Updated: February 19, 2020
Caution
Cisco IOS supports redundant configurations with identical supervisor engines. If they are not identical, one supervisor engine will boot first and become active and hold the other in a reset condition.
– Based on Release 15.0(1)SY2 and Release 12.2(33)SXJ3
Note Release 15.1SY supports only Ethernet ports. Release 15.1SY does not support any WAN features or commands.
FPD-Image Dependent Modules
FPD image packages update FPD images. If a discrepancy exists between an FPD image and the Cisco IOS image, the module that has the FPD discrepancy is deactivated until the discrepancy is resolved. These modules use FPD images:
ASA services module (WS-SVC-ASA-SM1-K9)—See this publication:
The 1-Gigabit Ethernet ports and the 10-Gigabit Ethernet ports have the same QoS port architecture (2q4t / 1p3q4t) unless you disable the 1-Gigabit Ethernet ports with the platform qos 10g-only global configuration command. With the 1-Gigabit Ethernet ports disabled, the QoS port architecture of the 10-Gigabit Ethernet ports is 8q4t / 1p7q4t.
In RPR redundancy mode, the ports on a Supervisor Engine 2T-10GE in standby mode are disabled.
Policy Feature Cards Supported with Supervisor Engine 2T
The PFC4 supports a theoretical maximum of 131,072 (128K) MAC addresses; the recommended maximum is 118,000 (115.2K) MAC addresses.
The PFC4 partitions the hardware FIB table to route IPv4 unicast, IPv4 multicast, MPLS, and IPv6 unicast and multicast traffic in hardware. Traffic for routes that do not have entries in the hardware FIB table is processed by the route processor in software.
• IPv4 multicast and IPv6 unicast and multicast: Up to 119,000 routes
Enter the platform cef maximum-routes command to repartition the hardware FIB table. IPv4 unicast and MPLS require one hardware FIB table entry per route. IPv4 multicast and IPv6 unicast and multicast require two hardware FIB table entries per route. Changing the partition for one protocol makes corresponding changes in the partitions of the other protocols. You must enter the reload command to put configuration changes made with the platform cef maximum-routes command into effect.
Note With a non-XL-mode system, if your requirements cannot be met by repartitioning the hardware FIB table, upgrade components as necessary to operate in XL mode.
You cannot use one type of PFC on one supervisor engine and a different type on the other supervisor engine for redundancy. You must use identical policy feature cards for redundancy.
PFC4—These restrictions apply to a configuration with a PFC4 and these DFCs:
– PFC4 and DFC4—No restrictions (PFC4 mode).
– PFC4 and DFC4XL—The PFC4 restricts DFC4XL functionality: the DFC4XL functions as a DFC4 (PFC4 mode).
PFC4XL—These restrictions apply to a configuration with a PFC4XL and these DFCs:
– PFC4XL and DFC4—PFC4XL functionality is restricted by the DFC4: after a reload with a DFC4-equipped module installed, the PFC4XL functions as a PFC4 (PFC4 mode).
– PFC4XL and DFC4XL—No restrictions (PFC4XL mode).
Switching modules that you install after bootup that are equipped with a DFC that imposes a more restricted PFC mode than the current PFC mode remain powered down.
You must reboot to use a switching module equipped with a DFC that imposes a more restricted PFC mode than the current PFC mode.
Enter the show platform hardware pfc mode command to display the PFC mode.
A FIB TCAM exception may be thrown during route churn when TCAM utilization exceeds 80% of the total. This limitation applies to the DFC TCAM on -XL line cards. If a FIB TCAM exception is thrown for a transit route (IPv4, IPv6, or MPLS), the route is not installed in the FIB and connectivity is affected; the resulting software switching can raise CPU usage.
Policy Feature Card 4XL
Product ID (append “=” for spares) / Product Description / Minimum Software Version
VS-F6K-PFC4XL: Policy Feature Card 4XL (PFC4XL)
Note Use VS-F6K-PFC4XL= to upgrade to a PFC4XL.
Minimum software version with Supervisor Engine 2T-10GE: 15.0(1)SY
Policy Feature Card 4
Product ID (append “=” for spares) / Product Description / Minimum Software Version
VS-F6K-PFC4: Policy Feature Card 4 (PFC4)
Minimum software version with Supervisor Engine 2T-10GE: 15.0(1)SY
Distributed Forwarding Cards Supported with Supervisor Engine 2T
– QoS architecture: 2q4t / 1p3q4t or 8q4t / 1p7q4t
Note The 1-Gigabit Ethernet ports and the 10-Gigabit Ethernet ports have the same QoS port architecture (2q4t/1p3q4t) unless you disable the 1-Gigabit Ethernet ports with the mls qos 10g-only global configuration command, which is required to configure DSCP-based queueing. With the 1-Gigabit Ethernet ports disabled, the QoS port architecture of the 10-Gigabit Ethernet ports is 8q4t/1p7q4t.
One port group: ports 1 through 5.
Two Universal Serial Bus (USB) 2.0 ports (not currently enabled)
Supervisor Engine 720-10GE with PFC3C and PFC3CXL
Product ID (append “=” for spares) / Product Description / Minimum Software Versions
VS-S720-10G-3CXL: Supervisor Engine 720-10GE with PFC3CXL; minimum software version 15.1(1)SY
VS-S720-10G-3C: Supervisor Engine 720-10GE with PFC3C; minimum software version 15.1(1)SY
Supervisor Engine 720-10GE Restrictions
In RPR redundancy mode, the ports on a Supervisor Engine 720-10GE in standby mode are disabled.
There are no memory-only upgrade options for the Supervisor Engine 720-10GE.
Two external slots (disk0: and disk1:) for CompactFlash Type II flash PC cards sold by Cisco Systems, Inc., for use in Supervisor Engine 720.
Note Some Supervisor Engine 720 Release 12.2SX images are larger than the bootflash device and must be stored on a CompactFlash card (sup-bootdisk: or disk0: or disk1:).
Two Ethernet uplink ports:
– 512-KB packet buffer per port
– Port 1—Gigabit Interface Converter (GBIC)
– Port 2—Configurable as either:
• Gigabit Interface Converter (GBIC)
• 10/100/1000 Mbps RJ-45
QoS port architecture (Rx/Tx): 1p1q4t / 1p2q2t
Port grouping:
– Number of ports: 2
– Number of port groups: 1
– Port ranges per port group: 1–2
Supervisor Engine 720 with PFC3BXL
Note If you install WS-SUP720-3BXL=, upgrade the memory on any DFC3-equipped switching modules. See this document for DFC3 memory upgrades:
Use WS-F6K-PFC3BXL= to upgrade a WS-SUP720-3B with a PFC3BXL. WS-F6K-PFC3BXL= includes 1 GB memory upgrades for the Supervisor Engine 720 and the MSFC3.
– If you install WS-F6K-PFC3BXL=, upgrade the memory on any DFC3-equipped switching modules.
The PFC3C supports a theoretical maximum of 96 K MAC addresses (64 K MAC addresses recommended maximum).
The PFC3B and PFC3BXL support a theoretical maximum of 64 K MAC addresses (32 K MAC addresses recommended maximum).
The PFC3 partitions the hardware FIB table to route IPv4 unicast, IPv4 multicast, MPLS, and IPv6 unicast and multicast traffic in hardware. Traffic for routes that do not have entries in the hardware FIB table is processed by the route processor in software.
The defaults for XL mode are:
– IPv4 unicast and MPLS—512,000 routes
– IPv4 multicast and IPv6 unicast and multicast—256,000 routes
The defaults for non-XL mode are:
– IPv4 unicast and MPLS—192,000 routes
– IPv4 multicast and IPv6 unicast and multicast—32,000 routes
Note The size of the global internet routing table plus any local routes might exceed the non-XL mode default partition sizes.
These are the theoretical maximum numbers of routes for the supported protocols (the maximums are not supported simultaneously):
– XL mode:
• IPv4 and MPLS—Up to 1,007,000 routes
• IPv4 multicast and IPv6 unicast and multicast—Up to 503,000 routes
– Non-XL mode:
• IPv4 and MPLS—Up to 239,000 routes
• IPv4 multicast and IPv6 unicast and multicast—Up to 119,000 routes
Enter the mls cef maximum-routes command to repartition the hardware FIB table. IPv4 unicast and MPLS require one hardware FIB table entry per route. IPv4 multicast and IPv6 unicast and multicast require two hardware FIB table entries per route. Changing the partition for one protocol makes corresponding changes in the partitions of the other protocols. You must enter the reload command to put configuration changes made with the mls cef maximum-routes command into effect.
Note With a non-XL-mode system, if your requirements cannot be met by repartitioning the hardware FIB table, upgrade components as necessary to operate in XL mode.
You cannot use one type of PFC3 on one supervisor engine and a different type on the other supervisor engine for redundancy. You must use identical policy feature cards for redundancy.
PFC3B—These restrictions apply to a configuration with a PFC3B and these DFCs:
– PFC3B and DFC3B—No restrictions (PFC3B mode; does not support virtual switch mode).
– PFC3B and DFC3BXL—The PFC3B restricts DFC3BXL functionality: after a reload with a DFC3BXL-equipped module installed, the DFC3BXL functions as a DFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3B and DFC3C—The PFC3B restricts DFC3C functionality: the DFC3C functions as a DFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3B and DFC3CXL—The PFC3B restricts DFC3CXL functionality: the DFC3CXL functions as a DFC3B (PFC3B mode; does not support virtual switch mode).
PFC3BXL—These restrictions apply to a configuration with a PFC3BXL and these DFCs:
– PFC3BXL and DFC3B—PFC3BXL functionality is restricted by the DFC3B: after a reload with a DFC3B-equipped module installed, the PFC3BXL functions as a PFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3BXL and DFC3BXL—No restrictions (PFC3BXL mode; does not support virtual switch mode).
– PFC3BXL and DFC3C—Each restricts the functionality of the other: the PFC3BXL functions as a PFC3B and the DFC3C functions as a DFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3BXL and DFC3CXL—The PFC3BXL restricts DFC3CXL functionality: the DFC3CXL functions as a DFC3BXL (PFC3BXL mode; does not support virtual switch mode).
PFC3C—These restrictions apply to a configuration with a PFC3C and these DFCs:
– PFC3C and DFC3B—PFC3C functionality is restricted by the DFC3B: after a reload with a DFC3B-equipped module installed, the PFC3C functions as a PFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3C and DFC3BXL—PFC3C functionality is restricted by the DFC3BXL: after a reload with a DFC3BXL-equipped module installed, the PFC3C functions as a PFC3BXL (PFC3BXL mode; does not support virtual switch mode).
– PFC3C and DFC3C—No restrictions (PFC3C mode).
– PFC3C and DFC3CXL—The PFC3C restricts DFC3CXL functionality: the DFC3CXL functions as a DFC3C (PFC3C mode).
PFC3CXL—These restrictions apply to a configuration with a PFC3CXL and these DFCs:
– PFC3CXL and DFC3B—PFC3CXL functionality is restricted by the DFC3B: after a reload with a DFC3B-equipped module installed, the PFC3CXL functions as a PFC3B (PFC3B mode; does not support virtual switch mode).
– PFC3CXL and DFC3BXL—PFC3CXL functionality is restricted by the DFC3BXL: after a reload with a DFC3BXL-equipped module installed, the PFC3CXL functions as a PFC3BXL (PFC3BXL mode; does not support virtual switch mode).
– PFC3CXL and DFC3C—PFC3CXL functionality is restricted by the DFC3C: after a reload with a DFC3C-equipped module installed, the PFC3CXL functions as a PFC3C (PFC3C mode).
– PFC3CXL and DFC3CXL—No restrictions (PFC3CXL mode).
Switching modules that you install after bootup that are equipped with a DFC that imposes a more restricted PFC mode than the current PFC mode remain powered down.
You must reboot to use a switching module equipped with a DFC that imposes a more restricted PFC mode than the current PFC mode.
Enter the show platform hardware pfc mode command to display the PFC mode.
A FIB TCAM exception may be thrown during route churn when TCAM utilization exceeds 80% of the total. This limitation applies to the DFC TCAM on XL line cards. If a FIB TCAM exception is thrown for a transit route (IPv4, IPv6, or MPLS), the route is not installed in the FIB and connectivity is affected; the resulting software switching can raise CPU usage.
Policy Feature Card 3CXL
Note Use VS-F6K-PFC3CXL= to upgrade a VS-S720-10G-3C with a PFC3CXL. See this publication for more information:
Note Use WS-F6K-PFC3BXL= to upgrade a WS-SUP720 or WS-SUP720-3B with a PFC3BXL. WS-F6K-PFC3BXL= includes 1 GB memory upgrades for the Supervisor Engine 720 and the MSFC3. See this publication for more information:
Requires switching module ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
Supervisor Engine 720 supports a WS-F6K-DFC3BXL on these WS-X6516-GBIC switching module hardware revisions:
– Lower than 5.0
– 5.5 and higher
Requires DFC ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
Supervisor Engine 720 does not support a DFC3 on WS-X6516-GBIC switching module hardware revisions 5.0 through 5.4. With a Supervisor Engine 720 and with a DFC3 installed, WS-X6516-GBIC switching module hardware revisions 5.0 through 5.4 do not power up.
With a Supervisor Engine 720 but without a DFC3, WS-X6516-GBIC switching module hardware revisions 5.0 through 5.4 operate in bus mode.
See external field notice 24494 for more information about Supervisor Engine 720 and a DFC3 on WS-X6516-GBIC switching modules:
Requires switching module ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
Requires DFC ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
Supervisor Engine 720 supports a WS-F6K-DFC3B on these WS-X6516-GBIC switching module hardware revisions:
– Lower than 5.0
– 5.5 and higher
Supervisor Engine 720 does not support a DFC3 on WS-X6516-GBIC switching module hardware revisions 5.0 through 5.4. With a Supervisor Engine 720 and with a DFC3 installed, WS-X6516-GBIC switching module hardware revisions 5.0 through 5.4 do not power up.
With a Supervisor Engine 720 but without a DFC3, WS-X6516-GBIC switching module hardware revisions 5.0 through 5.4 operate in bus mode.
See external field notice 24494 for more information about Supervisor Engine 720 and a DFC3 on WS-X6516-GBIC switching modules:
Each bay can support a CFP transceiver (supports one 40 Gigabit Ethernet port) or a FourX adapter (supports four 10 Gigabit Ethernet SFP+ transceivers).
WS-X6904-40G supported modes (default mode is oversubscribed):
– Or eight 10 Gigabit Ethernet ports (5 through 12)
— Right bays:
– Either two 40 Gigabit Ethernet ports (3 and 4)
– Or eight 10 Gigabit Ethernet ports (13 through 20)
– Performance mode:
— Configurable per module or per bay:
no hw-module slot slot_number oversubscription [port-group port_group_number]
— Supported in the top left bay and top right bay.
— Any of these combinations:
– 40 Gigabit Ethernet port 1 (top left bay) and port 3 (top right bay)
– 10 Gigabit Ethernet ports 5 through 9 (top left bay) and ports 13 through 16 (top right bay)
– Top left bay: 40 Gigabit Ethernet port 1 or 10 Gigabit Ethernet ports 5 through 9
– Top right bay: 40 Gigabit Ethernet port 3 or 10 Gigabit Ethernet ports 13 through 16
Number of ports: 16
Number of port groups: 4
Port ranges per port group: 1–4, 5–8, 9–12, 13–16
When not configured in oversubscription mode, supported in virtual switch links.
To configure port oversubscription, use the hw-module slot command.
With Supervisor Engine 720-10GE or Supervisor Engine 720 in a 13-slot chassis, supported only in slots 9 through 13 and does not power up in other slots.
Dual switch-fabric connections:
– Fabric Channel #1: Ports 3 and 4
– Fabric Channel #2: Ports 1 and 2
Number of ports: 4
Number of port groups: 4
Port ranges per port group: 1 port in each group
WS-X6704-10G is the orderable product ID.
The front panel is labeled WS-X6704-10GE.
Cisco IOS software commands display WS-X6704-10GE with any DFC.
On WS-X6704-10GE ports, STP BPDUs are not exempt from Traffic Storm Control multicast suppression. Do not configure multicast suppression on STP-protected WS-X6704-10GE ports that interconnect network devices. (CSCsg86315)
With Supervisor Engine 720-10GE or Supervisor Engine 720 in a 13-slot chassis, supported only in slots 9 through 13 and does not power up in other slots.
Minimum software version with Supervisor Engine 720-10GE (not supported in VSS mode): 15.1(1)SY
Minimum software version with Supervisor Engine 720: 15.1(1)SY
Optical Interface Module (OIM) for WS-X6502-10GE
WS-G6488: 10GBASE-LR serial 1310 nm long-reach OIM
WS-G6483: 10GBASE-ER serial 1550 nm extended-reach OIM
Not supported in virtual switch mode.
dCEF256 with a DFC
QoS port architecture (Rx/Tx): 1p1q8t/1p2q1t
Number of ports: 1
Number of port groups: 1
Port ranges per port group: 1 port in 1 group
Use with a DFC requires DFC ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
Multi-rate port card with standard tables. This module has 16 10-Gigabit or 1-Gigabit module slots, which support 1-Gigabit SFP or 10-Gigabit SFP+ modules. Supported only on the Catalyst 6880-X-LE switch model.
Minimum software version: 15.1(2)SY2
C6880-X-16P10G (1): Multi-rate port card with XL tables. This module has 16 10-Gigabit or 1-Gigabit module slots, which support 1-Gigabit SFP or 10-Gigabit SFP+ modules. Supported only on the Catalyst 6880-X switch model.
1. These port cards are supported only on the specified switch models and are not interoperable.
Cisco Catalyst 6807-XL Modular Switch
Product ID (append “=” for spares) / Product Description / Minimum Software Version
C6807-XL: 7-slot modular chassis.
The switch supports redundant power supply modules (AC-input), redundant supervisor engines, fan tray, power supply converter modules, clock modules, and voltage termination enhanced (VTT-E) modules.
Number of ports: 48
Number of port groups: 4
Port ranges per port group:
– 1, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23
– 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24
– 25, 27, 29, 31, 33, 35, 37, 39, 41, 43, 45, 47
– 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48
On WS-X6848-SFP-2T and WS-X6748-SFP ports, STP BPDUs are not exempt from Traffic Storm Control multicast suppression. Do not configure multicast suppression on STP-protected WS-X6848-SFP-2T or WS-X6748-SFP ports that interconnect network devices.
With Supervisor Engine 720-10GE or Supervisor Engine 720 in a 13-slot chassis, supported only in slots 9 through 13 and does not power up in other slots.
Number of ports: 24
Number of port groups: 2
Port ranges per port group: 1–12, 13–24
On WS-X6824-SFP-2T and WS-X6724-SFP ports, STP BPDUs are not exempt from Traffic Storm Control multicast suppression. Do not configure multicast suppression on STP-protected WS-X6824-SFP-2T or WS-X6724-SFP ports that interconnect network devices.
Requires DFC ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
Minimum software version with Supervisor Engine 720-10GE (not supported in VSS mode): 15.1(1)SY
Minimum software version with Supervisor Engine 720: 15.1(1)SY
dCEF256 with a DFC
CEF256
Supports egress multicast replication
QoS port architecture (Rx/Tx): 1p1q4t / 1p2q2t
Number of ports: 16
Number of port groups: 2
Port ranges per port group: 1–8, 9–16
Requires DFC ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
Minimum software version with Supervisor Engine 720-10GE (not supported in VSS mode): 15.1(1)SY
Minimum software version with Supervisor Engine 720: 15.1(1)SY
dCEF256 with a DFC
CEF256
QoS port architecture (Rx/Tx): 1p1q4t / 1p2q2t
Number of ports: 16
Number of port groups: 2
Port ranges per port group: 1–8, 9–16
Requires DFC ROMMON version 12.2(18r)S1 or later. To display the switching module ROMMON version, enter the remote command module module_slot_number show version | include ROM command. To upgrade the switching module ROMMON, see this document:
Supervisor Engine 720 supports a DFC3 on these WS-X6516-GBIC hardware revisions:
– Lower than 5.0
– 5.5 and higher
Supervisor Engine 720 does not support a DFC3 on WS-X6516-GBIC hardware revisions 5.0 through 5.4. With a Supervisor Engine 720 and with a DFC3 installed, WS-X6516-GBIC hardware revisions 5.0 through 5.4 do not power up.
With a Supervisor Engine 720 but without a DFC3, WS-X6516-GBIC hardware revisions 5.0 through 5.4 operate in bus mode.
See external field notice 24494 for more information:
Number of ports: 48
Number of port groups: 4
Port ranges per port group: 1–12, 13–24, 25–36, 37–48
On WS-X6848-TX-2T and WS-X6748-GE-TX ports, STP BPDUs are not exempt from Traffic Storm Control multicast suppression. Do not configure multicast suppression on STP-protected WS-X6848-TX-2T or WS-X6748-GE-TX ports that interconnect network devices.
With Supervisor Engine 720-10GE or Supervisor Engine 720 in a 13-slot chassis, WS-X6748-GE-TX is supported only in slots 9 through 13 and does not power up in other slots.
WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF
Product ID (append “=” for spares) / Product Description / Minimum Software Versions
WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF: 48-port 10/100/1000 Mbps
Note Not supported with Supervisor Engine 2T.
Minimum software version with Supervisor Engine 720-10GE (not supported in VSS mode): 15.1(1)SY
Minimum software version with Supervisor Engine 720: 15.1(1)SY
Supports more than 1 Gbps of traffic per EtherChannel on the WS-X6548-GE-TX (and voice-power daughtercard equipped) switching modules.
WS-X6548-GE-TX (and voice-power daughtercard equipped) switching modules do not support these features:
FourX converter to convert each 40GE port into 4 10GE SFP+ ports
15.0(1)SY1
X2 Modules
Note WS-X6716-10G and WS-X6708-10GE do not support X2 modules that are labeled with a number that ends with -01. (This restriction does not apply to X2-10GB-LRM.)
All X2 modules shipped since WS-X6716-10G became available provide EMI compliance with WS-X6816-10G and WS-X6716-10G.
Some X2 modules shipped before WS-X6716-10G became available might not provide EMI compliance with WS-X6816-10G and WS-X6716-10G. See the information listed for each type of X2 module in the following table.
For information about X2 modules, see the Cisco 10GBASE X2 Modules data sheet:
10GBASE-ER Serial 1550-nm extended-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF); minimum software version 15.0(1)SY
XENPAK-10GB-LR: 10GBASE-LR Serial 1310-nm long-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF); minimum software version 15.0(1)SY
XENPAK-10GB-LR+: 10GBASE-LR Serial 1310-nm long-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF); minimum software version 15.0(1)SY
XENPAK-10GB-LW: 10GBASE-LW XENPAK Module with WAN PHY for SMF
Note XENPAK-10GB-LW operates at an interface speed compatible with SONET/SDH OC-192/STM-64. XENPAK-10GB-LW links might go up and down if the data rate exceeds 9 Gbps. (CSCsi58211)
Minimum software version: 15.0(1)SY
XENPAK-10GB-LX4: 10GBASE-LX4 Serial 1310-nm multimode (MMF); minimum software version 15.0(1)SY
XENPAK-10GB-SR: 10GBASE-SR Serial 850-nm short-reach multimode (MMF)
Note For service modules that run their own software, see the service module software release notes for information about the minimum required service module software version.
With SPAN configured to include a port-channel interface to support a service module, be aware of CSCth03423 and CSCsx46323.
EtherChannel configuration can impact some service modules. In particular, distributed EtherChannels (DECs) can interfere with service module traffic. See this field notice for more information:
See the module software release notes for information about the minimum required service module software version.
Firewall Services Module (FWSM)
Product ID (append “=” for spares) / Product Description / Minimum Software Version
WS-SVC-FWM-1-K9: Firewall Services Module
Minimum software version with Supervisor Engine 2T-10GE: 15.0(1)SY
Minimum software version with Supervisor Engine 720-10GE: 15.1(1)SY
Minimum software version with Supervisor Engine 720: 15.1(1)SY
With Firewall Services Module Software Release 2.3(1) and later releases, WS-SVC-FWM-1-K9 maintains state when an NSF with SSO redundancy mode switchover occurs.
WS-SVC-FWM-1-K9 runs its own software—See these publications:
Note Chassis with 64 MAC addresses automatically enable the Extended System ID feature, which is enabled with the spanning-tree extend system-id command. You cannot disable the extended-system ID in chassis that support 64 MAC addresses. The Extended System ID feature might already be enabled in your network, because it is required to support both extended-range VLANs and any chassis with 64 MAC addresses. Enabling the extended system ID feature for the first time updates the bridge IDs of all active STP instances, which might change the spanning tree topology.
13-Slot Chassis
Note With Supervisor Engine 2T-10GE, the slot reserved for a redundant supervisor engine can be populated with one of these modules:
WS-X6148E-GE-45AT
WS-X6148A-GE-TX, WS-X6148A-GE-45AF
WS-X6148-FE-SFP
WS-X6148A-RJ-45, WS-X6148A-45AF
WS-X6196-RJ-21, WS-X6196-21AF
Product ID (append “=” for spare) / Product Description / Minimum Software Version
WS-C6513-E: 13 slots; slot 7 and slot 8 are reserved for supervisor engines; 64 chassis MAC addresses
Minimum software version with Supervisor Engine 2T-10GE: 15.0(1)SY
Minimum software version with Supervisor Engine 720-10GE: 15.1(1)SY
Minimum software version with Supervisor Engine 720: 15.1(1)SY
CISCO7613-S: 13 slots; slot 7 and slot 8 are reserved for supervisor engines; 64 chassis MAC addresses
Minimum software version with Supervisor Engine 2T-10GE: 15.1(1)SY
WS-C6513: Catalyst 6513 chassis; 13 slots; 64 chassis MAC addresses
Use with Supervisor Engine 720-10GE or Supervisor Engine 720 requires WS-C6K-13SLT-FAN2
These modules are supported only in slots 9 through 13 and do not power up in other slots:
– WS-X6700 series switching modules except WS-X6724-SFP
– WS-X6816-GBIC switching modules
– WS-SVC-WISM-1-K9
Note Not supported with Supervisor Engine 2T.
Minimum software version with Supervisor Engine 720-10GE: 15.1(1)SY
Minimum software version with Supervisor Engine 720: 15.1(1)SY
9-Slot Chassis
Product ID (append “=” for spare) / Product Description / Minimum Software Version
WS-C6509-V-E: 9 vertical slots; 64 chassis MAC addresses
Required power supply:
– 2,500 W DC or higher
– 3,000 W AC or higher
Minimum software version with Supervisor Engine 2T-10GE: 15.0(1)SY
Minimum software version with Supervisor Engine 720-10GE: 15.1(1)SY
Minimum software version with Supervisor Engine 720: 15.1(1)SY
WS-C6509-E: 9 horizontal slots
Chassis MAC addresses:
– Before April 2009—1024 chassis MAC addresses
– Starting in April 2009—64 chassis MAC addresses
Note Chassis with 64 MAC addresses automatically enable the Extended System ID feature, which is enabled with the spanning-tree extend system-id command. You cannot disable the extended-system ID in chassis that support 64 MAC addresses. The Extended System ID feature might already be enabled in your network, because it is required to support both extended-range VLANs and any chassis with 64 MAC addresses. Enabling the extended system ID feature for the first time updates the bridge IDs of all active STP instances, which might change the spanning tree topology.
Requires 2,500 W or higher power supply
Minimum software version with Supervisor Engine 2T-10GE: 15.0(1)SY
Minimum software version with Supervisor Engine 720-10GE: 15.1(1)SY
Minimum software version with Supervisor Engine 720: 15.1(1)SY
CISCO7609-S: 9 vertical slots; 64 chassis MAC addresses
Required power supply:
– 2,500 W DC or higher
– 3,000 W AC or higher
Minimum software version with Supervisor Engine 2T-10GE: 15.0(1)SY1
6-Slot Chassis
Product ID (append “=” for spare) / Product Description / Minimum Software Version
WS-C6506-E: 6 slots
Chassis MAC addresses:
– Before April 2009—1024 chassis MAC addresses
– Starting in April 2009—64 chassis MAC addresses
Note Chassis with 64 MAC addresses automatically enable the Extended System ID feature, which is enabled with the spanning-tree extend system-id command. You cannot disable the extended-system ID in chassis that support 64 MAC addresses. The Extended System ID feature might already be enabled in your network, because it is required to support both extended-range VLANs and any chassis with 64 MAC addresses. Enabling the extended system ID feature for the first time updates the bridge IDs of all active STP instances, which might change the spanning tree topology.
Release 15.1SY supports only the hardware listed in the “Supported Hardware” section. Unsupported modules remain powered down if detected and do not affect system behavior.
Release 12.2SX supported these modules, which are not supported in Release 15.1SY:
Supervisor Engine 32 (CAT6000-SUP32/MSFC2A)
ME 6500 Series Ethernet Switches (ME6524)
Policy Feature Card 3A and Distributed Forwarding Card 3A
76-ES+XT-4TG3CXL, 76-ES+XT-4TG3C
76-ES+XT-2TG3CXL, 76-ES+XT-2TG3C
7600-ES+4TG3CXL, 7600-ES+4TG3C
7600-ES+2TG3CXL, 7600-ES+2TG3C
Shared Port Adapter (SPA) Interface Processors (SIPs) and Shared Port Adapters (SPAs)
Services SPA Carrier (SSC) and Services SPAs
Enhanced FlexWAN Module
Anomaly Guard Module (AGM)
Traffic Anomaly Detector Module (ADM)
Communication Media Module (CMM)
Content Switching Module (CSM)
Content Switching Module with SSL (CSM-S)
Secure Sockets Layer (SSL) Services Module
Images and Feature Sets
Use Cisco Feature Navigator to display information about the images and feature sets in Release 15.1SY.
The release includes strong encryption images. Strong encryption images are subject to U.S. and local country export, import, and use laws. The country and class of end users eligible to receive and use Cisco encryption solutions are limited. See this publication for more information:
The Universal Boot Loader (UBL) image is a minimal network-aware image that can download and install a Cisco IOS image from a running active supervisor engine in the same chassis. When newly installed as a standby supervisor engine in a redundant configuration, a supervisor engine running the UBL image automatically attempts to copy the image of the running active supervisor engine in the same chassis.
Behavior changes describe the minor modifications that are sometimes introduced in a software release. When behavior changes are introduced, existing documentation is updated.
Release 15.1(2)SY16
CSCvi48253: Self-signed certificates expire at 00:00 1 Jan 2020 UTC and cannot be created after that time.
CSCvq66030: Cisco IOS and Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability
Release 15.1(2)SY8
CSCuh97087 (Transport Input) In previous Cisco IOS releases, the default was the transport input all command: the device allowed all transport protocols and accepted incoming network connections to tty lines by default. Based on the CSDL Product Security Baseline Requirement (SEC-MGT-DEFT-2), the transport input default has been changed from all to none through CSCuh97087 and documented.
You must now configure the transport input {protocol | all} command before a line accepts incoming connections; otherwise the default is none and the device does not accept connections to tty lines. Old behavior: transport input all. New behavior (after fix): transport input none. The change is documented and the command is described at this location: http://www.cisco.com/c/en/us/td/docs/ios/termserv/command/reference/tsv_book/tsv_s1.html#pgfId-1069219
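A small audit of this behavior change, added here as an example (not Cisco code): it parses line stanzas from a running-config excerpt, reports the explicit transport input on each, and resolves what each line accepts under the old default (all) and the new default (none). The sample configuration is constructed.

```python
"""Audit the effective 'transport input' setting of IOS line stanzas.

Added example, not Cisco code. Lines with no explicit 'transport input'
inherit the release default, which CSCuh97087 changed from 'all' to
'none'; those are the lines whose behaviour changes on upgrade.
"""
import re

# Constructed sample: vty 0 4 relies on the default, vty 5 15 is explicit.
SAMPLE_CONFIG = """\
hostname sw1
!
line vty 0 4
 login local
line vty 5 15
 login local
 transport input ssh
!
end
"""

# Default applied to lines without an explicit setting, per the release note.
DEFAULTS = {"old": "all", "new": "none"}


def parse_line_stanzas(config: str) -> dict:
    """Return {line_name: explicit transport input value or None}."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = None
        elif current is not None and raw.startswith(" "):
            match = re.match(r"\s+transport input (.+)$", raw)
            if match:
                stanzas[current] = match.group(1).strip()
        else:
            current = None      # '!' or a top-level command ends the stanza
    return stanzas


def effective_transport(config: str, release: str) -> dict:
    """Resolve each line's effective transport input for 'old' or 'new'."""
    default = DEFAULTS[release]
    return {name: (explicit if explicit is not None else default)
            for name, explicit in parse_line_stanzas(config).items()}


def lines_relying_on_default(config: str) -> list:
    """Lines with no explicit setting: these flip from 'all' to 'none'."""
    return [name for name, explicit in parse_line_stanzas(config).items()
            if explicit is None]
```

Lines reported by lines_relying_on_default stop accepting connections after the upgrade unless an explicit transport input is added.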
CSCuu55288 (Mechanism to throttle NDE export) The default behavior is unchanged. The flow hardware export priority low command reduces the process priority from Critical to Medium; with this command configured, flow export time may vary based on CPU usage in the system.
CSCva39982 (IPv6 neighbor discovery packet processing behavior) Before fix: To rate limit IPv6 ICMP ND type 133-137 packets, there is a class map in the default policy map that is programmed on the control plane:
sh policy-map policy-default-autocopp | b ndv6
Class class-copp-match-ndv6
police rate 1000 pps, burst 1000 packets
conform-action set-discard-class-transmit 48
exceed-action drop
Both valid IPv6 ICMP ND type 133-137 packets (hop limit 255) and invalid packets (hop limit < 255) fall under this single policy, which allows an attacker to send crafted IPv6 ND packets that cause valid CPU-bound IPv6 ICMP ND traffic to be dropped. Fix: A class map named class-copp-match-ndv6hl was added above class-copp-match-ndv6, as follows:
FM-NAT#sh policy-map policy-default-autocopp | b ndv6
Class class-copp-match-ndv6hl
police rate 10 pps, burst 1 packets
conform-action drop
exceed-action drop
Class class-copp-match-ndv6
police rate 1000 pps, burst 1000 packets
conform-action set-discard-class-transmit 48
exceed-action drop
so that all IPv6 ICMP ND type 133-137 packets with an invalid hop limit (not 255) are dropped in hardware. For this class map to be effective, consider the following points:
– The new class map is not applied by a reload alone, because auto-copp is saved in the startup config and the saved policy reappears on reload.
– To apply the policy map with the new class map, remove the default control plane policy using no policy-map policy-default-autocopp; the new class map for policy-default-autocopp appears upon reload.
– In config mode, the no platform qos auto-copp command removes the policy-map policy-default-autocopp,
– and platform qos auto-copp regenerates the policy-map policy-default-autocopp with the new class map class-copp-match-ndv6hl and adds the service policy to the control plane.
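To show why the extra class map matters, the following added example (not Cisco code) classifies constructed IPv6 ND packets the way the two class maps above split them and runs a burst through a simplified model of the ndv6 policer, before and after the fix. The class names come from the policy output above; the packet bytes, the policer model and the function names are assumptions made here.

```python
"""Classify IPv6 ND packets the way the auto-CoPP class maps above split them.

Added example, not Cisco code. RFC 4861 requires ND messages (ICMPv6 types
133-137) to carry hop limit 255, so any other hop limit means the packet
did not originate on the local link. Class names are the ones in the
release note; the packet bytes and the policer model are constructed here.
"""
import struct

ND_TYPES = range(133, 138)      # RS, RA, NS, NA, Redirect
IPV6_HDR_LEN = 40
NEXT_HEADER_ICMPV6 = 58


def build_nd_packet(icmp_type: int, hop_limit: int) -> bytes:
    """Constructed IPv6 header + ICMPv6 header (no options, checksum zeroed)."""
    payload = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4
    ipv6 = struct.pack("!IHBB", 0x60000000, len(payload),
                       NEXT_HEADER_ICMPV6, hop_limit)
    src = bytes.fromhex("fe80000000000000" "0000000000000001")
    dst = bytes.fromhex("ff02000000000000" "0000000000000001")
    return ipv6 + src + dst + payload


def classify(packet: bytes, fixed: bool = True) -> str:
    """Name the class map that would match this packet.

    fixed=False models the pre-fix policy, where hop limit is not examined.
    Simplification: IPv6 extension headers are not walked.
    """
    if len(packet) < IPV6_HDR_LEN + 4 or packet[0] >> 4 != 6:
        return "not-ipv6"
    next_header, hop_limit = packet[6], packet[7]
    if next_header != NEXT_HEADER_ICMPV6:
        return "class-default"
    icmp_type = packet[IPV6_HDR_LEN]
    if icmp_type not in ND_TYPES:
        return "class-default"
    if fixed and hop_limit != 255:
        return "class-copp-match-ndv6hl"    # conform and exceed both drop
    return "class-copp-match-ndv6"          # police 1000 pps, burst 1000


def simulate_burst(packets, fixed: bool = True, burst: int = 1000) -> dict:
    """Push a burst of packets through the two class maps in arrival order.

    Simplified policer: the ndv6 class has `burst` tokens and no refill
    during the burst; the ndv6hl class drops everything it matches.
    """
    tokens = burst
    result = {"transmitted": 0, "dropped": 0, "other": 0}
    for pkt in packets:
        cls = classify(pkt, fixed)
        if cls == "class-copp-match-ndv6hl":
            result["dropped"] += 1
        elif cls == "class-copp-match-ndv6":
            if tokens > 0:
                tokens -= 1
                result["transmitted"] += 1
            else:
                result["dropped"] += 1
        else:
            result["other"] += 1        # not modelled by these two classes
    return result
```

With the pre-fix policy, a burst of invalid-hop-limit packets consumes the shared 1000-packet budget and the valid ND that follows is dropped; after the fix the invalid packets never reach that policer.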
CSCub46031 (knob to turn off auto-copp) This enhancement introduces the following CLI: no platform qos auto-copp. Initial issue: If the user removes the default control plane policy using no policy-map policy-default-autocopp, the same policy-default-autocopp configuration reappears upon reload. Fix/Enhancement: A new CLI has been introduced in config mode: no platform qos auto-copp. If the user issues this command before or after issuing no policy-map policy-default-autocopp, the policy-map policy-default-autocopp configuration does not reappear after reload, which fixes the issue. If the user later wants to reconfigure policy-default-autocopp, the platform qos auto-copp command immediately regenerates the configuration and adds the service policy to the control plane if no policy was attached there. If another policy is already on the control plane, the policy map is regenerated but is not attached to the control plane.
CSCva69133 : cli changes needed for fix in CSCva39982
Release 15.1(2)SY7
Deprecated CLI command
Old behavior: Running the CLI command “show platform fex-debug status” is no longer supported.
New behavior: Use the new CLI command “show fex <fex-id>” instead.
Old behavior: The RADIUS server does not have Point-to-Point Tunneling Protocol (PPTP) tunnel-specific information because the tunnel-client endpoint and tunnel-server endpoint attributes are missing in the access-request packets sent to the RADIUS server.
New behavior: The following commands are introduced to identify the hostname or address of the network access server (NAS) at the initiator and server end of the Point-to-Point Tunneling Protocol (PPTP) tunnel by sending the Tunnel-Client-Endpoint attribute and the Tunnel-Server-Endpoint attribute in access-request packets to the RADIUS server.
Caution
On Cisco Catalyst 6880-X switch, in performance mode, the disabled ports in 15.1(2)SY1 are ports 3-4, 7-8, 11-12 and 15-16, while the disabled ports in 15.1(2)SY2 are ports 5-8 and 13-16. Before you upgrade to 15.1(2)SY2, reconfigure to the available open ports (1-4 and 9-12) to prevent an outage.
EIGRP IPv6 Graceful Restart (GR)—The EIGRP IPv6 Graceful Restart (GR) feature is enabled by default in EIGRP IPv6 configurations. GR is a way to rebuild forwarding information in routing protocols and reset the router’s control plane without impacting (global) routing.
Granular enablement of CTS SGACL at interface level—See this publication:
Configurable System Controller Reset Threshold—With a redundant supervisor engine, if a TM_DATA_PARITY_ERROR, TM_LINK_ERR_INBAND, or TM_NPP_PARITY_ERROR error occurs, the affected supervisor engine reloads.
Without a redundant supervisor engine, if a TM_DATA_PARITY_ERROR, TM_LINK_ERR_INBAND, or TM_NPP_PARITY_ERROR error occurs, one of the following happens:
– If the system controller reset threshold has not been reached, reset the system controller ASIC.
– If the system controller reset threshold has been reached, reload the supervisor engine.
The default system controller reset threshold value is 1, configurable with the platform system-controller reset-threshold threshold_value command. The value range is 1 through 100.
TM_DATA_PARITY_ERROR, TM_LINK_ERR_INBAND, and TM_NPP_PARITY_ERROR errors cause system messages.
– Before the threshold is reached, the errors cause the following system messages:
ISIS BFD TLV—The IS-IS Bidirectional Forwarding Detection (BFD) Tag Length Value (TLV) feature provides a faster method to detect a loss of an IS-IS adjacency. Before, when an IS-IS adjacency reached the UP state (and therefore could be used for forwarding), a BFD session needed to be established with that neighbor. Now, a BFD session is maintained as long as the hello holddown timer for the neighbor does not expire, which is new for BFD TLV. The BFD session is only deleted if the neighbor hello times out. If BFD signals to IS-IS that a session has gone DOWN, the adjacency associated with that session will transition to DOWN state. Once the BFD session goes back UP, the adjacency state can transition back to an UP state.
For a given IS-IS topology, IS-IS determines whether BFD is usable for a given neighbor on that topology. BFD is not usable when BFD is enabled on both sides and the BFD session is down. When multiple BFD sessions are enabled for different address families, such as IPv4 and IPv6, BFD is considered not usable for the entire adjacency on that topology if it is not usable for any one address family. For example, if both IPv4 and IPv6 BFD are enabled for a single topology and either the IPv4 or the IPv6 BFD session is down, the neighbor state is set to DOWN. If BFD is not enabled for a given address family, BFD is considered usable for that address family.
In single topology mode, the neighbor state is DOWN when either the IPv4 or the IPv6 BFD session is not BFD usable, that is, when BFD is enabled on both sides and the BFD session is DOWN. If BFD is not enabled on either side, BFD usable is set to TRUE. In multi-topology mode, the IS-IS adjacency is UP as long as any topology is UP; however, the neighbor for a topology where BFD is considered not usable is considered down for that specific topology. For example, if both IPv4 and IPv6 BFD are enabled, the IPv4 session is DOWN, and the IPv6 session is UP, the IS-IS adjacency is still UP; in this case the IPv4 neighbor is considered DOWN and the IPv6 neighbor is considered UP.
ISIS client for BFD c-bit support—See this publication:
LLDP IPv6 address support—The release supports IPv6 Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (MED) addresses.
Mac Move and Replace—See this publication:
Manually configured IPv6 in IPv4 with IPSec—The Manually Configured IPv6 in IPv4 with IPsec feature complies with U.S. Government IPv6 (USGv6) guidelines by supporting the following IPsec features:
– IPv6 Support for IPsec and IKEv2. For more information about this feature, see the “Configuring Internet Key Exchange Version 2 (IKEv2) and FlexVPN Site-to-Site” module and the “Configuring Security for VPNs with IPsec” module at the following links:
– OSPF for IPv6 (OSPFv3) Authentication Support with IPsec. For more information about this feature, see the “IPv6 Routing: OSPF for IPv6 Authentication Support with IPsec” module at the following link:
MVPN - Data MDT Enhancements—Multicast distribution tree (MDT) groups were selected at random when the traffic passed the threshold and there was a limit of 255 MDTs before they were reused. The MVPN - Data MDT Enhancements feature provides the ability to deterministically map the groups from inside the VPN routing and forwarding (S,G) entry to particular data MDT groups, through an access control list (ACL).
The user can now map a set of VPN routing and forwarding (S,G) to a data MDT group in one of the following ways:
– 1:1 mapping (1 permit in ACL)
– Many to 1 mapping (many permits in ACL)
– Many to many mapping (multiple permits in ACL and a nonzero mask data MDT)
Because the total number of configurable data MDTs is 1024, the user can use this maximum number of mappings in any of the described combinations.
OSPF for Routed Access—The OSPF for Routed Access feature allows users to extend layer 3 routing capabilities to the access or Wiring Closet. OSPF for Routed Access supports only one OSPFv2 and one OSPFv3 instance with a maximum number of 200 dynamically learned routes permitted.
With the typical hub and spoke topology in a campus environment, the Wiring Closets (spokes) are connected to the distribution switch (hub), forwarding all non-local traffic to the distribution layer. There is no requirement to hold a complete routing table at the Wiring Closet switches. In best-practice designs, the distribution switch sends a default route to the Wiring Closet switch for reaching inter-area and external routes (OSPF stub area configuration). The OSPF for Routed Access feature supports this type of topology.
The IP base image supports OSPF for Routed Access. The Enterprise services image continues to be required if multiple OSPFv2 and OSPFv3 instances with no route restrictions are required. Additionally, Enterprise Services is required to enable the VRF-lite feature.
Use Cisco Feature Navigator to display supported features that were introduced in earlier releases.
Unsupported Commands
Cisco IOS images for the Supervisor Engine 2T do not support mls commands or mls as a keyword. See this document for a list of some of the mls commands that have been replaced:
Note Some of the replacement commands support different keyword and parameter values than those supported by the Release 12.2SX commands.
Cisco IOS images for the Supervisor Engine 2T do not support these commands:
ip multicast helper-map
ip pim accept-register route-map
Unsupported Features
Note The IPsec Network Security feature (configured with the crypto ipsec command) is supported in software only for administrative connections to Catalyst 6500 series switches.
These features are not supported in Release 15.1SY:
WAN features
Performance Routing (PfR)
OER Border Router Only Functionality
Flexible NetFlow on Supervisor Engine 720-10GE and Supervisor Engine 720
IOS Server Load Balancing (SLB)
Note Release 15.1SY supports server load balancing (SLB) as implemented on the Application Control Engine (ACE) module (ACE30-MOD-K9).
Per-VLAN Spanning Tree (PVST) mode (spanning-tree mode pvst global configuration mode command) on Supervisor Engine 2T
Note Release 15.1SY supports these spanning tree protocols:
—Rapid Spanning Tree Protocol (RSTP):
• spanning-tree mode rapid-pvst global configuration mode command
• Enabled by default
—Multiple Spanning Tree Protocol (MSTP):
• spanning-tree mode mst global configuration mode command
• Can be enabled
Router-Port Group Management Protocol (RGMP)
Stub IP Multicast Routing
TCP Intercept
Note Release 15.1SY supports the Firewall Services Module (WS-SVC-FWM-1-K9).
Conditions: This is currently believed to affect all released versions of IOS code which support the CISCO-ENTITY-EXT-MIB. This may occur when polling the ceExtSysBootImageList object in CISCO-ENTITY-EXT-MIB. This object returns a semicolon-separated list of boot statements on the device, similar to the following:
The DATACORRUPTION error occurs under a specific corner case: the total length of one or more complete boot variables (counted starting after the boot system token) is less than 255 bytes, but when the semicolons are added (one per boot statement) the total meets or exceeds 255.
Consider the following example:
boot system bootflash:this_is_a_128_character_long_boot_statement_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
boot system bootflash:this_is_a_125_character_long_boot_statement_yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
128 + 125 + 2 semicolons = 255 characters (bytes)
If another boot statement is added after this, the DATACORRUPTION error will be seen and the SNMP query will return invalid data.
Workaround: Reduce the quantity/length of configured boot variables.
Further Problem Description: This is not known to have any functional impact beyond the (potentially alarming) error message. The error is printed only once, but subsequent occurrences of this condition can be seen with the show data-corruption command.
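The length arithmetic above, as an added configuration check (not Cisco code): it extracts the boot statements from a configuration, computes the length of the semicolon-separated list as the release note describes it (sum of the variable lengths plus one semicolon per statement), and reports which statement first pushes the total to the 255-byte limit. The sample configuration is constructed to reproduce the 128 + 125 + 2 example.

```python
"""Check 'boot system' statements against the 255-byte ceExtSysBootImageList limit.

Added example, not Cisco code. Per the release note, each boot variable is
counted from after the 'boot system' token and the MIB object adds one
semicolon per statement, so the list length is sum(lengths) + count.
"""
LIMIT = 255
BOOT_PREFIX = "boot system "


def boot_variables(config: str) -> list:
    """Return the text after 'boot system' for each boot statement."""
    return [line.strip()[len(BOOT_PREFIX):]
            for line in config.splitlines()
            if line.strip().startswith(BOOT_PREFIX)]


def encoded_length(variables) -> int:
    """Length of the semicolon-separated list, one semicolon per statement."""
    return sum(len(v) for v in variables) + len(variables)


def first_overflowing_index(variables):
    """Index of the statement at which the running total reaches LIMIT."""
    running = 0
    for index, variable in enumerate(variables):
        running += len(variable) + 1
        if running >= LIMIT:
            return index
    return None


def check_boot_list(config: str) -> dict:
    """Summarise the boot list and flag the corner case from the release note."""
    variables = boot_variables(config)
    raw = sum(len(v) for v in variables)
    encoded = encoded_length(variables)
    return {
        "count": len(variables),
        "raw_length": raw,
        "encoded_length": encoded,
        "at_risk": encoded >= LIMIT,
        "overflow_index": first_overflowing_index(variables),
    }


# Constructed sample: 'bootflash:' is 10 characters, so these two statements
# are 128 and 125 characters after the token, as in the release note.
SAMPLE_CONFIG = (
    "boot system bootflash:" + "x" * 118 + "\n"
    "boot system bootflash:" + "y" * 115 + "\n"
)
```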
CSCur43251
Symptom: The HTTPS client offers only up to SSLv3.0, which is vulnerable to the POODLE attack.
Conditions: Any application using the HTTPS client with SSL 3.0.
Workaround: Disable applications that use the HTTPS client.
Further Problem Description: After fixing POODLE (CSCur23656) in the SSL component, this fix in the HTTP component is also required. After the fix, TLS 1.0 is used; the HTTPS client offers only TLS 1.0.
CSCut55517
Symptom: A 7200 router crashes during multiple session validations.
Conditions: When two certificate validations are in progress, the 7200 platform crashes.
Workaround: None.
Further Problem Description: This defect is more visible on the 7200 platform than on any other platform. It is not limited to GetVPN configurations; it also occurs with configurations such as IKEv2.
CSCus77875
Symptom: The router may become unresponsive. All memory is used up and is no longer available for other processes. The router may eventually reload on its own or may need to be reloaded manually to restore services.
Conditions: Normal operations.
Workaround: Track used memory and, when it approaches 70-80% utilization, schedule a reload.
Further Problem Description: The output of show process mem sorted shows an increase in Used. Memory held by the Chunk Manager and CCSIP_TLS_SOCKET processes shows a corresponding increase. show mem all totals shows an increase for List Headers.
CSCus19794
Symptom: A vulnerability in the IPv6 snooping feature from the first-hop security features in Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to insufficient Control Plane Protection (CPPr) against specific IPv6 ND packets. An attacker could exploit this vulnerability by sending a flood of traffic consisting of specific IPv6 ND packets to an affected device where the IPv6 snooping feature is configured.
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
Symptom: A vulnerability in the IPv6 snooping feature from the first-hop security features in Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to insufficient validation of IPv6 ND packets that use the Cryptographically Generated Address (CGA) option. An attacker could exploit this vulnerability by sending a malformed packet to an affected device where the IPv6 Snooping feature is enabled. Cisco has released software updates that address these vulnerabilities. There are no workarounds to mitigate these vulnerabilities. This advisory
Note The September 23, 2015, release of the Cisco IOS and IOS XE Software Security Advisory bundled publication includes three Cisco Security Advisories. All the advisories address vulnerabilities in Cisco IOS Software and Cisco IOS XE Software. Individual publication links are in Cisco Event Response: September 2015 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication at the following link:
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
Symptom: This product includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
Symptom: Cisco IOS and IOS-XE include a version of OpenSSL that may be affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3505 - Double Free when processing DTLS packets
CVE-2014-3506 - DTLS memory exhaustion
CVE-2014-3507 - DTLS memory leak from zero-length fragments
CVE-2014-3508 - Information leak in pretty printing functions
CVE-2014-3509 - Race condition in ssl_parse_serverhello_tlsext
CVE-2014-3510 - OpenSSL DTLS anonymous EC(DH) denial of service
CVE-2014-5139 - Crash with SRP ciphersuite in Server Hello message
This bug has been opened to address the potential impact on this product.
Conditions: See published Cisco Security Advisory
Workaround: None.
Further Problem Description: At this point the investigation is ongoing, this bug will be updated in the future to reflect better the real impact on the product.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
Symptom: This product includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:
Affected Versions: One or more of these vulnerabilities affect all versions of IOS prior to the versions listed in the Integrated In field of this defect.
Workaround: None.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 5.0/3.7
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
Symptom: This product includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:
This bug has been opened to address the potential impact on Cisco IOS and IOS-XE products.
Conditions:
Following Cisco IOS features may invoke the affected code and might be vulnerable:
- SSLVPN feature (for any platform running IOS) ("webvpn gateway")
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 7.1/6.9
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
Symptom: A vulnerability in the TCL script interpreter of Cisco IOS Software could allow an authenticated, local attacker to escalate their privileges from those of a non-privileged user to a privileged (level 15) user. This would allow a non-privileged user to execute privileged commands (those under privilege level 15). The vulnerability is due to an error in resetting VTY privileges after running a TCL script. An attacker could exploit this vulnerability by establishing a session to an affected device immediately after a TCL script has been run. An attacker would need to provide valid credentials and successfully pass authentication to the device.
Conditions: This behavior is timing dependent, as the attacker would need to log-in to the device immediately after the TCL script finishes execution.
Workaround: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.6/5.5:
A vulnerability in the TCP input module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak and eventual reload of the affected device. The vulnerability is due to improper handling of certain crafted packet sequences used in establishing a TCP three-way handshake. An attacker could exploit this vulnerability by sending a crafted sequence of TCP packets while establishing a three-way handshake. A successful exploit could allow the attacker to cause a memory leak and eventual reload of the affected device.
There are no workarounds for this vulnerability.
Cisco has released free software updates that address this vulnerability. This advisory is available at the following link:
Symptom: A 6500 reloads after negotiating an IPSec tunnel with ASR9000.
Conditions: The 6500 needs to run 12.2(33)SXJ8 and the IPsec engine must be a WS-SSC-600 WS-IPSEC-3 combination. This crash does not happen with the 7600-SSC-400 IPSEC-2 combination.
Workaround: None.
Further Problem Description: A vulnerability in the IKE subsystem of Cisco WS-IPSEC-3 service module could allow an authenticated, remote attacker to cause a reload of the Catalyst switch. The vulnerability is due to insufficient bounds checks on a specific message during the establishment of an IPSEC tunnel. An attacker could exploit this vulnerability by successfully establishing an IKE session and sending the offending packet during subsequent negotiations. An exploit could allow the attacker to cause a denial of service by forcibly reloading the switch.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.9/4.9:
CVE ID CVE-2015-0771 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL:
Symptom: A vulnerability in the implementation of the IP version 6 (IPv6) protocol stack in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause I/O memory depletion on an affected device that has IPv6 enabled. The vulnerability is triggered when an affected device processes a malformed IPv6 packet.
Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.
Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication.
Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
Symptom: A vulnerability in TCP stack of Cisco IOS Software could allow an unauthenticated, remote attacker to cause an ACK storm.
The vulnerability is due to improper closing of the established TCP connection. An attacker could exploit this vulnerability by sending a crafted sequence of TCP ACK and FIN packets to an affected device. An exploit could allow the attacker to cause an ACK storm resulting in excessive network utilization and high CPU.
Conditions: Multiple FIN/ACK packets are received.
Workaround: Issue 'clear tcp tcb 0x......', where the hex value is the address of the TCB stuck in LASTACK state in 'show tcp brief'.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C CVE ID CVE-2013-5469 has been assigned to document this issue.