Release 12.2(18)SXF5

New Features in Release 12.2(18)SXF4

New Features in Release 12.2(18)SXF3

New Features in Release 12.2(18)SXF2

New Features in Release 12.2(18)SXF

New Features in Release 12.2(17d)SXB11a

New Features in Release 12.2(17d)SXB11

New Features in Release 12.2(17d)SXB10

New Features in Release 12.2(17d)SXB9

New Features in Release 12.2(17d)SXB8

New Features in Release 12.2(17d)SXB7

New Features in Release 12.2(17d)SXB6

New Features in Release 12.2(17d)SXB5

New Features in Release 12.2(17d)SXB4

New Features in Release 12.2(17d)SXB3

New Features in Release 12.2(17d)SXB2

New Features in Release 12.2(17d)SXB1

New Features in Release 12.2(17a)SX4

New Features in Release 12.2(17a)SX2

New Features in Release 12.2(17a)SX1

New Features in Release 12.2(14)SX2

Features From Earlier Releases

New Features in Release 12.2(18)SXF10

These sections describe the new features in Release 12.2(18)SXF10, 16 Jul 2007:

New Hardware Features in Release 12.2(18)SXF10

New Software Features in Release 12.2(18)SXF10

New Hardware Features in Release 12.2(18)SXF10

None.

New Software Features in Release 12.2(18)SXF10

None.

New Features in Release 12.2(18)SXF9

These sections describe the new features in Release 12.2(18)SXF9, 21 May 2007:

New Hardware Features in Release 12.2(18)SXF9

New Software Features in Release 12.2(18)SXF9

New Hardware Features in Release 12.2(18)SXF9

None.

New Software Features in Release 12.2(18)SXF9

None.

New Features in Release 12.2(18)SXF8

These sections describe the new features in Release 12.2(18)SXF8, 07 Mar 2007:

New Hardware Features in Release 12.2(18)SXF8

New Software Features in Release 12.2(18)SXF8

New Hardware Features in Release 12.2(18)SXF8

None.

New Software Features in Release 12.2(18)SXF8

None.

New Features in Release 12.2(18)SXF7

These sections describe the new features in Release 12.2(18)SXF7, 30 Nov 2006:

New Hardware Features in Release 12.2(18)SXF7

New Software Features in Release 12.2(18)SXF7

New Hardware Features in Release 12.2(18)SXF7

None.

New Software Features in Release 12.2(18)SXF7

None.

New Features in Release 12.2(18)SXF6

These sections describe the new features in Release 12.2(18)SXF6, 22 Sep 2006:

New Hardware Features in Release 12.2(18)SXF6

New Software Features in Release 12.2(18)SXF6

New Hardware Features in Release 12.2(18)SXF6

None.

New Software Features in Release 12.2(18)SXF6

None.

New Features in Release 12.2(18)SXF5

These sections describe the new features in Release 12.2(18)SXF5, 10 Jul 2006:

New Hardware Features in Release 12.2(18)SXF5

New Software Features in Release 12.2(18)SXF5

New Hardware Features in Release 12.2(18)SXF5

None.

New Software Features in Release 12.2(18)SXF5

None.

New Features in Release 12.2(18)SXF4

These sections describe the new features in Release 12.2(18)SXF4, 27 Mar 2006:

New Hardware Features in Release 12.2(18)SXF4

New Software Features in Release 12.2(18)SXF4

New Hardware Features in Release 12.2(18)SXF4

None.

New Software Features in Release 12.2(18)SXF4

None.

New Features in Release 12.2(18)SXF3

These sections describe the new features in Release 12.2(18)SXF3, 16 Feb 2006:

New Hardware Features in Release 12.2(18)SXF3

New Software Features in Release 12.2(18)SXF3

New Hardware Features in Release 12.2(18)SXF3

None.

New Software Features in Release 12.2(18)SXF3

None.

New Features in Release 12.2(18)SXF2

These sections describe the new features in Release 12.2(18)SXF2, 20 Jan 2006:

New Hardware Features in Release 12.2(18)SXF2

New Software Features in Release 12.2(18)SXF2

New Hardware Features in Release 12.2(18)SXF2

None.

New Software Features in Release 12.2(18)SXF2

None.

New Features in Release 12.2(18)SXF

These sections describe the new features in Release 12.2(18)SXF, 12 Sep 2005:

New Hardware Features in Release 12.2(18)SXF

New Software Features in Release 12.2(18)SXF

New Hardware Features in Release 12.2(18)SXF

Multilayer Switch Feature Card 2 (MSFC2) on Supervisor Engine 2

Enhanced FlexWAN Module with these MSFCs and Supervisor Engines:

MSFC3 on Supervisor Engine 720

MSFC2A on Supervisor Engine 32

MSFC2 on Supervisor Engine 2

2-port Fast Ethernet Port Adapter (supported only in WS-X6582-2PA)

1-port Fast Ethernet Port Adapter (supported only in WS-X6582-2PA)

1-port Packet over SONET OC3c/STM1 Port Adapter

New Software Features in Release 12.2(18)SXF


Note The MSFC2 supports the features introduced in earlier releases for the MSFC3 and MSFC2A.

Software release 8.5(1) introduces hardware acceleration for some MSFC features. When upgrading from software release 8.4(x) to software release 8.5(1), there are no issues with MSFC features that were already configured and running. In addition to NAT, features such as reflexive ACLs and Context Based Access Control (CBAC) can work in hardware as long as there is no flow mask conflict. A feature will work in hardware unless the feature needs a flow mask that is in conflict with another feature such as NDE or QoS microflow policer. (Refer to the Catalyst software release notes for information about NDE and QoS.)

Hardware acceleration is also introduced in software release 8.5(1) for WCCP and TCP intercept. These MSFC features can coexist with NDE if there is no flow mask conflict. The ACL manager attempts to merge the flow mask requirements of different features. The basic idea is to allocate a new flow mask only for a strict flow mask requirement that is incompatible with already allocated flow masks. NDE does not have a strict flow mask requirement, so the flow mask for NDE can be moved up.

To use the hardware acceleration functionality for NAT, if a flow mask has been configured for NDE (enter the show mls command to display flow masks), you need to perform the following steps:

1. Enter the set mls flow null command.

2. The MSFC needs to request a flow mask. This is accomplished by reconfiguring the specific MSFC feature.

NDE will fail if any of the following events occur:

—Hardware-accelerated NAT is enabled.

—Two or more features with conflicting flow masks have been configured on the switch.

Conversely, once NDE is successfully configured, NAT cannot be configured to work in hardware and two different features with conflicting flow mask requirements cannot be configured on the switch.


Nonstop Forwarding with Stateful Switchover (NSF with SSO) redundancy, with support for these NSF with SSO features:

Nonstop Forwarding (NSF) for BGP

Nonstop Forwarding (NSF) for EIGRP

Nonstop Forwarding (NSF) for IS-IS

Nonstop Forwarding (NSF) for OSPF


Note NSF with SSO redundancy is supported with software release 8.5(1) and later releases.

The FlexWAN module (WS-X6182-2PA) and Enhanced FlexWAN module (WS-X6582-2PA) do not maintain state when an NSF with SSO switchover occurs.


Refer to this publication for information about NSF with SSO redundancy:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/confg_gd/nsf_sso.htm

WCCP 2.0 Layer 2 PFC redirection (supported with MSFC3, MSFC2A, and MSFC2)—See this publication:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/wccp.htm

With a PFC3, hardware-assisted TCP intercept—See this publication:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfdenl.htm

With a PFC3, hardware-assisted IP-in-IP tunneling and generic routing encapsulation (GRE) tunneling—The PFC3 supports the following tunnel commands:

tunnel destination

tunnel mode gre

tunnel mode ipip

tunnel source

tunnel ttl

tunnel tos

Other supported types of tunneling run in software on the MSFC3. The PFC3 does not provide hardware acceleration for tunnels configured with the tunnel key command.

The tunnel ttl command (default 255) sets the TTL of encapsulated packets.

The tunnel tos command, if present, sets the ToS byte of a packet when it is encapsulated. If the tunnel tos command is not present and QoS is not enabled, the packet's existing ToS byte is used as the ToS byte when the packet is encapsulated. If the tunnel tos command is not present and QoS is enabled, the packet's ToS byte as modified by PFC QoS is used as the ToS byte when the packet is encapsulated.

To configure GRE Tunneling and IP in IP Tunneling, refer to these publications:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/finter_c/icflogin.htm

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/finter_r/irfshoip.htm

To configure the tunnel tos and tunnel ttl commands, refer to this publication:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s17/12s_tos.htm

Note the following information about tunnels:

Each hardware-assisted tunnel must have a unique source. Hardware-assisted tunnels cannot share a source even if the destinations are different. Use secondary addresses on loopback interfaces or create multiple loopback interfaces. (CSCdy72539)

Each tunnel interface uses one internal VLAN.

Each tunnel interface uses one additional router MAC address entry per router MAC address.

The PFC3A does not support any PFC QoS features on tunnel interfaces.

The PFC3B and PFC3BXL support PFC QoS features on tunnel interfaces.

The PFC3 does not support GRE tunnel encapsulation and de-encapsulation of multicast traffic.

The MSFC supports tunnels configured with egress features on the tunnel interface. Examples of egress features are output Cisco IOS ACLs, NAT and PAT (for inside to outside translation), TCP intercept, context-based access control (CBAC), and encryption.
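The tunnel restrictions above can be checked against a saved configuration before deployment. The following is an added example, not code from Cisco or from these release notes: it flags tunnels that will run in software on the MSFC (a tunnel key or a mode other than GRE or IP-in-IP) and hardware-eligible tunnels that share a source. The sample configuration is constructed, and treating a missing tunnel mode line as GRE, matching interface names exactly as written, and counting only hardware-eligible tunnels toward a shared source are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample configuration for illustration (not from the release notes).
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
 ip address 192.0.2.2 255.255.255.255 secondary
!
interface Tunnel1
 tunnel source Loopback0
 tunnel destination 198.51.100.10
 tunnel mode gre ip
!
interface Tunnel2
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.20
!
interface Tunnel3
 tunnel source 192.0.2.3
 tunnel destination 198.51.100.30
 tunnel key 42
!
interface Tunnel4
 tunnel source 192.0.2.4
 tunnel destination 198.51.100.40
 tunnel mode ipip
!
"""

# Modes the page lists as handled by the PFC3; "gre ip" is the long form of GRE.
HW_MODES = {"gre", "gre ip", "ipip"}
DEFAULT_MODE = "gre ip"  # assumption: GRE when no "tunnel mode" line is present


def parse_interfaces(config):
    """Return {interface_name: [stripped sub-command lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces


def primary_address(lines):
    """Return the primary IPv4 address of an interface (secondary lines are skipped)."""
    for line in lines:
        m = re.match(r"ip address (\S+) \S+$", line)
        if m:
            return m.group(1)
    return None


def audit_tunnels(config):
    """Return sorted (tunnel, finding, detail) tuples for the restrictions on the page."""
    interfaces = parse_interfaces(config)
    by_source = defaultdict(list)
    findings = []
    for name, lines in interfaces.items():
        if not name.lower().startswith("tunnel"):
            continue
        opts = {}
        for line in lines:
            m = re.match(r"tunnel (source|mode|key)\s+(.+)$", line)
            if m:
                opts[m.group(1)] = m.group(2).strip()
        mode = opts.get("mode", DEFAULT_MODE)
        if mode not in HW_MODES:
            findings.append((name, "software-switched", "tunnel mode " + mode))
            continue
        if "key" in opts:
            findings.append((name, "software-switched", "tunnel key configured"))
            continue
        source = opts.get("source")
        if source is None:
            continue
        # A source given as an interface name resolves to that interface's primary
        # address, so "Loopback0" and its literal address count as the same source.
        if source in interfaces:
            source = primary_address(interfaces[source]) or source
        by_source[source].append(name)
    for source, names in by_source.items():
        if len(names) > 1:
            findings.extend((n, "shared-source", source) for n in names)
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_tunnels(SAMPLE_CONFIG):
        print(finding)
```

Moving Tunnel2 to the loopback's secondary address, as the note on unique sources suggests, clears the shared-source finding.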

With a PFC3, hardware-assisted Network Address Translation (NAT) and Port Address Translation (PAT) for IPv4 unicast and multicast traffic—Note the following information about hardware-assisted NAT:

A PFC3A on a Supervisor Engine 720 does not support NAT or PAT for UDP traffic.


Note PFC3B and PFC3BXL modes support NAT and PAT for UDP traffic.


The PFC3 does not support NAT or PAT for multicast traffic.

The PFC3 does not support NAT or PAT configured with a route map that specifies length.

When you configure NAT or PAT and NDE on an interface, the PFC3 sends all traffic in fragmented packets to the MSFC3 to be processed in software. (CSCdz51590)

In software release 8.5(1) and later releases, with a large number of NetFlow entries in the NetFlow table, statistics may not be received by the MSFC if the NAT timeout value expires. The configurable timeout value determines when a translation times out after a period of nonuse. If the NAT timeout value expires, NetFlow entries are dropped resulting in shortcuts needing to be reinstalled. The recommended value for the NAT timer on the MSFC is 600 seconds and is configured using the following commands:

ip nat translation timeout value

ip nat translation tcp-timeout value

ip nat translation udp-timeout value

With the NetFlow table full and a 600 second timeout value configured on the MSFC, there should be no dropped NetFlow entries.

To configure NAT or PAT, refer to the Cisco IOS IP Configuration Guide, Release 12.2, "IP Addressing and Services," "Configuring IP Addressing," "Configuring Network Address Translation," at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfipadr.htm

For information about configuring NAT or PAT with route maps, refer to this publication:

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/1195_pp.htm

To prevent a significant volume of NAT or PAT traffic from being sent to the MSFC, due to either a DoS attack or a misconfiguration, enter the mls rate-limit unicast acl {ingress | egress} command on a VLAN interface, as described in this publication:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_1/msfc_cr/index.htm

(CSCea23296)

ATM VC access trunk emulation—See this publication:

http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/flexport/combo/index.htm

On VLAN interfaces, Multi-VRF for CE Routers (VRF Lite) with IPv4 forwarding between VRF interfaces, IPv4 ACLs, and IPv4 HSRP.


Note Multi-VRF for CE Routers (VRF Lite) with the Supervisor Engine 720 supports multi-VRF CE functionality with EIGRP, OSPF, BGP and RIPv2 routing protocols running on a per VRF basis. Static routes are also supported. Also supported on WAN ports.


Distributed network-based application recognition (dNBAR) on FlexWAN module interfaces—See this publication:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm

ATM Cell Loss Priority (CLP) Setting on FlexWAN module ATM interfaces—See this publication:

http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/flexport/combo/features.htm

Distributed MLPPP (dMLPPP) on FlexWAN module interfaces—See this publication:

http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/flexport/combo/features.htm

Inverse Multiplexing over ATM (IMA) on FlexWAN module interfaces—See this publication:

http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/flexport/combo/features.htm

QoS: ingress shaping on FlexWAN module interfaces—See this publication:

http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/flexport/combo/index.htm

Packet classification based on layer 3 packet length on FlexWAN module interfaces—See this publication:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftmchpkt.htm

Shortcut-consistency checker (requires software release 8.5(1) or later)—The mls ip multicast consistency-check command checks the multicast route table and the multicast-hardware entries for consistency and corrects any inconsistencies. See the Catalyst 6500 Series MSFC Cisco IOS Command Reference, 12.2SX, at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_1/msfc_cr/index.htm

New Features in Release 12.2(17d)SXB11a

These sections describe the new features in Release 12.2(17d)SXB11a, 17 Apr 2006:

New Hardware Features in Release 12.2(17d)SXB11a

New Software Features in Release 12.2(17d)SXB11a

New Hardware Features in Release 12.2(17d)SXB11a

None.

New Software Features in Release 12.2(17d)SXB11a

None.

New Features in Release 12.2(17d)SXB11

These sections describe the new features in Release 12.2(17d)SXB11, 17 Nov 2005:

New Hardware Features in Release 12.2(17d)SXB11

New Software Features in Release 12.2(17d)SXB11

New Hardware Features in Release 12.2(17d)SXB11

None.

New Software Features in Release 12.2(17d)SXB11

None.

New Features in Release 12.2(17d)SXB10

These sections describe the new features in Release 12.2(17d)SXB10, 16 Aug 2005:

New Hardware Features in Release 12.2(17d)SXB10

New Software Features in Release 12.2(17d)SXB10

New Hardware Features in Release 12.2(17d)SXB10

None.

New Software Features in Release 12.2(17d)SXB10

None.

New Features in Release 12.2(17d)SXB9

These sections describe the new features in Release 12.2(17d)SXB9, 21 Jul 2005:

New Hardware Features in Release 12.2(17d)SXB9

New Software Features in Release 12.2(17d)SXB9

New Hardware Features in Release 12.2(17d)SXB9

None.

New Software Features in Release 12.2(17d)SXB9

None.

New Features in Release 12.2(17d)SXB8

These sections describe the new features in Release 12.2(17d)SXB8, 02 May 2005:

New Hardware Features in Release 12.2(17d)SXB8

New Software Features in Release 12.2(17d)SXB8

New Hardware Features in Release 12.2(17d)SXB8

None.

New Software Features in Release 12.2(17d)SXB8

None.

New Features in Release 12.2(17d)SXB7

These sections describe the new features in Release 12.2(17d)SXB7, 01 Mar 2005:

New Hardware Features in Release 12.2(17d)SXB7

New Software Features in Release 12.2(17d)SXB7

New Hardware Features in Release 12.2(17d)SXB7

Initial support for the CAT6000-MSFC2 on the Supervisor Engine 32.

New Software Features in Release 12.2(17d)SXB7

None.


Note The MSFC2A supports the features introduced in earlier releases for the MSFC3.


New Features in Release 12.2(17d)SXB6

These sections describe the new features in Release 12.2(17d)SXB6, 21 Dec 2004:

New Hardware Features in Release 12.2(17d)SXB6

New Software Features in Release 12.2(17d)SXB6

New Hardware Features in Release 12.2(17d)SXB6

None.

New Software Features in Release 12.2(17d)SXB6

None.

New Features in Release 12.2(17d)SXB5

These sections describe the new features in Release 12.2(17d)SXB5, 01 Nov 2004:

New Hardware Features in Release 12.2(17d)SXB5

New Software Features in Release 12.2(17d)SXB5

New Hardware Features in Release 12.2(17d)SXB5

None.

New Software Features in Release 12.2(17d)SXB5

None.

New Features in Release 12.2(17d)SXB4

These sections describe the new features in Release 12.2(17d)SXB4, 07 Sep 2004:

New Hardware Features in Release 12.2(17d)SXB4

New Software Features in Release 12.2(17d)SXB4

New Hardware Features in Release 12.2(17d)SXB4

None.

New Software Features in Release 12.2(17d)SXB4

None.

New Features in Release 12.2(17d)SXB3

These sections describe the new features in Release 12.2(17d)SXB3, 17 Aug 2004:

New Hardware Features in Release 12.2(17d)SXB3

New Software Features in Release 12.2(17d)SXB3

New Hardware Features in Release 12.2(17d)SXB3

None.

New Software Features in Release 12.2(17d)SXB3

None.

New Features in Release 12.2(17d)SXB2

These sections describe the new features in Release 12.2(17d)SXB2, 21 Jul 2004:

New Hardware Features in Release 12.2(17d)SXB2

New Software Features in Release 12.2(17d)SXB2

New Hardware Features in Release 12.2(17d)SXB2

None.

New Software Features in Release 12.2(17d)SXB2

None.

New Features in Release 12.2(17d)SXB1

These sections describe the new features in Release 12.2(17d)SXB1, 01 Jun 2004:

New Hardware Features in Release 12.2(17d)SXB1

New Software Features in Release 12.2(17d)SXB1

New Hardware Features in Release 12.2(17d)SXB1

MSFC3 on Supervisor Engine 720-3BXL (see the "CAT6000-MSFC3" section)

MSFC3 on Supervisor Engine 720-3B (see the "CAT6000-MSFC3" section)

These FlexWAN port adapters:

2-port Packet-over-SONET OC-3c/STM-1 (PA-POS-2OC3)

PA-A6-OC3MM 1-port ATM OC-3c/STM-1 multimode port adapter, enhanced

PA-A6-OC3SMI 1-port ATM OC-3c/STM-1 single-mode (IR) port adapter, enhanced

PA-A6-OC3SML 1-port ATM OC-3c/STM-1 single-mode (LR) port adapter, enhanced

PA-A6-T3 1-port ATM DS3 port adapter, enhanced

PA-A6-E3 1-port ATM E3 port adapter, enhanced

New Software Features in Release 12.2(17d)SXB1

Support for IGMP version 3 snooping with Multicast Multilayer Switching (MMLS) in software release 8.3(1)—Refer to this publication:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_4498.htm

Gateway Load Balancing Protocol (GLBP)—Refer to this publication:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/122snwft/release/122s14/fs_glbp2.htm

Bidirectional Protocol Independent Multicast (PIM) in software—Refer to this publication:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcpt3/1cfbipim.htm

Link Fragmentation and Interleaving (LFI) for Frame Relay and ATM Virtual Circuits on FlexWAN module interfaces—Refer to this publication:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/ftdlfi2.htm

RFC 1889 Compressed Real-Time Protocol (cRTP) on FlexWAN module interfaces—Refer to this publication:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt6/qcfcrtp.htm

Voice over Frame Relay (VoFR) FRF.11 and FRF.12 on FlexWAN module interfaces—Refer to this publication:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fvvfax_c/vvfvofr.htm


Note Because the Catalyst 6500 series switches do not support voice modules, they can act only as a VoFR tandem switch when FRF.11 or FRF.12 is configured on the FlexWAN.


Low Latency Queueing (LLQ) and Class-based Weighted Fair Queueing (CBWFQ) on MLPPP FlexWAN module links—Refer to this publication:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/index.htm

Multilink Frame Relay (FRF.16) on FlexWAN module interfaces—Refer to this publication:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/122snwft/release/122s14/fs_mfr.htm

New Features in Release 12.2(17a)SX4

These sections describe the new features in Release 12.2(17a)SX4, 23 Apr 2004:

New Hardware Features in Release 12.2(17a)SX4

New Software Features in Release 12.2(17a)SX4

New Hardware Features in Release 12.2(17a)SX4

None.

New Software Features in Release 12.2(17a)SX4

None.

New Features in Release 12.2(17a)SX2

These sections describe the new features in Release 12.2(17a)SX2, 29 Jan 2004:

New Hardware Features in Release 12.2(17a)SX2

New Software Features in Release 12.2(17a)SX2

New Hardware Features in Release 12.2(17a)SX2

None.

New Software Features in Release 12.2(17a)SX2

None.

New Features in Release 12.2(17a)SX1

These sections describe the new features in Release 12.2(17a)SX1, 30 Oct 2003:

New Hardware Features in Release 12.2(17a)SX1

New Software Features in Release 12.2(17a)SX1

New Hardware Features in Release 12.2(17a)SX1

FlexWAN module (WS-X6182-2PA)—Refer to this publication for more information:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/flexwan/index.htm

SSL Services Module (WS-SVC-SSL-1)—Refer to this publication for more information:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_3396.htm

Content Switching Module (WS-X6066-SLB-APC)—Refer to these publications:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/78_12569.htm

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/78_14716.htm

New Software Features in Release 12.2(17a)SX1

None.

New Features in Release 12.2(14)SX2

These sections describe the new features in Release 12.2(14)SX2, 01 Jul 2003:

New Hardware Features in Release 12.2(14)SX2

New Software Features in Release 12.2(14)SX2

New Hardware Features in Release 12.2(14)SX2

Initial support of the CAT6000-MSFC3.

New Software Features in Release 12.2(14)SX2

PFC3 hardware support for policy-based routing (PBR) route-map sequences that use the match ip address, set ip next-hop, and set ip default next-hop PBR commands.

To configure PBR, refer to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfpbr.htm


Note If the MSFC address falls within the range of a PBR ACL, traffic addressed to the MSFC is policy routed in hardware instead of being forwarded to the MSFC. To prevent policy routing of traffic addressed to the MSFC, configure PBR ACLs to deny traffic addressed to the MSFC. (CSCse86399)

The PFC3 does not support Unicast RPF check for policy-based routing (PBR) traffic. (CSCea53554)
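The note about PBR ACLs that cover the MSFC address can be turned into a configuration check. The following is an added example, not code from Cisco or from these release notes: it walks each ACL in first-match order and reports the first permit entry that still matches traffic addressed to an MSFC address. The ACL numbers and addresses are constructed; the example assumes the caller supplies only the ACLs referenced by PBR route maps and handles only numbered extended entries with the ip protocol keyword.

```python
import ipaddress
import re

# Constructed sample: one MSFC interface address and three PBR ACLs.
MSFC_ADDRESSES = ["10.1.1.1"]
SAMPLE_ACLS = """\
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
access-list 102 deny ip any host 10.1.1.1
access-list 102 permit ip 10.1.0.0 0.0.255.255 any
access-list 103 deny ip 10.1.2.0 0.0.0.255 host 10.1.1.1
access-list 103 permit ip 10.1.0.0 0.0.255.255 any
"""

MASK32 = 0xFFFFFFFF


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_spec(tokens):
    """Consume one address spec; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, MASK32), tokens[1:]
    if tokens[0] == "host":
        return (_to_int(tokens[1]), 0), tokens[2:]
    return (_to_int(tokens[0]), _to_int(tokens[1])), tokens[2:]


def parse_acls(text):
    """Return {acl_number: [(action, src_spec, dst_spec, original_line)]}."""
    acls = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\d+) (permit|deny) ip (.+)$", line)
        if not m:
            continue
        src, rest = _parse_spec(m.group(3).split())
        dst, _ = _parse_spec(rest)
        acls.setdefault(m.group(1), []).append((m.group(2), src, dst, line))
    return acls


def _matches(spec, addr):
    """True if addr matches base/wildcard (wildcard bits set to 1 are ignored)."""
    base, wild = spec
    return ((base ^ addr) & ~wild & MASK32) == 0


def _subset(inner, outer):
    """True if every address matched by inner is also matched by outer."""
    (a, wa), (b, wb) = inner, outer
    return (wa & ~wb & MASK32) == 0 and ((a ^ b) & ~wb & MASK32) == 0


def msfc_exposure(aces, msfc_addr):
    """Return the first permit entry that matches traffic to msfc_addr, or None."""
    target = _to_int(msfc_addr)
    denied_sources = []
    for action, src, dst, line in aces:
        if not _matches(dst, target):
            continue
        if any(_subset(src, d) for d in denied_sources):
            continue  # an earlier deny already covers every source this entry names
        if action == "deny":
            denied_sources.append(src)
        else:
            return line
    return None  # implicit deny at the end of the ACL


def audit_pbr_acls(text, msfc_addresses):
    """Return {(acl_number, msfc_address): offending permit line}."""
    findings = {}
    for number, aces in parse_acls(text).items():
        for addr in msfc_addresses:
            line = msfc_exposure(aces, addr)
            if line:
                findings[(number, addr)] = line
    return findings


if __name__ == "__main__":
    for key, line in audit_pbr_acls(SAMPLE_ACLS, MSFC_ADDRESSES).items():
        print(key, "->", line)
```

ACL 102 passes because its first entry denies traffic to the MSFC address from any source; ACL 103 is still reported because its deny covers only one source subnet.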


PFC3 hardware support for Unicast Reverse Path Forwarding (RPF) Check—To configure unicast RPF check, see the "Configuring Unicast Reverse Path Forwarding Check" section.

Interior Border Gateway Protocol (IBGP) multipath—Refer to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/122snwft/release/122s14/fsbgpls.htm

Features From Earlier Releases

The standby delay minimum reload interface command configures the delay period before the initialization of HSRP groups. Use the no form of this command to disable the delay period.

This is the syntax of the command:

standby delay minimum [min_delay] reload [reload_delay]
no standby delay minimum [min_delay] reload [reload_delay]

These are the variable parameters:

min_delay—(Optional) Minimum time, in seconds, to delay HSRP group initialization after an interface comes up. This minimum delay period applies to all subsequent interface events.

reload_delay—(Optional) Time, in seconds, to delay after the router has reloaded. This delay period applies only to the first interface-up event after the router has reloaded.

The default minimum delay is 1 second; the default reload delay is 5 seconds.

If the active router fails or is removed from the network, the standby router automatically becomes the new active router. If the former active router comes back online, you can control whether it takes over as the active router by using the standby preempt command.

Even if the standby preempt command is not configured, the former active router resumes the active role after it reloads and comes back online. Use the standby delay minimum reload command to set a delay period for HSRP group initialization. This command provides time for the packets to get through before the router resumes the active role.

We recommend that you use the standby delay minimum reload command if the standby timers command is configured in milliseconds or if HSRP is configured on a VLAN interface of a switch.

In most configurations, the default values provide sufficient time for the packets to get through, and you do not need to configure longer delay values.

The delay is canceled if an HSRP packet is received on an interface.

Support for the mls ip reflect-threshold, mls ip delete-threshold, and mls ip install-threshold commands.

New commands for Protocol Independent Multicast (PIM) scalability and convergence enhancements:

[no] ip multicast rpf interval command

[no] ip multicast rpf triggered {min | max} command

With this command, you can change the periodic polling of the routing tables so that PIM joins are triggered only when there are changes in the routing tables.

Support for RADIUS load balancing and Virtual Private Network (VPN) load balancing.

Single router mode (SRM) redundancy.

Support for source-specific multicast with IGMPv3, IGMP v3lite, and URD. For complete information and procedures, refer to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/dtssm5t.htm

The highest value for the maximum-paths command has been raised from six to eight.

The alt keyword is optional with the standby [group_number] ip [ip_address [secondary]] command. Without the alt keyword, the same HSRP IP address and HSRP group is configured on a given interface for both MSFCs in the chassis. You can enter the alt keyword if desired. If you enter the alt keyword, you must configure the same HSRP IP address on both the designated and nondesignated MSFC.

Secure Shell Version 1 with 3DES encryption. Refer to these URLs:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t1/sshv1.htm

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t3/sshv1c.htm

Mobile IP—Refer to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt1/1cdmobip.htm

Private VLAN support—The following applies to private VLAN support:

Enter the show pvlan command to display information about private VLANs.


Note The show pvlan command displays information about private VLANs only when the primary private VLAN is up.


Entering the set pvlan mapping or the clear pvlan mapping commands on the supervisor engine generates MSFC syslog messages as follows:

%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 101
%PV-6-PV_MSG:Created a private vlan mapping, Primary 200, Secondary 201
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 101

Enter the interface vlan command to configure Layer 3 parameters only for primary private VLANs.

On the supervisor engine, you cannot create isolated or community VLANs using VLAN numbers for which the interface vlan commands have been entered on the MSFC.

ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries. (We recommend that you display and verify private VLAN interface ARP entries.)

For security reasons, private VLAN interface sticky ARP entries do not age out. Connecting new equipment with the same IP address generates a message and the ARP entry is not created.

Because the private VLAN interface ARP entries do not age out, you must manually remove private VLAN interface ARP entries if a MAC address changes.

You can add or remove private VLAN ARP entries manually as follows:

Router(config)# no arp 11.1.3.30
IP ARP:Deleting Sticky ARP entry 11.1.3.30

Router(config)# arp 11.1.3.30 0000.5403.2356 arpa
IP ARP:Overwriting Sticky ARP entry 11.1.3.30, hw:00d0.bb09.266e by hw:0000.5403.2356

Some commands clear and recreate private VLAN mapping as follows:

Router(config)# xns routing
Router(config)#
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 101
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 102
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 103
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 101
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 102
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 103
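Because sticky ARP entries never age out and some commands purge and recreate mappings, the MSFC messages above are worth tracking in collected syslog. The following Python parser is an added example, not Cisco code: the function name, the result keys and the ordering of the sample lines are assumptions, while the message formats are the ones shown above.

```python
import re

# Message formats as they appear in the MSFC output shown above.
PV_RE = re.compile(
    r"%PV-6-PV_MSG:(Created|Purged) a private vlan mapping, "
    r"Primary (\d+), Secondary (\d+)"
)
ARP_OVERWRITE_RE = re.compile(
    r"IP ARP:Overwriting Sticky ARP entry ([\d.]+), "
    r"hw:([0-9a-f.]+) by hw:([0-9a-f.]+)"
)
ARP_DELETE_RE = re.compile(r"IP ARP:Deleting Sticky ARP entry ([\d.]+)")

# Constructed sample: the page's own messages, arranged into one sequence.
SAMPLE_LOG = """\
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 101
%PV-6-PV_MSG:Created a private vlan mapping, Primary 200, Secondary 201
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 101
IP ARP:Deleting Sticky ARP entry 11.1.3.30
IP ARP:Overwriting Sticky ARP entry 11.1.3.30, hw:00d0.bb09.266e by hw:0000.5403.2356
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 101
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 200, Secondary 201
"""


def analyze(lines):
    """Replay syslog lines and report mapping state and sticky ARP changes."""
    active = set()      # (primary, secondary) pairs currently mapped
    purged = set()      # pairs purged and not recreated since
    recreated = []      # pairs that were purged and later created again
    arp_events = []     # manual deletes and overwrites of sticky entries
    for line in lines:
        m = PV_RE.search(line)
        if m:
            pair = (int(m.group(2)), int(m.group(3)))
            if m.group(1) == "Created":
                active.add(pair)
                if pair in purged:
                    purged.discard(pair)
                    recreated.append(pair)
            else:
                active.discard(pair)
                purged.add(pair)
            continue
        m = ARP_OVERWRITE_RE.search(line)
        if m:
            # A MAC change behind a sticky entry: confirm it was intended.
            arp_events.append({
                "ip": m.group(1),
                "action": "overwrite",
                "old_mac": m.group(2),
                "new_mac": m.group(3),
            })
            continue
        m = ARP_DELETE_RE.search(line)
        if m:
            arp_events.append({"ip": m.group(1), "action": "delete"})
    return {
        "active": sorted(active),
        "purged_not_recreated": sorted(purged),
        "recreated": recreated,
        "arp_events": arp_events,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(key, value)
```

A pair listed under purged_not_recreated lost its mapping for good, while a pair under recreated only flapped, as happens with the purge-and-recreate sequence shown above.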

Data-link switching plus (DLSw+)

Configuring Unicast Reverse Path Forwarding Check

Cisco IOS Firewall Feature Set

Local Proxy ARP

Jumbo Frame Feature on the MSFC

ARP on STP Topology Change Notification

Router-Port Group Management Protocol

Configuring Unicast Reverse Path Forwarding Check

These sections describe configuring Cisco IOS Unicast Reverse Path Forwarding Check (unicast RPF check):

Understanding Unicast RPF Check Support

Configuring Unicast RPF Check

Understanding Unicast RPF Check Support

For a complete explanation of how unicast RPF check works, refer to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfrpf.htm

The PFC3 provides hardware support for unicast RPF check of traffic from multiple interfaces.

With strict-method unicast RPF check, the PFC3 supports two parallel paths for all prefixes in the routing table, and up to four parallel paths for prefixes reached through any of four user-configurable RPF interface groups (each interface group can contain four interfaces).

With loose-method unicast RPF check (also known as exist-only method), the PFC3 supports up to eight reverse-path interfaces (the Cisco IOS software is limited to eight reverse paths in the routing table).

There are four methods of performing unicast RPF check in Cisco IOS:

Strict unicast RPF check

Strict unicast RPF check with allow-default

Loose unicast RPF check

Loose unicast RPF check with allow-default

You configure unicast RPF check on a per-interface basis, but the PFC3 supports only one Unicast RPF method for all interfaces that have unicast RPF check enabled. When you configure an interface to use a Unicast RPF method that is different from the currently configured method, all other interfaces in the system that have unicast RPF check enabled use the new method.


Note If you configure unicast RPF check to filter with an ACL, the PFC3 determines whether or not traffic matches the ACL. The PFC3 sends the traffic denied by the RPF ACL to the MSFC for the unicast RPF check. Packets permitted by the ACL are forwarded in hardware without a unicast RPF check.

Because the packets in a denial-of-service attack typically match the deny ACE and are sent to the MSFC for the unicast RPF check, they can overload the MSFC.

The PFC3 provides hardware support for traffic that does not match the unicast RPF check ACL, but that does match an input security ACL.

ACL-based unicast RPF check is processed in software on the MSFC. (CSCdz35099)

The PFC3 does not support unicast RPF check for policy-based routing (PBR) traffic. (CSCea53554)


Configuring Unicast RPF Check

These sections describe how to configure unicast RPF check:

Configuring the Unicast RPF Check Mode

Configuring the Multiple-Path Unicast RPF Check Mode

Enabling Self-Pinging

Configuring the Unicast RPF Check Mode

There are two unicast RPF check modes:

Strict check mode, which verifies that the source IP address exists in the FIB table and verifies that the source IP address is reachable through the input port.

Exist-only check mode, which only verifies that the source IP address exists in the FIB table.


Note The most recently configured mode is automatically applied to all ports configured for unicast RPF check.


To configure unicast RPF check mode, perform this task:

 
Step 1  Command: Router(config)# interface vlan vlan_ID
        Purpose: Selects an interface to configure.
        Note Based on the input interface, unicast RPF check verifies the best return path before forwarding the packet on to the next destination.

Step 2  Command: Router(config-if)# ip verify unicast source reachable-via {rx | any} [allow-default] [list]
        Purpose: Configures the unicast RPF check mode.
        Command: Router(config-if)# no ip verify unicast
        Purpose: Reverts to the default unicast RPF check mode.

Step 3  Command: Router(config-if)# exit
        Purpose: Exits interface configuration mode.

Step 4  Command: Router# show mls cef ip rpf
        Purpose: Verifies the configuration.


Note When you enter the ip verify unicast source reachable-via command, the unicast RPF check mode changes on all ports in the switch.


When configuring the unicast RPF check mode, note the following syntax information:

Use the rx keyword to enable strict check mode.

Use the any keyword to enable exist-only check mode.

Use the allow-default keyword to allow use of the default route for RPF verification.

Use the list option to identify an access list.

If the access list denies network access, spoofed packets are dropped at the port.

If the access list permits network access, spoofed packets are forwarded to the destination address. Forwarded packets are counted in the interface statistics.

If the access list includes the logging action, information about the spoofed packets is sent to the log server.
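The effect of the rx, any, allow-default and list options on a single packet can be modeled directly. The following Python model is an added example, not Cisco code: the FIB contents, interface names and function names are assumptions, and it reproduces only the forwarding verdict, not whether the PFC3 or the MSFC performs the check.

```python
import ipaddress

# Constructed FIB for illustration: prefix -> interfaces through which the
# prefix is reachable (its reverse-path interfaces).
SAMPLE_FIB = {
    "41.0.0.0/8": {"Vlan100"},
    "42.0.0.0/8": {"Vlan200"},
    "0.0.0.0/0": {"Vlan300"},   # default route
}


def longest_match(fib, src):
    """Return (network, interfaces) for the most specific prefix covering src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, interfaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, interfaces)
    return best


def rpf_passes(fib, src, in_if, mode, allow_default=False):
    """mode is 'rx' (strict check) or 'any' (exist-only check)."""
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' or 'any'")
    match = longest_match(fib, src)
    if match is None:
        return False                      # no route back to the source
    net, interfaces = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # default route is not accepted
    if mode == "any":
        return True                       # existence in the FIB is enough
    return in_if in interfaces            # strict: must arrive on a reverse path


def acl_decision(acl, src):
    """First matching (action, prefix, log) entry wins; implicit deny at the end."""
    addr = ipaddress.ip_address(src)
    for action, prefix, log in acl:
        if addr in ipaddress.ip_network(prefix):
            return action, log
    return "deny", False


def urpf_verdict(fib, src, in_if, mode, allow_default=False, acl=None):
    """Return (verdict, logged) for one packet.

    Packets that pass the check are forwarded. For packets that fail it,
    the optional list decides: deny drops, permit forwards, and an entry
    with the logging action reports the packet.
    """
    if rpf_passes(fib, src, in_if, mode, allow_default):
        return "forward", False
    if acl is None:
        return "drop", False
    action, log = acl_decision(acl, src)
    return ("forward" if action == "permit" else "drop"), log


if __name__ == "__main__":
    # A source in 42.0.0.0/8 arriving on the wrong interface, under each method.
    for mode in ("rx", "any"):
        for allow_default in (False, True):
            print(mode, allow_default,
                  urpf_verdict(SAMPLE_FIB, "42.1.1.1", "Vlan100", mode, allow_default))
```

The cases that differ between methods are a source reachable only through the default route and a source arriving on an interface other than its reverse path, so those are the inputs to try first.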

This example shows how to enable Unicast RPF exist-only check mode on VLAN interface 100:

Router(config)# interface vlan 100
Router(config-if)# ip verify unicast source reachable-via any
Router(config-if)# end
Router#

This example shows how to enable Unicast RPF strict check mode on VLAN interface 200:

Router(config)# interface vlan 200
Router(config-if)# ip verify unicast source reachable-via rx
Router(config-if)# end
Router#

This example shows how to verify the configuration:

Router# show running-config interface vlan 200 | begin 200
interface Vlan 200
ip address 42.0.0.1 255.0.0.0
ip verify unicast reverse-path
no cdp enable
end
Router# show running-config interface vlan 100 | begin 100
interface Vlan 100
ip address 41.0.0.1 255.0.0.0
ip verify unicast reverse-path (RPF mode on g4/1 also changed to strict-check RPF mode)
no cdp enable
end

Configuring the Multiple-Path Unicast RPF Check Mode

To configure the multiple-path unicast RPF check mode, perform this task:

 
Step 1  Command: Router(config)# mls ip cef rpf mpath {punt | pass | interface-group}
        Purpose: Configures the multiple-path unicast RPF check mode.

Step 2  Command: Router(config)# no mls ip cef rpf mpath {punt | interface-group}
        Purpose: Returns to the default (mls ip cef rpf mpath punt).

Step 3  Command: Router(config)# end
        Purpose: Exits configuration mode.

Step 4  Command: Router# show mls cef ip rpf
        Purpose: Verifies the configuration.

When configuring multiple-path unicast RPF check, note the following syntax information:

punt (default)—The PFC3 performs the unicast RPF check in hardware for up to two interfaces per prefix. Packets arriving on any additional interfaces are redirected (punted) to the MSFC for unicast RPF check in software.

pass—The PFC3 performs the unicast RPF check in hardware for single-path and two-path prefixes. Unicast RPF check is disabled for packets coming from multipath prefixes with three or more reverse-path interfaces (these packets always pass the unicast RPF check).

interface-group—The PFC3 performs the unicast RPF check in hardware for single-path and two-path prefixes. The PFC3 also performs the unicast RPF check for up to four additional interfaces per prefix through user-configured multipath unicast RPF check interface groups. Unicast RPF check is disabled for packets coming from other multiple-path prefixes that have three or more reverse-path interfaces (these packets always pass the unicast RPF check).

This example shows how to configure multiple-path unicast RPF check:

Router(config)# mls ip cef rpf mpath punt

Configuring Multiple-Path Interface Groups

To configure multiple-path unicast RPF check interface groups, perform this task:

 
Step 1  Command: Router(config)# mls ip cef rpf interface-group [0 | 1 | 2 | 3] interface1 [interface2 [interface3 [interface4]]]
        Purpose: Configures a multiple-path RPF interface group.

Step 2  Command: Router(config)# no mls ip cef rpf interface-group group_number
        Purpose: Removes an interface group.

Step 3  Command: Router(config)# end
        Purpose: Exits configuration mode.

Step 4  Command: Router# show mls cef ip rpf
        Purpose: Verifies the configuration.

This example shows how to configure interface group 2:

Router(config)# mls ip cef rpf interface-group 2 vlan 100 vlan 102 vlan 102 vlan 103

Enabling Self-Pinging

With unicast RPF check enabled, by default the switch cannot ping itself.

To enable self-pinging, perform this task:

 
Step 1  Command: Router(config)# interface vlan vlan_ID
        Purpose: Selects the interface to configure.

Step 2  Command: Router(config-if)# ip verify unicast source reachable-via any allow-self-ping
        Purpose: Enables the switch to ping itself or a secondary address.
        Command: Router(config-if)# no ip verify unicast source reachable-via any allow-self-ping
        Purpose: Disables self-pinging.

Step 3  Command: Router(config-if)# exit
        Purpose: Exits interface configuration mode.

This example shows how to enable self-pinging:

Router(config)# interface vlan 100
Router(config-if)# ip verify unicast source reachable-via any allow-self-ping
Router(config-if)# end

Cisco IOS Firewall Feature Set

These sections describe the Cisco IOS Firewall feature set on the Catalyst 6500 series switches:

Cisco IOS Firewall Feature Set Support Overview

Guidelines and Restrictions

Configuring CBAC on Catalyst 6500 Series Switches

Cisco IOS Firewall Feature Set Support Overview

The Firewall feature set images for the MSFC3 support these Cisco IOS Firewall features:

Context-based Access Control (CBAC)

Port-to-Application Mapping (PAM)

Authentication Proxy

The Firewall feature set images are shown in the "Feature Sets" section.

Refer to the Cisco IOS Security Configuration Guide, Release 12.1, "Traffic Filtering and Firewalls" online publications:

The "Cisco IOS Firewall Overview" chapter at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdfirwl.htm

The "Configuring Context-Based Access Control" chapter at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdcbac.htm

The "Configuring Authentication Proxy" chapter at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdauthp.htm

The Cisco IOS Security Command Reference publication at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_r/index.htm

The following features are supported both with and without the use of a Cisco IOS firewall image:

Standard access lists and static extended access lists

Lock-and-key (Dynamic Access Lists)

IP session filtering (Reflexive Access Lists)

Security server support

Network address translation

Neighbor router authentication

Event logging

User authentication and authorization


Note Catalyst 6500 series switches do not support the Cisco IOS Firewall intrusion detection system (IDS) feature, which is configured with the ip audit command.


Guidelines and Restrictions

On other platforms, if you enter the ip inspect command on an interface, CBAC modifies ACLs on other interfaces to permit the inspected traffic to flow through the network device. On Catalyst 6500 series switches, you must enter the mls ip inspect commands to permit traffic through any ACLs that would deny the traffic through other interfaces. See the "Configuring CBAC on Catalyst 6500 Series Switches" section.

Reflexive ACLs and CBAC have conflicting flow mask requirements. When CBAC is configured, reflexive ACLs are processed in software on the MSFC3.

CBAC is incompatible with VACLs. CBAC and VACLs can both be configured on the switch but not in the same subnet (VLAN).


Note The IDSM uses VACLs to select traffic. To use the IDSM in a subnet where CBAC is configured, enter the mls ip ids acl_name interface command, where acl_name is configured to select traffic for the IDSM.


Redundancy on the Catalyst 6500 series switches does not support CBAC. You can configure CBAC with high availability on the supervisor engine and HSRP on the MSFC3, but no CBAC state information is preserved.

To inspect Microsoft NetMeeting (2.0 or greater) traffic, turn on both h323 and tcp inspection.

To inspect web traffic, turn on tcp inspection. To avoid reduced performance, do not turn on http inspection to block Java.


Note QoS and CBAC do not interact or interfere with each other.


Configuring CBAC on Catalyst 6500 Series Switches

CBAC requires additional configuration on the Catalyst 6500 series switches.

On a network device other than a Catalyst 6500 series switch, when interfaces are configured to deny traffic, CBAC permits traffic to flow bidirectionally through the interface configured with the ip inspect command and also any other interface that the traffic must go through, as shown in this example:

Router(config)# ip inspect name permit_ftp ftp
Router(config)# interface vlan 100
Router(config-if)# ip inspect permit_ftp in
Router(config-if)# ip access-group deny_ftp_a in
Router(config-if)# ip access-group deny_ftp_b out
Router(config-if)# exit
Router(config)# interface vlan 200
Router(config-if)# ip access-group deny_ftp_c in
Router(config-if)# ip access-group deny_ftp_d out
Router(config-if)# exit
Router(config)# interface vlan 300
Router(config-if)# ip access-group deny_ftp_e in
Router(config-if)# ip access-group deny_ftp_f out
Router(config-if)# end

If the FTP session enters on VLAN 100 and must leave on VLAN 200, CBAC permits the FTP traffic through ACLs deny_ftp_a, deny_ftp_b, deny_ftp_c, and deny_ftp_d. If another FTP session enters on VLAN 100 and must leave on VLAN 300, CBAC permits the FTP traffic through ACLs deny_ftp_a, deny_ftp_b, deny_ftp_e, and deny_ftp_f.

On a Catalyst 6500 series switch, when interfaces are configured to deny traffic, CBAC permits traffic to flow bidirectionally only through the interface configured with the ip inspect command. You must configure other interfaces with the mls ip inspect command.

If the FTP session enters on VLAN 100 and must leave on VLAN 200, CBAC on a Catalyst 6500 series switch permits the FTP traffic only through ACLs deny_ftp_a and deny_ftp_b. To permit the traffic through ACLs deny_ftp_c and deny_ftp_d, you must enter the mls ip inspect deny_ftp_c and mls ip inspect deny_ftp_d commands, as shown in this example:

Router(config)# mls ip inspect deny_ftp_c
Router(config)# mls ip inspect deny_ftp_d

With the configuration in the example, FTP traffic cannot leave on VLAN 300 unless you enter the mls ip inspect deny_ftp_e and mls ip inspect deny_ftp_f commands.
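Because a missing mls ip inspect command silently leaves inspected sessions blocked on the egress VLAN, it helps to check a saved configuration for uncovered ACLs. The following Python check is an added example, not Cisco code: the function names and the running-config layout are assumptions, and the sample is constructed from the commands in the examples above.

```python
import re

# Constructed running-config fragment built from the commands shown above
# (ACL and interface names are the page's; the layout is an assumption).
SAMPLE_CONFIG = """\
ip inspect name permit_ftp ftp
mls ip inspect deny_ftp_c
mls ip inspect deny_ftp_d
!
interface Vlan100
 ip inspect permit_ftp in
 ip access-group deny_ftp_a in
 ip access-group deny_ftp_b out
!
interface Vlan200
 ip access-group deny_ftp_c in
 ip access-group deny_ftp_d out
!
interface Vlan300
 ip access-group deny_ftp_e in
 ip access-group deny_ftp_f out
!
"""


def parse_config(text):
    """Return (ACL names covered by 'mls ip inspect', per-interface settings)."""
    covered = set()
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # Any line in column 0 ends the previous interface block.
            current = None
            if line.startswith("interface "):
                current = line.split(None, 1)[1]
                interfaces[current] = {"inspect": [], "acls": []}
            else:
                m = re.fullmatch(r"mls ip inspect (\S+)", line)
                if m:
                    covered.add(m.group(1))
            continue
        if current is None:
            continue
        m = re.fullmatch(r"ip inspect (\S+) (in|out)", line)
        if m:
            interfaces[current]["inspect"].append(m.groups())
            continue
        m = re.fullmatch(r"ip access-group (\S+) (in|out)", line)
        if m:
            interfaces[current]["acls"].append(m.groups())
    return covered, interfaces


def cbac_gaps(text):
    """Map each non-inspecting interface to its ACLs lacking 'mls ip inspect'.

    CBAC opens the ACLs on the interface that carries 'ip inspect'; ACLs on
    every other interface need an explicit 'mls ip inspect <acl>' command.
    """
    covered, interfaces = parse_config(text)
    if not any(intf["inspect"] for intf in interfaces.values()):
        return {}                         # CBAC is not configured at all
    gaps = {}
    for name, intf in interfaces.items():
        if intf["inspect"]:
            continue
        missing = [acl for acl, _direction in intf["acls"] if acl not in covered]
        if missing:
            gaps[name] = missing
    return gaps


if __name__ == "__main__":
    for interface, acls in cbac_gaps(SAMPLE_CONFIG).items():
        print(f"{interface}: add 'mls ip inspect' for {', '.join(acls)}")
```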

Enter the show fm insp [detail] command to verify the configuration. The show fm insp [detail] command displays the list of ACLs and interfaces on which CBAC is configured and the status (ACTIVE or INACTIVE), as shown in this example:

Router# show fm insp
interface:Vlan305(in) status :ACTIVE
acl name:deny
interfaces:
Vlan305(out):status ACTIVE

On VLAN 305, inspection is active in the inbound direction and there is no ACL. ACL deny is applied on VLAN 305 in the outbound direction and inspection is active.

Use the detail keyword to display all of the flow information.

If a VACL is configured on the interface before configuring CBAC, the status displayed is INACTIVE; otherwise, it is ACTIVE. If all PFC resources are already in use, the command displays BRIDGE followed by the number of failed currently active NetFlow requests that have been sent to the MSFC3 for processing.

Local Proxy ARP

The local proxy ARP feature allows the MSFC to respond to ARP requests for IP addresses within a subnet where normally no routing is required. With the local proxy ARP feature enabled, the MSFC responds to all ARP requests for IP addresses within the subnet and forwards all traffic between hosts in the subnet. Use this feature only on subnets where hosts are intentionally prevented from communicating directly with each other by the configuration on the switch to which they are connected.

The local proxy ARP feature is disabled by default. Use the ip local-proxy-arp interface configuration command to enable the local proxy ARP feature on an interface. Use the no ip local-proxy-arp interface configuration command to disable the feature. ICMP redirects are disabled on interfaces where the local proxy ARP feature is enabled.

To use the local proxy ARP feature, enable the IP proxy ARP feature. The IP proxy ARP feature is enabled by default. Refer to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt1/1cdipadr.htm

Jumbo Frame Feature on the MSFC

With an MSFC, you can configure the MTU size on VLAN interfaces to support routing of jumbo frames.

To configure the MTU value, perform this task:

 
Step 1  Command: Router(config)# interface vlan vlan_ID
        Purpose: Accesses VLAN interface configuration mode.

Step 2  Command: Router(config-if)# mtu mtu_size
        Purpose: Configures the MTU size. Valid values are from 64 to 17952 bytes.
        Note Set the MTU size no larger than 9216, which is the size supported by the supervisor engine.

Step 3  Command: Router# show interface vlan 111
        Purpose: Verifies the configuration.

This example shows how to set the MTU size on a VLAN interface and verify the configuration:

Router(config)# interface vlan 111
Router(config-if)# mtu 9216
Router(config-if)# end
Router# show interface vlan 111 | include MTU
MTU 9216 bytes, BW 1000000 Kbit, DLY 10 usec,
Router#

Configure support for jumbo frames on the supervisor engine as described in the "Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching" chapter of the Catalyst 6500 Series Software Configuration Guide.

ARP on STP Topology Change Notification

The ARP on STP topology change notification feature ensures that excessive flooding does not occur when the MSFC receives a topology change notification (TCN) from the supervisor engine. The feature causes the MSFC to send ARP requests for all the ARP entries belonging to the VLAN interface where the TCN is received. When the ARP replies come back, the PFC learns the MAC entries, which were lost as a result of the topology change. If the MSFC learns the entries immediately following a topology change, excessive flooding is prevented later. No configuration is required on the MSFC. This feature works with supervisor engine software release 5.4(2) or later.

Router-Port Group Management Protocol

These sections describe the Router-Port Group Management Protocol (RGMP):

Overview

Restrictions

Configuration Tasks

Overview

RGMP constrains multicast traffic that exits through ports to which disinterested multicast routers are connected. To effectively constrain traffic, RGMP must be supported on both the switches and the routers in the network.


Note CGMP and IGMP snooping constrain multicast traffic that exits through switch ports to which hosts are connected. They do not constrain traffic that exits through ports to which one or more multicast routers are connected.


Restrictions

The following restrictions apply to RGMP on the MSFC:

RGMP supports PIM sparse mode only.

RGMP does not support PIM dense mode. RGMP explicitly supports the two AutoRP groups in dense mode by not restricting traffic to those groups but by flooding it to all router ports. For this reason, you should configure PIM sparse-dense mode. If you configure groups other than the AutoRP groups for dense mode, their traffic will not be correctly forwarded through router ports that have been enabled for RGMP.

You must enable IGMP snooping on the switch.

To effectively constrain multicast traffic with RGMP, connect RGMP-enabled routers to separate ports on RGMP-enabled switches.

RGMP only constrains traffic that exits through ports on which it detects an RGMP-enabled router. If a non-RGMP enabled router is detected on a port, that port receives all multicast traffic.

RGMP does not support directly connected sources in the network. A directly connected source will send traffic into the network without signaling this through RGMP or PIM. This traffic will not be received by an RGMP-enabled router unless the router already requested receipt of that group through RGMP. This restriction applies to hosts and to functions in routers that source multicast traffic, such as the ping and mtrace commands, and multicast applications that source multicast traffic, such as UDPTN.

RGMP supports directly connected receivers in the network. Traffic to these receivers will be restricted by IGMP snooping, or if the receiver is a router itself, by PIM and RGMP. CGMP is not supported in networks where RGMP is enabled on routers. Enabling RGMP and CGMP on a router interface is mutually exclusive. If RGMP is enabled on an interface, CGMP is silently disabled or vice versa.

The following properties of RGMP are the same as for IGMP snooping:

RGMP restricts traffic based on the multicast group, not on the sender's IP address.

If spanning tree topology changes occur in the network, the state is not flushed as it is with CGMP.

RGMP does not restrict traffic for the multicast groups 224.0.0.x (x = 0...255), allowing PIMv2 BSR to be used in an RGMP-controlled network.

RGMP in Cisco switches operates on MAC addresses, not on the IP multicast addresses. Because more than one IP multicast address is mapped to one MAC address (refer to RFC 1112), RGMP does not restrict traffic between different IP multicast groups that map to the same MAC address.

The capability of the switch to restrict traffic is limited by its CAM table capacity.

Configuration Tasks


Step 1 Establish an appropriate topology on the VLANs where you want to use RGMP.

Step 2 Enable RGMP on the switch:

Switch> (enable) set igmp enable
Switch> (enable) set rgmp enable

The first command enables IGMP snooping, and the second enables RGMP. Enabling these features on the switch is a global configuration. RGMP has no effect in those VLANs where there is not at least a single router also configured for RGMP.

Step 3 Enable RGMP on each interface that has a topology appropriate for RGMP:

Router(config)# vlan-interface 10
Router(config-if)# ip rgmp

Step 4 Monitor RGMP on the switch:

Switch> (enable) show rgmp group [mac_addr] [vlan_id]
Switch> (enable) show rgmp group count [vlan_id]
Switch> (enable) show rgmp statistics [vlan_id]
Switch> (enable) clear rgmp statistics
Switch> (enable) show multicast router [igmp | rgmp] [mod/port] [vlan_id]
Switch> (enable) show multicast protocol status

Step 5 Monitor RGMP on the MSFC:

router(enable)# debug ip rgmp [name_or_group_address]


Unsupported Features and Commands

IOS-SLB

MPLS

IPv6

OSPFv3

In Release 12.2(18)SXF and later releases, these QoS interface commands are no longer supported on FlexWAN interfaces:

traffic shape

priority-group

custom-queue-list

tx-queue-limit

Limitations and Restrictions

These sections describe limitations and restrictions:

MSFC Limitations and Restrictions

FlexWAN Module Limitations and Restrictions

MSFC Limitations and Restrictions

IPSec in software on the MSFC is supported only for administrative connections to Catalyst 6500 series switches and Cisco 7600 series routers.

In a redundant configuration, if you enter the RSA key on the active MSFC, a prompt also appears on the redundant MSFC console. If you do not respond to the prompt on the redundant MSFC console, the RSA key is not created on the redundant MSFC, and upon switchover the newly active MSFC might not have an RSA key or might not have the most recent RSA key.

Workaround: Respond to the prompt on the redundant MSFC console or change the RSA key after the first SRM switchover. (CSCeb54304)

In Catalyst software releases where caveat CSCeb54315 is not resolved, if you enter the set acllog ratelimit command on the Supervisor Engine 720, NAT does not work on the MSFC.

In Catalyst software releases where caveat CSCeb37469 is not resolved, with a redundant Supervisor Engine 720 installed, the active MSFC3 boots twice.

Do not configure input features (for example, policy routing) on tunnel interfaces. (CSCea50523)

For multicast flows, the PFC does not provide Layer 3 switching on output interfaces with MTU sizes smaller than the flow's input interface MTU size.

Workaround: Configure the same MTU size on both the input and output interfaces. (CSCds42685)

Before you can enable SRM on the MSFC, high availability must be enabled on the supervisor engine. Failure to do so might result in unexpected system behavior. (CSCdu78927)

With SRM configured, IP traffic is software switched by the MSFC for several minutes after a switchover to the redundant supervisor engine and MSFC. (CSCdv25906)

When the outgoing interface list for group G traffic transitions to null on a last-hop multicast router, the router sends a (*,G) prune message to the PIM neighbor toward the rendezvous point (RP) to stop the flow of group G traffic (if any) down the shared tree. The last-hop multicast router does not send an (S,G) prune message to stop the flow of traffic down the shortest path tree (SPT). The transition of the outgoing interface list to null does not trigger an (S,G) prune message. (S,G) prune messages are triggered by the arrival of (S,G) traffic.

If the last-hop multicast router is a Catalyst 6500 series switch, traffic is forwarded by the PFC3. In most cases, RPF-MFD is installed for the (S,G) entries. The MSFC does not see the multicast traffic flowing down the SPT and does not send any traffic-triggered (S,G) prunes to stop the flow of traffic down the SPT. This situation does not have any adverse effect on the MSFC because the PFC3 processes and drops the unwanted (S,G) traffic. (CSCdu40065)

Integrated routing and bridging (IRB) and concurrent routing and bridging (CRB) have deliberately been disabled on the Catalyst 6500 series switches. Layer 2 VLANs and VLAN interfaces should be used for normal bridging and interVLAN routing. Bridge groups are supported only to bridge nonrouted protocols. (CSCdz21959)

Catalyst 6500 series switches do not support remote source-route bridging (RSRB).

With MISTP configured on the supervisor engine, use only the vlan-bridge or dec Spanning Tree Protocols for bridge groups on the MSFC. We recommend the vlan-bridge Spanning Tree Protocol. With MISTP configured on the supervisor engine, the MSFC does not support the IEEE Spanning Tree Protocol. This restriction does not apply to PVST+ or MISTP-PVST+. (CSCdr99236, CSCds09253)

Use the same Spanning Tree Protocol on all devices that are bridging between VLANs.

If you configure secondary addresses on a VLAN, IP unreachable messages and IP redirects are automatically disabled to avoid out-of-order packets when packets are routed between two subnets on the same VLAN. (CSCdr84706)

The MSFC does not support the MultiNode Load Balancing (MNLB) forwarding agent of the MNLB feature set for LocalDirector. (CSCdr65433)

The ip multicast rate-limit command is not supported on Catalyst 6500 series switch LAN ports. Refer to the "Configuring QoS" chapter of the Catalyst 6500 Series Software Configuration Guide for information about policing. (CSCds22281)

If you are using the Catalyst 6500 series switch to handle thousands of IPX flows that might all arrive in simultaneous bursts, we recommend that you enter the following command to avoid excessive CPU load:

Router(config)# ipx route-cache inactivity-timeout 1 100

This command sets the IPX cache inactivity timeout to 1 minute and the maximum invalidations per minute to 100.

To boot a system image stored on the supervisor engine Flash PC card, at least one VLAN interface must be configured and be active.

At power up or manual reset, you must configure the MSFC to boot from its bootflash (or the supervisor engine's Flash PC card; however, bootflash is preferred). When you reset the supervisor engine through either a power up or a manual reset, the MSFC cannot boot from a TFTP server on the network. However, when the supervisor engine is up and the port over which the network is being accessed is in forwarding state, you can boot the MSFC from a TFTP server on the network.

By default, the MSFC sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group; these access-group-denied packets are not dropped in hardware but are bridged to the MSFC so it can generate the ICMP-unreachable message. To drop access-group-denied packets in hardware, you must disable ICMP unreachable messages using the no ip unreachables interface configuration command. The ip unreachables command is enabled by default.

When using the Network Address Translation (NAT) router feature on the MSFC, with certain configurations, packets traversing the NAT outside interface might be software routed instead of being shortcut, regardless of whether they should or should not be translated. Ideally, for packets traversing the NAT outside interface, you would want only those packets requiring NAT to be software routed. Cisco IOS software will only translate traffic in software that is traversing from NAT inside interfaces to NAT outside interfaces and vice versa.

By making the ACL used for NAT more specific, you can limit the software-handled packets to only those requiring NAT translation.

For example, if you use a general ACL (such as permit ip any any) to specify the traffic that requires NAT, then all traffic inbound or outbound on the NAT outside interface will be software routed (including traffic not originating or destined to NAT inside interfaces). If it is possible to use a more specific ACL (such as permit ip 10.1.1.0 0.0.0.255 any), then only the NAT outside traffic matching that ACL will be software routed. This traffic will still be software routed regardless of whether it is originating or destined to NAT inside interfaces. By making the ACL more specific, you can limit the amount of traffic that is software routed due to the NAT ACL.

When configuring ACLs on an interface with the tcam priority {high | low | normal} configuration command, entering high Ternary Content Addressable Memory (TCAM) priority gives ACLs on that interface higher priority for getting into the TCAM over ACLs of interfaces with lower (low or normal) priority.

If the ACLs on an interface with high priority exceed the capacity of the TCAM, the ACLs for interfaces with low priority are not inserted into the TCAM until all high-priority ACLs can fit in the TCAM.

You can configure VLAN access control lists (VACLs) on the switch to apply to all packets that are routed into or out of a VLAN or that are bridged within a VLAN. VACLs are used strictly for security packet filtering and redirecting traffic to specific physical switch ports. Unlike Cisco IOS ACLs, VACLs are not defined by direction (input or output). For more information, refer to the "Configuring Access Control Lists" chapter of the Catalyst operating system Catalyst 6500 Series Software Configuration Guide.

MAC address-based Cisco IOS ACLs are not supported for packets shortcut in hardware. MAC address-based Cisco IOS ACLs will be applied on software-switched packets. MAC address-based access control can be supported in hardware for non-IP/IPX packets using VACLs. We recommend that you use VACLs for MAC address-based ACLs.

Broadcast-to-multicast translation used with the multicast helper command does not work if a flow is hardware switched.

If you enable multicast routing globally, then you should also enable multicast routing (using the ip pim command) on all Layer 3 interfaces on which you anticipate receiving IP multicast traffic. This command causes the packets to be sent to the process-switching level for creating the route entry. However, if you disable multicast routing on the RPF interface, the entry cannot be created and the packet is dropped. Exceeding the source-traffic rate that can be handled by the process level can have an undesirable impact on the system. For instance, HSRP timers can expire on a standby router and cause HSRP flapping.

This message indicates delivery acknowledgment timeouts:

SCP-4-DACK_TIMEOUT_MSG:SCP delivery ack timeout for opcode=118

When a delivery acknowledgment timeout occurs for opcode 118 (that is, multicast MLS SCP messages), then the impact on performance depends on whether MMLS is in IDLE or ACTIVE state. You can determine the state by entering the show mls ip multicast statistics command. If MMLS is active, the message is only a warning and can be ignored. If MMLS is idle, this message is displayed:

Multicast MLS is disabled due to internal messaging error

The feature is disabled on the MSFC. You must disable and reenable the IGMP feature on the supervisor engine before reenabling MMLS on the MSFC.

After enabling PIM on an interface, you need to enter the ip mroute-cache command on the interface to enable multicast fast switching. If you have "no ip mroute-cache" configured, multicast packets that are not hardware switched will go to a process level. This process increases the load on the router. Software fast switching is useful for flows that can only be partially hardware switched.

The scheduler allocate command is enabled by default to provide adequate process level cycles under heavy switching loads. (CSCdp90088)

Topology changes that occur in MISTP spanning tree instances on the supervisor engine are not detected by the VLAN-bridge or DEC Spanning Tree Protocols. MISTP spanning tree instances do not detect topology changes in VLAN-bridge or DEC spanning tree instances. Spanning tree instances that fail to detect topology changes in adjoining spanning tree instances do not age out address tables, which can then result in some loss of connectivity while stale address table entries age out (typically, within the standard aging time of 300 seconds). MISTP-PVST+ mode detects topology changes in IEEE STP bridge groups. (CSCds19906)

In a redundant configuration, IP access lists can prevent the MSFC from pinging its own interface IP address or the interface HSRP IP address. (CSCdp77698)

Fast-switched IP multicast traffic that matches a permit access list entry with the log keyword is dropped. Fast switching of IP multicast packets is enabled by default. (CSCds28581)

For the Response Time Reporter (RTR) agent to send out traps, enter the rtr reaction-configuration 2 timeout-enable action-type traponly command. (CSCdz58158)

A border router that is positioned between a protocol independent multicast (PIM) dense mode router and a PIM sparse mode router might not register some indirectly connected sources. This problem occurs for traffic that is on an ingress interface configured with the ip pim dense-mode proxy-register command.

Workaround: Disable the multicast routing cache on the incoming interface. This action will cause packets to be process-switched in software on the MSFC instead of fast-switched. (CSCek39668)

If the MSFC address falls within the range of a PBR ACL, traffic addressed to the MSFC is policy routed in hardware instead of being forwarded to the MSFC. To prevent policy routing of traffic addressed to the MSFC, configure PBR ACLs to deny traffic addressed to the MSFC. (CSCse86399)
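The NAT ACL guidance and the PBR restriction above both depend on how widely an ACL matches, so a single configuration audit can check both. The following Python script is an added example, not Cisco code: the configuration text is constructed, the function names are hypothetical, and it assumes numbered extended ACLs only. For the PBR check it looks at the destination field and treats only a "deny ip any ..." entry as shielding a local address.

```python
import re
from ipaddress import IPv4Address

# Constructed sample configuration (not from a real device). ACLs 101 and 110
# are the over-broad forms; ACLs 102 and 111 are the narrowed replacements.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-WEB
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
ip nat inside source list 101 interface Vlan20 overload
access-list 101 permit ip any any
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 110 permit tcp any 10.1.1.0 0.0.0.255 eq www
access-list 111 deny ip any host 10.1.1.1
access-list 111 permit tcp any 10.1.1.0 0.0.0.255 eq www
route-map PBR-WEB permit 10
 match ip address 110
 set ip next-hop 10.1.1.254
"""

ALL_BITS = 0xFFFFFFFF
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}


def _addr_spec(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tok[0] == "any":
        return (0, ALL_BITS), tok[1:]
    if tok[0] == "host":
        return (int(IPv4Address(tok[1])), 0), tok[2:]
    return (int(IPv4Address(tok[0])), int(IPv4Address(tok[1]))), tok[2:]


def _entry(action, tok):
    """Parse 'PROTO SRC [src-ports] DST ...' into (action, proto, src, dst)."""
    proto, tok = tok[0], tok[1:]
    src, tok = _addr_spec(tok)
    if tok[0] in PORT_OPS:  # skip a source-port operator and its operands
        tok = tok[1 + PORT_OPS[tok[0]]:]
    dst, _ = _addr_spec(tok)
    return action, proto, src, dst


def parse_acls(config):
    """Return {number: [entries]} for numbered extended IP ACLs."""
    acls = {}
    pattern = r"^access-list (\d+) (permit|deny) (.+)$"
    for num, action, rest in re.findall(pattern, config, re.M):
        if 100 <= int(num) <= 199 or 2000 <= int(num) <= 2699:
            acls.setdefault(num, []).append(_entry(action, rest.split()))
    return acls


def covers(spec, addr):
    """True if addr matches an ACL (base, wildcard) pair."""
    return ((spec[0] ^ addr) & ~spec[1] & ALL_BITS) == 0


def broad_nat_acls(config):
    """NAT ACLs that contain a permit entry whose source is 'any'."""
    acls = parse_acls(config)
    used = re.findall(r"^ip nat (?:inside|outside) source list (\S+)", config, re.M)
    return sorted(name for name in set(used)
                  if any(act == "permit" and src[1] == ALL_BITS
                         for act, _, src, _ in acls.get(name, [])))


def permits_traffic_to(entries, addr):
    """First-match walk over destinations; a narrower deny does not shield addr."""
    for action, proto, src, dst in entries:
        if covers(dst, addr):
            if action == "permit":
                return True
            if proto == "ip" and src[1] == ALL_BITS:
                return False  # a blanket deny for this destination comes first
    return False  # implicit deny at the end of every ACL


def pbr_acls_matching_router(config):
    """(route-map, ACL, address) where an applied PBR ACL permits a local address."""
    acls = parse_acls(config)
    own = [int(IPv4Address(a))
           for a in re.findall(r"^ ip address (\d\S*) \S+", config, re.M)]
    applied = set(re.findall(r"^ ip policy route-map (\S+)", config, re.M))
    findings, rmap = [], None
    for line in config.splitlines():
        if not line.startswith(" "):
            hdr = re.match(r"route-map (\S+) ", line)
            rmap = hdr[1] if hdr else None
        match = re.match(r" match ip address (.+)", line)
        if match and rmap in applied:
            findings += [(rmap, name, str(IPv4Address(addr)))
                         for name in match[1].split() for addr in own
                         if permits_traffic_to(acls.get(name, []), addr)]
    return findings
```

On the sample, ACL 101 is reported for NAT and ACL 110 for PBR; pointing the configuration at ACL 102 and ACL 111 instead clears both findings.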

FlexWAN Module Limitations and Restrictions

The FlexWAN module does not support IPX CEF for PFC2 or IPX multilayer switching (MLS) with Release 12.1(6)E and earlier.

To use the interfaces on the FlexWAN module, you must enable IP routing on the MSFC. (CSCdp34896)

Named access lists are not supported on the FlexWAN module.

Caveats

Caveats in Release 12.2(18)SXF and Rebuilds

Caveats in Release 12.2(17d)SXB Rebuilds

Caveats in Release 12.2(17a)SX Rebuilds

Caveats in Release 12.2(14)SX2


Note All caveats resolved in Release 12.2(17a) are also resolved in Release 12.2(17a)SX1, Release 12.2(17a)SX2, and Release 12.2(17a)SX4. Refer to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/xprn122/index.htm

All caveats in Release 12.2(14)S also apply to Release 12.2(14)SX2. Refer to the "Caveats" section in the Cross-Platform Release Notes for Cisco IOS Release 12.2 S publication:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/122srn.htm#1008788

If you have a Cisco.com account that supports access to the Bug Toolkit, you can search for the most current Release 12.2SX caveat information at this URL:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs


Caveats in Release 12.2(18)SXF and Rebuilds

Temporary List of Caveats Resolved in Release 12.2(18)SXF10

Resolved Caveats in Release 12.2(18)SXF10

General Caveats in Release 12.2(18)SXF and Rebuilds

FlexWAN Caveats in Release 12.2(18)SXF and Rebuilds

Service Module Caveats in Release 12.2(18)SXF


Note The caveat information for Release 12.2(18)SXF and rebuilds is being updated frequently.


Temporary List of Caveats Resolved in Release 12.2(18)SXF10

The caveats listed here will be migrated to the resolved caveat sections as soon as possible:

CSCef34800—BGP changes to accept max value for MED attribute

CSCef66939—VRF aware SNMP may generate trap with incorrect address

CSCeg43753—Router crashes at bgp_vpnv4_revise_route_update - corrupt PC & Sig10

CSCeg58039—BGP: changing the max-paths value may cause a crash

CSCeh65692—Align Spurious memory access errors

CSCeh74715—SNMPv1 should not send traps with counter64

CSCei07548—ocsp response timestamps are mishandled

CSCei52830—Banner command sync is broken by CSCin86483

CSCei85164—OCSP fails when timezone is configured

CSCej32124—no mls verify commands doesnt take effect on standby supervisor

CSCek37222—FR-flat:classification is broken in class-default with random-detect

CSCek39364—CLI: HA Standby router reloads while unconfiguring atm bundle

CSCek54572—crash at ace_create_cm_head_node

CSCek57760—IP MTU of GRE tunnel not used by SPA-IPSEC

CSCek66164—show command pipeline redirect into rcp crashes the router

CSCek68265—Major alarm on active caused syst. shutdn instead of swover to stdby

CSCek75394—High CPU after enabling MPLS on interface

CSCek77954—test platform firm get cu-sfp-phy print-reg <port> <reg-no>

CSCsa75285—WS-X6582-2PA crashing cisco7600 when booting up with PA-MC-STM-1SMI

CSCsb13358—failaction gtp purge doesnt delete some gtp stickies when probe fail

CSCsb14543—t/b pm_port_counters_lock on module reset of active supervisor

CSCsb23106—7206vxr with NPE-G1 bus error crash when OIR PA-2T3+

CSCsb26631—Memory leak - ATM_PVCTRAP process

CSCsb54857—ATM shaping parameters removed from ATM vc-class for IMA upon bootup

CSCsb57042—%SYS-SP-3-OVERRUN at test_hm_diag_scratch_regs

CSCsb63652—bgp aggregate-address results in high BGP Router process utilization

CSCsb96034—Traffic down for too long after SSO switchover

CSCsc11689—Configure/Unconfigure PACL may cause memory leak.

CSCsd13491—show memory statistics history displays wrong values in processor pool

CSCsd33992—%PM-SP-STDBY-3-INTERNALERROR: when boot up

CSCsd41237—vrf import map is not working

CSCsd43344—Rainier ION: isis-nsf info doesnt sync with standby in SSO mode

CSCsd52225—BGP soft-reconfiguration keeps the old next-hop

CSCsd72747—nssa summary to null0 disappears after 'clear ip ro *'

CSCsd77207—Bidir traffic changed from HW to SW switch after add 200 sub-inf quickly

CSCsd79536—Standby RP crashes once at reload after installing set of patches

CSCsd82778—bootflash: bf_io_devctl: DEVCTL error 19 Error May Log During Bootup

CSCsd87810—IOS tftp server should not differentiate between / and backslash in path

CSCse22161—RP pool Memory corruption SXF4 - checkheaps_process/validblock crash

CSCse54191—CSM fails over when incorrect HSRP group fails

CSCse69002—Accounting of auth failure doesn't work with some switches

CSCse91962—prefix stays in BGP table with RD 0:0 even after vrf's RD is configured

CSCse98369—class-default bandwidth percent 100% - SPA ATM fails

CSCse98795—bus error while printing access-list

CSCse98807—Traceback, Process=SNMP Timers, %SCHED-3-STUCKMTMR during regression

CSCsf18752—mls ip slb search wildcard rp breaks gtp slb if 2 sfarms are confgd

CSCsf23115—SUP720 does not recognize FAN2 after one of fans failed.

CSCsf32449—Sup720 MVPN PE - Tunnel does not come back up after reload

CSCsg02323—CAT6500 accessible via 127.0.0.x loopback addresses

CSCsg05873—Buffer leak with SNA Focalpoint PU consuming middle buffers with NMVTs

CSCsg06577—'Desc ordr internal vlan allocation' brings up sup with major diag error

CSCsg07870—SIERRA: crash seen on switchover at pf_redun_sync_port_asic_on_swover

CSCsg14026—Routers/Switches forward traffic destined to Class E Addresses

CSCsg16272—Catalyst6500 LinkDown snmp trap does not generate while performing OIR

CSCsg30355—OIR of redundant sup w/ CatOS crash the Cat6500 System running IOS

CSCsg30875—wccp blocking telnet to router

CSCsg40567—Memory leak found with malformed tls/ssl packets in http core process

CSCsg52336—Crash at ospf_flush_area_summary_lsa after 'no ip vrf' of unassigned vrf

CSCsg55237—L2 flooding stops when new MAC address entries are learnt

CSCsg92670—7600 : MLS FIB frozen, Sanity Check of MLS FIB s/w structures failed

CSCsh20211—'Complete' diags fail TestNetflowInlineRewrite test on Service Modules

CSCsh31939—c2w1:ciscoFtpClientMIB:Get & Set opration cause process deadlock & crash

CSCsh34872—SIERRA:With mls mpls recirc configd primary internal vlan has vpn-num

CSCsh36377—SIERRA:crypto connect cmd not updated in standby RP for ATM subif

CSCsh37957—IPsec MIB entries not populated, IKE entries seem OK

CSCsh38728—Show int displays half even if port is hard coded to full

CSCsh39318—10K / PRE-2 crashes at %MROUTE-4-ROUTELIMIT

CSCsh54951—PBR: TCAM incorectly programmed when match statement is NOT used

CSCsh61061—VPM-SM:ISAKMP Lifetimes do not replicate correctly in interchassis setup

CSCsh61119—c10k High CPU in collection process

CSCsh62565—SSH keys regenerated every hour cause route flaps due to high CPU load

CSCsh68976—memory leak at xcvr_idprom when executing show hw-module all tranceiver

CSCsh77220—SSO failover causes certain configs being removed

CSCsh80008—BGP: soft reconfiguration inbound and neighbor weight has no effect

CSCsh94882—Unity client not initiating mode config should be rejected

CSCsh98343—WCCP redirect-list and mask-acl merge results in wrong redirect info

CSCsh98909—VRRP traffic not hardware switched on Sup2/MSFC2

CSCsh99351—Packet reflection on EoMPLS links

CSCsi00173—Bus error at crypto_ipsec_unlock_peer

CSCsi02885—OSM-1CHOC12/T1-SI incrementing abort, interface administrativel

CSCsi05251—bus error crash at get_rateinterval_from_service_policy at subint delete

CSCsi12289—FWSM Does Not Display Correct Timezone for DST

CSCsi15191—BOM messages observed while activation of rollback on stndby supervisor

CSCsi16904—VPN-SPA does not send ISAKMP packet with notification payload included

CSCsi22502—installer imf.tar file not being zipped creates uninstallable image

CSCsi33554—Connected net for virtual-template is not created in vrf routing table

CSCsi40628—Dual RSPAN session causes loop between 2 6500 chassis

CSCsi41791—Leak: SPA-IPSEC-2G crash-> No More Free Buffers ; SPA_IPSEC-3-PWRCYCLE'

CSCsi42270—IOS-SLB Radius Server LB may not mark a real as failed

CSCsi42517—SRB Crashes when upgrading from SXF to SRB with SLB stateful config

CSCsi45422—iprouting.iosproc process reloads when making changes to static routes

CSCsi45840—ARP requests for HSRP virtual IP may fail after switchport cmd is used

CSCsi52209—7600-sip-600 crash at PXF-DFC1-2-FAULT: T0 OHB Exception: SLIP FIFO full

CSCsi60125—Hosts receive TCP RST due to incorrect NAT translation on cat6k

CSCsi62559—SPD classifies OSPF IP Precedence 0 as priority

CSCsi64204—SXF:SIP400:ATMSPA Noticeable delay in output of show int atm command

CSCsi69350—Newly active crashed on upgrading rp rommon @ emt_call

CSCsi76192—r3:show wism status not populated until standby up after SSO

CSCsi77774—On ION,Telnet on VRF interface is allowed irrespective of vrf-also keywo

CSCsi78162—SNASw %DATACORRUPTION-1-DATAINCONSISTENCY messages

CSCsi86396—Duplicate ifIndex may be used when deleting / creating subinterfaces

CSCsi90011—User Auth after Machine Auth causes dot1x security violation

CSCsi91875—Cat6k crashes when unconfiguring vserver during snmp poll

CSCsi97192—Vrf Agg label is not programmed in vpn-cam, SP thinks it as Ipv6 Agg lab

CSCsi99930—%Error opening slavedisk0:/sierra (Cluster chain broken on file)

CSCsj01891—%SYS-SP-3-OVERRUN at test_hm_diag_scratch_regs

CSCsj04905—IOS-SLB: FWLB sticky config not get removed

CSCsj16292—DATACORRUPTION-1-DATAINCONSISTENCY: copy error

CSCsj23211—'Complete' diags fail TestNetflowInlineRewrite test on Service Modules

CSCsj23579—Invalid memory action (malloc) @ SSO Switchover

CSCsj27811—EOBC buffer leak

CSCsj28277—Sup720 ignores IGMPv3 report if first group in Exclude list is 224.0.0.x

CSCsj30444—SUP-2 Router crashes after boot UP

CSCsj40706—incorrect ifIndex from multi HC OID Get to various cards

CSCsj47546—POS: Back out changes done via CSCek15662.

CSCsj60722—TestNetflowInlineRewrite: diag failure on bootup on WS-X6148A-GE-TX.

Resolved Caveats in Release 12.2(18)SXF10

CSCsg70474—Resolved in Release 12.2(18)SXF10

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

General Caveats in Release 12.2(18)SXF and Rebuilds

Open General Caveats in Release 12.2(18)SXF10

Resolved General Caveats in Release 12.2(18)SXF10

Resolved General Caveats in Release 12.2(18)SXF9

Resolved General Caveats in Release 12.2(18)SXF8

Resolved General Caveats in Release 12.2(18)SXF7

Resolved General Caveats in Release 12.2(18)SXF6

Resolved General Caveats in Release 12.2(18)SXF5

Resolved General Caveats in Release 12.2(18)SXF4

Resolved General Caveats in Release 12.2(18)SXF3

Resolved General Caveats in Release 12.2(18)SXF2

Resolved General Caveats in Release 12.2(18)SXF

Open General Caveats in Release 12.2(18)SXF10

When you boot an image that supports Secure Shell (SSH), you can ignore these messages:

No serial number found

(CSCeb55044)

Resolved General Caveats in Release 12.2(18)SXF10


Note Caveats will be migrated to this section from the "Temporary List of Caveats Resolved in Release 12.2(18)SXF10" section as soon as possible.


CSCsj44081; resolved in Release 12.2(18)SXF10

Cisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of data structures.

This feature has been introduced in select Cisco IOS Software releases published after April 5, 2007.

Details:

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp

May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

Recommended Action

Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization.

Resolved General Caveats in Release 12.2(18)SXF9

CSCsc19259—Resolved in Release 12.2(18)SXF9.

The server side of the Secure Copy (SCP) implementation in Cisco IOS contains a vulnerability that allows any valid user, regardless of privilege level, to transfer files to and from an IOS device that is configured to be a Secure Copy server. This vulnerability could allow valid users to retrieve or write to any file on the device's filesystem, including the device's saved configuration. This configuration file may include passwords or other sensitive information.

The Cisco IOS Secure Copy Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the Cisco IOS Secure Copy Server service are not affected by this vulnerability.

This vulnerability does not apply to the Cisco IOS Secure Copy Client feature.

This advisory is posted at

http://www.cisco.com/warp/public/707/cisco-sa-20070808-scp.shtml.

CSCeb21064, CSCsd81407—Resolved in Release 12.2(18)SXF9.

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

When you add a /31 netmask route, the new netmask does not overwrite an existing /32 CEF entry. This problem is resolved in Release 12.2(18)SXF9. A facility has been provided to periodically validate prefixes derived from adjacencies in the FIB against prefixes originating from the RIB. To enable the validation, you must enter the ip cef table adjacency-prefix validate global configuration command. (CSCea53765)

A RADIUS virtual server does not forward RADIUS accounting on and off packets to the real servers when the RADIUS sticky feature is not configured. The client never receives response packets for the RADIUS accounting on and off packets. This problem is resolved in Release 12.2(18)SXF9. (CSCse34615)

A reload occurs when you enter the show route-map command in one VTY session and remove several route maps at the same time in another session. This problem is resolved in Release 12.2(18)SXF9. (CSCsa46154)

An INVALIDTCB error message might be displayed after a Telnet session terminates. This problem does not affect performance. This problem is resolved in Release 12.2(18)SXF9. (CSCef13860)

A reload might occur with the following message:

%SYS-3-BAD_RESET: Questionable reset of process 123 on tty33 -Process= "TTY Daemon", ipl= 0, pid= 127
-Traceback= 8091FF44 8090E060 8090EE34 80EA71A0 805B77F8 805BAC1C

This problem is resolved in Release 12.2(18)SXF9. (CSCsd42600)

With Auto-RP configured in a multicast environment, the Rendezvous Point (RP) mappings might get purged from the cache and cause a temporary loss of multicast connectivity. This problem occurs when the RP drops Auto-RP announce messages. This problem is resolved in Release 12.2(18)SXF9. (CSCsd16043)

An OSPF autonomous system boundary router (ASBR) might have No Label as its outgoing label for a peer ASBR interface address. This problem occurs under the following conditions:

An ISP network (ISP network A) has two ASBRs that peer with one ASBR in another ISP network (ISP network B).

IGP routing (OSPF or any other IGP) is configured between the ASBRs in ISP network A.

A BGP session between one ASBR in ISP network A and the ASBR in ISP network B goes up and down.

After about 5 minutes, all the routes that are reachable from the ASBRs in ISP network A and the ASBR in ISP network B have No Label as their outgoing label.

Workaround: Enter the clear ip route network command.

This problem is resolved in Release 12.2(18)SXF9. (CSCsd40153)

When you use the passive-interface default command on an OSPF interface, the command is incorrectly applied to the VRF OSPF interfaces. The no passive-interface default command is not applied to the VRF OSPF interfaces. This problem is resolved in Release 12.2(18)SXF9. (CSCsc52057)

High CPU utilization and a reload might occur when a RIP host route is assigned to an interface while the same host route is advertised from another router. This situation might occur when you enter the ip address negotiated command on a PPP link.

Workaround: Use a route-map to block the advertised route.

This problem is resolved in Release 12.2(18)SXF9. (CSCsg42246)

The following message and a traceback might be displayed after you enter the bgp regexp deterministic command:

%SYS-4-REGEXP: new engine: regexp compilation had failed.
-Process= "BGP Router", ipl= 0, pid= 172

This problem is resolved in Release 12.2(18)SXF9. (CSCsd59610)

When an IPv4 prefix list is used in a redistribute command for ISIS, a change in the prefix list may take up to 15 minutes to propagate to the routing table and neighbor routing tables.

Workaround: You can cause a change to take effect immediately by entering the no redistribute route-map command followed by the redistribute route-map command for the ISIS router process.

This problem is resolved in Release 12.2(18)SXF9. (CSCsb07279)

High CPU utilization might occur when the Web Cache Communication Protocol (WCCP) is communicating with three or more Cisco Wide Area Application Services (WAAS) appliances. This problem is resolved in Release 12.2(18)SXF9. (CSCuk61773)

After SNMP has been configured on an MSFC3, saving the configuration reduces the free space in NVRAM. Removing the SNMP configuration does not change the behavior. This problem is resolved in Release 12.2(18)SXF9. (CSCsb01373)

Spurious memory accesses might occur with authentication proxy to a RADIUS server when an access list is downloaded for the connection. These memory accesses are cosmetic and have no performance impact. This problem is resolved in Release 12.2(18)SXF9. (CSCsh35311)

Resolved General Caveats in Release 12.2(18)SXF8

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

Cisco IOS, documented as Cisco bug ID CSCsd85587

Cisco IOS XR, documented as Cisco bug ID CSCsg41084

Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999

Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348

Cisco Firewall Service Module (FWSM)

This vulnerability is also being tracked by CERT/CC as VU#754281.

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


Note Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


This problem is resolved in Release 12.2(18)SXF8. (CSCsd85587)

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

This problem is resolved in Release 12.2(18)SXF8. (CSCsb12598, CSCsb40304, CSCsd92405)

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at

http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml

This problem is resolved in Release 12.2(18)SXF8. (CSCsf28840)

When polling the SNMP MIB object slbstickyobjectable, SNMP goes into a loop. No SNMP transactions take place and a loss of contact with SNMP devices may occur. This problem is resolved in Release 12.2(18)SXF8. (CSCeh54725)

When an ACL is configured on an egress interface to deny all IP packets, multicast packets might be routed to the MSFC instead of being fast dropped. This problem is resolved in Release 12.2(18)SXF7. (CSCej83614, CSCsg76239)

The interface-type and interface-number arguments are not supported in the BGP and the RIP distribute-list address family configuration commands. This problem is resolved in Release 12.2(18)SXF8. (CSCed84633)

A bus error and a reload might occur when you enter the show bgp ipv6 network command on a system configured with BGP. This problem is resolved in Release 12.2(18)SXF8. (CSCef84062)

When an EIGRP internal route goes down and is deleted from the EIGRP topology table, the route may remain in the routing table. This problem is resolved in Release 12.2(18)SXF8. (CSCsa49922)

A reload may occur when you remove the IS-IS configuration at the interface level or the router level. This problem occurs when the following conditions are present:

The router is configured with NSF with SSO redundancy mode.

The isis protocol shutdown interface configuration command is enabled on the interface.

You enter an interface configuration command that enables IS-IS, such as the isis command, the clns command, or the ipv6 router isis command, before you enter a router configuration command, such as the net command.

You remove the IS-IS configuration at the interface or router level.

Workaround: Remove the isis protocol shutdown interface configuration command before you remove IS-IS from the interface or router level.

This problem is resolved in Release 12.2(18)SXF8. (CSCsb34032)

Local Area Mobility (LAM) may be unable to resolve a Mobile-IP learned CEF /32 host entry even though there is a valid ARP entry. The MLS entry drops packets forwarded to this destination. This problem is resolved in Release 12.2(18)SXF8. (CSCse06752)

When you use the neighbor default-originate command to configure a BGP advertisement of the default route, the advertisement might be ignored by a BGP neighbor. This problem occurs when the default route is learned from another source, such as a BGP or IGP neighbor. This problem is resolved in Release 12.2(18)SXF8. (CSCsf20947)

Some SNMP traps might be sent to SNMP hosts that the traps are not configured on. This problem is resolved in Release 12.2(18)SXF8. (CSCse56676)

A software-forced reload occurs when you enter the tacacs-server administration command, and then you enter the no tacacs-server administration command. This problem is resolved in Release 12.2(18)SXF8. (CSCse65726)

A reload might occur when you redirect the show tech-support command with a long regular expression. This problem is resolved in Release 12.2(18)SXF8. (CSCse97422)

This bug documents the deprecation and removal of the Cisco IOS FTP Server feature. This problem is resolved in Release 12.2(18)SXF8. (CSCsg16908)

You cannot create any more AAA lists after you have created 50 authentication lists, 7 authorization lists, and 7 accounting lists. This problem is resolved in Release 12.2(18)SXF8. (CSCsg43322)

BGP does not withdraw routes for a prefix when the distribute-list out service policy or the prefix-list out service policy is applied to a peer-group. The problem occurs when there are multiple members in the peer-group and at least one of the members does not exist. This problem is resolved in Release 12.2(18)SXF8. (CSCsg46638)

After a change in routing topology, the bidirectional PIM rendezvous point does not get updated correctly in the hardware tables. The bidirectional PIM multicast flows will be switched in software. This situation occurs if the ACL that is used to statically configure the rendezvous point does not have any wildcard entries. This problem is resolved in Release 12.2(18)SXF8. (CSCsg73179)

A default route might not be generated when you enter the OSPF default-information originate command. This problem occurs when you have used the bgp redistribute-internal command to redistribute the default route from iBGP to OSPF. This problem is resolved in Release 12.2(18)SXF8. (CSCsg11830)

Learned Hot Standby Router Protocol (HSRP) groups appear in the SNMP HSRP MIB. Only configured HSRP groups should appear. This problem is resolved in Release 12.2(18)SXF8. (CSCsg49987)

The mls ip cef rpf hw-enable-rpf-acl command, which is supported in Cisco IOS MSFC images, is not supported in the Catalyst operating system. The command has been removed from Release 12.2(18)SXF8 and later releases of the MSFC images. This problem is resolved in Release 12.2(18)SXF8. (CSCsh44288)

A DHCP relay agent might incorrectly broadcast DHCP offer and DHCP acknowledge messages when the DHCP broadcast flag is set to 0. This problem occurs after you have configured the Ethernet subinterfaces as IP unnumbered interfaces. This problem is resolved in Release 12.2(18)SXF8. (CSCsb27868)

A system might stop responding when you copy a small file to the system. This problem occurs after you configure an ATA file system, and then perform a reload. This problem is resolved in Release 12.2(18)SXF8. (CSCek42751)

A route refresh request might not uninstall all the current routes from the BGP table. This problem occurs if a BGP neighbor is sending withdraw messages when you issue a route refresh request. This problem is resolved in Release 12.2(18)SXF8. (CSCek48274)

Memory corruption and a reload occur when you enter the no tacacs-server administration command and you have not entered the tacacs-server administration command. This problem is resolved in Release 12.2(18)SXF8. (CSCsd49317)

CEF might not work for packets that traverse both a GRE and an IPIP tunnel. The problem only occurs when packets arrive on one tunnel and are software switched out to another tunnel. This problem is resolved in Release 12.2(18)SXF8. (CSCeg03019)

A software-forced reload might occur when you initiate a Secure Shell (SSH) session from the system, or when you use SCP to copy a file to or from the system. Before the reload, the system logs a series of %SYS-3-CPUHOG messages, and then a %SYS-2-WATCHDOG message. This problem is resolved in Release 12.2(18)SXF8. (CSCsb54378)

This problem is resolved in Release 12.2(18)SXF8. (CSCsg21429) native OSM

When you remove a permit entry from an ACL that is associated with a route map used in BGP redistribution, the following message is displayed:

Error: can not find acl. Abort.

This problem does not occur if the route map is not associated with BGP. This problem is resolved in Release 12.2(18)SXF8. (CSCsg26492)

When you enter the router ospf xxx command, you are prompted for a distribute-list option. There should be a similar distribute-list option when you enter the router ospf xxx vrf yyy command. This problem is resolved in Release 12.2(18)SXF8. (CSCsg33571)

When multiple SSH sessions are connected to the same device, a session cannot be resumed after another one has been disconnected.

Workaround: Reload the system to clear this problem.

This problem is resolved in Release 12.2(18)SXF8. (CSCsd76601)

When you enter the neighbor 10.1.1.1 default-originate command on a BGP peer that is a member of a peer group, the command is incorrectly rejected, and the following message is displayed:

% Invalid command for a peer-group member

This problem is resolved in Release 12.2(18)SXF8. (CSCse24873)

Stale paths for a prefix might not be removed from the BGP table. This problem occurs when the neighbor {ip-address | peer-group-name} soft-reconfiguration inbound command is configured for each peer and BGP updates for the prefix are received from the peers. A BGP peer resets when the number of BGP paths reaches the maximum of 255. This problem is resolved in Release 12.2(18)SXF8. (CSCsg55209)

A bus error and a reload might occur on a system configured with authentication proxy for HTTP. This problem is resolved in Release 12.2(18)SXF8. (CSCeg02918)

ARP entries that are associated with the default interface are unnecessarily refreshed when state changes occur on other interfaces. This problem is resolved in Release 12.2(18)SXF8. (CSCsd59023)

A bus error and a reload might occur when two users connect through Telnet ports and run TCL scripts. This problem is resolved in Release 12.2(18)SXF8. (CSCsb46223)

The SNMP counter cbQosCMDropPkt might remain at zero while the output of the show policy-map command shows a positive value. This problem is resolved in Release 12.2(18)SXF8. (CSCsg51724)

ISIS protocol packets may get dropped under stress conditions because they are classified as low priority. This problem is resolved in Release 12.2(18)SXF8. (CSCsf26043)

With RCP enabled, a reload might occur when the system receives a spoofed RCP packet that contains specific data content. This problem is resolved in Release 12.2(18)SXF8. (CSCse05736)

When you enter the copy ftp disk_device: command, the copy operation may fail and cannot be terminated. Any other copy commands may fail, and a TCP VTY session that is used to troubleshoot the situation may fail and cannot be terminated. This problem occurs when the FIN flag is set in the initial ESTAB message from a neighbor. This problem is resolved in Release 12.2(18)SXF8. (CSCek12203)

A reload might occur when you concurrently access the route map. This problem can be reproduced when you enter the show route-map command from the console and leave the output at the More prompt, and then update the route map by using TFTP to update a configuration file. This problem is resolved in Release 12.2(18)SXF8. (CSCec76468)

The following messages might be displayed because of a memory leak in the IPC buffer pool:

%IPC-5-WATERMARK: 25642 messages pending in xmt for the port Primary RFS Server Port(10000.C) from source seat 2150000
%SYS-2-MALLOCFAIL: Memory allocation of 4268 bytes failed from 0x9F32944, alignment 32

This problem is resolved in Release 12.2(18)SXF8. (CSCek64188)

During a switchover, the newly active routing processor might reload in a configuration where no ISSU support exists. As the switchover occurs, the newly active SP tries to communicate with the old standby RP, which causes problems with other IPC traffic. This problem is resolved in Release 12.2(18)SXF8. (CSCsh23981)

Resolved General Caveats in Release 12.2(18)SXF7

CSCse68138—Resolved in Release 12.2(18)SXF7.

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

The Network Time Protocol (NTP) might enter a loop and not be able to synchronize the system clock with an NTP server. This problem occurs when two NTP servers are used for time synchronization, and when their NTP reply packets arrive out of order during the synchronization.

Workaround: Configure only one NTP server.

This problem is resolved in Release 12.2(18)SXF7. (CSCsc50986)

Web Cache Communication Protocol (WCCP) for service 90 goes up and down, and causes a loss of WCCP service. This problem occurs when services 81, 82, and 90 are configured. The packet traces indicate that the router is sometimes responding to "Here_I_Am" messages from the cache with "I_See_You" messages that contain an incorrect destination IP address. This problem is resolved in Release 12.2(18)SXF7. (CSCsd20327)

The IOS SNMP process might stop responding when it is frequently polled for the ciscoEnhancedMemPoolMIB group of CISCO-ENHANCED-MEMPOOL-MIB. The process will eventually respond, but then will stop again. This problem is resolved in Release 12.2(18)SXF7. (CSCsd29469)

An address error and a reload might occur when traffic is passing over a GRE tunnel interface that has path MTU discovery configured. This problem is resolved in Release 12.2(18)SXF7. (CSCsf05479)

TCL standard input and output operations (such as puts) may not display text on the current terminal line or may not display text at all. This problem affects the stdout and the stderr streams and occurs when more than one user is logged into the device. This problem is resolved in Release 12.2(18)SXF7. (CSCsf07232)

When an EBGP peer sends an advertisement with a label attached, and then you use the clear ip bgp neighbor_address soft in command to perform a BGP soft reconfiguration, all filtered prefixes are stored as an explicit-null (0) label or no label is stored at all.

Workaround: Use the clear ip bgp neighbor_address command or the clear ip bgp neighbor_address soft out command to force the neighbor to resend updates.

This problem is resolved in Release 12.2(18)SXF7. (CSCei32930)

A reload might occur when a routing event causes a Reverse Path Forwarding (RPF) interface to become an interface configured as a multicast boundary. This problem is resolved in Release 12.2(18)SXF7. (CSCse92050)

After an RPR+ or an SSO switchover, the newly active MSFC never advertises an OSPF maximum metric when the following conditions are present:

The redundant MSFC is configured with RPR+ or SSO (non-NSF).

The standby MSFC is in the Standby-Hot state.

You use the max-metric router-lsa command to prevent other routers from preferring the router as an intermediate hop in their shortest path first (SPF) calculations.

This problem is resolved in Release 12.2(18)SXF7. (CSCsf99057)

A memory leak and a memory allocation failure (MALLOCFAIL) might occur when an SNMP trap is sent to a VRF destination. The output of the show processes memory command indicates that the memory that is held by one of the processes continues to increase. This problem occurs in a configuration in which at least one VRF destination has the snmp-server host command enabled. This problem is resolved in Release 12.2(18)SXF7. (CSCeh85133)

A memory leak and a memory allocation failure (MALLOCFAIL) might occur when a PE router continually loses and regains connections to many BGP neighbors. When you enter the show memory dead command, the entry displayed for "TCP CB" shows the memory currently allocated for connections that no longer exist. This problem is resolved in Release 12.2(18)SXF7. (CSCsb50606)

Unbalanced load sharing occurs when you configure an equal-cost multipath (ECMP) in a single hop topology. This problem occurs in releases where the fix for CSCsc81300 is present. This problem is resolved in Release 12.2(18)SXF7. (CSCsg26450)

After an NBAR policy map is removed from an interface, CPU HOG messages and a reload might occur if the following two conditions occur:

You configure and then remove a class map which includes the match protocol rtp video command and the match protocol rtp audio command.

You configure and then remove the ip nbar protocol-discovery command on the interface.

This problem is resolved in Release 12.2(18)SXF7. (CSCsd37025)

Spurious accesses might occur while processing Web Cache Communication Protocol (WCCP) traffic. This problem is resolved in Release 12.2(18)SXF7. (CSCsf03986)

DECnet does not set the burned-in MAC address (BIA) on interfaces configured with a DECnet cost. This problem is resolved in Release 12.2(18)SXF7. (CSCsg01823)

A reload might occur when NAT processes a packet based on the destination port instead of the packet type. This problem is resolved in Release 12.2(18)SXF7. (CSCei93982)

When you change the OSPF administrative distance, the null0 route that was generated with the summary address command is removed from the routing table. This problem is resolved in Release 12.2(18)SXF7. (CSCse89119)

When a system configured with NTP authentication does not synchronize with an NTP server, it is still allowed to become an NTP client. This problem is resolved in Release 12.2(18)SXF7. (CSCse55004)

After network convergence occurs, there may be a loss of connectivity in some areas of the network for approximately 5 seconds. This problem occurs because an OSPF Area Border Router (ABR) deletes type 3 LSAs after it receives an aged-out type 2 LSA. This problem is resolved in Release 12.2(18)SXF7. (CSCsg16748)

While you are entering show commands on multiple VTY sessions, an address error and a reload might occur when you change a BGP configuration. This problem is resolved in Release 12.2(18)SXF7. (CSCei29944)

If you enter the no logging event link-status interface configuration command, and then reload the system, the command information is lost. This problem is resolved in Release 12.2(18)SXF7. (CSCsg00845)

The CISCO-IF-EXTENSION-MIB objects cieIfInPktRate, cieIfInOctetRate, and cieIfOutOctetRate are not supported. This problem is resolved in Release 12.2(18)SXF7. (CSCsg32222)

When NAT is configured in an overlapping network, the IP address inside a DNS reply message sent from the name server is not translated at the NAT router. This problem occurs when you have entered the ip nat outside source command. This problem is resolved in Release 12.2(18)SXF7. (CSCsc78813)

The CISCO-ENTITY-ALARM-MIB might not place alarms in the ceAlarmTable object and the ceAlarmlist objects. This problem occurs when you shut down an interface that is connected to a peer device. This problem is resolved in Release 12.2(18)SXF7. (CSCsd49133)

When a link goes up and down, and line errors occur on that link, the following message might be displayed:

%HYPERION-4-HYP_RESET: Hyperion Error Interrupt

This problem occurs when the link is configured on a PA-MC-STM1 port adapter installed in an Enhanced FlexWAN module. This problem is resolved in Release 12.2(18)SXF7. (CSCsd69480)

If you enter the ip nbar protocol-discovery interface configuration command on an interface that is not physically on a FlexWAN module, a bus error exception and a reload might occur. This problem is resolved in Release 12.2(18)SXF7. (CSCsf08368)

Resolved General Caveats in Release 12.2(18)SXF6

An MSFC2 running data-link switching (DLSw) might report alignment corrections after creating a DLSw link. This problem is resolved in Release 12.2(18)SXF6. (CSCsb82048)

When you connect to a Cisco IOS Secure Copy (SCP) server, and then you specify a full path consisting of one or more directories for the destination-url parameter in the copy scp:destination-url command, the following message is displayed:

%scp: error: unexpected filename: /tmp/test
%Error writing scp://root@172.18.124.187//tmp/test (Permission denied)

Workaround: Specify the destination IP address in the command. The file will be placed in the top level of the destination file directory. Move the file internally into the desired directory.

This problem is resolved in Release 12.2(18)SXF6. (CSCsb62045)

Static routes that are configured with a name that includes an embedded space are not recognized after a reload. This problem is resolved in Release 12.2(18)SXF6. (CSCee77180)

A Virtual Router Redundancy Protocol (VRRP) master virtual router might respond to an ARP request to the IP address of the virtual router with its interface MAC address. This problem occurs after you enter the shutdown command and then the no shutdown command on the master virtual router VRRP interface. This problem is resolved in Release 12.2(18)SXF6. (CSCeg51303)

The Cisco Appliance Server Architecture (CASA) routing agent might cause high CPU utilization. This problem occurs when oversubscribed CASA client traffic is switched in software and placed on the IP input queue with a large number of wildcard updates from the host. This problem is resolved in Release 12.2(18)SXF6. (CSCse29465)

A reload might occur when you use Web Cache Communication Protocol (WCCP) Layer 2 redirection and mask assignment mode with a host-based standard ACL as a WCCP redirect ACL. This problem is resolved in Release 12.2(18)SXF6. (CSCsa77785)

Some objects in newly created rows of ciscoFlashCopyTable and ciscoFlashMiscOpTable cannot be read. Objects become readable after you set their values. This problem is resolved in Release 12.2(18)SXF6. (CSCdy11174)

You can enter the logging source-interface interface-type interface-number command without errors occurring, but this command does not work. Syslog packets will continue to use the address of the interface that transmitted them. This problem is resolved in Release 12.2(18)SXF6. (CSCse23548)

A memory leak might occur when you use the ip pgm router command to configure PGM router assist on GRE tunnel interfaces. This problem is resolved in Release 12.2(18)SXF6. (CSCse09435)

For wildcard updates, the debug ip casa packet command might display incorrect values for the IP address and protocol. This problem is resolved in Release 12.2(18)SXF6. (CSCse45427)

If more than 1500 NAT configuration statements are entered into a Telnet or Console session, a memory leak might occur. This problem is resolved in Release 12.2(18)SXF6. (CSCse51577)

The cbQosCMDrop MIB counters are reset when you enter the clear counters command. This problem is resolved in Release 12.2(18)SXF6. (CSCse62117)

An ICMP or an IGMP ACE that uses the fragment keyword in a numbered ACL is rejected during a reload. This problem is resolved in Release 12.2(18)SXF6. (CSCei26931)

The system might suspend indefinitely when you use the clear adjacency command to clear and repopulate the adjacency table. This problem is resolved in Release 12.2(18)SXF6. (CSCej42121)

If you configure a network access server (NAS) for login authentication by entering the aaa authentication login default none command or the aaa authentication login default local command, an AAAA-3-NOREG message and a traceback might be displayed when you log in. This situation occurs because no TACACS or RADIUS group has been configured. You need to configure the NAS for login authentication by using the aaa authentication login default group radius command or the aaa authentication login default group tacacs+ command. This problem is resolved in Release 12.2(18)SXF6. (CSCse45735)

An HTTP request packet that is received during the initialization of the Cisco IOS firewall authentication proxy feature is not processed correctly. This situation causes the initialization to fail.

Workaround: Enter the ip http auth aaa command to initialize the Cisco IOS firewall authentication proxy feature manually.

This problem is resolved in Release 12.2(18)SXF6. (CSCse61025)

When all cache engines in a Web Cache Communication Protocol (WCCP) service group are lost, traffic is processed in software instead of being switched in hardware. This problem is resolved in Release 12.2(18)SXF6. (CSCse69713)

Port numbers for self-originated TCP connections are determined by using an incremental method which causes them to be too easy to predict. Any self-originated TCP connection that uses non-well-known port numbers is subject to this behavior. This problem is resolved in Release 12.2(18)SXF6. (CSCee32814)

A reload might occur during initialization on a system configured for SSO switchover that has the snmp mib notification-log default command enabled. This problem is resolved in Release 12.2(18)SXF6. (CSCsc14034)

Redistributed routes might not be advertised if they traverse an ISIS IPv4 VRF-enabled interface that goes up and down. This problem occurs when the redistributing router reloads. This problem is resolved in Release 12.2(18)SXF6. (CSCsc37212)

The order in which attributes are sent from an AAA server determines which privilege levels are assigned to the users. This process can affect the operation of the RADIUS server and conflicts with RFC 2865 Section 5. This problem is resolved in Release 12.2(18)SXF6. (CSCsd71301)

Memory leaks and a reload might occur on an active supervisor engine when invalid Data Link Switching (DLSw) peers are defined. Memory leaks also occur on a standby supervisor engine whenever DLSw is configured. This problem is resolved in Release 12.2(18)SXF6. (CSCsf16715)

An enable authentication request might be sent erroneously to the AAA server group that was configured for login authentication. This problem is resolved in Release 12.2(18)SXF6. (CSCsd95752)

A Reverse Path Forwarding (RPF) entry created by an (S,G) RPT-bit prune for a particular source might not change when the RPF interface receives an (S,G) S-bit join for the same source. This problem is resolved in Release 12.2(18)SXF6. (CSCsd49955)

When NAT is configured, all NetBIOS TCP 139 traffic is process switched in software, which causes high CPU utilization. This problem is resolved in Release 12.2(18)SXF6. (CSCsd69052)

A PIM border router that is positioned between a PIM dense-mode cloud and a PIM sparse-mode cloud may fail to send triggered security associations (SAs) for sources in the PIM dense-mode cloud that are not directly connected. This problem occurs on the PIM router when these conditions occur:

The router is configured with the ip pim dense-mode proxy-register list command.

The router is elected as the rendezvous point for groups specified in the proxy-register list command.

The router is performing Anycast-RP using Multicast Source Discovery Protocol (MSDP).

This problem is resolved in Release 12.2(18)SXF6. (CSCse20714)

Memory corruption and a reload might occur when Extended Authentication (Xauth) is enabled and client sessions are brought down. This problem is resolved in Release 12.2(18)SXF6. (CSCsf03566)

BGP may fail to establish a peer with another router when an output service policy is configured on an interface and the policy limits the bandwidth to 199 kbps for packets that have the IP precedence value set to 6. This problem is resolved in Release 12.2(18)SXF6. (CSCeg26728)

When you unconfigure IPX GRE, a reload might occur. This problem is resolved in Release 12.2(18)SXF6. (CSCee71850)

Memory corruption might occur when overlapping Multicast Listener Discovery (MLD) join reports are sent from the same port. This problem is resolved in Release 12.2(18)SXF6. (CSCsd94439)

Reverse Telnet might not function correctly when you enable AAA authentication over an asynchronous line and you attempt to establish a reverse Telnet connection over the same asynchronous line. AAA authentication incorrectly interprets TCP data whose destination is the reverse Telnet process as input. The TCP data fails to reach the reverse Telnet, which causes a login failure for reverse Telnet. This problem is resolved in Release 12.2(18)SXF6. (CSCsd23056)

Default load sharing is unequal over redundant routes and cannot be configured to single-stage load sharing. This problem affects IPv4 forwarding. This problem is resolved in Release 12.2(18)SXF6. (CSCse50503)

Resolved General Caveats in Release 12.2(18)SXF5

CSCsc60249—Resolved in Release 12.2(18)SXF5.

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

Cisco Catalyst 6500 series systems that are running certain versions of Cisco IOS are vulnerable to an attack from a Multiprotocol Label Switching (MPLS) packet. Only the systems that are running in Hybrid Mode (Catalyst OS (CatOS) software on the Supervisor Engine and Cisco IOS software on the Multilayer Switch Feature Card (MSFC)) or running with Cisco IOS Software Modularity are affected.

MPLS packets can only be sent from the local network segment.

A Cisco Security Advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070228-mpls.shtml.

This problem is resolved in Release 12.2(18)SXF5. (CSCsd37415)

Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect the IPv6 Type 2 Routing header, which is used in Mobile IPv6. IPv6 is not enabled by default in Cisco IOS.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on whether Mobile IPv6 is used and which version of Cisco IOS is currently in use.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml

This problem is resolved in Release 12.2(18)SXF5. (CSCsd40334)

The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.

This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers.

This issue is documented as Cisco bug ID CSCek37177.

There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

This problem is resolved in Release 12.2(18)SXF5. (CSCek37177)

Symptoms: A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

Conditions: This DDTS resolves a symptom of CSCec71950. Cisco IOS versions with this specific DDTS are not at risk of a crash if CSCec71950 has been resolved in the software.

Workaround: Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

This problem is resolved in Release 12.2(18)SXF5. (CSCek26492)

Symptoms: The VTP feature in certain versions of Cisco IOS software may be vulnerable to a crafted packet sent from the local network segment, which may lead to a denial of service condition.

Conditions: The packets must be received on a trunk enabled port.

Further Information: On the 13th September 2006, Phenoelit Group posted an advisory containing three vulnerabilities:

VTP Version field DoS

Integer Wrap in VTP revision

Buffer Overflow in VTP VLAN name

These vulnerabilities are addressed by Cisco IDs:

CSCsd52629/CSCsd34759—VTP version field DoS

CSCse40078/CSCse47765—Integer Wrap in VTP revision

CSCsd34855/CSCei54611—Buffer Overflow in VTP VLAN name

Cisco's statement and further information are available on the Cisco public website at http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

This problem is resolved in Release 12.2(18)SXF5. (CSCsd34759)

Symptoms: The VTP feature in certain versions of Cisco IOS software is vulnerable to a locally-exploitable buffer overflow condition and potential execution of arbitrary code. If a VTP summary advertisement is received with a Type-Length-Value (TLV) containing a VLAN name greater than 100 characters, the receiving switch will reset with an Unassigned Exception error.

Conditions: The packets must be received on a trunk enabled port, with a matching domain name and a matching VTP domain password (if configured).

Further Information: On the 13th September 2006, Phenoelit Group posted an advisory containing three vulnerabilities:

VTP Version field DoS

Integer Wrap in VTP revision

Buffer Overflow in VTP VLAN name

These vulnerabilities are addressed by Cisco IDs:

CSCsd52629/CSCsd34759—VTP version field DoS

CSCse40078/CSCse47765—Integer Wrap in VTP revision

CSCsd34855/CSCei54611—Buffer Overflow in VTP VLAN name

Cisco's statement and further information are available on the Cisco public website at http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

This problem is resolved in Release 12.2(18)SXF5. (CSCsd34855)

The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.

Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.

Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.

Only devices running certain versions of Cisco IOS are affected.

Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.

This advisory will be posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml

This problem is resolved in Release 12.2(18)SXF5. (CSCsa54608)

If OSPF is enabled on an interface, and then the configuration is changed to redistribute a connected route on this interface with a route map, then the route may not be redistributed correctly. This problem occurs only if the route map is used as a parameter with the redistribute command. This problem is resolved in Release 12.2(18)SXF5. (CSCee81606)

A reload might occur when the OSPF-MIB table ospfExtLsdbTable is queried with an SNMP walk. Alignment errors might occur when you enter the show alignment command because of this same problem. This problem is resolved in Release 12.2(18)SXF5. (CSCef11304)

A system might not withdraw a BGP route from an iBGP peer. This problem occurs when you enter the BGP neighbor-specific clear ip bgp neighbor-address soft out command for a member of the system's peer group, and then changes occur to the outbound policy of that member. This problem is resolved in Release 12.2(18)SXF5. (CSCeg52659)

An established Point to Point Tunneling Protocol (PPTP) connection fails when Network Address Translation (NAT) or Port Address Translation (PAT) translates a new PPTP Call ID incorrectly. This problem occurs when NAT dynamic overload is configured. This problem is resolved in Release 12.2(18)SXF5. (CSCeh35083, CSCsd56549)

Outbound ACLs that are applied to SVIs have no effect on traffic from Layer 3 interfaces. This problem is resolved in Release 12.2(18)SXF5. (CSCsd03882)

A Hot Standby Router Protocol (HSRP) active router does not respond to an ARP request for a virtual IP address. This problem might occur when the same HSRP virtual IP address is misconfigured on different HSRP groups on different routers. This problem is resolved in Release 12.2(18)SXF5. (CSCsd80754)

When you enter the IOS IP service level agreement (SLA) configuration command rtr restart to restart a probe, the probe is restarted and operates normally, but when you enter the show rtr configuration command, the following message is displayed:

Status of Entry (SNMP RowStatus): notInService

This problem is resolved in Release 12.2(18)SXF5. (CSCsa61284)

If traffic loss occurs when there is a high volume of broadcast traffic, the input broadcast counter increments and the input counter does not increment. Because the value of the SNMP ifHCInUCastPkts MIB object is the difference between the input counter and the input broadcast counter, the value of ifHCInUCastPkts might become negative. This problem is resolved in Release 12.2(18)SXF5. (CSCsc62574)

Automatic detection of inline power does not work on WS-X6196-RJ-21 switching modules, and the following message is displayed:

%C6K_POWER-SP-4-PD_NOLINKUP: The device connected to 1/37 is powered up but
its link is not up in 5 seconds. Therefore, power is withdrawn from the port

This problem is resolved in Release 12.2(18)SXF5. (CSCek30589)

An OSPF route is lost after an interface goes up and down. This problem occurs when all of the following conditions are present:

A point-to-point interface such as a POS interface goes up and down briefly (shorter than 500 ms).

The neighbor does not notice the interface going up and down, so the neighbor's interface remains up.

The OSPF adjacency goes down and comes back up very quickly (the total time is shorter than 500 ms).

OSPF runs an SPF during this period and, based on the transient adjacency information, removes routes through this adjacency.

The OSPF LSA generation is delayed because of LSA throttling. When the LSA throttle timer expires and the LSA is built, the LSA appears unchanged.

Workarounds:

Increase the carrier-delay time for the interface to about 1 second or longer.

Use an LSA build time shorter than the time that it takes for an adjacency to come up completely.

This problem is resolved in Release 12.2(18)SXF5. (CSCsc07467)

When an inter-area, external, or not-so-stubby area (NSSA) route is learned using a link state update that follows the initial database synchronization, the route may not be added to the routing table by a partial shortest path first (SPF) computation even though the LSA is installed in the link state database. This problem occurs when a large number of type 3, type 5, or type 7 LSAs are advertised and withdrawn.

Workaround: A subsequent full SPF computation causes the route to be added.

This problem is resolved in Release 12.2(18)SXF5. (CSCsc10494)

OSPF might update and originate a new version of a link-state advertisement (LSA) when it should remove the LSA. This problem occurs on the originating router when it receives a self-originated aged out LSA before it can remove this LSA from its database. This problem might also occur when a neighbor calculates that it has a newer copy of the LSA from the originating router and sends the expired LSA to the originating router.

Workaround: Enter the clear ip ospf process command.

This problem is resolved in Release 12.2(18)SXF5. (CSCei45669)

A Dynamic Host Configuration Protocol (DHCP) agent might fail to write DHCP database information to an ATA file system. This problem is resolved in Release 12.2(18)SXF5. (CSCed93425)

The OSPF MIB objects whose syntax is IpAddress have the incorrect syntax of INTEGER in a trap notification. This problem is resolved in Release 12.2(18)SXF5. (CSCee47792)

The following message and a traceback may appear when Response Time Reporter (RTR) is configured:

%SCHED-3-SEMLOCKED: IP RTR Probe MaxName attempted to lock a semaphore, already locked by itself

This problem is resolved in Release 12.2(18)SXF5. (CSCei85359)

An SNMP walk might not complete. This problem occurs because the MIB object identifiers (OIDs) are out of order. This problem is resolved in Release 12.2(18)SXF5. (CSCsb34180)

A DHCP snooping-enabled system can include information about itself in client-originated DHCP packets that the system forwards to a DHCP server. The system accomplishes this by using the Dynamic Host Configuration Protocol (DHCP) relay agent information option (option 82). If the DHCP server does not handle the option 82 data properly, and sends a DHCP reply with malformed option 82 data, the DHCP snooping-enabled system might reload. This problem is resolved in Release 12.2(18)SXF5. (CSCeh21210)
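The failure described above comes down to trusting length bytes in a server reply. The following added example (not Cisco's code, and not from the original release notes) shows a bounds-checked walk of a DHCP options field and of the option 82 sub-options inside it, so that a malformed reply is classified instead of being read past its end. The function names, the classification labels and the sample bytes are constructed for illustration.

```python
"""Bounds-checked parsing of DHCP relay agent information (option 82)."""

OPT_PAD = 0                 # single-byte padding option, no length byte
OPT_RELAY_AGENT_INFO = 82   # relay agent information option
OPT_END = 255               # single-byte end-of-options marker


class MalformedOption(ValueError):
    """A length byte points outside the data that was actually received."""


def tlv(code, value):
    """Encode one code/length/value tuple (used here to build sample data)."""
    return bytes([code, len(value)]) + value


def iter_tlv(buf, what, top_level=False):
    """Yield (code, value) pairs, checking every length against the bytes left.

    top_level=True applies the DHCP options-field rules for PAD and END.
    Sub-options inside option 82 have no PAD or END codes.
    """
    i, n = 0, len(buf)
    while i < n:
        code = buf[i]
        if top_level and code == OPT_PAD:
            i += 1
            continue
        if top_level and code == OPT_END:
            return
        if i + 1 >= n:
            raise MalformedOption(f"{what}: code {code} at offset {i} has no length byte")
        length = buf[i + 1]
        start, end = i + 2, i + 2 + length
        if end > n:
            raise MalformedOption(
                f"{what}: code {code} at offset {i} claims {length} bytes, {n - start} remain")
        yield code, buf[start:end]
        i = end


def parse_option82(options):
    """Return [(sub_option, value), ...] for option 82, or None if it is absent.

    Several option 82 instances are concatenated before the sub-options are
    walked, which is how split long options are reassembled (RFC 3396).
    """
    pieces = [value for code, value in iter_tlv(options, "options field", top_level=True)
              if code == OPT_RELAY_AGENT_INFO]
    if not pieces:
        return None
    agent_info = b"".join(pieces)
    if not agent_info:
        raise MalformedOption("option 82 is present but empty")
    return list(iter_tlv(agent_info, "option 82"))


def classify_reply(options, inserted):
    """Classify a server reply against the sub-options this device inserted.

    Labels are this example's own: 'echoed', 'foreign', 'absent', 'malformed'.
    """
    try:
        got = parse_option82(options)
    except MalformedOption as exc:
        return "malformed", str(exc)
    if got is None:
        return "absent", ""
    return ("echoed", "") if got == inserted else ("foreign", "")


# Constructed sample data: circuit ID (sub-option 1) and remote ID (sub-option 2).
INSERTED = [(1, bytes.fromhex("000a0125")), (2, bytes.fromhex("001122334455"))]
AGENT_INFO = b"".join(tlv(code, value) for code, value in INSERTED)
ACK = tlv(53, b"\x05")      # DHCP message type option, value 5 (DHCPACK)

GOOD_REPLY = ACK + tlv(OPT_RELAY_AGENT_INFO, AGENT_INFO) + bytes([OPT_END])
SPLIT_REPLY = (ACK + tlv(OPT_RELAY_AGENT_INFO, AGENT_INFO[:5])
               + tlv(OPT_RELAY_AGENT_INFO, AGENT_INFO[5:]) + bytes([OPT_END]))
NO_OPT82_REPLY = ACK + bytes([OPT_END])
FOREIGN_REPLY = ACK + tlv(OPT_RELAY_AGENT_INFO, tlv(2, bytes.fromhex("66778899aabb")))
# Sub-option 1 claims 9 bytes but only 2 follow it inside option 82.
BAD_SUBOPTION_REPLY = ACK + bytes([82, 4, 1, 9, 0xAA, 0xBB]) + bytes([OPT_END])
# Option 82 claims 40 bytes but the packet ends after 2.
BAD_OUTER_REPLY = ACK + bytes([82, 40, 1, 2])

if __name__ == "__main__":
    for name in ("GOOD_REPLY", "SPLIT_REPLY", "NO_OPT82_REPLY", "FOREIGN_REPLY",
                 "BAD_SUBOPTION_REPLY", "BAD_OUTER_REPLY"):
        print(name, classify_reply(globals()[name], INSERTED))
```
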

When Intermediate System-to-Intermediate System (ISIS) is configured, only one adjacency might be shown in the output of the show clns interface command, even though the show clns neighbors command might correctly display all the neighbors that are connected to the interface. When this situation occurs, and any one of the neighbors on a segment goes down, all routing updates may be lost. The single adjacency is torn down and routing stops because there are no adjacencies, even though the output of the show clns neighbors command still shows that the neighbors are up. This problem occurs when an adjacency goes down while it is still in the INIT state because the adjacency counter is incorrectly decremented.

Workarounds:

Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the interface that reports only one adjacency.

Enter the clear clns neighbors command.

This problem is resolved in Release 12.2(18)SXF5. (CSCsc63871)

An invalid IP header checksum might be calculated for a multipoint generic routing encapsulation (MGRE) broadcast message. This problem occurs when two clients are connected to the same service set identifier (SSID) and one of the clients sends a broadcast message. The message traverses a GRE tunnel, and then a rebroadcast is generated to reach other nodes. In this situation, the checksum is not recalculated and is invalid, which causes the message to be dropped. This problem is resolved in Release 12.2(18)SXF5. (CSCsd42850)

In a WCCP redirect ACL list, ACEs that are configured with the log keyword are not programmed into the ternary content addressable memory (TCAM) table. This problem is resolved in Release 12.2(18)SXF5. (CSCsd28870)

An AutoFail trap is generated when an NMS application polls with an invalid SNMP VLAN name. The appropriate response is an UNKNOWN_CONTEXT_NAME error. This problem is resolved in Release 12.2(18)SXF5. (CSCsc85922)

When establishing a DLSw Ethernet redundancy master and slave relationship, two devices never receive LLC frames transmitted to one another. This problem is resolved in Release 12.2(18)SXF5. (CSCsd55300)

The ipMRouteInterfaceOutMcastOctets MIB object counters do not increment. This problem is resolved in Release 12.2(18)SXF5. (CSCsd37537)

When a NetFlow shortcut is established to perform Network Address Translation (NAT) in hardware, the hardware cannot parse and perform the translation on the Simple Client Control Protocol (SCCP) portion of a TCP packet. This problem is resolved in Release 12.2(18)SXF5. (CSCsd37634)

An SNMP get or walk fails to find a value for the MIB object dsx1FarEndInterval. This problem occurs because the dsx1FarEndInterval MIB table is not populated after the first three entries. This problem is resolved in Release 12.2(18)SXF5. (CSCsc90782)

When BGP receives an update that has an inferior metric route compared to a previously received route for multiple equal-cost routes, the BGP table is updated correctly but the routing table is not. This situation prevents the old path from being deleted from the routing table. This problem is resolved in Release 12.2(18)SXF5. (CSCsb36755)

High CPU utilization might occur on a Supervisor Engine 720 or a Supervisor Engine 32 when the IP spoofing feature is configured on a cache engine and WCCP redirection is configured in the egress direction. IP-spoofed packets coming from the cache engine, whose destination is either the client or the server, are switched in software instead of hardware.

Workaround: Use the ip wccp service redirect in command for both the inbound and the outbound interfaces.

This problem is resolved in Release 12.2(18)SXF5. (CSCsb61021)

The point of local repair (PLR) router erroneously resets the Local protection desired flag in the SESSION_ATTRIBUTE object of a path message, which it sends to a merge point that has inbound fast reroute (FRR) enabled. If this flag resets, a merge point that does not run Cisco IOS removes the protected label switch path (LSP). This problem is resolved in Release 12.2(18)SXF5. (CSCek35484)

The BGP table and CEF forwarding table may have mismatched labels for prefixes that are learned from a remote PE router. This problem occurs on a PE router when an eBGP session goes up and down or a route goes up and down on the remote PE router. A new label for the prefix is learned from the remote PE router, but forwarding may not update properly.

Workaround: There is no workaround. Enter the clear ip route vrf vrf-name network command on the PE router to remove the mismatched labels.

This problem is resolved in Release 12.2(18)SXF5. (CSCsc94359)

A reload might occur when open shortest path first (OSPF) inter-area route changes occur. This problem occurs when incremental shortest path first (iSPF) is configured. This problem is resolved in Release 12.2(18)SXF5. (CSCsd84489)

Setting the rttMonCtrlOperState MIB object rttmonCtrlAdminStatus to active does not cause the probe to become active. This problem is resolved in Release 12.2(18)SXF5. (CSCin62031)

When the source MAC address of NAT traffic changes, the corresponding NAT CEF entry is not updated and return traffic is sent to the old MAC address. This problem occurs with static or dynamic NAT. This problem is resolved in Release 12.2(18)SXF5. (CSCsd71047)

Timer expired tracebacks might occur when a system has a large number of RIP neighbors and short update timers configured. This problem is resolved in Release 12.2(18)SXF5. (CSCef17647)

A remote-originated LSA received over an OSPF demand circuit may change from DoNotAge to aging when the OSPF process on the far end of the link goes up and down. This problem is resolved in Release 12.2(18)SXF5. (CSCej89011)

When you enter the distribute-list interface command in a global RIP routing context, and the interface that is specified in the command is a VRF interface, the command fails and the following error message appears:

% The interface is not in the same VRF as the process

You cannot configure another way to filter networks received in updates through a VRF interface because the distribute-list interface command is not implemented in the IPv4 VRF address family. This occurs in releases where the fix for CSCee32557 is present.

Workaround: Enter the distribute-list extended-ACL-reference command in which the source-part of the extended ACL specifies the prefixes and the destination part matches the IP address of the RIP neighbor.

This problem is resolved in Release 12.2(18)SXF5. (CSCeg16631)

With DLSw Ethernet Redundancy configured, circuits might be established through the passive switch. This problem is resolved in Release 12.2(18)SXF5. (CSCse17611)

A bus error and a reload may occur when you enter a command while the command buffer is full of white space. This problem occurs when you enter a partial command, and then you use the tab key while the command buffer is full. This problem is resolved in Release 12.2(18)SXF5. (CSCsd32923)

DHCP forwarding might forward DHCP requests that have a source address of 0.0.0.0. This problem is resolved in Release 12.2(18)SXF5. (CSCec10091)

A reload might occur when SNMP queries the CISCO-SYSLOG-MIB object clogHistoryEntry. This problem is resolved in Release 12.2(18)SXF5. (CSCee24395)

The ciscoIpMRouteIfInMcastOctets MIB object identifier (OID) counter is a 64-bit counter but functions like a 32-bit counter and resets to zero at a much smaller number than expected. This problem is resolved in Release 12.2(18)SXF5. (CSCsc69155)

When a static ARP entry associated with a VRF interface is deleted, the VRF adjacency is not cleared. Packets sent from the VRF interface continue to use the old destination MAC address. This condition persists until the adjacency is resolved. This problem is resolved in Release 12.2(18)SXF5. (CSCsa76455)

With a RADIUS authentication server configured, AAA authentication generates unexpected accounting start records, which results in unreliable accounting records. This problem is resolved in Release 12.2(18)SXF5. (CSCsa99158)

The following message might display when you configure 4 VRFs with 1000 routes each, and then you enter the clear ip bgp * command:

%FIB-4-FIBCBLK: Missing cef table for tableid 2829 during Table removal event

This problem is resolved in Release 12.2(18)SXF5. (CSCea71711)

When you enter the maximum-paths ibgp number command to configure 10-Gigabit Ethernet links and BGP adjacencies, memory corruption and a reload might occur. This problem is resolved in Release 12.2(18)SXF5. (CSCek45564)

Some UDP packets that have the Terminal Access Controller Access Control System (TACACS) port (49) as their destination might remain suspended in the interface queue. This problem occurs when TACACS+ is configured. This problem is resolved in Release 12.2(18)SXF5. (CSCsb11698)

When a hardware interface goes down, packets in the egress direction are processed in software. This situation might cause high CPU usage during heavy traffic until routing and CEF updates occur in the routing table. This problem is resolved by setting the default TCAM action to deny processing of egress traffic when the interface is down instead of bridging the traffic. Traffic that is dropped before the routing table updates will generate ICMP unreachable responses to the sender. The lost packets can be retransmitted until the routing tables have been updated. The number of ICMP unreachable messages generated is subject to the current ICMP unreachable rate-limiting configuration. This problem is resolved in Release 12.2(18)SXF5. (CSCsd96511)

Resolved General Caveats in Release 12.2(18)SXF4

The SNMP ifAdminStatus state for the ATM layer or the ATM Adaptation Layer 5 (AAL5) of an ATM interface or subinterface might go down. This situation can occur without entering a shutdown command, and prevents SNMP from monitoring the proper status of the ATM interfaces. This problem is resolved in Release 12.2(18)SXF4. (CSCsb12329)

When a Reverse Path Forwarding (RPF) change affects approximately 30,000 multicast routes, a CPUHOG message might be displayed. This problem is resolved in Release 12.2(18)SXF4. (CSCek26627)

When the SNMP ifOperStatus MIB object for an interface that is a member of a multilink group is placed in the down state, the ifStackStatus entry that links the interface to the multilink group interface is removed from the IF-MIB. This problem is resolved in Release 12.2(18)SXF4. (CSCeh62084)

A vulnerability exists within the Cisco IOS Authentication, Authorization, and Accounting (AAA) command authorization feature, where command authorization checks are not performed on commands executed from the Tool Command Language (TCL) exec shell. This may allow authenticated users to bypass command authorization checks in some configurations resulting in unauthorized privilege escalation.

Devices that are not running the AAA command authorization feature, or that do not support TCL functionality, are not affected by this vulnerability. This vulnerability is present in all versions of Cisco IOS that support the tclsh command.

Workaround: This advisory with appropriate workarounds is posted at http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml.

This particular vulnerability affected only Cisco IOS 12.3(4)T trains and onwards (12.3 Mainline is not affected). Please refer to the advisory's "Software Versions and Fixes" table for the first fixed release of Cisco IOS software.

This problem is resolved in Release 12.2(18)SXF4. (CSCsd28570)

Virtual Router Redundancy Protocol (VRRP) does not function correctly with proxy ARP. The master and backup routers both transmit a proxy ARP reply, and the backup router replies with a burned-in address (BIA) instead of a virtual MAC address. This problem is resolved in Release 12.2(18)SXF4. (CSCsc47919)

Multinode Load Balancing (MNLB) affinity is installed with an incorrect dispatch address that does not match the Cisco Appliance Server Architecture (CASA) update received by the CASA forward agent. This problem is resolved in Release 12.2(18)SXF4. (CSCsc72066)

When using Auto-RP, the PIM Group-to-RP mappings time out when the up time value displayed by the show ip pim rp mapping command is less than 30 minutes. This problem occurs when two upstream routers flood Auto-RP discovery messages (group 224.0.1.40) to multiple downstream routers over more than one VLAN, and the downstream routers are leaf routers (such as access switches). This problem is resolved in Release 12.2(18)SXF4. (CSCeh67947)

A reload might occur when the output of the show ip pim mdt bgp command is being displayed. This problem occurs when withdraws for an MDT source group are received by PIM from BGP and you enter the show ip pim mdt bgp command. This problem is resolved in Release 12.2(18)SXF4. (CSCei27448)

After you enter the clear arp command, high CPU utilization might occur and the console might not respond for approximately 30 seconds. This problem occurs on a system configured with many (approximately 2000) static ARP entries. This problem is resolved in Release 12.2(18)SXF4. (CSCsa64947)

If you use a route map that includes the set weight command in the inbound policy, the route map cache for software reconfiguration is not created when a BGP peer is initialized. This problem is resolved in Release 12.2(18)SXF4. (CSCsa68988)

BGP does not advertise all of the routes to a peer that sends a route-refresh request. This symptom is observed under the following conditions:

The system is in the process of converging all of its peers and has updates ready in the output queue for the peer.

The peer sends a route-refresh request. This may occur when you enter the clear ip bgp * soft in command on the peer or when a VRF is added to the peer.

The system processes the route-refresh request from the peer while the system still has updates in the output queue for the peer.

In this situation, all of the prefixes that are advertised by the unsent updates in the output queue for the peer are lost. This problem is resolved in Release 12.2(18)SXF4. (CSCsc59089)

High CPU usage might occur and the BGP table versions of BGP peers are reset to zero. This problem occurs when you update a complex policy when there is a complex configuration of BGP peers present. This problem is resolved in Release 12.2(18)SXF4. (CSCsc73436)

When a VRF route is redistributed into the MP-BGP cloud, a routing loop may occur for the prefix that represents the VRF route between the EIGRP cloud and the MP-BGP cloud. This problem occurs on a device that functions as a PE router when the following conditions are present:

The router has EIGRP configured on the link to a CE router.

The router has a static VRF route that is redistributed into the configuration that is defined by the address-family vrf vrf-name command and that is part of the BGP routing process.

This problem is resolved in Release 12.2(18)SXF4. (CSCsc76327)

A tcb_isvalid traceback might occur in the TCP remote shell process for a link from a remote shell (RSH) or a remote copy protocol (RCP) server to an RSH or an RCP client. This problem is resolved in Release 12.2(18)SXF4. (CSCeg61169)

If you enter the set ip next-hop in-vrf command in the import map, routes that were distributed from one VRF instance to another do not appear in the VRF routing table, even though they do appear in the Border Gateway Protocol (BGP) VRF table. This problem is resolved in Release 12.2(18)SXF4. (CSCsc67367)

Resolved General Caveats in Release 12.2(18)SXF3

For a system configured as an IP HTTP server, tracebacks and a reload might occur during HTTP transactions with URL tokens greater than 128 characters long. A token is a string delimited by slashes in a URL. This problem is resolved in Release 12.2(18)SXF3. (CSCeg62070)

EIGRP-specific Extended Communities might be corrupted and shown as 0x0:0:0 when EIGRP-specific Extended Community 0x8800 is received over an IPv4 EBGP session. This problem is resolved in Release 12.2(18)SXF3. (CSCec12299)

A "no such instance" SNMP exception might be returned for an SNMP get request if DFC modules are installed. This problem is resolved in Release 12.2(18)SXF3. (CSCsc39902)

Resolved General Caveats in Release 12.2(18)SXF2

An autonomous system boundary router (ASBR) that is running open shortest path first (OSPF) and is configured with the area area_id nssa default-information-originate command, might continue to advertise a default route in a not-so-stubby area (NSSA) even after the default Border Gateway Protocol (BGP) route has been withdrawn and removed from the routing table. This problem is resolved in Release 12.2(18)SXF2. (CSCsc03828)

DLSw circuits are established over the same peer connection when DLSw load balancing is configured and when there are multiple peers that have the dlsw icanreach mac-address mac_addr command enabled with the same remote MAC address for the mac_addr argument. This problem is resolved in Release 12.2(18)SXF2. (CSCsa45750)

Duplicate interface index numbers might be assigned to tunnel interfaces when Protocol Independent Multicast (PIM) and multicast distribution tree (MDT) tunnels are created. These duplicate interface index numbers might prevent traffic from being forwarded from these multicast interfaces. This situation might cause a reload with a bus error when these tunnels are deleted and recreated. This problem is resolved in Release 12.2(18)SXF2. (CSCei80699)

The clear ip bgp update-group [index-group | ip-address] command clears all the Border Gateway Protocol (BGP) peers, including members of other update groups. This problem is resolved in Release 12.2(18)SXF2. (CSCsb24535)

In certain LAN topologies, the PIM assert mechanism can cause an upstream router to erroneously remove downstream interfaces from output interface lists. When this situation occurs, it causes multicast traffic to be dropped. This problem occurs when two or more upstream routers with routes to the same rendezvous point or traffic source are connected to the same LAN segment as two different downstream routers. The problem occurs when the two downstream routers select different upstream routers as their next hop. This problem is resolved in Release 12.2(18)SXF2. (CSCeh17756)

When the cpim MIB object family in the CISCO-PIM-MIB is queried with an SNMP walk, the output of MIB entry cpimLastErrorRP is truncated. This problem is resolved in Release 12.2(18)SXF2. (CSCef65806)

Data Link Switching (DLSw) circuits might not connect using DLSw Ethernet redundancy. This problem occurs when DLSw Ethernet redundancy is configured with the following commands where the local-mac and remote-mac values are the same real MAC addresses of the remote host:

dlsw transparent switch-support

dlsw transparent map local-mac local-mac remote-mac remote-mac

If both DLSw routers are rebooted, clients can immediately establish a session with the remote host through one of these DLSw routers using the real MAC address. This real circuit is outside of Ethernet redundancy, and until the circuit is disconnected, Ethernet redundancy cannot be established. This problem is resolved in Release 12.2(18)SXF2. (CSCeh18295)

A router that is configured with thousands of RIP routes might reload when multiple links go down and up. This problem is resolved in Release 12.2(18)SXF2. (CSCdv07156)

DLSw load balancing using the circuit-count configuration does not distribute circuits evenly. This problem occurs when all the circuits attempt to connect at the same time. Configure the dlsw load-balance round-robin command initially, start DLSw, and then configure using dlsw load-balance circuit-count. This problem is resolved in Release 12.2(18)SXF2. (CSCeh18390)

A reload might occur when you enter the default-information originate RIP routing information command and you enter the clear ip route EXEC command. This problem is resolved in Release 12.2(18)SXF2. (CSCej21891)

When Network Address Translation (NAT) is configured, TCP translations do not time out properly when the TCP session is closed in a normal way.

Workaround: Lower the global NAT translation timeout period using the ip nat translation tcp-timeout seconds command.

This problem is resolved in Release 12.2(18)SXF2. (CSCsa51150)

SNMP AuthenticationFailure traps are being sent out with a source IP address of 0.0.0.0. This problem is resolved in Release 12.2(18)SXF2. (CSCsb67916)

A reload might occur because of a memory corruption or a CPUHOG condition. This problem occurs in a configuration with a large LSA with 64 parallel links that have OSPFv3 enabled in broadcast mode and when all the links with a neighbor router go up and down. This problem is resolved in Release 12.2(18)SXF2. (CSCsb74588)

If the software accesses an ARP table that is corrupted, a bus error and a reload might occur. The ARP table gets corrupted when a process accessing the table is suspended and then resumed. This problem is resolved in Release 12.2(18)SXF2. (CSCea34586)

An OSPF autonomous system boundary router (ASBR) configured with the area area-id nssa default-information originate command might continue to advertise a default route on a not-so-stubby area (NSSA) even after the default BGP route has been withdrawn and removed from the routing table. This problem is resolved in Release 12.2(18)SXF2. (CSCsc03828)

BGP update-group selection for peers in nonprivate autonomous systems that use the remove-private-as feature needs to be improved to optimize convergence time and flexibility of neighbor configuration. This problem is resolved in Release 12.2(18)SXF2. (CSCei53226)

Port Address Translation (PAT) with overload traffic might be routed in software. This problem is resolved in Release 12.2(18)SXF2. (CSCsc18728)

A TCP session fails to time out because it is suspended in the FINWAIT1 state. The following message is displayed:

%TCP-6-BADAUTH: No MD5 digest from x.x.x.x to y.y.y.y(179) (RST)

This problem occurs in a BGP configuration that is connected to a non-Cisco router after the BGP authentication password has been changed. This problem is resolved in Release 12.2(18)SXF2. (CSCsb51019)

When a parallel link comes up between two routers running OSPF that have iSPF enabled, routes may not be installed over this newly added parallel link. This problem is resolved in Release 12.2(18)SXF2. (CSCsa79783)

A loopback interface in a VRF cannot be routed when there is a nonhost static route pointing to the loopback interface in the global routing table. This problem occurs in a VRF-lite configuration. This problem is resolved in Release 12.2(18)SXF2. (CSCsc50692)

A reload might occur when a system regenerates SSH RSA keys under low memory conditions. This problem is resolved in Release 12.2(18)SXF2. (CSCee32606)

When a Reverse Path Forwarding (RPF) change occurs, a bidirectional PIM convergence may take up to 10 seconds. This problem is resolved in Release 12.2(18)SXF2. (CSCeh93087)

A configuration is not saved when you enter the do write memory command from configuration mode, change the running configuration, exit the configuration mode, and then do a reload. This problem is resolved in Release 12.2(18)SXF2. (CSCsb89834)

A system configured with EIGRP might experience a memory leak in the EIGRP Work Ent process. This process ID name is actually EIGRP Work Entry, but it is truncated by nearby data entries that are very large and corrupt the ID string. You can use the show process memory command to display the process ID names and determine if this problem has occurred. This problem is resolved in Release 12.2(18)SXF2. (CSCsa99924)

Simultaneously reading Advanced Technology Attachment (ATA) file directory entries from different processes (for example, two vty sessions) might cause data corruption. This problem is resolved in Release 12.2(18)SXF2. (CSCej42935)

When SNMP traps are generated, the show alignment command displays spurious memory access and tracebacks. This problem is resolved in Release 12.2(18)SXF2. (CSCsa53394)

Some vendors might generate LSAs with a mix of ones and zeros for the LSA ID when they advertise OSPF external routes with the same network address but a different network mask. These LSA IDs are not recognized by Cisco IOS software. This problem is resolved in Release 12.2(18)SXF2. (CSCei65553)

A reload might occur when two or more Telnet or console sessions are open and the following events occur:

In one session, you enter the show ip as-path-access-list acl-number command, and the output pauses at the --more-- prompt when there is more than one page output.

In another session, you enter the no ip as-path access-list acl-number command and use the same acl-number argument that you used in the show ip as-path-access-list acl-number command.

In the first session, you press Enter or the space bar to display the rest of the show command output.

This problem is resolved in Release 12.2(18)SXF2. (CSCec75641)

On a Supervisor Engine 720 configured with a PCMCIA Compact Flash Memory device, if you attempt to write a crashinfo file to the PCMCIA, a reload could occur. You can configure the PCMCIA to collect the crashinfo file; it will also be used if the bootflash is full. This problem is resolved in Release 12.2(18)SXF2. (CSCeh44660)

A system might drop a TCP connection when there is high traffic. This situation occurs when the remote end of a TCP connection is oversubscribed with a high traffic rate and advertises a zero window. When the remote end processes some data, the window re-opens and the new window is advertised. If the transmitter has buffered data to send to the receiving device, the system might drop the TCP connection. This problem is resolved in Release 12.2(18)SXF2. (CSCsc39357)

Multicast networks running PIM sparse mode might experience high CPU utilization and instabilities with a multicast group count of approximately 10,000 members, if all multicast routes are traversing the same interface. This problem will most likely occur during physical or logical topology change events. This problem is resolved in Release 12.2(18)SXF2. (CSCsc76666)

When RIP is configured with MD5 interface authentication, the received packets always fail the authentication check. This problem is resolved in Release 12.2(18)SXF2. (CSCsb79895)

If you enter the ip default-network command, the show ip route command does not display the default gateway. This problem is resolved in Release 12.2(18)SXF2. (CSCed87897)

A (*,G) prune is not processed on a nondesignated router when there is a link (link A) to a PIM neighbor and a backup router that has a link (link B) to another PIM neighbor. When you shut down link A and bring up link B, the outgoing interface list (OIL) of the DR router is Null on (S,G) but on its PIM neighbor, the OIL on (S, G) still points to link A. PIM does not prune link A for 3 minutes. This problem is resolved in Release 12.2(18)SXF2. (CSCsb61487)

Members of a BGP update group might have different versions of BGP tables, which could prevent BGP from removing networks that do not have a path. This problem is resolved in Release 12.2(18)SXF2. (CSCsb09852)

A bus error and a reload might occur on a system configured with SNMP views. This problem occurs if the views are being polled by SNMP while they are being changed or updated, which happens when the running configuration is updated. This problem is resolved in Release 12.2(18)SXF2. (CSCsc82214)

In a topology with multiple multicast forwarding devices sharing the same physical medium, if one of the forwarding devices reloads, then a Catalyst 6500 switch or a Cisco 7600 router acting as the other forwarding device might fail to forward some traffic. This problem is resolved in Release 12.2(18)SXF2. (CSCei13579)

Resolved General Caveats in Release 12.2(18)SXF

CSCin95836—Resolved in Release 12.2(18)SXF.

The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS contains a vulnerability that can result in a restart of the device or possible remote code execution.

NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) feature.

NHRP can operate in three ways: at the link layer (Layer 2), over Generic Routing Encapsulation (GRE) and multipoint GRE (mGRE) tunnels and directly on IP (IP protocol number 54). This vulnerability affects all three methods of operation.

NHRP is not enabled by default for Cisco IOS.

This vulnerability is addressed by Cisco bug IDs CSCin95836 for non-12.2 mainline releases and CSCsi23231 for 12.2 mainline releases.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml.

Cisco Catalyst 6500 series systems that are running certain versions of Cisco IOS are vulnerable to an attack from a Multiprotocol Label Switching (MPLS) packet. Only systems that are running in Hybrid Mode (Catalyst OS (CatOS) software on the Supervisor Engine and Cisco IOS software on the Multilayer Switch Feature Card (MSFC)) or running with Cisco IOS Software Modularity are affected.

MPLS packets can only be sent from the local network segment.

A Cisco Security Advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070228-mpls.shtml.

This problem is resolved in Release 12.2(18)SXF. (CSCef90002)

Symptoms: A vulnerability exists within the Cisco IOS Authentication, Authorization, and Accounting (AAA) command authorization feature, where command authorization checks are not performed on commands executed from the Tool Command Language (TCL) exec shell. This may allow authenticated users to bypass command authorization checks in some configurations resulting in unauthorized privilege escalation.

Conditions: Devices that are not running the AAA command authorization feature, or that do not support TCL functionality, are not affected by this vulnerability.

This vulnerability is present in all versions of Cisco IOS that support the tclsh command.

Workaround: This advisory with appropriate workarounds is posted at http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml.

This problem is resolved in Release 12.2(18)SXF. (CSCeh73049)

Multiple Cisco products contain vulnerabilities in the processing of IPSec IKE (Internet Key Exchange) messages. These vulnerabilities were identified by the University of Oulu Secure Programming Group (OUSPG) "PROTOS" Test Suite for IPSec and can be repeatedly exploited to produce a denial of service.

Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

This advisory is posted at http://www.cisco.com/warp/customer/707/cisco-sa-20051114-ipsec.shtml.

This problem is resolved in Release 12.2(18)SXF. (CSCed94829)

In IP packets with the IP options field populated, the IP type of service (ToS) byte might be truncated to a 3-bit long field. This problem deletes 3 bits of the 6-bit DSCP value and causes incorrect QoS operation. This problem is resolved in Release 12.2(18)SXF. (CSCed93264)

When the HSRP MIB is polled and there are HSRP groups configured on subinterfaces, an error such as "OID not increasing" might occur on the device that is polling the router. In some cases, a CPUHOG traceback may occur on a router when the HSRP MIB is polled, especially when a lot of interfaces are configured but HSRP is not configured at all. This problem is resolved in Release 12.2(18)SXF. (CSCed52163)

With the service compress-config command or the boot config command in the configuration, a reload because of a bus error and stack overflow or stack corruption might occur if the configuration is larger than the NVRAM size and you enter the show config command simultaneously with the write terminal or show running-config command. This problem is resolved in Release 12.2(18)SXF. (CSCed45942)

You might see high CPU utilization if you enter the logging synchronous command. This problem is resolved in Release 12.2(18)SXF. (CSCed16920)

If you configure DLSw Ethernet redundancy on a VLAN interface, OSPF and HSRP stop working. This problem is resolved in Release 12.2(18)SXF. (CSCed14392)

Following a high availability switchover or a reload of the designated router, you can ignore these messages:

vrrp: IP address ip_address is already in a group
vrrp: Cannot set IP address for this group

This problem is resolved in Release 12.2(18)SXF. (CSCeb14745)

If two OSPF routing areas generate the same link-state advertisement (LSA) for a route and the route is known on the Area Border Router (ABR) as an intra-area route, a summary LSA might not be generated on the ABR if the route goes up and down. This problem is resolved in Release 12.2(18)SXF. (CSCeg62496)

With bridging configured, the MSFC might send ARP messages for local addresses to other subnets. This problem is resolved in Release 12.2(18)SXF. (CSCeg04110)

With multiple equal-cost routes exiting on different interfaces, a Resource ReSerVation Protocol (RSVP) reservation may initially be made on the wrong interface. This problem is resolved in Release 12.2(18)SXF. (CSCdt12296)

When a protected interface comes up and a new label switch path (LSP) is generated, a "Path Tear" message may be ignored for an old LSP at a merge point. As a result, the LSP is not torn down. This problem is resolved in Release 12.2(18)SXF. (CSCea64025)

With many configured tunnels, the output from the debug ip rsvp resv privileged EXEC command might be excessive and cause an indefinite pause or a reload. This problem is resolved in Release 12.2(18)SXF. (CSCeb60432)

In a system with redundant supervisor engines, if you modify the configuration file on the active supervisor engine, these changes may not be saved in the configuration file for the standby supervisor engine. This problem is resolved in Release 12.2(18)SXF. (CSCeb70508)

The ip radius source-interface subinterface-name vrf vrf-name command forces the IP address of a specified interface to be used for all outgoing Remote Authentication Dial In User Service (RADIUS) packets on a per-VRF basis. This command has no effect in certain configurations. In these cases, packets are forwarded through the global ip radius source-interface. If no interface is configured, packets are forwarded through the interface IP address that points to the RADIUS server. This problem is resolved in Release 12.2(18)SXF. (CSCec21537)

RADIUS packets use the outgoing interface's physical address as the RADIUS packet source instead of the interface configured by software commands. This problem is resolved in Release 12.2(18)SXF. (CSCec72111)

A Simple Network Management Protocol (SNMP) request sent to a VPN routing and forwarding (VRF) instance uses the wrong source address in the reply. This problem is resolved in Release 12.2(18)SXF. (CSCee92763)

When an EXEC session is at the "More" prompt, the session fails to time out. This problem is resolved in Release 12.2(18)SXF. (CSCef35192)

A redundant MSFC might reload with the following error message when you reload the active supervisor engine:

%RSP-3-IPC: slave could not create named port port in use

This problem is resolved in Release 12.2(18)SXF. (CSCef78145)

An interface configured with routed sub-interfaces and 802.1Q encapsulation does not receive Cisco Discovery Protocol (CDP) packets if the native VLAN is configured as other than VLAN1. This problem is resolved in Release 12.2(18)SXF. (CSCeg02753)

A memory leak might occur on a BGP router configured to redistribute into Enhanced Interior Gateway Routing Protocol (EIGRP) that has no network statement. This problem is resolved in Release 12.2(18)SXF. (CSCeg06612)

A supervisor engine may reload while multiple ATM commands are being executed simultaneously on one ATM Virtual Circuit (VC) from different sessions. This problem occurs in a large configuration and is resolved in Release 12.2(18)SXF. (CSCdw25402)

When a VPN client acquires a login popup window and attempts to log in, the following popup windows are not displayed after the username and password. This problem is resolved in Release 12.2(18)SXF. (CSCef07048)

The following messages can occur on a standby MSFC when a LDP Management Information Base (MIB) walk is performed on the active MSFC if it is configured with an ATM interface:

00:03:02: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x4065AE98 reading 0x0
00:03:02: %ALIGN-3-TRACE: -Traceback= 4065AE98 4050BFD0 40496270 40497670 404E9908 4050EE6C 402B6D60 402B287C

This problem is resolved in Release 12.2(18)SXF. (CSCeg03837)

RSVP ResvConfirm messages are dropped when multiple equal cost paths are present in the network. This problem is resolved in Release 12.2(18)SXF. (CSCef32588)

A system reloads when the name of the Embedded Event Manager (EEM) Tool Command Language (TCL) Policy is longer than 12 characters. This problem is resolved in Release 12.2(18)SXF. (CSCeh25105)

Routes may be unexpectedly removed from the routing table.

This problem occurs when you use Intermediate System-to-Intermediate System (ISIS) to advertise IP prefixes and you enter a distance command that changes the overall configuration but keeps a subset of the prefixes at the same distance as in the previous configuration. The routes to that subset of IP prefixes may get automatically removed from the routing table.

Two examples of this behavior, when starting with a distance 115 ip for ISIS, are as follows:

router isis
distance 255 ip
distance 115 ip

or

router isis
distance 115 0.0.0.0 255.255.255.255

Workaround: For all prefixes, make sure that the distance command alters the distance.

This problem is resolved in Release 12.2(18)SXF. (CSCeh00090)

During a Non-Stop Forwarding (NSF) MSFC switchover, the convergence may be delayed up to 5 minutes. This problem occurs when an Open Shortest Path First (OSPF) Database Description (DBD) exchange error occurs while the adjacency is brought up.

Workaround: Enter the clear ip ospf process command on the affected system.

This problem is resolved in Release 12.2(18)SXF. (CSCeh09588)

When there is a user-configured "deny ip any any" in the Web Cache Communication Protocol (WCCP) redirect access control list (ACL) and many WCCP service groups are being serviced, the traffic associated with some service groups is not redirected to CE routers. This problem is resolved in Release 12.2(18)SXF. (CSCeh85087)

If you enter the header-compression iphc-format command, compressed Real-Time Protocol (RTP) errors may occur and half of the packets are dropped. These drops are counted as output drops on the interface. This problem is resolved in Release 12.2(18)SXF. (CSCeh23943)

Currently you can only enter eight authentication, authorization, and accounting (AAA) authentication login and authorization network commands into a configuration. The following messages display when you add a ninth command:

%AAAA-3-NOFREELISTS: % AAA: No free authentication lists for "login"
or:
% AAA: No free authorization lists for "network".

This problem is resolved in Release 12.2(18)SXF. (CSCeh74440)

If you set the HSRP MAC address to the same value as the interface MAC address and then remove this configuration, the interface MAC address might get removed from the interface address filter. This problem is resolved in Release 12.2(18)SXF. (CSCeh05654)

VPN client authentication fails when you attempt to use New personal identification number (PIN) mode or Next Token mode. Authentication is successful if you avoid New PIN mode and Next Token mode. The problem occurs when you authenticate using Token card / ACEserver through RADIUS in New PIN mode, or when Next Token mode has been turned on because you consecutively entered an incorrect password. This problem is resolved in Release 12.2(18)SXF. (CSCeh35849)

A VRF ping fails to reach an OSPF neighbor interface when the platform on which the ping originates and the OSPF neighbor interface are connected by an OSPF sham link that is used for interconnecting traffic between two VPN sites. This problem is resolved in Release 12.2(18)SXF. (CSCeg51291)

Multicast Source Discovery Protocol (MSDP) does not create an (S,G) state and does not trigger (S,G) joins for the relevant entries in the MSDP cache when Internet Group Management Protocol (IGMP) modifies the (*,G) o-list from null to non-null. This problem is resolved in Release 12.2(18)SXF. (CSCeh01390)

The Multiprotocol Border Gateway Protocol (MP-BGP) network entries counter increases above the actual number of reachable networks.

This problem occurs in a nonconverged environment. The correct number of network entries is restored when there is a period of BGP stability that lasts for approximately 1 minute or more because BGP is able to converge and the scanner has time to run and collect the old network entries. However, if there is continuous churning and BGP is only able to converge for a few seconds before new updates arrive, old BGP network entries are not cleaned up, causing the MP-BGP network entries counter to increase above the actual number of reachable networks. This problem is resolved in Release 12.2(18)SXF. (CSCeh16989)

CEF adjacencies are not established if you configure Internet Engineering Task Force Frame Relay encapsulation (encap Frame Relay IETF) on a serial interface. This problem is resolved in Release 12.2(18)SXF. (CSCeh35068)

Tracebacks might occur during initialization of a system configured with distributed Link Fragmentation and Interleaving over Leased Lines (dLFIoLL) MLP-QoS. This problem is resolved in Release 12.2(18)SXF. (CSCeh42292)

A system may stop receiving multicast traffic. This problem occurs rarely during convergence when a system receives a Join message on a Reverse Path Forwarding (RPF) interface and when a downstream router converges faster than the first router that receives the Join message.

In this situation, the system does not populate the RPF interface into the outgoing interface list (OIL) (the OIL remains null) because the old SP tree has already been pruned by the downstream router. When the RPF interface of the system changes to the new path later, it does not trigger a Join message toward the multicast source until the system receives the next periodic Join message from the downstream router and populates the OIL. Multicast traffic stops temporarily but no longer than the periodic Join message interval. This problem is resolved in Release 12.2(18)SXF. (CSCeh47667)

A stale non-best path multipath remains in the Routing Information Base (RIB) after the path information changes, and BGP does not consider the stale path part of the multipath. This problem occurs on a system that has the soft-reconfiguration inbound command enabled and only when BGP Multipath Loadsharing is enabled for three or more paths (the number-of-paths argument of the maximum-paths number-of-paths command has a value of three or more).

Workaround: Disable the soft-reconfiguration inbound command for the neighbor sessions for which BGP Multipath Loadsharing is enabled or reduce the maximum number of paths for BGP Multipath Loadsharing to two paths.

This problem is resolved in Release 12.2(18)SXF. (CSCeh53906)

When a Web Cache Communication Protocol (WCCP) service is enabled, Mask Assignment is configured as the assignment method, and five or more caches are in the service group, protocol messages sent to the cache may overflow and cause memory corruption and a reload. This problem is resolved in Release 12.2(18)SXF. (CSCeh56916)

A file in an Advanced Technology Attachment (ATA) file system may become corrupted by any command that extends the file such as the show interfaces ethernet | append disk0:file command. When this situation occurs, the output of the dir command or of the show command will not list the file. This problem is resolved in Release 12.2(18)SXF. (CSCeh91772)

BGP next-hop information is not redistributed as expected by the OSPF routing protocol. This problem is resolved in Release 12.2(18)SXF. (CSCeh92012)

When Compressed Real-Time Protocol (cRTP) errors occur, half of the cRTP packets are dropped. These drops are counted as output drops on the interface. This problem is resolved in Release 12.2(18)SXF. (CSCei02826)

With BGP configured, conditional advertisement of the default route that is connected to a route map does not work when you enter the neighbor default-originate command. This problem is resolved in Release 12.2(18)SXF. (CSCei06089)

The following error message may be generated on a system that is configured with a large number of interfaces:

Error adding idb to <listtype> idb list

Where listtype can be a list name such as macaddr. This problem is resolved in Release 12.2(18)SXF. (CSCsa80223)

After a switchover, for approximately 10 to 15 seconds, traffic for OSPF routes may be suspended. This problem is resolved in Release 12.2(18)SXF. (CSCsa95973)

A system may lock for a long period of time while several instances of the following message are displayed:

%CWAN_RP-4-SEMAHOG: Process 74 (MIP Mailbox)hogging CCB BLK Sema 10! calling proc 221 (IFCOM Msg Hdlr)

This problem is resolved in Release 12.2(18)SXF. (CSCin79495)

When you change the Next Hop Resolution Protocol (NHRP) mapping configuration, an incorrect NHRP cache entry and incorrect crypto socket entry may occur. When you change the NHRP static mapping entry by entering the ip nhrp map command, the NHRP cache entry is not updated with the new mappings, and the crypto socket entry will be incorrect.

Workaround: To change the NHRP static mapping configuration, remove the NHRP mapping entry by entering the no ip nhrp map command and then add the NHRP mapping entry by entering the ip nhrp map command.

This problem is resolved in Release 12.2(18)SXF. (CSCsb03192)

An ISIS routing protocol redistribute protocol command is not synchronized to a redundant MSFC, and routes that are dependent on this command will fail after a switchover. This problem is resolved in Release 12.2(18)SXF. (CSCin65241)

If you erase NVRAM with write erase and then enter a write mem command, the system may reload. Warning messages are displayed when the configuration is saved before the reload. This problem is resolved in Release 12.2(18)SXF. (CSCsa86572)

A reload can occur when an interface is configured to run ISIS, and then later changed to a passive interface. This problem is resolved in Release 12.2(18)SXF. (CSCsa90719)

ISIS authentication on point-to-point LAN interfaces may stop functioning after a reload. This problem is resolved in Release 12.2(18)SXF. (CSCsa51095)

The service tcp-keepalive-in command sent from a Supervisor Engine 720 fails to generate a TCP keepalive every 60 seconds to a remote peer to prevent Telnet sessions from timing out. This problem is resolved in Release 12.2(18)SXF. (CSCsa57888)

When configuring a static Address Resolution Protocol (ARP) entry in conjunction with Network Address Translation (NAT), the static ARP configuration may be incorrectly removed. This situation occurs when the ARP entry corresponds to an address that collides with an address configured for NAT and the NAT entry times out. This problem is resolved in Release 12.2(18)SXF. (CSCsa73847)

Spurious memory accesses might occur when the cbQosREDTailDropByte64 or cbQosREDRandomDropByte64 MIB objects (belonging to the CISCO-CLASS-BASED-QOS-MIB) are polled using SNMP. This problem is resolved in Release 12.2(18)SXF. (CSCdz84448)

The multicast rate counter is not updated properly in the show ip mroute active command output. This problem is resolved in Release 12.2(18)SXF. (CSCsa94063)

Spurious memory accesses occur when a link goes down and up. This problem is resolved in Release 12.2(18)SXF. (CSCsb23906)

After a switchover, a reload may occur when you enter the no snmp-server command. This problem is resolved in Release 12.2(18)SXF. (CSCsb44308)

Entering the ip multicast longest-match command fails to cause Reverse Path Forwarding (RPF) checks to function correctly in response to Protocol Independent Multicast (PIM) bootstrap router (BSR) messages. This problem is resolved in Release 12.2(18)SXF. (CSCsa79597)

The ip routing protocol purge interface command is not configurable. This problem is resolved in Release 12.2(18)SXF. (CSCsb18066)

The following error messages might appear on the console and in the log:

%SCHED-3-THRASHING: Process thrashing on watched message event.
-Process= "TTY Background", ipl= 6, pid= 20
-Traceback= 801BA4D4 801BA798 80114D94 801CEF34

This message indicates a situation that does not appear to affect any system service. The system generates these log messages when you enter the terminal monitor command and encounter excessive SSH traffic (such as debug messages). This problem is resolved in Release 12.2(18)SXF. (CSCdy80670)

An attempt to make an active FTP connection to a Linux FTP server will fail and the following message will result:

425 Can't build data connection: connection refused.

This problem is resolved in Release 12.2(18)SXF. (CSCeg06261)

Some static routes may not get redistributed into a VRF through the RIPv2 protocol during a switchover. This problem is resolved in Release 12.2(18)SXF. (CSCeh20051)

The identification field in all TACACS+ packets is always 0 when the synchronize (SYN) flag is set and the TACACS+ packet goes through a firewall to the AAA server. The firewall interprets this 0 identification field as a Fragment Overlap Attack and drops additional new connections. This problem is resolved in Release 12.2(18)SXF. (CSCeh48684)

Some labels may be missing in the output of an LSP traceroute. This problem is resolved in Release 12.2(18)SXF. (CSCsb38242)

A login authentication fails to appear as default after a VTY is configured. This problem is resolved in Release 12.2(18)SXF. (CSCsa91175)

A reload might occur if you attempt to resequence an ACL. This problem occurs when you delete a few ACEs and then immediately enter the ip access-list resequence access-list-name starting-sequence-number increment command. This problem is resolved in Release 12.2(18)SXF. (CSCsa50971)

ACL counters might display twice as many matches as actually exist. This problem occurs only when class maps are nested because the rate-limit llq classify command is configured along with class-based classification. When the ACL counters are used in policies with these class maps, the counts are included once for each of the classifications when displaying accounting output for the show policy interface command. Twice as many packets appear to have entered the network and are matched on these ACLs. This problem is resolved in Release 12.2(18)SXF. (CSCee56209)

A Response Time Reporter (RTR) DNS probe might fail when the target name is a fully qualified DNS name, and the IP domain list with a corresponding domain name is configured. This problem is resolved in Release 12.2(18)SXF. (CSCef59378)

An SNMP walk might fail, and then display these messages:

transmission.ds1.dsx1FarEndIntervalTable.dsx1FarEndIntervalEntry.dsx1Far
EndIntervalIndex.1
19.7 119
transmission.ds1.dsx1FarEndIntervalTable.dsx1FarEndIntervalEntry.dsx1Far
EndIntervalIndex.1
19.8 119
transmission.ds1.dsx1FarEndIntervalTable.dsx1FarEndIntervalEntry.dsx1Far
EndIntervalIndex.1
19.9 119
. . .

This problem is resolved in Release 12.2(18)SXF. (CSCeg39518)

If an intermittent multicast source is inactive for 3.5 minutes, (S,G) entries in the MSDP cache might become inconsistent with a neighbor's cache which can cause multicast packet loss. This problem is resolved in Release 12.2(18)SXF. (CSCsb23433)

The RIB removes routes whose next hop lies on an interface that has gone down. If the route is an OSPF route and the link goes down and up so quickly that the topology appears unchanged to OSPF, the SPF will not be run and the routes will not be repopulated. This problem is resolved in Release 12.2(18)SXF. (CSCei13040)

In GRE-based forwarding mode, WCCP unnecessarily uses a software cache that increases MSFC CPU utilization. This problem is resolved in Release 12.2(18)SXF. (CSCsb18740)

An OSPF interface may show a connected route as an OSPF route after the connected network goes up and down or is shut down. This problem is resolved in Release 12.2(18)SXF. (CSCsa70039)

When NHRP receives an invalid packet, it attempts to reply to the sender with an error message that contains part of the original packet. This situation might result in a large memory allocation and a traceback, memory alignment errors, address access errors, and possibly a system reload. This problem is resolved in Release 12.2(18)SXF. (CSCin95836)

When RSVP sends an updated path message to reflect a modification in its QoS request, the updated path message may not get forwarded by a downstream RSVP-aware router. This situation occurs when the downstream router has two RSVP features configured at the same time: local policy and refresh reduction. This problem is resolved in Release 12.2(18)SXF. (CSCei65865)

When Data Link Switching Plus (DLSw+) is configured with VRF, the local-peer address can belong to any VRF, but DLSw+ reacts as if it belonged to the main VRF. This problem is resolved in Release 12.2(18)SXF. (CSCea48658)

A reload might occur when PIM traffic is on the network. This problem will probably occur during initialization, but could occur anytime an interface goes up and down while receiving PIM traffic. This problem is resolved in Release 12.2(18)SXF. (CSCeh15639)

The show ip rsvp interface interface command displays the wrong allocated bandwidth value. This problem occurs when either a TE tunnel or an RSVP reservation is present, and if the bandwidth is changed while the tunnel or reservation is up/up. This problem is resolved in Release 12.2(18)SXF. (CSCec26696)

When using the no ip-next-hop-self setting, EIGRP routes in the routing table state might retain old information even though the EIGRP topology database has been updated. This problem is resolved in Release 12.2(18)SXF. (CSCee19880)

A system configured with a summary address, which is also an OSPF not-so-stubby area (NSSA) area border router (ABR), might incorrectly age out and flush the summary address. This occurs when NSSA external type 1 or type 2 routes are present. This problem is resolved in Release 12.2(18)SXF. (CSCsb28595)

A system runs out of memory if configured with at least 15,000 Virtual Private LAN Service (VPLS) virtual circuits and all the LDP sessions go up and down several times. This problem is resolved in Release 12.2(18)SXF. (CSCsb50995)

If you enter the no ip vrf vrf_name command, this message might be displayed:

%FIB-4-FIBCBLK: Missing cef table for tableid 1 during CEF table change event.

This problem occurs in simple configurations with no routing protocols configured. This problem is resolved in Release 12.2(18)SXF. (CSCee26209)

After you enter shutdown and no shutdown commands on an interface, there might be long delays between ARP requests and subsequent long delays in traffic flow under these circumstances:

Multiple subinterfaces belonging to different VRFs are configured on one interface.

All the VRFs have the same address on each subinterface and are recursive static.

All the VRFs are handling traffic destined to the same address that is reachable through a static route.

This problem is resolved in Release 12.2(18)SXF. (CSCef93058)

The distance command may affect the OSPF path selection algorithm between two paths learned within one OSPF process. The problem occurs when the same IP prefix originates from two different devices and there is a nondefault administrative distance for one of those two devices, which can cause an unpredictable best route selection for the prefix. This problem is resolved in Release 12.2(18)SXF. (CSCeh46993)

The snmpEnginetime MIB counter resets when the sysUptime MIB counter reaches its maximum value and starts counting from zero again. This problem is resolved in Release 12.2(18)SXF. (CSCeh49492)

Enhanced Interior Gateway Routing Protocol (EIGRP) unicast routes cannot be preferred over the default IP multicast static route (mroute). This problem is resolved in Release 12.2(18)SXF. (CSCeh50392)

Broadcast packets are not translated to multicast packets when you use the ip multicast helper-map broadcast command. This problem is resolved in Release 12.2(18)SXF. (CSCei33038)

ISIS fails to age LSP versions out of the ISIS local RIB. This situation leaves old routes with out-of-date metrics in the routing table. When a route fails, the old routes are used, which causes routing loops and ignores better alternate routes. This problem is resolved in Release 12.2(18)SXF. (CSCei58655)

You may see spurious traceback messages on a standby MSFC. These spurious traceback messages are caused by FIB interface entries that do not have corresponding interface entries. This problem is resolved in Release 12.2(18)SXF. (CSCsa97101)

An egress ACL that denies all UDP packets for a range of Layer 4 port numbers drops all multicast traffic if you apply it to an interface configured to support PIM. This problem is resolved in Release 12.2(18)SXF. (CSCsb06413)

An inbound ACL may cause WCCP redirection to fail with the loss of all redirected traffic. This problem is resolved in Release 12.2(18)SXF. (CSCsb26773)

The ip msdp filter-sa-request command incorrectly rejects standard ACLs, and displays this message:

This command only accepts named extended IP access-lists.

This problem is resolved in Release 12.2(18)SXF. (CSCsb29318)

After you delete a path on an LSP end router of a tunnel to a neighbor, the neighbor reloads. For this problem to occur, the following conditions must occur in this order:

If you enter the shutdown command followed by the no shutdown command on the tunnel headend, the tunnel headend sends a path by RSVP to a neighbor. This problem occurs when the Resv message is delayed.

There is only one path to the destination under this session.

At the neighbor, the cleanup timer expires for the path before the Resv message arrives.

The path is deleted in cleanup and the RSVP Reservation State Block (RSB) data structure is damaged.

This damaged data structure is accessed and the neighbor reloads.

This problem is resolved in Release 12.2(18)SXF. (CSCei16615)

The output of the show memory summary command is corrupt. This problem is resolved in Release 12.2(18)SXF. (CSCec21114)

A reload might occur when you enter the write memory command. This situation occurs on a system that has the snmp mib community-map command configured with a very long community string (40 characters) followed by an engine ID. The situation may also occur when the long community string is removed from the configuration. The situation does not occur when you enter the copy running-config startup-config EXEC command. This problem is resolved in Release 12.2(18)SXF. (CSCee83917)

In releases where caveat CSCef46191 is resolved, attempts to open a Telnet connection may result in a "No Free TTYs" message even though many TTYs are available. This problem occurs after simultaneous Telnet requests. This problem is resolved in Release 12.2(18)SXF. (CSCeg15044)

A reload might occur. To see this problem, you must configure at least 100 VRFs on two PEs and a point-to-point GRE tunnel for each VRF. This generates approximately 140 multicast routes per VRF. The bus error occurs when you delete all the tunnels and all the VRFs. This problem is resolved in Release 12.2(18)SXF. (CSCsb06233)

A Cisco device that is running IOS and is enabled for the Intermediate System-to-Intermediate System (IS-IS) routing protocol may reset with a SYS-2-WATCHDOG error from a specifically crafted malformed IS-IS packet. The IS-IS protocol is not enabled by default. A crafted malformed IS-IS packet that requires processing will not be forwarded across a Level 2 boundary. The specifically crafted malformed IS-IS packet would require local attachment to either a Level 1 or Level 2 router. A Cisco device receiving the malformed IS-IS packet will forward the malformed packet to its neighbors, and may reset.

Workaround: There is no workaround. Enabling IS-IS Authentication is seen as a best practice, and can be leveraged as a mitigation technique.

This problem is resolved in Release 12.2(18)SXF. (CSCeh61778)

The following traceback may be seen when an iBGP prefix changes to an aggregate route (either connected or BGP aggregate) without reinitializing the interface:

3d03h: %BGP-3-PER_VRF_AGGR: pervrfaggr label: invalid intag, intag=0 type=5 for vpn1:10.10.10.10/255.255.255.255

This message is informational, indicating that the Tag Forwarding Information Base (TFIB) is requesting a label, and may be ignored. This error message indicates that this TFIB request can be ignored because this is a per-vrf-aggr entry that will get assigned a per-vrf-aggr label. This problem is resolved in Release 12.2(18)SXF. (CSCeh85817)

With BGP configured, a reload can occur after a switchover. This problem is resolved in Release 12.2(18)SXF. (CSCsb69773)

A reload might occur when receiving a TACACS+ packet that has its header length set to zero. This problem is resolved in Release 12.2(18)SXF1. (CSCef77265)

An I/O memory corruption might occur and cause a reload when you use Telnet, reverse Telnet, rsh, or other vty-based applications (for example: a vty-based application used to access a service module). This problem is resolved in Release 12.2(18)SXF. (CSCeh47169)

Higher than normal CPU utilization might be experienced in the BGP I/O process if BGP neighbors go up and down and generate a high volume of BGP updates. This problem is resolved in Release 12.2(18)SXF. (CSCeg07274)

A Telnet, SSH, or console session might suspend operation when you enter the show policy-map command or the show class-map command, or while configuring various modular QoS features. This problem occurs when one terminal session leaves these commands at the More prompt. Other terminal sessions may suspend operation while configuring modular QoS features or executing other show policy-map or show class-map commands before the command in the original session has completed. This problem is resolved in Release 12.2(18)SXF. (CSCed71844)

After you configure an HSRP standby IP address on a VLAN interface and then remove the interface by entering the no interface vlan vlan_ID command, you cannot reuse the IP address. This problem is resolved in Release 12.2(18)SXF. (CSCee91509)

Network Address Translation (NAT) does not work with WCCP configured. This problem is resolved in Release 12.2(18)SXF. (CSCeb28941)

When you use an snmpget command for an interface index below .1.3.6.1.2.1.31.1.1.1.6, the system responds with the following information:

ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInOctets.12 : VARBIND EXCEPTION: No Such Instance.

However, an snmpwalk executes successfully for an interface index below .1.3.6.1.2.1.31.1.1.1.6. This problem is resolved in Release 12.2(18)SXF. (CSCef79968)

A CPUHOG message might display when the system is configured with 200 multicast groups and processing traffic from 2000 hosts. This problem does not affect performance. This problem is resolved in Release 12.2(18)SXF. (CSCdy64412)

The output counters in the show frame-relay pvc maplist command are not being updated. This problem is resolved in Release 12.2(18)SXF. (CSCec08821)

A Label Distribution Protocol (LDP) tunnel might continue to go up and down after an SSO switchover. This problem is resolved in Release 12.2(18)SXF. (CSCsb15156)

Several IPC-5-WATERMARK messages might be displayed when several IP communications (IPC) messages are displayed. This problem occurs when interfaces go up and down or route changes occur. This problem is resolved in Release 12.2(18)SXF. (CSCeh62781)

If an empty ACL is specified when configuring a bidirectional PIM rendezvous point, a catchall (*,G/m) (that is, *, 224/4) entry is not installed in the hardware FIB table, even though software will use the rendezvous point IP address for the entire multicast address range (that is, 224/4). This problem is resolved in Release 12.2(18)SXF. (CSCsb05822)

CPUHOG messages and tracebacks might occur on an OSPF Area Border Router (ABR) that is generating and removing a large number of Type 3 summary link-state advertisements (LSAs) because of routes going up and down. This problem is resolved in Release 12.2(18)SXF. (CSCsb36550)

FlexWAN Caveats in Release 12.2(18)SXF and Rebuilds

Open FlexWAN Caveats in Release 12.2(18)SXF10

None.

Resolved FlexWAN Caveats in Release 12.2(18)SXF10


Note: Caveats will be migrated to this section from the "Temporary List of Caveats Resolved in Release 12.2(18)SXF10" section as soon as possible.


Resolved FlexWAN Caveats in Release 12.2(18)SXF9

A bus error and a reload might occur while processing dNBAR traffic. This problem is resolved in Release 12.2(18)SXF9. (CSCsc93633)

Frame Relay (FR) traffic shaping with a child policy and hierarchical QoS configured does not work. Traffic does not respond to backward explicit congestion notifications (BECNs) or forward explicit congestion notifications (FECNs). This problem is resolved in Release 12.2(18)SXF9. (CSCsi01422)

CPUHOG messages and a reload because of a watchdog timeout might occur while processing heavy Frame Relay broadcast traffic. This problem is resolved in Release 12.2(18)SXF9. (CSCsa72748)

A reload might occur when receiving IPX traffic on a GRE tunnel interface while bringing up GRE tunnels. This problem occurs when the IPX traffic ingresses over an Enhanced FlexWAN module. This problem is resolved in Release 12.2(18)SXF9. (CSCsb44267)

An address error and a reload might occur in a topology with a multipoint GRE tunnel configured. This occurs when a T3 interface goes up and down when the CPU usage is 100 percent. This problem is resolved in Release 12.2(18)SXF9. (CSCsg47462)

Large or variable latency might occur in low-latency queuing traffic on a FlexWAN module E1 interface that is part of a channelized STM-1 link. This problem is resolved in Release 12.2(18)SXF9. (CSCsg92954)

Resolved FlexWAN Caveats in Release 12.2(18)SXF8

With fair queuing configured on a T1 serial interface port adapter in a FlexWAN module, the show interface command might display a large number of output drops when there are no errors and no QoS drops. This problem is resolved in Release 12.2(18)SXF8. (CSCsh31306)

With a PA-MC-STM1 port adapter, in some topologies the clock source line command does not work and is not saved in the configuration. This problem is resolved in Release 12.2(18)SXF8. (CSCef56327)

With a tunnel configured to use an ATM interface, one end of the tunnel cannot ping the other end until you bring either end of the tunnel interface down and up. This problem is resolved in Release 12.2(18)SXF8. (CSCse40423)

Frame Relay adaptive shaping might not shape traffic to the expected rate. This problem occurs when adaptive shaping is configured on an interface in the egress direction and 60-kpps backward explicit congestion notifications (BECNs) are received on the interface. This problem is resolved in Release 12.2(18)SXF8. (CSCsd56696)

A reload might occur when you use a script to configure 500 operation and maintenance (OAM) managed peer-to-peer (P2P) subinterfaces on an ATM port adapter. This problem is resolved in Release 12.2(18)SXF8. (CSCdy11156)

A 1-port E3 serial port adapter (PA-E3) that is configured with scramble enabled might report rxLOF and txRAI errors after the remote end of the link is reloaded. When this problem occurs, the link does not come up. This problem is resolved in Release 12.2(18)SXF8. (CSCsa91863)

Resolved FlexWAN Caveats in Release 12.2(18)SXF7

A reload might occur when you attach or remove service policies on virtual interfaces or when these virtual interfaces go up and down. This problem occurs for a configuration of 100 MLPPPoATM interfaces configured for distributed link fragmentation and interleaving (dLFI), compressed Real-Time Protocol (cRTP) and quality of service (QoS). This problem is resolved in Release 12.2(18)SXF7. (CSCsf11353)

A reload might occur when a serial interface of a neighbor is brought up. This problem occurs when some interfaces are configured for PIM but the interface connecting to the neighbor is not configured for PIM, and when the serial interface that is brought up on the neighbor is configured for PIM. This problem is resolved in Release 12.2(18)SXF7. (CSCuk57037)

An Operation, Administration, and Maintenance (OAM)-enabled ATM permanent virtual circuit (PVC) might remain down when an interface cable is quickly pulled out and plugged back in, or when you enter the shutdown command and then you enter the no shutdown command on the interface. This problem is resolved in Release 12.2(18)SXF7. (CSCea26450)

When you configure IP RTP header-compression (IPHC) on a system that is configured with distributed link fragmentation and interleaving over ATM (dLFIoATM), packets are dropped. This problem is resolved in Release 12.2(18)SXF7. (CSCse87618)

When you use the ATM pvc command to configure an ATM PVC, the PVC will not come up. This problem is resolved in Release 12.2(18)SXF7. (CSCsd19880)

Resolved FlexWAN Caveats in Release 12.2(18)SXF6

An ATM permanent virtual circuit (PVC) configured to support ATM operation, administration, and maintenance (OAM) might not pass traffic. This problem is resolved in Release 12.2(18)SXF6. (CSCei39688)

When you stop bit error rate testing (BERT) or if BERT exceeds the time interval, the BERT status shows that BERT is still running and can no longer be stopped. You also cannot restart BERT. This problem is resolved in Release 12.2(18)SXF6. (CSCek28561)

When QoS low latency queueing (LLQ) is configured, latency remains high for an ATM PVC that has a bandwidth higher than 14 Mbps. This problem is resolved in Release 12.2(18)SXF6. (CSCsc00993)

A reload might occur after displaying an ALIGN-1-FATAL message. This problem occurs after you modify a service policy on an ATM subinterface or a permanent virtual circuit (PVC). This problem is resolved in Release 12.2(18)SXF6. (CSCse02510)

IMA member link state on a PA-A3-8T1/8E1 port adapter might be down when the IMA group interface is up. When you enter the show ip interface brief command, the line protocol state of the member link is displayed. This problem is resolved in Release 12.2(18)SXF6. (CSCse64269)

When you configure routing protocols that use multicast packets for updating (for example, OSPF) on an ATM interface, pings might fail across the interface. This problem occurs when you enter the clear cef linecard command. This problem is resolved in Release 12.2(18)SXF6. (CSCeh32595)

Ping might fail on interfaces over a PA-MC-STM1 port adapter after you remove and reconfigure the PA-MC-STM1 controller. This problem is resolved in Release 12.2(18)SXF6. (CSCsc20064)

An address error and a reload might occur on a system configured with an Enhanced FlexWAN module. This problem occurs when you administratively bring down a serial interface on a PA-E3, and then bring it back up. This problem is resolved in Release 12.2(18)SXF6. (CSCse54611)

Resolved FlexWAN Caveats in Release 12.2(18)SXF5

A Frame Relay interface might change the encapsulation on Frame Relay (FR) frames from Internet Engineering Task Force (IETF) encapsulation to Cisco encapsulation under these conditions:

Network Address Translation (NAT) or a reflexive ACL is configured on a Frame Relay permanent virtual circuit (FR PVC).

There is ingress and egress TCP traffic.

In an FRF.8 environment, this change in the encapsulation causes end-to-end TCP sessions to fail because an intermediate device drops the Cisco-encapsulated Frame Relay frames. This problem is resolved in Release 12.2(18)SXF5. (CSCsd58552)

The alarm LED on the PA-MC-8TE1+ stays on even if all the ports on the PA are shut down. This problem is resolved in Release 12.2(18)SXF5. (CSCsd14307)

A bus error and a reload might occur when adding a shaper and policer under the same policy map, and then removing the policer and adding it back again. This problem occurs when POS switching modules are configured. This problem is resolved in Release 12.2(18)SXF5. (CSCsc26237)

All the Enhanced FlexWAN modules configured on a system might reload when one of the modules reloads. This problem is resolved in Release 12.2(18)SXF5. (CSCsc30268)

A FlexWAN module might reload when there are multilink bundles with Compressed Real-Time Protocol (cRTP) configured on them. This problem is resolved in Release 12.2(18)SXF5. (CSCsd34741)

The port ID advertised by Cisco Discovery Protocol (CDP) might not correspond to the value of the SNMP ifName object on some interface types. These interface types include PoS, portchannel, and FastEthernet subinterfaces. This problem is resolved in Release 12.2(18)SXF5. (CSCef78565)

The SNMP IF MIB object ifInOctets might have a negative value for a multilink PPP interface. This problem occurs after all of these actions have occurred:

The multilink interface goes up and down several times.

The member links go up and down several times.

A CPE router connected to the multilink interface reloads.

This problem is resolved in Release 12.2(18)SXF5. (CSCsc33562)

A FlexWAN module might reload when service policy maps are configured. This problem is resolved in Release 12.2(18)SXF5. (CSCsa68661)

Egress Simple Network Management Protocol (SNMP) counters do not update on PA-2FE or PA-1FE port adapter Fast Ethernet subinterfaces for distributed Cisco Express Forwarding (dCEF) traffic. This problem occurs when the ingress and egress interfaces are not on the same module. This problem is resolved in Release 12.2(18)SXF5. (CSCec87736)

Resolved FlexWAN Caveats in Release 12.2(18)SXF4

In a distributed link fragmentation and interleaving over ATM (dLFIoATM) configuration, packets ingressing on an ATM FlexWAN interface with ATM Cell Loss Priority (CLP) will not be decoded correctly. This situation requires the packets to be routed in software on the MSFC instead of being Layer 3 switched in hardware. This problem is resolved in Release 12.2(18)SXF4. (CSCsb97950)

FlexWAN modules might reload on a system that is configured with Modular QoS CLI (MQC). This problem occurs when the physical interface is in the UP state and the following conditions occur:

An input policy and output policy map are already attached to an ATM or Frame Relay PVC. When you attach the same policy map to the main interface, an error message is generated and the configuration is rejected.

You remove the policy map from the PVC and attach the same policy map to the main interface.

You remove the policy map from the main interface.

All FlexWAN modules will reload even though there is no traffic processing when these conditions occur. This problem is resolved in Release 12.2(18)SXF4. (CSCsb12969)

When you enter the fair-queue command for a FlexWAN interface, the command is not saved in the running configuration and is lost after a reload. This problem is resolved in Release 12.2(18)SXF4. (CSCee58986)

When a QoS policy map has more than one priority queue attached to more than one ATM VC or ATM LFI VC, traffic might stop flowing in the priority queues or a reload might occur. This problem is resolved in Release 12.2(18)SXF4. (CSCsd19203)

A link to an EIGRP neighbor established over an ATM IMA interface might fail because of an authentication failure even though EIGRP authentication is not configured. This problem is resolved in Release 12.2(18)SXF4. (CSCeg77104)

ATM OAM PVCs on a FlexWAN module or an Enhanced FlexWAN module might fail to transmit packets after a reload of the system or an OIR of the switching module. This situation occurs because the OAM packets are not processed and remain in the output queues. This problem occurs with a PA-A3-OC3 port adapter that is configured with a service policy. This problem is resolved in Release 12.2(18)SXF4. (CSCsd71119)

Resolved FlexWAN Caveats in Release 12.2(18)SXF3

A FlexWAN module reloads continuously if it has a service policy that is attached to a Frame Relay data-link connection identifier (DLCI), and the service policy has fair queueing configured. This problem occurs on a system configured with Frame Relay fragmentation. This problem is resolved in Release 12.2(18)SXF3. (CSCsc95511)

MAC addresses are not flushed when an associated permanent virtual circuit (PVC) goes down. This problem is resolved in Release 12.2(18)SXF3. (CSCsd01885)

Resolved FlexWAN Caveats in Release 12.2(18)SXF2

RIPv2 routes do not age out or flush in the routing table after you shut down an ATM interface. However, these routes correctly flush from the RIP database. This problem is resolved in Release 12.2(18)SXF2. (CSCeg12616)

With a PA-MC-8E1 port adapter, performance might be impaired if you configure Real-Time Protocol (RTP) Header compression on multilink PPP interfaces. This problem is resolved in Release 12.2(18)SXF2. (CSCeg47659)

ATM multipoint bridging might stop working when there is a mismatch in the FPD version of the Enhanced FlexWAN module ROMMON software. This problem is resolved in Release 12.2(18)SXF2. (CSCsb31368)

The PA-T3+ or PA-2T3+ port adapters do not always correctly delay the signalling of errors on a link. A system will go down when it receives two Alarm Indication Signal (AIS) bursts of less than one second each, separated by less than one second. This problem is resolved in Release 12.2(18)SXF2. (CSCsb27358)

With two FlexWAN ATM permanent virtual circuits (PVCs) configured, it might not be possible to send traffic at the contracted rate for both PVCs without packet drops occurring. This problem is resolved in Release 12.2(18)SXF2. (CSCec17185)

A system configured with a FlexWAN or an Enhanced FlexWAN module might experience memory allocation errors if it has a large QoS configuration. This problem is resolved in Release 12.2(18)SXF2. (CSCsb80590)

A memory leak occurs when a FlexWAN module equipped with an ATM PA-A3 port adapter is removed. If the module is reinstalled, the loss stops. Otherwise the system will eventually run out of memory and reload. This problem is resolved in Release 12.2(18)SXF2. (CSCsc44237)

In a redundant topology with SONET controllers present and configured with Multi-router automatic protection switching (APS), while protection is active, an SSO switchover might cause an inconsistent state for a packet-over-SONET (POS) APS interface. When you enter the show aps command, the status for the interface changes from inactive on the slave to interface down after the switchover. This problem is resolved in Release 12.2(18)SXF2. (CSCin46297)

When querying the cbQosCMStatsTable of the CISCO-CLASS-BASED-QOS-MIB, values returned for byte and bit rate statistics are always zero. The output of the show policy-map interface command indicates that these statistics are not zero. This problem occurs on FlexWAN, Enhanced FlexWAN and SPA port adapters. This problem is resolved in Release 12.2(18)SXF2. (CSCsc04015)

With Frame Relay local switching configured on a FlexWAN, an Enhanced FlexWAN, or a SIP interface, when the DLCI becomes inactive or active on one of the local-switching configured interfaces, a second local-switching configured interface might go up and down. This problem occurs when the WAN interface is configured as data terminal equipment (DTE). This problem is resolved in Release 12.2(18)SXF2. (CSCsc31921)

Some ATM PVCs that are marked for deletion might not be deleted. This problem is resolved in Release 12.2(18)SXF2. (CSCsc62474)

A reload occurs when configuring an ATM multipoint subinterface and an ATM PVC discovery is enabled on that subinterface. This problem occurs when you have already configured some ATM subinterfaces and you have already enabled ATM PVC discovery on these interfaces. This problem is resolved in Release 12.2(18)SXF2. (CSCsc49134)

An Enhanced FlexWAN module might reload with VRF, MLPPP, and QoS configured. This problem is resolved in Release 12.2(18)SXF2. (CSCsc98510)

A serial interface might remain configured in an MFR bundle link after the serial interface has been removed. This problem is resolved in Release 12.2(18)SXF2. (CSCsb67941)

ATM protocol data units (PDUs) might stop ingressing over a WS-X6582-2PA Enhanced FlexWAN module. All of the VCs configured on the ATM interface lose connectivity. This problem is resolved in Release 12.2(18)SXF2. (CSCsb85049)

Resolved FlexWAN Caveats in Release 12.2(18)SXF

Serial interfaces on a PA-MC-8TE1+ port adapter that are configured as part of a channel group continue to process packets when the interface is in the "admindown" state. The counters in the output of the show interfaces serial command might increment when the serial interface is shut down. This problem is resolved in Release 12.2(18)SXF. (CSCin78325)

In a nonredundant configuration with a single Supervisor Engine 2, the FlexWAN module interfaces do not appear in the SNMP ifTable. This problem is resolved in Release 12.2(18)SXF. (CSCec40868)

If you enter the ip verify unicast reverse-path interface configuration command on ATM subinterfaces, some ingress traffic is dropped. This problem is resolved in Release 12.2(18)SXF. (CSCdt51547)

With Link Fragmentation and Interleaving configured on a port adapter, the FlexWAN module might reload if link flaps occur while traffic is flowing. This problem is resolved in Release 12.2(18)SXF. (CSCin88026)

When high traffic levels go through the FlexWAN module interfaces that are configured for Quality of Service (QoS), a Route Processor Redundancy Plus (RPR+) switchover may cause the module to pause indefinitely. This problem is resolved in Release 12.2(18)SXF. (CSCeh84740)

When you attempt to bring up a multilink interface, the interface may go up and down continuously on one side. Also, when the master link of the Multilink PPP (MLP) bundle interface goes down, traffic may stop flowing through the multilink interface. This situation occurs on a system that has non-channelized serial port adapters, such as a 4-port enhanced serial port adapter (PA-4T+) or an 8-port serial port adapter (PA-8T), and that is configured for distributed MLP. This problem is resolved in Release 12.2(18)SXF. (CSCin44386)

When you enter the shut and no shut interface commands on an ATM subinterface, the state of an associated permanent virtual circuit (PVC) will be UP on an active supervisor engine and INAC on the standby supervisor engine. This problem exists with a large number of PVCs configured (for example, 500). This problem is resolved in Release 12.2(18)SXF. (CSCin79468)

Incorrect reassembly drops might occur on a dMLP ingress interface that has interleaving configured. This situation occurs on a PA-MC-STM-1 port adapter when more than two DS0 members are part of a dMLP bundle that is configured for interleaving. This problem is resolved in Release 12.2(18)SXF. (CSCin91163)

A FlexWAN module configured to support dMLFR may reload when you enter the microcode reload command in the global configuration mode. This problem is resolved in Release 12.2(18)SXF. (CSCin91381)

PPP packets are dropped while running software compression under heavy traffic. This problem is resolved in Release 12.2(18)SXF. (CSCsa47223)

When a serial link is removed from a multilink bundle by entering the no ppp multilink command in the serial link configuration, the link remains at the line protocol down state and does not recover. This problem is resolved in Release 12.2(18)SXF. (CSCei09755)

A FlexWAN module configured with a PA-MC-8TE1 port adapter detects loss of signal (LOS) after a reload, and then does not recover. This problem is resolved in Release 12.2(18)SXF. (CSCsb21867)

All low-priority traffic is dropped over a distributed Link Fragmentation and Interleaving over Frame Relay (dLFIoFR) link on a system that is configured with an Enhanced FlexWAN module. This situation occurs when all of the traffic is flowing at the full line rate and some low-priority traffic has to be fragmented. This problem is resolved in Release 12.2(18)SXF. (CSCsb25607)

The Class-Based Quality of Service Management Information Base (CBQoSMIB) MIB displays large random values for the class of service (CoS) monitoring MIBs such as the following objects in the cbQoSCMStatsTable table:

.1.3.6.1.4.1.9.9.166.1.15.1.1.3 = cbQosCMDropByte64
.1.3.6.1.4.1.9.9.166.1.15.1.1.6 = cbQosCMPrePolicyByte64
.1.3.6.1.4.1.9.9.166.1.15.1.1.10 = cbQosCMPostPolicyByte64
.1.3.6.1.4.1.9.9.166.1.15.1.1.14 = cbQosCMDropPkt64

This problem is resolved in Release 12.2(18)SXF. (CSCdv87113)

With serial FlexWAN interfaces configured, you might see these messages and be unable to make a Telnet connection:

%SYS-3-CPUHOG: Task is running for (4984)msec more than (2000) msec (12/1), process = Serial Background
Traceback= 402AA8DC 4029F00C 402AD7D0 419C81C0 41A25CF4 4002AE50

This problem is resolved in Release 12.2(18)SXF. (CSCeg04325)

In a multi-router automatic protection switching (APS) configuration with working routers and protect routers and traffic flowing through the active working router, if the working router is powered off, the protect becomes the active router and starts forwarding traffic with minimal packet loss. When the working router is reloaded, the protect router switches to the working router (before the working router's forwarding path is up), causing significant traffic loss. This problem is resolved in Release 12.2(18)SXF. (CSCsa93725)

When an MFR bundle goes down and up, all links associated with the bundle fail to recover line protocol. This problem occurs in a configuration that includes a PA-8T-V35 2 port adapter. The output of the show frame-relay multilink command displays port 0 as "HW state = up, link state = Add_sent" and never recovers. This problem is resolved in Release 12.2(18)SXF. (CSCsb48015)

With a WS-X6182-2PA FlexWAN module installed, you might see messages similar to these about spurious accesses from the FlexWAN module:

SLOT 4/0: May 27 08:24:49: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x60336D44 reading 0x44
SLOT 4/0: May 27 08:24:49: %ALIGN-3-TRACE: -Traceback= 60336D44 6021AFB0 6021C948 00000000 00000000 00000000 00000000 00000000

This problem is resolved in Release 12.2(18)SXF. (CSCsb09250)

After an OIR has been performed, the show cef linecard command might report an entry in the Forwarding Information Base (FIB) Table marked "table-disabled" for a FlexWAN module in slot 13. This problem is resolved in Release 12.2(18)SXF. (CSCsa70188)

On a system configured with an Enhanced FlexWAN module and a PA-2CT3 port adapter, if the traffic rate becomes high enough to induce input overrun errors, the input rate degrades by approximately 50 percent. This problem is resolved in Release 12.2(18)SXF. (CSCei51155)

A reload might occur during heavy traffic over FlexWAN channelized port adapters and the port adapters go up and down. This problem occurs when the port adapters are configured with MFR. This problem is resolved in Release 12.2(18)SXF. (CSCeh34067)

When you load or unload a packet description language module (PDLM), the port map configuration is removed from the running configuration. This problem is resolved in Release 12.2(18)SXF. (CSCea65031)

If traffic shaping is configured, and then the data-link connection identifier (DLCI) for a Frame Relay permanent virtual circuit (PVC) is modified, traffic-shaping tracebacks are displayed. This problem occurs when the Frame Relay local management interface (LMI) feature is enabled. This problem occurs only when the DLCI for the Frame Relay PVC is modified with a single configuration command. This does not occur when an installed DLCI is unconfigured and a new DLCI is configured. This problem is resolved in Release 12.2(18)SXF. (CSCeh17470)

On an Enhanced FlexWAN module configured with a PA-MC-T3+ and PA-MC-2T3+ port adapter, traffic flow might be interrupted for 1 microsecond, followed by a display of this message:

%HYPERION-4-HYP_RESET: Hyperion Error Interrupt. Resetting ASIC.

This problem is resolved in Release 12.2(18)SXF. (CSCsb07696)

When NetFlow switching and AAA network security services are configured on a Supervisor Engine 720, memory fragmentation may occur in the I/O memory pool of the FlexWAN module. This problem is resolved in Release 12.2(18)SXF. (CSCsa70104)

OSPF hello packets may not be received by an Enhanced FlexWAN Fast Ethernet port adapter interface after a peer's interface has gone up and down. This situation occurs because the OSPF MAC entry is deleted during the link up and down event. This problem is resolved in Release 12.2(18)SXF. (CSCsb65340)

If IEEE 802.1q encapsulation is configured on FlexWAN Ethernet interfaces, routes might not propagate. If this situation occurs, when you enter the show interface command for these interfaces, giant packets are shown to have been received on these interfaces. This problem is resolved in Release 12.2(18)SXF. (CSCsb54233)

A reload might occur on a system configured with a FlexWAN module with a channelized T1/E1 port adapter installed. This problem occurs after 5 or 6 hours of bidirectional voice over IP (VoIP) traffic through a multiple link point-to-point protocol (MLPPP) bundle link. A buffer leak eventually causes a memory allocation error to occur. This problem is resolved in Release 12.2(18)SXF. (CSCei86192)

When IP RTP header-compression (IPHC) is configured on an interface on bay 1 of a FlexWAN or an Enhanced FlexWAN module, the IPHC counters do not update. This problem is resolved in Release 12.2(18)SXF. (CSCeh97017)

With Bridge Control Protocol (BCP) configured on a FlexWAN interface, the interface does not become part of STP after an OIR removal and reinsertion. This problem is resolved in Release 12.2(18)SXF. (CSCei02695)

The FIB table might become disabled or the output interface may stop processing on an A3 ATM port adapter when six subinterfaces with six virtual templates are configured. The problem occurs in a distributed link fragmentation and interleaving over ATM (dLFIoATM) configuration.

Workaround: Reload the microcode or perform an OIR to recover the A3 ATM port adapter.

This problem is resolved in Release 12.2(18)SXF. (CSCei08458)

An SVI for a VLAN carrying 1483 or 1490 multipoint bridging (MPB) traffic fails to forward multicast packets over a link in the VLAN. This problem occurs when the SVI is associated with a port adapter on a FlexWAN module. This problem is resolved in Release 12.2(18)SXF. (CSCei16701)

Packets generated on a system might not be classified on a FlexWAN, Enhanced FlexWAN or SPA for dMLP or dMLFR interfaces. This problem is resolved in Release 12.2(18)SXF. (CSCsa56959)

An ATM interface on a FlexWAN or an Enhanced FlexWAN port adapter stops transmitting when you add or remove a QoS service policy on the interface. This problem is resolved in Release 12.2(18)SXF. (CSCsb01188)

You might see CWAN_RP-3-SEMAHOG messages and tracebacks or CMDTIMEOUT messages and tracebacks. This problem is resolved in Release 12.2(18)SXF. (CSCin54713)

When you use the show controller command to display the serial interface counters, they may stop incrementing for the input and output rate and the input and output packet counts. This problem occurs on a system configured with a PA-MC-E3 or a PA-MC-8E1 port adapter. The problem does not affect traffic flow. This problem is resolved in Release 12.2(18)SXF. (CSCsa46643)

A response time reporter (RTR) probe does not report input or output packets for serial interfaces of PA-MC-8T1, PA-MC-8E1/120, and PA-MC-8TE1+ port adapters. This problem is resolved in Release 12.2(18)SXF. (CSCee82681)

If you perform an OIR on a PA-MC-STM-1 port adapter that is configured to support automatic protection switching (APS), a CBUS-3-CCBCMDFAIL1 message might display. This problem is resolved in Release 12.2(18)SXF. (CSCeg06570)

Egress control plane traffic might get dropped for a distributed Multilink PPP (dMLP) or a distributed multilink Frame Relay (dMFR) interface. This problem occurs only when the multilink interface is oversubscribed. PPP control packets are processed differently and never dropped.

Workarounds:

Reduce the traffic rate.

Apply some type of queueing mechanism on the interface.

This problem is resolved in Release 12.2(18)SXF. (CSCin96524)

Ping fails when you remove a member link from MLP, and then reconfigure the link. This problem occurs when invalid shim header messages are displayed:

Serial2/1/3/27:13 packet droped: Invalid Shim Header
Serial2/1/3/27:13 packet droped: Invalid Shim Header

This problem is resolved in Release 12.2(18)SXF. (CSCei06406)

Service Module Caveats in Release 12.2(18)SXF

Open Service Module Caveats in Release 12.2(18)SXF10

None.

Resolved Service Module Caveats in Release 12.2(18)SXF10


Note: Caveats will be migrated to this section from the "Temporary List of Caveats Resolved in Release 12.2(18)SXF10" section as soon as possible.


Resolved Service Module Caveats in Release 12.2(18)SXF9

None.

Resolved Service Module Caveats in Release 12.2(18)SXF8

When you install a new CSM module, a reload might occur during configuration synchronization. This problem is resolved in Release 12.2(18)SXF8. (CSCsg01366)

Resolved Service Module Caveats in Release 12.2(18)SXF7

A CPUHOG message and a reload might occur when a CSG refund policy has more than 10 entries. This problem is resolved in Release 12.2(18)SXF7. (CSCej78221)

Resolved Service Module Caveats in Release 12.2(18)SXF6

An SNMP walk does not find Content Services Gateway (CSG) user information for a CSG module installed in slot 1. If you add a second user group and an accounting service to a configuration in prepaid mode, the CSG cannot retrieve the MIB quota server statistics properly either with a manual MIB walk or with SNMP messaging for a CSG module installed in slot 1. This situation occurs with all the quota servers that are configured on both of the configured user groups. This problem is resolved in Release 12.2(18)SXF6. (CSCsa95306)

When you use the retcode imap rc-start rc-end command to configure Content Services Gateway (CSG) refunding, and then you enter a command to write the startup-config and the running-config files, the retcode rc-start rc-end command is saved in the startup-config and the running-config files. This configuration can only be removed with the no retcode imap rc-start rc-end command. You cannot delete it with the no retcode rc-start rc-end command. You cannot overwrite the configuration with a new retcode command for imap. After a reload, the whole configuration is missing in the running-config file, and refunding is not configured for IMAP. This problem is resolved in Release 12.2(18)SXF6. (CSCse69748)

A configuration synchronization check for active and standby CSMs might fail for configurations that contain the following subcommands: script, ARP, variable, match, failaction, NAT client, probe, domain, and url-hash. When you use these subcommands and then you change configurations only in the active or the standby CSM, the module might incorrectly display synchronized configurations as being out of synchronization, and display configurations that are out of synchronization as being synchronized. This problem is resolved in Release 12.2(18)SXF6. (CSCek22782)

Resolved Service Module Caveats in Release 12.2(18)SXF5

Cisco Catalyst 6000, 6500 series and Cisco 7600 series that have a Network Analysis Module installed are vulnerable to an attack, which could allow an attacker to gain complete control of the system. Only Cisco Catalyst systems that have a NAM on them are affected. This vulnerability affects systems that run Cisco IOS or Catalyst Operating System (CatOS).

Cisco has made free software available to address this vulnerability for affected customers.

A Cisco Security Advisory for this vulnerability is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070228-nam.shtml

This problem is resolved in Release 12.2(18)SXF5. (CSCsd75273, CSCse52951)

When Unicast Flood Protection (UFP) is enabled, CSM redundancy between devices will periodically transition without any connectivity loss between the devices. This problem is resolved in Release 12.2(18)SXF5. (CSCsc51357)

Unnecessary reloads of a CSM might occur under heavy traffic when the CSM does not respond to ICP keepalive messages. ICP keepalives are sent every two seconds, and the CSM is reloaded if it does not respond to three ICP messages. The fix is to reload the CSM if it does not respond to six ICP messages.

Workaround: No workaround. ICP keepalives are not configurable.

This problem is resolved in Release 12.2(18)SXF5. (CSCek28863)

A configuration synchronization on a CSM might fail and print a time-out message. This problem occurs when the CSM is processing slow path traffic. This problem is resolved in Release 12.2(18)SXF5. (CSCse54041)

Resolved Service Module Caveats in Release 12.2(18)SXF4

None.

Resolved Service Module Caveats in Release 12.2(18)SXF3

None.

Resolved Service Module Caveats in Release 12.2(18)SXF2

A reload might occur when you enter the clear counters command. This problem occurs if the system is configured with a CSM module that has gone down, and a Remote Procedure Call (RPC) from the supervisor engine has timed out. This problem is resolved in Release 12.2(18)SXF2. (CSCsb79031)

After a reload, URL match statements are missing from the CSG configuration. This problem occurs when you enter the ip csg map map-name url command. This problem is resolved in Release 12.2(18)SXF2. (CSCsb66799)

The sticky database is corrupted if you use the same cookie name when you change the CSM sticky cookie insert configuration, for a virtual server, from dynamic cookie to cookie insert. A corrupted sticky database only partially displays when you enter the show module csm slot sticky [groups | client ip_address] command, and session persistency cannot continue. To correct this problem, all configurations related to the sticky group must be removed and the CSM must be rebooted. This problem is resolved in Release 12.2(18)SXF2. (CSCsc05838)

A high CPU load might cause the IP Communications (IPC) ports on the MSFC to fail to open. This situation prevents communication between the Cisco Express Forwarding (CEF) and a service module. A FIBDISABLE error message is displayed. This problem is resolved in Release 12.2(18)SXF2. (CSCsb44220)

With redundant CSMs, the CSM with the largest priority value is the primary CSM in the fault-tolerant pair when the modules are both operating. That priority is based on whether certain CSM interfaces are available. The availability of those interfaces is monitored through a process called interface tracking. In some cases, the hardware interface descriptor block (HWIDB) is not updated. This situation causes the priority value of a CSM to not be adjusted even when a tracked interface goes down. This problem occurs when a link associated with that interface goes up and down several times very quickly. This problem is resolved in Release 12.2(18)SXF2. (CSCsb43860)

Resolved Service Module Caveats in Release 12.2(18)SXF

The show module csm slot sticky command corrupts the display of the real server IP address. This problem is resolved in Release 12.2(18)SXF. (CSCsa77410)

Caveats in Release 12.2(17d)SXB Rebuilds

General Caveats in Release 12.2(17d)SXB Rebuilds

Open General Caveats in Release 12.2(17d)SXB11a

When you boot an image that supports Secure Shell (SSH), you can ignore these messages:

No serial number found

(CSCeb55044)

Resolved General Caveats in Release 12.2(17d)SXB11a

None.

Resolved General Caveats in Release 12.2(17d)SXB11

Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability.

This vulnerability was discovered during internal testing. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

This problem is resolved in Release 12.2(17d)SXB11. (CSCec71950)

Symptoms: A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

Conditions: This DDTS resolves a symptom of CSCec71950. Cisco IOS versions with this specific DDTS are not at risk of a crash if CSCec71950 has been resolved in the software.

Workaround: Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

This problem is resolved in Release 12.2(17d)SXB11. (CSCek26492)
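
The exposure condition in the two caveats above is an IP header that carries options on an ICMP, PIMv2, PGM, or URD packet. As an added example (not from Cisco's release notes or advisory), the following parser triages captured IPv4 packets for that condition and walks the option list defensively. The function names, the sample packets, and the use of TCP port 465 to recognise URD are assumptions.

```python
import struct

ICMP, TCP, PIM, PGM = 1, 6, 103, 113   # IANA protocol numbers
URD_TCP_PORT = 465                     # assumption: IANA "urd" port, not stated on this page


def walk_options(opts):
    """Walk the IPv4 options area. Returns ([(type, length), ...], error_or_None)."""
    found, i = [], 0
    while i < len(opts):
        otype = opts[i]
        if otype == 0:                 # End of Option List: single byte, stop
            found.append((0, 1))
            break
        if otype == 1:                 # No Operation: single byte
            found.append((1, 1))
            i += 1
            continue
        if i + 1 >= len(opts):
            return found, "option type %d has no length byte" % otype
        olen = opts[i + 1]             # length counts the type and length bytes
        if olen < 2 or i + olen > len(opts):
            return found, "option type %d has bad length %d" % (otype, olen)
        found.append((otype, olen))
        i += olen
    return found, None


def affected_protocol(proto, payload):
    """Name the protocol if it is one of the four listed in the caveat."""
    if proto == ICMP:
        return "ICMP"
    if proto == PGM:
        return "PGM"
    if proto == PIM and payload and payload[0] >> 4 == 2:
        return "PIMv2"
    if proto == TCP and len(payload) >= 4:
        (dport,) = struct.unpack("!H", payload[2:4])
        if dport == URD_TCP_PORT:
            return "URD"
    return None


def triage(packet):
    """Return a finding for an in-scope packet that carries IP options, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    hlen = (packet[0] & 0x0F) * 4
    if hlen <= 20 or hlen > len(packet):
        return None                    # no options present, or header truncated
    name = affected_protocol(packet[9], packet[hlen:])
    if name is None:
        return None
    options, error = walk_options(packet[20:hlen])
    return {"protocol": name, "options": options, "malformed": error}


def build(proto, options=b"", payload=b""):
    """Constructed sample packet (checksum left at zero, documentation addresses)."""
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + options + payload


# Constructed, generic samples; none reproduces the option from the advisory.
ROUTER_ALERT = b"\x94\x04\x00\x00"     # type 148, length 4
NOP_PADDING = b"\x01\x01\x01\x00"      # three NOPs and End of Option List
OVERLONG = b"\x07\x28\x04\x00"         # length byte runs past the header
URD_SEGMENT = struct.pack("!HH", 40000, URD_TCP_PORT) + bytes(16)
WEB_SEGMENT = struct.pack("!HH", 40000, 80) + bytes(16)

if __name__ == "__main__":
    for pkt in (build(ICMP, ROUTER_ALERT, b"\x08\x00\x00\x00"),
                build(PIM, NOP_PADDING, b"\x20\x00\x00\x00"),
                build(TCP, OVERLONG, URD_SEGMENT),
                build(TCP, ROUTER_ALERT, WEB_SEGMENT)):
        print(triage(pkt))
```
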

Passwords and other sensitive information should not be sent to Access Control Server (ACS) logs. When command accounting is enabled, the full text of each command is sent to an ACS server. This information is sent to the server encrypted, but the server decrypts the packets and logs these commands in plain text. This problem is resolved in Release 12.2(17d)SXB11. (CSCed09685)

Resolved General Caveats in Release 12.2(17d)SXB10

Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.

Cisco has made free software available that includes the additional integrity checks for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.

This problem is resolved in Release 12.2(17d)SXB10. (CSCei61732)

Through normal software maintenance processes, Cisco is removing deprecated functionality. These changes have no impact on system operation or feature availability. These changes are implemented in Release 12.2(17d)SXB10. (CSCei76358)

Resolved General Caveats in Release 12.2(17d)SXB9

Symptoms: A vulnerability exists within the Cisco IOS Authentication, Authorization, and Accounting (AAA) command authorization feature, where command authorization checks are not performed on commands executed from the Tool Command Language (TCL) exec shell. This may allow authenticated users to bypass command authorization checks in some configurations resulting in unauthorized privilege escalation.

Conditions: Devices that are not running the AAA command authorization feature, or that do not support TCL functionality, are not affected by this vulnerability.

This vulnerability is present in all versions of Cisco IOS that support the tclsh command.

Workaround: This advisory with appropriate workarounds is posted at

http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml

This problem is resolved in Release 12.2(17d)SXB9. (CSCeh73049)

In IP packets with the IP options field populated, the IP type of service (ToS) byte might be truncated to a 3-bit long field. This problem deletes 3 bits of the 6-bit DSCP value and causes incorrect QoS operation. This problem is resolved in Release 12.2(17d)SXB9. (CSCed93264)

Receipt of a Border Gateway Protocol (BGP) Autonomous System (AS) path with a length that is equal to or greater than 255 might reset the BGP session. This problem is resolved in Release 12.2(17d)SXB9. (CSCeh13489)

Following a high availability switchover or a reload of the designated router, you can ignore these messages:

vrrp: IP address ip_address is already in a group
vrrp: Cannot set IP address for this group

This problem is resolved in Release 12.2(17d)SXB9. (CSCeb14745)

PA-MC-8TE1+ port adapters fail to check and drop invalid packets with a datagram size of one byte. This problem is resolved in Release 12.2(17d)SXB9. (CSCin78324)

An update in a bidirectional rendezvous point (Bidir RP) cache during a designated forwarder (DF) election might result in an erroneous path cost. This problem is resolved in Release 12.2(17d)SXB9. (CSCeh95160)

When you enter the interface loopback command to create a new virtual interface or when you enter the tag-switching command, the Network Time Protocol (NTP) configuration might be altered to use an invalid source interface. This problem is resolved in Release 12.2(17d)SXB9. (CSCdx86562)

The logging snmp-authfail command is enabled by default. This problem is resolved in Release 12.2(17d)SXB9. (CSCeb71693)

Resolved General Caveats in Release 12.2(17d)SXB8

If you configure multiple IP service level agreement (SLA) jitter probes to send packets to the same destination IP address and port number, and you turn the responder router off and back on, the probes show traffic loss (displayed as the packetMIA value) that is equal to the probe's number of packets minus one. This problem is resolved in Release 12.2(17d)SXB8. (CSCeg64124)

On an MSFC3, the show version command might display an incorrect cause for a reload. This problem is resolved in Release 12.2(17d)SXB8. (CSCeg55846)

Modifying the configuration of statically configured bidirectional PIM rendezvous points (RPs) can cause very high CPU utilization. This problem is resolved in Release 12.2(17d)SXB8. (CSCef36367)

Resolved General Caveats in Release 12.2(17d)SXB7

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages.

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks.

3. Attacks that use ICMP "source quench" messages.

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.

This problem is resolved in Release 12.2(17d)SXB7. (CSCef60659, CSCef44225, CSCsa59600, CSCef44699, CSCef61610)

When there is a unicast routing loop and when a static multicast route has been configured, a Reverse Path Forwarding (RPF) lookup might cause a reload because of a stack overflow. This problem is resolved in Release 12.2(17d)SXB7. (CSCeb51147)

A reload might occur if you perform Simple Network Management Protocol (SNMP) get operations on Open Shortest Path First (OSPF) MIBs. This problem is resolved in Release 12.2(17d)SXB7. (CSCeb40561)

A reload might occur when Optimized Edge Routing (OER) and BGP dampening are both configured and OER injects a route that does not exist in the routing information base (RIB). This problem is resolved in Release 12.2(17d)SXB7. (CSCed63876)

The inner time-to-live (TTL) field is not decremented properly in tunneled traffic. This problem is resolved in Release 12.2(17d)SXB7. (CSCee30816)

In rare situations, with a mix of Link State Advertisements (LSAs) that travel throughout the Autonomous System (Types 5 and 11) and LSAs that travel within a particular open shortest path first (OSPF) area (Types 1, 2, 3, 4, 6, 7, 9 and 10), a reload might occur. This problem is resolved in Release 12.2(17d)SXB7. (CSCef93215)

With TCP header compression configured, the TCP packet length is incorrect after decompression. This problem is resolved in Release 12.2(17d)SXB7. (CSCeg08344)

With OSPF configured, a reload might occur if you simultaneously deconfigure OSPF in one administrative session and configure it in another administrative session. This problem is resolved in Release 12.2(17d)SXB7. (CSCeg19442)

Resolved General Caveats in Release 12.2(17d)SXB6

A reload might occur if one process is writing to NVRAM and another process is reading from NVRAM and the read fails. This problem is resolved in Release 12.2(17d)SXB6. (CSCec63011)

Traffic loss might occur if you configure a loopback interface with an IP address that is already in use elsewhere in the network and there are multiple paths to the prefix. This problem is resolved in Release 12.2(17d)SXB6. (CSCee85152)

Boot failure might occur when there are more than 256 different policy maps attached as service policies. This problem is resolved in Release 12.2(17d)SXB6. (CSCee24349)

Over an SSHv2 connection, the output from a command that displays many lines of text pauses until you press a key. This problem is resolved in Release 12.2(17d)SXB6. (CSCef61978)

Unicast routing updates might not be sent to RIP static neighbors. This problem is resolved in Release 12.2(17d)SXB6. (CSCed63342)

In a PE configuration, you might see "TOOBIG" messages and a traceback. This problem is resolved in Release 12.2(17d)SXB6. (CSCee95708)

When a Layer 3 VLAN interface is configured as an OSPF nonbroadcast network and a polling interval is configured for every OSPF neighbor, unnecessary ARPs are sent. This problem is resolved in Release 12.2(17d)SXB6. (CSCed26217)

Resolved General Caveats in Release 12.2(17d)SXB5

Cisco Catalyst 6500 series systems that are running certain versions of Cisco IOS are vulnerable to an attack from a Multiprotocol Label Switching (MPLS) packet. Only systems that are running in Hybrid Mode (Catalyst OS (CatOS) software on the Supervisor Engine and Cisco IOS software on the Multilayer Switch Feature Card (MSFC)) or running with Cisco IOS Software Modularity are affected.

MPLS packets can only be sent from the local network segment.

A Cisco Security Advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070228-mpls.shtml.

This problem is resolved in Release 12.2(17d)SXB5. (CSCef90002)

Cisco Internetwork Operating System (IOS) Software release trains 12.2T, 12.3 and 12.3T may contain vulnerabilities in processing certain Internet Key Exchange (IKE) Xauth messages when configured to be an Easy VPN Server.

Successful exploitation of these vulnerabilities may permit an unauthorized user to complete authentication and potentially access network resources.

This advisory will be posted to http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml

This problem is resolved in Release 12.2(17d)SXB5. (CSCin82407)

A Cisco device running Cisco IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. Only devices with the command `bgp log-neighbor-changes' configured are vulnerable. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet.

If a malformed packet is received and queued up on the interface, this bug may also be triggered by other means which are not considered remotely exploitable such as the use of the command `show ip bgp neighbors' or running the command `debug ip bgp <neighbor> updates' for a configured bgp neighbor.

Cisco has made free software available to address this problem.

For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml

This problem is resolved in Release 12.2(17d)SXB5. (CSCee67450)

With Open Shortest Path First (OSPF) configured, but with the limit retransmissions non-dc disable configuration command not configured, retransmission counters might not be reset when a neighbor is terminated. This problem is resolved in Release 12.2(17d)SXB5. (CSCec29953)

In rare situations, intensive SNMP polling might use all available I/O memory. This problem is resolved in Release 12.2(17d)SXB5. (CSCeg11566)

In a redundant configuration, the running-config file might not be synchronized between the designated router (DR) and the nondesignated router (NDR). This problem is resolved in Release 12.2(17d)SXB5. (CSCef37026)

With a default route configured, a reload might occur if you enter the clear ip route * command. This problem is resolved in Release 12.2(17d)SXB5. (CSCee35125)

With OSPF configured between a PE router and a CE router, when there is an import map configured on the PE router, there are no routes from the CE router in the BGP route table. This problem is resolved in Release 12.2(17d)SXB5. (CSCed81317)

There is no response to SNMP requests and memory use increases until tracebacks occur. This problem is resolved in Release 12.2(17d)SXB5. (CSCed52841)

If a BGP peer group member establishes itself more slowly than other peer group members and becomes active while other members of the peer group are already converging, the recently established peer group member might not advertise routes that were sent to the other members. This problem is resolved in Release 12.2(17d)SXB5. (CSCea64725)

Resolved General Caveats in Release 12.2(17d)SXB4

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages.

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks.

3. Attacks that use ICMP "source quench" messages.

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.

This problem is resolved in Release 12.2(17d)SXB4. (CSCed78149)
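
The three message classes listed in this entry, and in the identical entry under Release 12.2(17d)SXB7, correspond to specific ICMP type and code values. As an added example (not from Cisco's release notes or advisory), the following code classifies a received ICMP error and goes beyond the page by applying the TCP sequence-number check described in RFC 5927, the published form of the cited draft. The connection table, addresses, and function names are assumptions constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

DEST_UNREACH, SOURCE_QUENCH = 3, 4   # ICMP types (RFC 792)
HARD_ERROR_CODES = {2, 3}            # protocol unreachable, port unreachable
FRAG_NEEDED_DF_SET = 4               # type 3 code 4, the PMTUD message


def parse_icmp_error(packet):
    """Return the fields of an ICMP error that quotes a TCP segment, else None.
    Checksums are not verified here."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    (mtu,) = struct.unpack("!H", packet[ihl + 6:ihl + 8])
    inner = packet[ihl + 8:]         # quoted IP header plus first 8 payload bytes
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner_ihl < 20 or inner[9] != 6 or len(inner) < inner_ihl + 8:
        return None
    sport, dport, seq = struct.unpack("!HHI", inner[inner_ihl:inner_ihl + 8])
    conn = (str(IPv4Address(inner[12:16])), sport,
            str(IPv4Address(inner[16:20])), dport)
    return {"type": icmp_type, "code": icmp_code, "mtu": mtu,
            "conn": conn, "seq": seq}


def classify(icmp_type, icmp_code):
    """Map type and code onto the three classes named in the caveat."""
    if icmp_type == SOURCE_QUENCH:
        return "source-quench"
    if icmp_type == DEST_UNREACH and icmp_code == FRAG_NEEDED_DF_SET:
        return "pmtud"
    if icmp_type == DEST_UNREACH and icmp_code in HARD_ERROR_CODES:
        return "hard-error"
    return "other"


def seq_in_flight(seq, snd_una, snd_nxt):
    """True if seq lies in [snd_una, snd_nxt), with 32-bit wraparound."""
    return (seq - snd_una) % 2**32 < (snd_nxt - snd_una) % 2**32


def assess(packet, connections):
    """Return (class, verdict) for one received packet.
    connections maps (local_ip, local_port, remote_ip, remote_port)
    to (snd_una, snd_nxt) for TCP sessions terminating on this device."""
    err = parse_icmp_error(packet)
    if err is None:
        return ("unparsed", "ignore")
    category = classify(err["type"], err["code"])
    state = connections.get(err["conn"])
    if state is None:
        return (category, "no-matching-connection")
    if not seq_in_flight(err["seq"], *state):
        return (category, "sequence-not-in-flight")
    return (category, "plausible")


def build_sample(icmp_type, icmp_code, seq, mtu=0):
    """Constructed ICMP error quoting a segment of the sample session below."""
    def ip_header(src, dst, proto, total_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto,
                           0, IPv4Address(src).packed, IPv4Address(dst).packed)
    quoted = ip_header("192.0.2.1", "198.51.100.7", 6, 40)
    quoted += struct.pack("!HHI", 49152, 179, seq)
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, mtu) + quoted
    return ip_header("203.0.113.9", "192.0.2.1", 1, 20 + len(icmp)) + icmp


# Constructed state: one session from this device to a peer on TCP port 179.
CONNECTIONS = {("192.0.2.1", 49152, "198.51.100.7", 179): (1000, 3000)}

if __name__ == "__main__":
    for args in ((3, 3, 1500), (3, 4, 999999, 68), (4, 0, 1500)):
        print(args, assess(build_sample(*args), CONNECTIONS))
```

A message that quotes a sequence number outside the unacknowledged range cannot refer to data the device currently has in flight, so a log pipeline can count such messages separately from plausible ones.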

Resolved General Caveats in Release 12.2(17d)SXB3

PIM does not remove interfaces from the (S,G) output interface list when it receives a (*,G) prune message if the interfaces were added to the (S,G) output interface list because of a (*,G) join message. This problem is resolved in Release 12.2(17d)SXB3. (CSCee04368)

Occasionally, CEF mistakes the state of an active interface and does not forward traffic to what it sees as an inactive interface. This problem is resolved in Release 12.2(17d)SXB3. (CSCdt38401)

Resolved General Caveats in Release 12.2(17d)SXB2

In a multicast virtual private network (MVPN) environment with a provider edge (PE) router configuration and with the ip pim register-rate-limit global configuration command enabled, PIM register messages might not be sent for the default multicast distribution tree (MDT) to its rendezvous point (RP). This situation prevents PE routers from establishing PIM adjacencies with other PE routers in the MVPN. This problem is resolved in Release 12.2(17d)SXB2. (CSCea59359)

A sparse mode multicast router in static rendezvous point (RP) mode configured without the override keyword changes from static RP mode to bidirectional mode if it receives an "AutoRP" message advertising multicast groups in bidirectional mode. This problem is resolved in Release 12.2(17d)SXB2. (CSCea86164)

Traffic flow might be interrupted because of unserviced interrupts, as indicated by these messages:

%MISTRAL-3-RESET: Resetting Mistral due to excessive unserviced interrupts
%MISTRAL-3-INFO2: Interrupt Hi reg=0x00000001(0x00000001)
%MISTRAL-3-INFO2: Interrupt Lo reg=0x00000000(0x00000000)

This problem is resolved in Release 12.2(17d)SXB2. (CSCee72193)

An OSPF designated router does not generate a network link-state advertisement (LSA) for a broadcast network when another interface on the designated router has an administratively shutdown interface with a duplicate address configured with the OSPF passive-interface command. This problem is resolved in Release 12.2(17d)SXB2. (CSCea35186)

If you enter the mls ip multicast stub command on a VLAN interface that is configured with a secondary IP address, the RACL that is automatically loaded into the TCAM on the PFC does not contain a permit statement for the secondary IP address. This problem is resolved in Release 12.2(17d)SXB2. (CSCee88700)

The time-to-live value (TTL value) might not be decremented correctly in tunnel traffic. This problem is resolved in Release 12.2(17d)SXB2. (CSCea77189)

With bidirectional PIM configured, when the designated forwarder (DF) fails and the nondesignated forwarder takes over, "pim cpuhog" messages are seen on the nondesignated forwarder. This problem is resolved in Release 12.2(17d)SXB2. (CSCea49566)

When you enter an snmpwalk command on a loopback interface, there are no results. This problem is resolved in Release 12.2(17d)SXB2. (CSCdz27562)

When the maximum-paths eibgp command or maximum-paths ibgp command is configured, the withdraw message of a multipath (not bestpath) from a BGP neighbor deletes the path from the BGP table but it does not uninstall the route from the IP routing table. This problem is resolved in Release 12.2(17d)SXB2. (CSCed60800)

Following a reload, an OSPF designated router (DR) might fail to regenerate the network link-state advertisement (LSA) when there is a shutdown interface with the same interface address in the OSPF area. This problem is resolved in Release 12.2(17d)SXB2. (CSCee36721)

If you enter a shutdown command on a VLAN interface where you have disabled the spanning tree protocol with the bridge-group group_id spanning-disabled interface command, the spanning tree protocol is enabled after you enter a no shutdown command. This problem is resolved in Release 12.2(17d)SXB2. (CSCec84887)

TCP FIN and RST packets might be dropped, which causes a 3- to 4-second delay in retrieving web content, if a hardware-switched TCP connection carrying more than 1,000 packets per second is load balanced through Cisco IOS Firewall Load Balancing. This problem is resolved in Release 12.2(17d)SXB2. (CSCed38956)

When buffer allocation failures occur while free I/O memory is low, Protocol Independent Multicast (PIM) join messages might not be sent. This problem is resolved in Release 12.2(17d)SXB2. (CSCec40377)

A reload might follow receipt of a corrupt CPD packet. This problem is resolved in Release 12.2(17d)SXB2. (CSCec25430)

A reload might occur when you enter a show command that is related to IP multicast if the "more" prompt has been displayed for a long period of time. This problem is resolved in Release 12.2(17d)SXB2. (CSCea81029)

Protocol Independent Multicast (PIM) join messages might not be sent when buffer allocation failures occur and when the I/O memory is low. This problem is resolved in Release 12.2(17d)SXB2. (CSCec40377)

Configured static multicast routes may be ignored in the Reverse Path Forwarding (RPF) calculation. This problem is resolved in Release 12.2(17d)SXB2. (CSCeb57662)

A reload might occur if the output of a show command is left at the "More" prompt for an extended period and you attempt to resume display of the command output. This problem is resolved in Release 12.2(17d)SXB2. (CSCee89232)

If there are more than 50 files on the flash card, access from CiscoView Device Manager (CVDM) might cause a reload. This problem is resolved in Release 12.2(17d)SXB2. (CSCef07965)

Resolved General Caveats in Release 12.2(17d)SXB1

If you configure aggressive OSPF hello timers and dead timers, then during periods of high CPU utilization, OSPF packets are not processed, resulting in OSPF declaring OSPF neighbors to be inoperative ("down"). This problem is resolved in Release 12.2(17d)SXB1. (CSCec42160)

When fragmenting MPLS traffic, a reload might occur after display of a "SYS-2-GETBUF" message. This problem is resolved in Release 12.2(17d)SXB1. (CSCeb16876)

Certain release trains of Cisco Internetwork Operating System (IOS), when configured to use the Cisco IOS Secure Shell (SSH) server in combination with Terminal Access Controller Access Control System Plus (TACACS+) as a means to perform remote management tasks on Cisco IOS devices, may contain two vulnerabilities that can potentially cause Cisco IOS devices to exhaust resources and reload. Repeated exploitation of these vulnerabilities can result in a Denial of Service (DoS) condition. Use of SSH with Remote Authentication Dial In User Service (RADIUS) is not affected by these vulnerabilities.

Cisco has made free software available to address these vulnerabilities for all affected customers. There are workarounds available to mitigate the effects of the vulnerability (see the "Workarounds" section of the full advisory for details).

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml.

This problem is resolved in Release 12.2(17d)SXB1. (CSCed65285, CSCed65778)

When you enter the undebug all privileged EXEC command, all traffic that passes through an encrypted generic routing encapsulation (GRE) tunnel might stop if the tunnel is secured via IP Security (IPSec) and is using Cisco Express Forwarding (CEF) switching. This problem is resolved in Release 12.2(17d)SXB. (CSCec86420)

The Supervisor Engine 720 may fail to detect an OIR of the Compact Flash and reset. This problem is resolved in Release 12.2(17d)SXB1. (CSCec68645)

A redundant MSFC will reset if NBAR and single router mode (SRM) are configured. This problem is resolved in Release 12.2(17d)SXB1. (CSCec40719)

The MSFC might not boot when the supervisor engine restarts. This problem is resolved in Release 12.2(17d)SXB1. (CSCec39937)

Traffic might be dropped incorrectly if you apply a Catalyst operating system security access control list (ACL) to a VLAN that does not have a Layer 3 VLAN interface configured. This problem is resolved in Release 12.2(17d)SXB1. (CSCec00570)

Cisco products running Cisco IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and Cisco IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities. Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS). There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml

This problem is resolved in Release 12.2(17d)SXB1. (CSCea19885, CSCea32240, CSCea33065, CSCea36231, CSCea46342, CSCea51076, CSCea51030, CSCea54851, CSCdx76632, CSCdx77253, CSCdw14262, CSCdx40184, CSCed28873, CSCdt50932, CSCdy61597, CSCeb78836, CSCin56408)

With certain configurations, a reload might occur when you enter the show cdp entry * protocol command. This problem is resolved in Release 12.2(17d)SXB1. (CSCed40563)

When using both IPX RIP and IPX EIGRP on a router, any external IPX routes from RIP or connected routes enabled for RIP may not appear in the routing table or the EIGRP topology table of adjacent routers. (CSCee02786)

With a "-p" image, you can configure only 5 VTY lines. This problem is resolved in Release 12.2(17d)SXB1: you can configure 16 VTY lines with a "-p" image. (CSCee37163)

There is a 2-second delay between the time that a join is sent towards the multicast source and the time that the first packet of the multicast stream is forwarded towards the multicast receiver. This problem is resolved in Release 12.2(17d)SXB1. (CSCee28288)

A reload might occur if management software uses SNMP to copy the running-config file to the startup-config file, and then repeatedly polls the ccCopyState Object Identifier (OID) very quickly without waiting for ccCopyState to return a value, and immediately sets the ccCopyEntryRowStatus OID to "destroy" (integer 6). This problem is resolved in Release 12.2(17d)SXB1. (CSCed81154)

Abnormally terminated FTP transfers might cause a small memory leak. This problem is resolved in Release 12.2(17d)SXB1. (CSCec55147)

With OSPF configured, a memory leak might occur. This problem is resolved in Release 12.2(17d)SXB1. (CSCea80169)

The Cisco IOS Firewall authentication proxy feature might reject a connection. This problem is resolved in Release 12.2(17d)SXB1. (CSCea33481)

OSPF area border routers (ABRs) might continue to generate summary link-state advertisements (LSAs) for obsolete non-backbone intra-area routes. This problem is resolved in Release 12.2(17d)SXB1. (CSCee36622)

Receiving CDP packets with a host name that is 256 or more characters long might cause a memory leak in the CDP process. This problem is resolved in Release 12.2(17d)SXB1. (CSCin67568)

After Cisco IOS ACLs have been updated dynamically or after responding dynamically to an IDS signature, a reload might occur following attempts to access a low-memory address. This problem is resolved in Release 12.2(17d)SXB1. (CSCed35253)

With an IP multicast router directly connected to both a source and a receiver, and when the shortest path tree (SPT) threshold is configured as infinite, (S,G) entries are deleted every minute, which may cause packet loss about once per minute. This problem is resolved in Release 12.2(17d)SXB1. (CSCeb30338)

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. Successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond the terminated connection, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products which contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

This problem is resolved in Release 12.2(17d)SXB1. (CSCed93836, CSCdz84583, CSCed27956, CSCed38527)

Many memory allocation failure (MALLOCFAIL) messages might occur for a Cisco Discovery Protocol (CDP) process:

%SYS-2-MALLOCFAIL: Memory allocation of -1732547824 bytes failed from x605111F0, pool Processor, alignment 0
-Process= "CDP Protocol", ipl= 0, pid= 42
-Traceback= 602D5DF4 602D78A0 605111F8 60511078 6050EC88 6050E684 602D0E2C 602D0E18

This problem is resolved in Release 12.2(17d)SXB1. (CSCdz32659)

The show controller serial command output is not complete. This problem is resolved in Release 12.2(17b)SXB1. (CSCin60835)

FlexWAN Module Caveats in Release 12.2(17d)SXB Rebuilds


Open FlexWAN Module Caveats in Release 12.2(17d)SXB11a

FlexWAN interfaces do not support GRE tunnels. (CSCin76086)


Note: CSCin76086 is not seen in later releases.


Resolved FlexWAN Module Caveats in Release 12.2(17d)SXB11a

None.

Resolved FlexWAN Module Caveats in Release 12.2(17d)SXB11

None.

Resolved FlexWAN Module Caveats in Release 12.2(17d)SXB10

None.

Resolved FlexWAN Module Caveats in Release 12.2(17d)SXB9

None.

Resolved FlexWAN Module Caveats in Release 12.2(17d)SXB8

With OSPF routing configured, and with default routes learned from multiple autonomous system boundary routers (ASBRs) as equal cost paths, reconfiguring the cost of one of the interfaces for the default routes does not correctly update the routing table. This problem is resolved in Release 12.2(17d)SXB8. (CSCee16068)

Resolved FlexWAN Module Caveats in Release 12.2(17d)SXB7

Bundle interfaces on PA-A3-8T1IMA and PA-A3-8E1IMA port adapters are inactive after a switchover to a redundant Supervisor Engine 720. This problem is resolved in Release 12.2(17d)SXB7. (CSCeg00667, CSCin74636)

The distributed Weighted Fair Queuing (dWFQ) fair-queue interface command is not saved in the running-config file. This problem is resolved in Release 12.2(17d)SXB7. (CSCed51640)

If you configure distributed link fragmentation and interleaving (dLFI) over a leased line, Multilink PPP (MLP), and QoS, a FlexWAN module might reload if you remove a service policy from a multilink interface or when a member link is removed from the multilink interface while heavy traffic is being processed. This problem is resolved in Release 12.2(17d)SXB7. (CSCee72906)

With a multilink interface configured for fragmentation and interleaving, traffic loss might occur following an RPR+ switchover. With a multilink interface that has members from non-channelized port adapters, traffic loss might occur if any of the member links flaps. This problem is resolved in Release 12.2(17d)SXB7. (CSCeg57219)

Routing protocol hello and update packets and ATM operation and maintenance (OAM) packets might be dropped if a FlexWAN egress interface is congested. This problem is resolved in Release 12.2(17d)SXB7. (CSCin76078)

With Multilink Frame Relay (FRF.16) configured on bundled FlexWAN serial links, traffic loss occurs for packets smaller than 512 bytes. This problem is resolved in Release 12.2(17d)SXB7. (CSCsa47020)

Resolved FlexWAN Module Caveats in Release 12.2(17d)SXB6

When you modify the configuration of a serial interface, you might see messages similar to these:

%INTERFACE_API-3-NODESTROYSUBBLOCK: The HWIDB subblock named COPS_PR was not removed
-Traceback=

This problem is resolved in Release 12.2(17d)SXB6. (CSCin65698)

When you send larger than fragment-sized packets from a multilink interface that has a traffic-shaping class configured and that is configured for fragmentation, traffic loss occurs when the queue size increases to the queue limit. This problem is resolved in Release 12.2(17d)SXB6. (CSCef66517)

The PA-2T3+ port adapter does not delay for two seconds before bringing down the T3 controller in the event of an alarm as required by the ANSI T1.231 specification. This problem is resolved in Release 12.2(17d)SXB6. (CSCee70591)

The PA-MC-2T3+ port adapter does not delay for two seconds before bringing down the T3 controller in the event of an alarm as required by the ANSI T1.231 specification. This problem is resolved in Release 12.2(17d)SXB6. (CSCee49862)

In releases where caveat CSCec15517 is resolved, permanent virtual circuits (PVCs) might be unstable. This problem is resolved in Release 12.2(17d)SXB6. (CSCee22810)

Packet-over-SONET (POS) Automatic Protection Switching (APS) does not work on PA-MC-STM-1 port adapters. This problem is resolved in Release 12.2(17d)SXB6. (CSCef49330)

Resolved FlexWAN Module Caveats in Release 12.2(17d)SXB5

If a module OIR occurs during the configuration synchronization process, a redundant MSFC3 might reload. If the startup-config file contains more than 1,000 ATM PVCs, a redundant MSFC3 might reload during the configuration synchronization process. This problem is resolved in Release 12.2(17d)SXB5. (CSCin75182)

Resolved FlexWAN Module Caveats in Release 12.2(17d)SXB4

When other modules have large configurations, an E1 controller on a PA-MC-8TE1+ port adapter might not be active following a reload. This problem is resolved in Release 12.2(17d)SXB4. (CSCin78110)

Resolved FlexWAN Module Caveats in Release 12.2(17d)SXB3

With QoS configured on FlexWAN ports, spurious memory accesses and alignment errors might occur. This problem is resolved in Release 12.2(17d)SXB3. (CSCed69233)

With SRM redundancy configured, a reload might occur when you configure a virtual-template interface. This problem is resolved in Release 12.2(17d)SXB3. (CSCin77443)

Resolved FlexWAN Module Caveats in Release 12.2(17d)SXB2

You can attach a service policy that contains invalid configuration to an interface. If you apply a Frame Relay map class with both input policing and output queuing to a DLCI twice, the FlexWAN module might reload. This problem is resolved in Release 12.2(17d)SXB2. (CSCin52060)

Multilink Frame Relay (MFR) interface member links that were added after the first link do not work. This problem is resolved in Release 12.2(17d)SXB2. (CSCin72180)

The line protocol of a multilink Frame Relay (MFR) interface on a PA-MC-2T3+ port adapter might go down if you enter shutdown and no shutdown commands on the MFR interface. This problem is resolved in Release 12.2(17d)SXB2. (CSCin75779)

With a Frame Relay permanent virtual circuit (PVC) policy configured, a reload might occur when you enter the show policy-map interface EXEC command. This problem is resolved in Release 12.2(17d)SXB2. (CSCec15517)

Resolved FlexWAN Module Caveats in Release 12.2(17d)SXB1

In releases where CSCdz32751 is resolved, ignore error messages about Cisco IOS fair queuing being disabled on low-speed serial interfaces. This problem is resolved in Release 12.2(17d)SXB1. (CSCec28505)

On a PA-A3 port adapter with dCBWFQ configured, when one bandwidth class is congested, there might be extra latency in another bandwidth class that is not congested. This problem is resolved in Release 12.2(17d)SXB1. (CSCeb61825)

When a Tributary Unit Alarm Indication Signal (TU-AIS) is inserted for an E1 tributary on a PA-MC-STM-1 port adapter in a Synchronous Payload Envelope (SPE), packet corruption might occur on the adjacent E1. This problem is resolved in Release 12.2(17d)SXB1. (CSCea66218)

With heavy traffic through a PA-MC-T3 or PA-MC-E3 port adapter, a FlexWAN module might reload. This problem is resolved in Release 12.2(17d)SXB1. (CSCin62978)

A FlexWAN module is not detected during the boot process, which causes it to be ignored during the startup configuration process. This problem is resolved in Release 12.2(17d)SXB1. (CSCed00781)

Ignore messages from a 1-port multichannel STM-1 port adapter (PA-MC-STM-1) that reports a large number of degraded minutes on an E1 controller. For example, after 15 minutes of operation since startup, 35,000,000 degraded minutes might be reported and these values might increase every second. Code violations might also be reported. This problem is resolved in Release 12.2(17d)SXB1. (CSCec08973)

Output queue packet drops might occur on the priority queue of an E1 serial interface on a 1-port multichannel E3 port adapter (PA-MC-E3), after which the E1 serial interface becomes congested. This problem is resolved in Release 12.2(17d)SXB1. (CSCeb34203)

The FlexWAN module might corrupt very small Frame Relay packets (for example, 2-byte X.25 SABM packets). This problem is resolved in Release 12.2(17d)SXB1. (CSCec59440)

Operation, Administration, and Maintenance (OAM) permanent virtual circuits (PVC) on PA-A3-8T1IMA or PA-A3-8E1IMA interfaces are not active after an OIR. This problem is resolved in Release 12.2(17d)SXB1. (CSCin65182)

If you repeatedly add and remove an ingress service policy from a FlexWAN interface, a policer in an egress service policy on the same interface might stop counting packets. This problem is resolved in Release 12.2(17d)SXB1. (CSCee23845)

A memory leak occurs when you remove ATM virtual circuits (VCs). This problem is resolved in Release 12.2(17d)SXB1. (CSCee04747)

Service Module Caveats in Release 12.2(17d)SXB Rebuilds


Open Service Module Caveats in Release 12.2(17d)SXB11a

None.

Resolved Service Module Caveats in Release 12.2(17d)SXB11a

None.

Resolved Service Module Caveats in Release 12.2(17d)SXB11

None.

Resolved Service Module Caveats in Release 12.2(17d)SXB10

None.

Resolved Service Module Caveats in Release 12.2(17d)SXB9

None.

Resolved Service Module Caveats in Release 12.2(17d)SXB8

None.

Resolved Service Module Caveats in Release 12.2(17d)SXB7

None.

Resolved Service Module Caveats in Release 12.2(17d)SXB6

None.

Resolved Service Module Caveats in Release 12.2(17d)SXB5

None.

Resolved Service Module Caveats in Release 12.2(17d)SXB4

None.

Resolved Service Module Caveats in Release 12.2(17d)SXB3

None.

Resolved Service Module Caveats in Release 12.2(17d)SXB2

None.

Resolved Service Module Caveats in Release 12.2(17d)SXB1

None.

Caveats in Release 12.2(17a)SX Rebuilds


General Caveats in Release 12.2(17a)SX Rebuilds


Open General Caveats in Release 12.2(17a)SX4

Following a high availability switchover or a reload of the designated router, you can ignore these messages:

vrrp: IP address ip_address is already in a group
vrrp: Cannot set IP address for this group

(CSCeb14745)

When you boot an image that supports Secure Shell (SSH), you can ignore these messages:

No serial number found

(CSCeb55044)

Resolved General Caveats in Release 12.2(17a)SX4

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. Successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond the terminated connection, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products which contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

This problem is resolved in Release 12.2(17a)SX4. (CSCed93836, CSCdz84583)

After Cisco IOS ACLs have been updated dynamically or after responding dynamically to an IDS signature, a reload might occur following attempts to access a low memory address. This problem is resolved in Release 12.2(17a)SX4. (CSCed35253)

Resolved General Caveats in Release 12.2(17a)SX2

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. Successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond the terminated connection, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products which contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

This problem is resolved in Release 12.2(17a)SX2. (CSCed27956, CSCed38527)

Resolved General Caveats in Release 12.2(17a)SX1

The GRE implementation in Cisco IOS is compliant with RFC 2784 and RFC 2890 and is backward compatible with RFC 1701.

For RFC compliance, this DDTS adds a check for bits 4-5 (bit 0 being the most significant) of the GRE header.

This issue does not cause any problem for router operation.

This problem is resolved in Release 12.2(17a)SX1. (CSCea22552)
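The following added example (not Cisco code and not part of the original release note) shows what a receiver-side check of GRE header bits 4-5 looks like, using the same bit numbering as the caveat. The function names and sample packets are constructed for illustration, and as an assumption of this sketch RFC 1701 routing is not implemented, so bit 1 is rejected as well.

```python
import struct


def gre_bit(n: int) -> int:
    """Mask for flag bit n of the first 16-bit GRE word (bit 0 = most significant)."""
    return 1 << (15 - n)


CHECKSUM_PRESENT = gre_bit(0)        # RFC 2784
ROUTING_PRESENT = gre_bit(1)         # RFC 1701 only; not implemented in this sketch
KEY_PRESENT = gre_bit(2)             # RFC 2890
SEQUENCE_PRESENT = gre_bit(3)        # RFC 2890
BITS_4_5 = gre_bit(4) | gre_bit(5)   # reserved in RFC 2784/2890 (RFC 1701: "s" and top Recur bit)
VERSION_MASK = 0x0007                # bits 13-15, must be 0


class GREError(ValueError):
    """Raised for a GRE header this receiver does not accept."""


def parse_gre(packet: bytes) -> dict:
    """Parse an RFC 2784/2890 GRE header and enforce the reserved-bit check."""
    if len(packet) < 4:
        raise GREError("truncated base header")
    flags, protocol = struct.unpack_from("!HH", packet, 0)

    # The check the caveat describes: bits 4-5 must be zero.
    if flags & BITS_4_5:
        raise GREError("reserved bits 4-5 set")
    if flags & ROUTING_PRESENT:
        raise GREError("RFC 1701 routing not supported by this sketch")
    if flags & VERSION_MASK:
        raise GREError("unsupported GRE version")

    header = {"protocol": protocol, "checksum": None, "key": None, "sequence": None}
    offset = 4
    # Optional fields appear in this fixed order, 4 bytes each.
    for flag, name, fmt in (
        (CHECKSUM_PRESENT, "checksum", "!HH"),  # checksum + Reserved1
        (KEY_PRESENT, "key", "!I"),
        (SEQUENCE_PRESENT, "sequence", "!I"),
    ):
        if flags & flag:
            if len(packet) < offset + 4:
                raise GREError(f"truncated {name} field")
            header[name] = struct.unpack_from(fmt, packet, offset)[0]
            offset += 4
    header["payload_offset"] = offset
    return header


def verdict(packet: bytes) -> str:
    """Return 'accept' or 'drop: <reason>' for one GRE packet."""
    try:
        parse_gre(packet)
        return "accept"
    except GREError as exc:
        return f"drop: {exc}"


# Constructed sample headers (protocol type 0x0800 = IPv4), not captured traffic.
SAMPLES = {
    "plain IPv4": bytes.fromhex("00000800"),
    "key+sequence": bytes.fromhex("30000800" "0000002a" "00000007"),
    "bit 4 set": bytes.fromhex("08000800"),
    "bit 5 set": bytes.fromhex("04000800"),
    "key flag, field missing": bytes.fromhex("20000800"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:26s} {pkt.hex():28s} {verdict(pkt)}")
```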

With the Response Time Reporter (RTR) feature configured, spurious accesses might occur. This problem is resolved in Release 12.2(17a)SX1. (CSCdy56859)

The MSFC3 might not boot successfully from a supervisor engine flash device if there are no active VLANs. This problem is resolved in Release 12.2(17a)SX1. (CSCea47314)

You can ignore this message:

ROMMON running F2 region, but first magic is FIRST_RUN

This problem is resolved in Release 12.2(17a)SX1. (CSCea78564, CSCeb69141)

The Supervisor Engine 720 may fail to detect an OIR of the CompactFlash device and reset. This problem is resolved in Release 12.2(17a)SX1. (CSCec68645)

With redundant supervisor engines, if you enter the boot config command, the startup-config file is not synchronized from the active MSFC to the redundant MSFC when you save the running configuration. This problem is resolved in Release 12.2(17a)SX1. (CSCeb52602)

Open Service Module Caveats in Release 12.2(17a)SX4

None.

Open FlexWAN Module Caveats in Release 12.2(17a)SX4

None.

Caveats in Release 12.2(14)SX2


Open Caveats in Release 12.2(14)SX2

With redundant supervisor engines, if you enter the boot config command, the startup-config file is not synchronized from the active MSFC to the redundant MSFC when you save the running configuration. This problem is resolved in Release 12.2(17a)SX1. (CSCeb52602)

Following a high availability switchover or a reload of the designated router, you can ignore these messages:

vrrp: IP address ip_address is already in a group
vrrp: Cannot set IP address for this group

(CSCeb14745)

When you boot an image that supports Secure Shell (SSH), you can ignore these messages:

No serial number found

(CSCeb55044)

You can ignore this message:

ROMMON running F2 region, but first magic is FIRST_RUN

This problem is resolved in Release 12.2(17a)SX1. (CSCea78564, CSCeb69141)

Resolved Caveats in Release 12.2(14)SX2

None.

Troubleshooting Information

For troubleshooting information, refer to the publications at this URL:

http://www.cisco.com/en/US/partner/products/hw/switches/tsd_products_support_category_home.html

Related Documentation

The following sections describe the documentation available for Cisco IOS Release 12.2. These documents consist of software installation guides, Cisco IOS configuration and command references, system error messages, and other documents.

Documentation is available as printed manuals or electronic documents.

Use these release notes with the documents and tools described in the following sections:

Cisco Feature Navigator

Cisco IOS Software Documentation Set

Platform-Specific Documents

These publications are available for the Catalyst 6500 series switches running Cisco IOS on the supervisor engine and MSFC:

Catalyst 6500 Series Switch Installation Guide

Catalyst 6500 Series Switch Module Installation Guide

Catalyst 6500 Series Switch Software Configuration Guide

Catalyst 6500 Series Switch Command Reference

Catalyst 6500 Series Switch System Message Guide

Cisco Feature Navigator

Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.

To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:

http://www.cisco.com/go/fn

Cisco IOS Software Documentation Set

The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents. The Cisco IOS software documentation set is not shipped with your order unless you specifically ordered the printed versions.

Release 12.2 Documentation Set

Table 1 lists the contents of the Cisco IOS Release 12.2 software documentation set.

Table 1 Cisco IOS Release 12.2 Documentation Set

Books: Cisco IOS Configuration Fundamentals Configuration Guide; Cisco IOS Configuration Fundamentals Command Reference
Major Topics: Cisco IOS User Interfaces; File Management; System Management

Books: Cisco IOS Bridging and IBM Networking Configuration Guide; Cisco IOS Bridging and IBM Networking Command Reference, Volume 1 of 2; Cisco IOS Bridging and IBM Networking Command Reference, Volume 2 of 2
Major Topics: Transparent Bridging; SRB; Token Ring Inter-Switch Link; Token Ring Route Switch Module; RSRB; DLSw+; Serial Tunnel and Block Serial Tunnel; LLC2 and SDLC; IBM Network Media Translation; SNA Frame Relay Access; NCIA Client/Server; Airline Product Set; DSPU and SNA Service Point; SNA Switching Services; Cisco Transaction Connection; Cisco Mainframe Channel Connection; CLAW and TCP/IP Offload; CSNA, CMPC, and CMPC+; TN3270 Server

Books: Cisco IOS Dial Technologies Configuration Guide; Cisco IOS Dial Technologies Command Reference
Major Topics: Preparing for Dial Access; Modem and Dial Shelf Configuration and Management; ISDN Configuration; Signaling Configuration; Dial-on-Demand Routing Configuration; Dial Backup Configuration; Dial Related Addressing Service; Virtual Templates, Profiles, and Networks; PPP Configuration; Callback and Bandwidth Allocation Configuration; Dial Access Specialized Features; Dial Access Scenarios

Books: Cisco IOS Interface Configuration Guide; Cisco IOS Interface Command Reference
Major Topics: LAN Interfaces; Serial Interfaces; Logical Interfaces

Books: Cisco IOS IP Configuration Guide; Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services; Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols; Cisco IOS IP Command Reference, Volume 3 of 3: Multicast
Major Topics: IP Addressing and Services; IP Routing Protocols; IP Multicast

Books: Cisco IOS AppleTalk and Novell IPX Configuration Guide; Cisco IOS AppleTalk and Novell IPX Command Reference
Major Topics: AppleTalk; Novell IPX

Books: Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Configuration Guide; Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Command Reference
Major Topics: Apollo Domain; Banyan VINES; DECnet; ISO CLNS; XNS

Books: Cisco IOS Voice, Video, and Fax Configuration Guide; Cisco IOS Voice, Video, and Fax Command Reference
Major Topics: Voice over IP; Call Control Signaling; Voice over Frame Relay; Voice over ATM; Telephony Applications; Trunk Management; Fax, Video, and Modem Support

Books: Cisco IOS Quality of Service Solutions Configuration Guide; Cisco IOS Quality of Service Solutions Command Reference
Major Topics: Packet Classification; Congestion Management; Congestion Avoidance; Policing and Shaping; Signaling; Link Efficiency Mechanisms

Books: Cisco IOS Security Configuration Guide; Cisco IOS Security Command Reference
Major Topics: AAA Security Services; Security Server Protocols; Traffic Filtering and Firewalls; IP Security and Encryption; Passwords and Privileges; Neighbor Router Authentication; IP Security Options; Supported AV Pairs

Books: Cisco IOS Switching Services Configuration Guide; Cisco IOS Switching Services Command Reference
Major Topics: Cisco IOS Switching Paths; NetFlow Switching; Multiprotocol Label Switching; Multilayer Switching; Multicast Distributed Switching; Virtual LANs; LAN Emulation

Books: Cisco IOS Wide-Area Networking Configuration Guide; Cisco IOS Wide-Area Networking Command Reference
Major Topics: ATM; Broadband Access; Frame Relay; SMDS; X.25 and LAPB

Books: Cisco IOS Mobile Wireless Configuration Guide; Cisco IOS Mobile Wireless Command Reference
Major Topics: General Packet Radio Service

Books: Cisco IOS Terminal Services Configuration Guide; Cisco IOS Terminal Services Command Reference
Major Topics: ARA; LAT; NASI; Telnet; TN3270; XRemote; X.28 PAD; Protocol Translation

Books: Cisco IOS Configuration Guide Master Index; Cisco IOS Command Reference Master Index; Cisco IOS Debug Command Reference; Cisco IOS Software System Error Messages; New Features in 12.2-Based Limited Lifetime Releases; New Features in Release 12.2 T; Release Notes (Release note and caveat documentation for 12.2-based releases and various platforms)


Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html




Posted: Thu Aug 9 10:39:31 PDT 2007
All contents are Copyright © 1992--2007 Cisco Systems, Inc. All rights reserved.