WS-X6816-GBIC

e. For

ml

o IOS

se. series releasein the

Release Notes for Catalyst 6500 SeriesSoftware Release 7.x

Current Release7.6(21)—May 16, 2007Previous Releases: 7.6(20), 7.6(19), 7.6(18), 7.6(17), 7.6(16), 7.6(15), 7.6(14), 7.6(13), 7.6(12)–GD release, 7.6(11), 7.6(10),7.6(9), 7.6(8), 7.6(7), 7.6(6), 7.6(5), 7.6(4)–Supervisor Engine 2 images deferred, 7.6(3a)–Supervisor Engine 2 imagesdeferred, 7.6(3)–Supervisor Engine 2 images deferred, 7.6(2a)–Supervisor Engine 2 images deferred,7.6(2)–Supervisor Engine 2 images deferred, 7.6(1)–Supervisor Engine 2 images deferred, 7.5(1), 7.4(3), 7.4(2), 7.3(2),7.3(1), 7.2(2), 7.1(2), 7.1(1a), 7.1(1)

Caution The Supervisor Engines 1 and 1A are not supported in Catalyst software release 7.6(18) and abovmore information, refer to Product Bulletin No. 2595 at this URL:http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notice0900aecd8017a5d1.ht

Note For information on the latest caveats and updates for the Cisco 7600 series router, refer to the CiscRelease 12.1(7a)E1 or later MSFC release notes athttp://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/index.htm

Note Release notes for prior Catalyst 6500 series software releases were accurate at the time of releaHowever, for information on the latest caveats and updates to previously released Catalyst 6500software releases, refer to the release notes for the latest maintenance release in your softwaretrain. You can access all Catalyst 6500 series release notes at the World Wide Web locations listed“Obtaining Documentation” section on page 175.

Corporate Headquarters:

Copyright © 2001–2007 Cisco Systems, Inc. All rights reserved.

Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notice0900aecd8017a5d1.html

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/index.htm

Contents

ContentsThis document consists of these sections:

• Release 7.x DRAM Memory Requirements, page 3

• Boot ROM (ROMMON) Requirements, page 4

• Upgrading the Boot ROM, page 4

• Flash PC Card Support, page 5

• Redundant Supervisor Engine Configurations, page 6

• Product and Software Version Matrix, page 6

• Unsupported Hardware, page 16

• Orderable Software Images, page 16

• Software Image Version Compatibility, page 23

• Catalyst 6500 Series Features, page 24

• Usage Guidelines and Restrictions, page 46

• Open and Resolved Caveats in Software Release 7.6(21), page 70


















• Open and Resolved Caveats in Software Release 7.6(3a), page 116






2Release Notes for Catalyst 6500 Series Software Release 7.x

OL-1982-25

Release 7.x DRAM Memory Requirements

ch

hon

for

ading

kit.









• Catalyst Software Image Upgrade Procedure, page 168

• Troubleshooting, page 171

• Additional Documentation, page 175

• Obtaining Documentation, page 175

• Documentation Feedback, page 176

• Cisco Product Security Overview, page 176

• Product Alerts and Field Notices, page 177

• Obtaining Technical Assistance, page 178

• Obtaining Additional Publications and Information, page 179

Release 7.x DRAM Memory RequirementsSupervisor Engine 2:The Catalyst 6500 series Supervisor Engine 2 ships with 128-MB DRAM, whifully supports software release 7.x.

Supervisor Engine 1: Early versions of the Catalyst 6500 series Supervisor Engine 1 shipped wit64-MB DRAM (currently, new Supervisor Engine 1 modules ship with 128-MB DRAM). Dependingthe software release you are running, be aware of these DRAM memory requirements:

• With software releases 7.5(1) and later, 64-MB DRAM may not provide adequate free memoryall configurations. With large, existing configurations using manyfeatures, or when enabling newfeatures available in release 7.5 and later, 64-MB DRAM may not be enough. We recommend upgrto 128-MB DRAM to ensure adequate free memory is available to the system at all times.

• Software release 7.6(4) and later 7.6(x) releases are too large to fit in the 64-MB DRAM thatoriginally shipped on some Supervisor Engine 1 modules. You must upgrade to128-MB DRAM.

Supervisor Engine 1 upgrade options: With the exception of WS-X6K-SUP1A-MSFC, all otherSupervisor Engine 1 modules can upgrade to 128-MB DRAM using the MEM-S1-128MB= upgradeFor detailed information on the MEM-S1-128MB= upgrade, refer to theCatalyst 6500 Series SwitchSupervisor Engine 1A DRAM Upgrade Installation Note at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/78_14357.htm

To upgrade to 128-MB DRAM on the WS-X6K-SUP1A-MSFC, use the MEM-S1-128MB-UPG=upgrade kitwhich also includes an MSFC2 upgrade.


OL-1982-25


Boot ROM (ROMMON) Requirements

with

havein, theented

and.x(x)

n bee

otble.

field.

tance

e

Caution The 7.1(1) and 7.1(2) CiscoView + SSH images may fail to boot on Supervisor Engine 1 systems64-MB DRAM. This problem applies to all models of Supervisor Engine 1 (WS-X6K-SUP1-2GE,WS-X6K-SUP1A-2GE, WS-X6K-SUP1A-PFC, WS-X6K-SUP1A-MSFC, WS-X6K-S1A-MSFC2).Due to this problem, the cat6000-supcvk9.7-1-1.bin and cat6000-supcvk9.7-1-2.bin CCO imagesbeen deferred. As an alternative, the cat6000-supcvk8.7-1-1.bin or the cat6000-supcvk8.7-1-2.bimages may be used if SSH support is not required. If both CiscoView and SSH support is required6.3(x) supcvk9 images or the 7.2(x) and later supcvk9 images should be used. This issue is documin open caveat CSCdw70549.

Boot ROM (ROMMON) RequirementsFor Supervisor Engine 1, the minimum boot ROM (ROMMON) required for software release 5.4(1)later 5.x(x) releases is 5.2(1). The minimum boot ROM required for software releases 6.x(x) and 7is 5.2(1). The default (shipping) image for software releases 6.x(x) and 7.x(x) is 5.3(1).

For Supervisor Engine 2, the minimum boot ROM required for software releases 6.2(2) and lateris 6.1(3).

Note The supervisor engine boot ROM versions must be identical in redundant systems.

Upgrading the Boot ROMFollow these guidelines to upgrade the boot ROM (ROMMON) on Supervisor Engine 1 or 1A:

Note For Supervisor Engine 2 with boot ROM version 6.1(3) or later, the boot ROM software image caupgraded through a software download from Cisco.com. Refer to the boot ROM software upgradprocedure at this URL:http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/78_13488.htm

• For supervisor engines with an MSFC, due to the location of the boot ROM, upgrading the boROM could damage your supervisor engine. This hardware configuration is not field upgrada

• For supervisor engines with an MSFC2 or no PFC, the boot ROM upgrade can be done in the

• The boot ROM upgrade kit part number is WS-X6K-BOOT=

Note The boot ROM upgrade kit is not orderable. If an upgrade is needed, contact the Technical AssisCenter (TAC) to verify your hardware configuration and arrange for delivery of the upgrade kit.

• For boot ROM installation information, refer to theCatalyst 6500 Series Switch Supervisor EnginNMP Boot ROM Upgrade Installation Note at this URL:http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/78_10142.htm


OL-1982-25

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/78_13488.htm


Flash PC Card Support

wing

2.

hes.

he data

otormat.ine 2.ine 1.

ear

lashrvisor

iscoflash.

C2 the

Flash PC Card SupportThe following Flash PC cards are supported on Catalyst 6500 series switches:

• MEM-C6K-FLC16M(=)



• MEM-C6K-ATA-1-64M(=)

Prior to software release 7.5(1), Supervisor Engine 1 and Supervisor Engine 2 supported the folloFlash PC cards:

• 16-MB Flash PC card (MEM-C6K-FLC16M=). The device name isslot0:.

• 24-MB Flash PC card (MEM-C6K-FLC24M=). The device name isslot0:.

With software releases 7.5(1) and later, additional Flash PC card support was added as follows:

• 64-MB ATA Flash PC card (MEM-C6K-ATA-1-64M=)—Only supported on Supervisor Engine The device name isdisk0: and the card requires ROMMON version 7.1(1) or later releases.

• 64-MB linear Flash PC card (MEM-C6K-FLC64M=)—Only supported on Supervisor Engine 1. Tdevice name isslot0: and the card requires ROMMON software release 5.3(1) or later release

Note The MEM-C6K-ATA-1-64M(=) and MEM-C6K-FLC64M= Flash PC cards are not formatted. Althougthe cards appear to be formatted when first installed, you must format the cards to prevent possiblcorruption.

Note The 16-MB MEM-C6K-FLC16M(=) and 24-MB MEM-C6K-FLC24M(=) linear Flash PC cards are nformatted. Supervisor Engine 1 and Supervisor Engine 2 do not support the same Flash PC card fTo use a Flash PC card with Supervisor Engine 2, you must format the card with Supervisor EngTo use a Flash PC card with Supervisor Engine 1, you must format the card with Supervisor Eng

Note For Supervisor Engine 1, software release 7.6(1) or later CV images need a 24-MB or 64-MB linFlash PC card.

With the 24-MB linear Flash PC card with a Supervisor Engine 1/MSFC or a Supervisor Engine1/MSFC2 with a 16-MB MSFC2 bootflash, you need to put the Catalyst image on the 24-MB linear FPC card, the IOS bootloader on the MSFC bootflash, and the Cisco IOS image on the 16-MB supeengine bootflash.

With the 64-MB linear Flash PC card with a Supervisor Engine 1/MSFC or a Supervisor Engine1/MSFC2 with a 16-MB MSFC2 bootflash, you can put the Catalyst image and the MSFC/MSFC2 CIOS image on the 64-MB linear Flash PC card, and the Cisco IOS bootloader on the MSFC boot

With the 24-MB or 64-MB linear Flash PC card on a Supervisor Engine 1/MSFC2 with 32-MB MSFbootflash, the MSFC2 bootloader and Cisco IOS image can be put on the MSFC2 bootflash, andCatalyst image can be put on the 24-MB or 64-MB linear Flash PC cards.


OL-1982-25


Redundant Supervisor Engine Configurations

ve thens:

gine

g for

the

thatpe for

Redundant Supervisor Engine ConfigurationsIn systems with redundant supervisor engines, both supervisor engines must be identical and hasame daughter card configurations. For example, your switch can have the following configuratio

• Slot 1—Supervisor Engine 2, PFC2, MSFC2Slot 2—Supervisor Engine 2, PFC2, MSFC2

• Slot 1—Supervisor Engine 2, PFC2Slot 2—Supervisor Engine 2, PFC2

• Slot 1—Supervisor Engine 1, PFC, MSFC2Slot 2—Supervisor Engine 1, PFC, MSFC2

• Slot 1—Supervisor Engine 1, PFC, MSFC1Slot 2—Supervisor Engine 1, PFC, MSFC1

• Slot 1—Supervisor Engine 1, PFCSlot 2—Supervisor Engine 1, PFC

• Slot 1—Supervisor Engine 1Slot 2—Supervisor Engine 1

These configuration requirements apply to all Catalyst 6500 series switches. We do not supportconfigurations that are not identical.

Product and Software Version MatrixTable 1 lists the minimum supervisor engine version and the current recommended supervisor ensoftware version for Catalyst 6500 series modules and chassis.

Note For information about AC power requirements and heat dissipation, refer to Chapter 2, “PreparinInstallation,” of theCatalyst 6500 Series Switch Installation Guide:http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/6000hw/index.htm

For information about power management and determining system power requirements, refer to “Power Management” section in Chapter 20, “Administering the Switch,” of theCatalyst 6500 SeriesSwitch Software Configuration Guide:http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_1/index.htm

Note There might be additional minimum software version requirements for intelligent modules (thoserun an additional, separate software image). Refer to the software release notes for the module tymore information.


OL-1982-25

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/6000hw/index.htm

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_1/index.htm

Product and Software Version Matrix

Table 1 Minimum and Recommended Supervisor Engine Software Versions

Product Numberappend with“=” for spares Product Description

MinimumSupervisor EngineSoftware Version

RecommendedSupervisor EngineSoftware Version

Supervisor Engine 2

WS-X6K-S2U-MSFC2 Supervisor Engine 2, dual 1000BASE-X GBICuplinks, fabric-enabled, CEF, PFC2, and MSFC2256 MB on supervisor engine, 256 MB on MSFC2QoS port architecture (Rx/Tx):1p1q4t/1p2q2t

6.1(1d) 6.4(21)

WS-X6K-S2-MSFC2 Supervisor Engine 2, dual 1000BASE-X GBICuplinks, fabric-enabled, CEF, PFC2, and MSFC2128 MB on supervisor engine, 128 MB on MSFC2QoS port architecture (Rx/Tx):1p1q4t/1p2q2t

6.1(1d) 6.4(21)

WS-X6K-S2-PFC2 Supervisor Engine 2, dual 1000BASE-X GBICuplinks, fabric-enabled, and PFC2QoS port architecture (Rx/Tx):1p1q4t/1p2q2t

6.1(1d) 6.4(21)


OL-1982-25


Supervisor Engine 11, 2

WS-X6K-S1A-MSFC2 Supervisor Engine 1A, dual 1000BASE-X GBICuplinks, PFC, and MSFC2QoS port architecture (Rx/Tx):1p1q4t/1p2q2t

5.4(3) 6.4(21)

WS-X6K-SUP1A-MSFC Supervisor Engine 1A, dual 1000BASE-X GBICuplinks, PFC, and MSFCQoS port architecture (Rx/Tx):1p1q4t/1p2q2t

5.3(1a)CSX 6.4(21)

WS-X6K-SUP1A-PFC Supervisor Engine 1A, dual 1000BASE-X GBICuplinks, and PFCQoS port architecture (Rx/Tx):1p1q4t/1p2q2t

5.3(1a)CSX 6.4(21)

WS-X6K-SUP1A-2GE Supervisor Engine 1A, dual 1000BASE-X GBICuplinksQoS port architecture (Rx/Tx):1p1q4t/1p2q2t

5.3(1a)CSX 6.4(21)

WS-X6K-SUP1-2GE Supervisor Engine 1, dual 1000BASE-X GBICuplinksQoS port architecture (Rx/Tx):1q4t/2q2t

5.1(1)CSX 6.4(21)

Switch Fabric Modules

WS-C6500-SFM Switch Fabric Module to support fabric-enabledmodules

6.1(1d) 6.4(21)

WS-X6500-SFM2 Switch Fabric Module version 2 6.2(2) 6.4(21)

10-Gigabit Ethernet Switching Modules

WS-X6501-10GEX4 1-port 10GBASE-EX4 Metro 10-Gigabit Ethernet,fabric-enabledQoS port architecture (Rx/Tx):1p1q8t/1p2q1t

7.1(1) 7.6(9)

WS-X6502-10GE 1-port 10GBASE-E Serial 10-Gigabit Ethernet,fabric-enabledQoS port architecture (Rx/Tx):1p1q8t/1p2q1t

Note: The WS-X6502-10GE module does notsupport ISL encapsulation.

7.1(1) 7.6(9)

WS-G6483 10GBASE-ER Serial 1550-nm extended-reachOptical Interface Module (OIM)

7.2(2) 7.6(9)

WS-G6488 10GBASE-LR Serial 1310-nm long-haul OIM 7.1(1) 7.6(9)

Table 1 Minimum and Recommended Supervisor Engine Software Versions (continued)





OL-1982-25


Gigabit Ethernet Switching Modules

WS-X6148-GE-TXWS-X6148V-GE-TX

48-port 10/100/1000BASE-TX switching module(WS-X6148V-GE-TX provides inline power to IPtelephones)QoS port architecture (Rx/Tx):1q2t/1p2q2t

7.6(1) 7.6(9)


48-port 10/100/1000BASE-TX switching module,fabric-enabled (WS-X6548V-GE-TX providesinline power to IP telephones)QoS port architecture (Rx/Tx):1q2t/1p2q2t

7.6(1) 7.6(9)


48-port 10/100/1000BASE-TX switching module(WS-X6148V-GE-TX provides inline power to IPtelephones)QoS port architecture (Rx/Tx):1q2t/1p2q2t

7.6(1) 7.6(9)


48-port 10/100/1000BASE-TX switching module,fabric-enabled (WS-X6548V-GE-TX providesinline power to IP telephones)QoS port architecture (Rx/Tx):1q2t/1p2q2t

7.6(1) 7.6(9)

WS-X6516A-GBIC 16-port Gigabit Ethernet GBIC switching module,fabric-enabled, 1-MB per-port packet buffersQoS port architecture (Rx/Tx):1p1q4t/1p2q2t

7.5(1) 7.6(9)

WS-X6516-GBIC 16-port Gigabit Ethernet GBIC switching module,fabric-enabledQoS port architecture (Rx/Tx):1p1q4t/1p2q2t

6.1(1d) 6.4(11)

WS-X6516-GE-TX 16-port 10/100/1000BASE-T Ethernet Module,fabric-enabledQoS port architecture (Rx/Tx):1p1q4t/1p2q2t

6.2(2) 6.4(11)

WS-X6416-GBIC 16-port Gigabit Ethernet GBIC switching moduleQoS port architecture (Rx/Tx):1p1q4t/1p2q2t

5.4(2) 6.4(11)

WS-X6416-GE-MT 16-port Gigabit Ethernet MT-RJQoS port architecture (Rx/Tx):1p1q4t/1p2q2t

5.3(5a)CSX 6.4(11)

WS-X6316-GE-TX 16-port 1000BASE-TX RJ-45 Gigabit EthernetQoS port architecture (Rx/Tx):1p1q4t/1p2q2t

5.4(2) 6.4(11)

WS-X6408A-GBIC 8-port Gigabit Ethernet GBICQoS port architecture (Rx/Tx):1p1q4t/1p2q2t

5.3(1a)CSX 6.4(11)

WS-X6408-GBIC 8-port Gigabit Ethernet GBICQoS port architecture (Rx/Tx):1q4t/2q2t

5.1(1)CSX 6.4(11)






OL-1982-25


Fast Ethernet Switching Modules

WS-X6524-100FX-MM 24-port 100FX Ethernet multimode, fabric-enabledQoS port architecture (Rx/Tx):1p1q0t/1p3q1t

7.1(1) 7.6(9)

WS-X6324-100FX-SMWS-X6324-100FX-MM

24-port 100FX single mode or multimode MT-RJwith 128K per-port packet buffersQoS port architecture (Rx/Tx):1q4t/2q2t

5.4(2) 6.4(11)

WS-X6224-100FX-MT 24-port 100FX Multimode MT-RJQoS port architecture (Rx/Tx):1q4t/2q2t

5.1(1)CSX 6.4(11)

Ethernet/Fast Ethernet (10/100) Switching Modules

WS-X6548-RJ-21 48-port 10/100BASE-TX RJ-21, fabric-enabledQoS port architecture (Rx/Tx):1p1q0t/1p3q1t

6.2(2) 6.4(11)

WS-X6548-RJ-45 48-port 10/100BASE-TX RJ-45, fabric-enabledQoS port architecture (Rx/Tx):1p1q0t/1p3q1t

6.2(2) 6.4(11)

WS-X6348-RJ21V 48-port 10/100BASE-TX RJ-21 with 128Kper-port packet buffers (WS-X6348-RJ21Vprovides inline power to IP telephones)QoS port architecture (Rx/Tx):1q4t/2q2t

6.2(2) 6.4(11)

WS-X6348-RJ-45WS-X6348-RJ-45V

48-port 10/100BASE-TX RJ-45 with 128Kper-port packet buffers (WS-X6348-RJ-45 acceptsa field-upgradable voice daughter card to provideinline power to IP telephones. Already installed onWS-X6348-RJ-45V)QoS port architecture (Rx/Tx):1q4t/2q2t

WithoutWS-F6K-VPWR:5.4(2)

WithWS-F6K-VPWR:5.5(1)

WithoutWS-F6K-VPWR:6.4(11)

WithWS-F6K-VPWR:6.4(11)

WS-X6148-RJ-45WS-X6148-RJ-45V

48-port 10/100BASE-TX RJ-45 with 128Kper-port packet buffers (WS-X6148-RJ-45Vprovides inline power to IP telephones)QoS port architecture (Rx/Tx):1q4t/2q2t

For softwarereleases 6.x: 6.4(1)


For softwarereleases 6.x:6.4(11)


WS-X6148-RJ21WS-X6148-RJ21V

48-port 10/100BASE-TX RJ-21 with 128Kper-port packet buffers (WS-X6148-RJ21Vprovides inline power to IP telephones)QoS port architecture (Rx/Tx):1q4t/2q2t





WS-F6K-VPWR Inline-power field-upgrade module for the 48-port10/100BASE-TX RJ-45 and RJ-21 modules

5.5(1) 6.4(11)

WS-X6248-RJ-45 48-port 10/100BASE-TX RJ-45QoS port architecture (Rx/Tx):1q4t/2q2t

5.1(1)CSX 6.4(11)






OL-1982-25


WS-X6248A-TEL 48-port 10/100BASE-TX RJ-21 with 128Kper-port packet buffersQoS port architecture (Rx/Tx):1q4t/2q2t

5.3(2)CSX 6.4(11)

WS-X6248-TEL 48-port 10/100BASE-TX RJ-21QoS port architecture (Rx/Tx):1q4t/2q2t

5.2(1)CSX 6.4(11)

Ethernet Switching Modules

WS-X6024-10FL-MT 24-port 10BASE-FL MT-RJQoS port architecture (Rx/Tx):1q4t/2q2t

5.3(3)CSX 6.4(11)

Power Over Ethernet Daughter Cards

WS-F6K-FE48X2-AF IEEE 802.3af PoE daughter card for:

WS-X6148X2-45AF 8.2(1) 8.3(3)

WS-X6196-21AF 8.4(1) 8.4(1)

WS-F6K-GE48-AF IEEE 802.3af PoE daughter card for:

WS-X6148A-GE-45AF 8.4(1) 8.4(1)

WS-X6148V-GE-TX 7.6(1) 7.6(9)

WS-X6148-GE-45AF 8.2(1) 8.3(3)

WS-X6548V-GE-TX 7.6(1) 7.6(9)

WS-X6548-GE-45AF 8.2(1) 8.3(3)

WS-F6K-FE48-AF IEEE 802.3af PoE daughter card for:

WS-X6148A-45AF 8.4(1) 8.4(1)

WS-X6148-RJ-45V For softwarereleases 6.x: 6.4(1)




WS-X6148-RJ21V For softwarereleases 6.x: 6.4(1)




WS-F6K-VPWR-GE IEEE 802.3af PoE daughter card for:

WS-X6548V-GE-TX 7.6(1) 7.6(9)

WS-X6148V-GE-TX 7.6(1) 7.6(9)






OL-1982-25


WS-F6K-VPWR IEEE 802.3af PoE daughter card for:

WS-X6348-RJ-45V 5.5(1) 6.4(11)

WS-X6348-RJ21V 6.2(2) 6.4(11)

WS-X6148-RJ-45V For softwarereleases 6.x: 6.4(1)




WS-X6148-RJ21V For softwarereleases 6.x: 6.4(1)




Voice Modules

WS-SVC-CMM Communication Media Module 7.6(12) 8.3(3)

WS-SVC-CMM-6E 16-port E1 interface port adapter 7.6(12) 8.3(3)

WS-SVC-CMM-6T1 6-port T1 interface port adapter 7.6(12) 8.3(3)

WS-SVC-CMM-24FXS 24-port FXS interface port adapter 7.6(12) 8.3(3)

WS-SVC-CMM-ACT Ad-hoc conferencing and transcoding port adapter7.6(12) 8.3(3)

WS-X6624-FXS 24-port FXS analog interface module 5.5(1) 6.4(11)

WS-X6608-T1WS-X6608-E1

8-port T1/E1 PSTN interface modules 5.5(1) 6.4(11)

FlexWan Module3

WS-X6182-2PA FlexWAN Module 5.4(2) 6.4(11)

Intrusion Detection System Module (IDSM)4

WS-X6381-IDS Intrusion Detection System Module 6.1(1d) 6.4(11)

WS-SVC-IDSM2-BUN-K9 Intrusion Detection System Module 2 7.5(1) 7.6(9)

Network Analysis Module (NAM)5, 6

WS-X6380-NAM Network Analysis Module, 256-MB RAM 5.5(1) 6.4(11)

WS-SVC-NAM-1 Network Analysis Module, 512-MB RAM,fabric-enabled

7.3(1) 7.6(9)

WS-SVC-NAM-2 Network Analysis Module, 1-GB RAM, fabricenabled,acceleratordaughter card

7.3(1) 7.6(9)

Firewall Services Module7

WS-SVC-FWM-1-K9 Firewall Services Module 7.5(1) 7.6(9)






OL-1982-25


SSL Services Module8

WS-SVC-SSL-1 SSL Services Module 7.5(1) 7.6(9)

Content Switching Module (CSM)9

WS-X6066-SLB-APC Content Switching Module 7.5(1) 7.6(9)

Content Services Gateway (CSG)10

WS-SVC-CSG-1 Content Services Gateway 7.6(1) 7.6(9)

ATM11

WS-X6101-OC12-SMF Single-port single-mode OC-12 ATM 5.3(2)CSX 6.4(11)

WS-X6101-OC12-MMF Single-port multimode OC-12 ATM 5.3(2)CSX 6.4(11)

Multilayer Switch Module (MSM)12

WS-X6302-MSM Multilayer Switch Module 5.2(1)CSX 6.4(11)

Optical Services Modules (OSMs)13, 14

4-port Gigabit Ethernet WAN

OSM-4GE-WAN-GBIC 4-port Gigabit Ethernet Optical Services Module 6.1(2) 6.4(11)

OC-12 Packet over SONET15

OSM-2OC12-POS-MM 2-port OC-12c/STM-4c POS Optical ServicesModule, MM, with 4 Gigabit Ethernet ports

6.1(2) 6.4(11)

OSM-2OC12-POS-SI 2-port OC-12c/STM-4c POS Optical ServicesModule, SM-IR, with 4 Gigabit Ethernet ports

6.1(2) 6.4(11)

OSM-2OC12-POS-SL 2-port OC-12c/STM-4c POS Optical ServicesModule, SM-LR16, with 4 Gigabit Ethernet ports

6.1(2) 6.4(11)


6.1(2) 6.4(11)


6.1(2) 6.4(11)

OSM-4OC12-POS-SL 4-port OC-12c/STM-4c POS Optical ServicesModule, SM-LR, with 4 Gigabit Ethernet ports

6.1(2) 6.4(11)



7.1(1) 7.6(9)


6.1(2) 6.4(11)


6.1(2) 6.4(11)


6.1(2) 6.4(11)


6.1(2) 6.4(11)






OL-1982-25



6.1(2) 6.4(11)


6.1(2) 6.4(11)


OSM-1OC48-POS-SS 1-port OC-48c/STM-16cPOS Optical ServicesModule, SM-SR, with 4 Gigabit Ethernet ports

6.1(3) 6.4(11)

OSM-1OC48-POS-SI 1-port OC-48c/STM-16cPOS Optical ServicesModule, SM-IR, with 4 Gigabit Ethernet ports

6.1(3) 6.4(11)

OSM-1OC48-POS-SL 1-port OC-48c/STM-16cPOS Optical ServicesModule, SM-LR, with 4 Gigabit Ethernet ports

6.1(3) 6.4(11)

Power Supplies

WS-CAC-1000W 1000W AC power supply 5.1(1)CSX 6.4(11)

WS-CAC-1300W 1300W AC power supply 5.1(1)CSX 6.4(11)

WS-CDC-1300W 1300W DC power supply 5.1(1)CSX 6.4(11)

WS-CAC-2500W 2500W AC power supply 5.4(2) 6.4(11)

WS-CDC-2500W 2500W DC power supply 5.4(2) 6.4(11)



PWR-4000-DC17 4000W DC power supply 6.1(3) 8.3(3)

PWR-950-AC18 950W AC power supply 7.5(1) 7.6(9)


PWR-1900-AC/619 1900W AC power supply 7.2(2) 7.6(9)


Modular Chassis

WS-C6513 Catalyst 6513 chassis:

• 13 slots

• 64 chassis MAC addresses

• Supported only with Supervisor Engine 2

6.2(2) 6.4(11)


• 9 slots


5.1(1)CSX 6.4(11)

WS-C6509-NEB Catalyst 6509-NEB chassis:

• 9 vertical slots


5.4(2) 6.4(11)






OL-1982-25



• 3 slots


• Does not support SFM

7.4(2) 7.6(9)


• 9 slots


5.1(1)CSX 6.4(11)


• 6 slots


5.2(1)CSX 6.4(11)


• 6 slots


5.2(1)CSX 6.4(11)

OSR-7609-AC, -DC Cisco 7609 router chassis:

• 9 vertical slots



6.1(1b) 6.4(11)

CISCO7603 Cisco 7603 router chassis:

• 3 slots


• Does not support SFM

7.1(1) 7.6(9)


• 6 slots



7.2(2) 7.6(9)


• 13 slots



7.6(1) 7.6(9)

1. Not supported in the WS-C6513 chassis.

2. Not supported in software release 7.6(18). For more information, refer to Product Bulletin No. 2595 at this URL:http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notice0900aecd8017a5d1.html

3. Refer to theCatalyst 6500 Series Switch FlexWAN Module Installation and Configuration Note.

4. Refer to theCatalyst 6500 Series Switch Intrusion Detection System Module Installation and Configuration Note.

5. Refer to theNetwork Analysis Module Installation and Configuration Note.






OL-1982-25

http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notice0900aecd8017a5d1.html

Unsupported Hardware

e andelease

s

e to

the

and), thergerrne

the

Unsupported HardwareThe Distributed Forwarding Card (WS-F6K-DFC) and 16-port Gigabit Ethernet switching module(WS-X6816-GBIC) are not supported in systems running Catalyst software on the supervisor enginCisco IOS software only on the MSFC. These items are supported on systems running Cisco IOS R12.1(8a)E or later on both the Supervisor Engine 2 and the MSFC2.

Orderable Software ImagesTable 2 lists the software versions and applicable ordering information for the Catalyst 6500 seriesupervisor engine software.

Caution Always back up the switch configuration file before upgrading or downgrading the switch softwaravoid losing all or part of the configuration stored in nonvolatile RAM (NVRAM).When downgradingswitch software, you will lose your configuration.Use thewrite network command or thecopy configtftp command to back up your configuration to a Trivial File Transfer Protocol (TFTP) server. Usecopy config flash command to back up the configuration to a Flash device.

Note CiscoView images are available approximately 2 weeks after the Flash images are released.

Note Due to the size of the CiscoView 7.5(1) and later images (Supervisor Engine 1: cat6000-supcvk8cat6000-supcvk9, Supervisor Engine 2: cat6000-sup2cvk8.7-5-1.bin, cat6000-sup2cvk9.7-5-1.binsupervisor engine bootflash must be larger than 16 MB. If your supervisor engine bootflash is not lathan 16 MB, use the optional 24-MB linear Flash PC card for Supervisor Engine 1 and SupervisoEngine 2 (MEM-C6K-FLC24M=) or use the optional 64-MB ATA Flash PC card for Supervisor Engi2 (MEM-C6K-ATA-1-64M=). Additionally, for Supervisor Engine 1, you may use the 64-MB linearFlash PC card (MEM-C6K-FLC64M[=]).

6. The Network Analysis Module (NAM) application image 1.1(1a) and NAM maintenance image 1.1(1a)m are not supported with supervisor engine softwarereleases 6.3(2) and later. For supervisor engine software releases 6.3(2) and later, use the 1.2 NAM image.

7. Refer to theCatalyst 6500 Series Switch and 7600 Series Firewall Services Module Installation and Configuration Note.

8. Refer to theCatalyst 6500 Series Switch SSL Services Module Installation and Configuration Note.

9. Refer to theCisco Content Switching Module Installation and Configuration Guide.

10. Refer to theCisco Content Services Gateway Installation and Configuration Guide.

11. Refer to theATM Configuration Guide and Command Reference.

12. Refer to theMultilayer Switch Module Release Notes.

13. Refer to theOptical Services Module Installation and Configuration Note.

14. Channelized OSMs are not supported on Catalyst 6500 series switches; they are supported only on the Cisco 7600 series router platform.

15. Also has four Layer 2 Gigabit Ethernet ports.

16. Single-mode, long reach.

17. The full 4000W is only available with software release 8.1(1) and later releases. With software release 6.1(3) and later 6.x and 7.x releases, the maximumwattage is2506.56W.

18. Supported only on the WS-C6503 and CISCO7603 chassis.

19. Supported only on the CISCO7606 chassis.

20. The CiscoView 7.4(2) image for the Catalyst 6500 series switch does not support the WS-C6503 chassis. Support for this chassis will be included in next CiscoView release.


OL-1982-25

Orderable Software Images

ngine

isord intware

isord intwareare notf the

nginedled

ftwarewever,

)maged inf the

1) or

Note The CiscoView 7.4(2) image for the Catalyst 6500 series switch contains the latest 7.4(2) supervisor esoftware with bug fixes incorporated. The CiscoViewapplication software found in the bundled CiscoViewimagesupports all of the hardware feature introduced in software release 7.4(2). (There were no newsoftware features introduced in software release 7.4[2].)

Note The CiscoView 7.3(1) image for the Catalyst 6500 series switch contains the latest 7.3(1) supervengine software with bug fixes incorporated. In addition, the CiscoView application software founthe bundled CiscoView image supports all of the hardware and software features introduced in sofreleases 7.2(2) and 7.3(1).

Note The CiscoView 7.2(2) image for the Catalyst 6500 series switch contains the latest 7.2(2) supervengine software with bug fixes incorporated. In addition, the CiscoView application software founthe bundled CiscoView image supports all of the hardware and software features introduced in sofrelease 7.1(1). Note that the hardware and software features introduced in software release 7.2(2)supported by the bundled CiscoView image. However, they will be supported when a later version oCiscoView application is released.

Note The CiscoView 7.1(2) image for the Catalyst 6500 series switch contains the latest 7.1(2) supervisor esoftware with bug fixes incorporated. In addition, the CiscoView application software found in the bunCiscoView image supports hardware features introduced in software release 7.1(1). Note that the sofeatures introduced in software release 7.1(1) are not supported by the bundled CiscoView image. Hothey will be supported when a later version of the CiscoView application is released.

Note The 7.1(1) and 7.1(1a) CiscoView images for the Catalyst 6500 series switch contain the latest 7.1(1supervisor engine software with bug fixes but the CiscoView application software in the bundled CV iis the current 6.3(3) CiscoView version. Note that the new hardware and software features introducesoftware release 7.1(1) will not be supported by the bundled CiscoView application until a new version oCiscoView application becomes available at a later date.

Note The 7.1(1) and 7.1(2) CiscoView + SSH images have been deferred. For details, refer to the 7.1(7.1(2) open caveats section, caveat CSCdw70549.

Table 2 Orderable Software Images

Software Version Filename Orderable Product Number1

Supervisor Engine 2

7.6(21) Flash image cat6000-sup2k8.7-6-21.bin SC6K-SUP2K8-7.6

7.6(21) Flash image (CiscoView) cat6000-sup2cvk8.7-6-21.bin SC6K-SUP2CVK8-7.6

7.6(21) Flash image (Secure Shell) cat6000-sup2k9.7-6-21.bin SC6K-SUP2K9-7.6

7.6(21) Flash image (Secure Shell and CiscoView) cat6000-sup2cvk9.7-6-21.bin SC6K-SUP2CVK9-7.6


OL-1982-25







































Table 2 Orderable Software Images (continued)



OL-1982-25





























7.5(1) Flash image cat6000-sup2k8.7-5-1.bin SC6K-SUP2K8-7.5.1

7.5(1) Flash image (CiscoView) cat6000-sup2cvk8.7-5-1.bin SC6K-SUP2CVK8-7.5.1

7.5(1) Flash image (Secure Shell) cat6000-sup2k9.7-5-1.bin SC6K-SUP2K9-7.5.1

7.5(1) Flash image (Secure Shell and CiscoView) cat6000-sup2cvk9.7-5-1.bin SC6K-SUP2CVK9-7.5.1










OL-1982-25




















7.1(1a) Flash image cat6000-sup2k8.7-1-1a.bin SC6K-SUP2K8-7.1.1a

7.1(1a) Flash image (CiscoView) cat6000-sup2cvk8.7-1-1a.bin SC6K-SUP2CVK8-7.1.1a

7.1(1a) Flash image (Secure Shell) cat6000-sup2k9.7-1-1a.bin SC6K-SUP2K9-7.1.1a

7.1(1a) Flash image (Secure Shell and CiscoView) cat6000-sup2cvk9.7-1-1a.bin SC6K-SUP2CVK9-7.1.1a





Supervisor Engine 1

7.6(17) Flash image cat6000-supk8.7-6-17.bin SC6K-SUPK8-7.6

7.6(17) Flash image (CiscoView) cat6000-supcvk8.7-6-17.bin SC6K-SUPCVK8-7.6

7.6(17) Flash image (Secure Shell) cat6000-supk9.7-6-17.bin SC6K-SUPK9-7.6

7.6(17) Flash image (Secure Shell and CiscoView) cat6000-supcvk9.7-6-17.bin SC6K-SUPCVK9-7.6









OL-1982-25









































OL-1982-25













7.6(3a) Flash image cat6000-supk8.7-6-3a.bin SC6K-SUPK8-7.6

7.6(3a) Flash image (CiscoView) cat6000-supcvk8.7-6-3a.bin SC6K-SUPCVK8-7.6

7.6(3a) Flash image (Secure Shell) cat6000-supk9.7-6-3a.bin SC6K-SUPK9-7.6

7.6(3a) Flash image (Secure Shell and CiscoView) cat6000-supcvk9.7-6-3a.bin SC6K-SUPCVK9-7.6





7.6(2a) Flash image cat6000-supk8.7-6-2a.bin SC6K-SUPK8-7.6.2a

7.6(2a) Flash image (Secure Shell) cat6000-supk9.7-6-2a.bin SC6K-SUPK9-7.6.2a

7.6(2) Flash image cat6000-supk8.7-6-2.bin SC6K-SUPK8-7.6.2

7.6(2) Flash image (CiscoView) cat6000-supcvk8.7-6-2.bin SC6K-SUPCVK8-7.6.2

7.6(2) Flash image (Secure Shell) cat6000-supk9.7-6-2.bin SC6K-SUPK9-7.6.2

7.6(2) Flash image (Secure Shell and CiscoView) cat6000-supcvk9.7-6-2.bin SC6K-SUPCVK9-7.6.2















OL-1982-25

Software Image Version Compatibility

e

ble forage

Software Image Version CompatibilityWith high-availability versioning enabled, you can have two different but compatible images on thactive and standby supervisor engines. The active supervisor engine exchanges image versioninformation with the standby supervisor engine and determines whether the images are compatienabling high availability. If the active and standby supervisor engines are not running compatible imversions, you cannot enable high availability.






















7.1(1a) Flash image cat6000-supk8.7-1-1a.bin SC6K-SUPK8-7.1.1a

7.1(1a) Flash image (CiscoView) cat6000-supcvk8.7-1-1a.bin SC6K-SUPCVK8-7.1.1a

7.1(1a) Flash image (Secure Shell) cat6000-supk9.7-1-1a.bin SC6K-SUPK9-7.1.1a





1. Installed on system; append with “=” for spare on floppy media.




OL-1982-25

Catalyst 6500 Series Features

ioningg

llows:

llows:

are as

Image versioning is supported in supervisor engine software releases 5.4(1) and later. With versenabled, high availability is fully supported with the active and standby supervisor engines runnindifferent images as long as the images are compatible. The only fully compatible images are as fo

• Supervisor Engine 1

– 5.5(3) and 5.5(4)

– 6.1(3) and 6.1(4)

– 6.2(2) and 6.2(3)

– 6.3(2) and 6.3(3)

– 6.3(4) and 6.3(5)

– 6.3(6) and 6.3(7)


– 6.1(3) and 6.1(4)

– 6.2(2) and 6.2(3)

– 6.3(2) and 6.3(3)

Images that are compatible with all modules except Gigabit Ethernet switching modules are as fo


– 5.4(3) and 5.4(4)

– 5.5(3) and 5.5(5)

– 5.5(4) and 5.5(5)

Images that are compatible with Gigabit Ethernet switching modules but not compatible with10/100BASE-T modules are as follows:


– 5.5(6a) and 5.5(7)

Images that are compatible with all modules except the SFM/SFM2 and fabric-enabled modules follows:


– 6.3(4) and 6.3(5)

– 6.3(6) and 6.3(7)

Note Attempting to run incompatible image versions could result in configuration loss.


Note For complete hardware requirements for the software features listed, see theCatalyst 6500 SeriesSoftware Configuration Guides.

These sections describe the Catalyst 6500 series features:

• Features for Supervisor Engine Software Release 7.6, page 26


OL-1982-25










• Features for Supervisor Engine Software Releases 5.1 Through 5.5, page 46


OL-1982-25


e

andn the

Features for Supervisor Engine Software Release 7.6These sections describe the features in software release 7.6, 17 April 2003:

• Software Release 7.6 Hardware Features, page 26

• Software Release 7.6 Software Features, page 27

Note Maximum switching performance is achieved when all switch components are fabric enabled. Thpresence of nonfabric-enabled switching modules might impact overall switching performance.

Software Release 7.6 Hardware Features

Software release 7.6 provides initial support for these modules and chassis:

• Content Services Gateway (WS-SVC-CSG-1)

The Content Services Gateway (CSG) provides the capability to examine the mobile wirelesswireline IP datastream beyond the IP and TCP/UDP headers to enable billing that is based ocontent being provided to the end user.

• 48-port 10/100/1000BASE-TX switching module (WS-X6148-GE-TX) (WS-X6148V-GE-TXprovides inline power to IP telephones)

• 48-port 10/100/1000BASE-TX switching module, fabric enabled (WS-X6548-GE-TX)(WS-X6548V-GE-TX provides inline power to IP telephones)

The WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6148-GE-TX, and WS-X6148V-GE-TXmodules do not support the following:

– More than 1 Gbps of traffic per EtherChannel (see the“EtherChannel” section on page 52 fordetails)

– ISL trunking

– VLAN translation

– Jumbo frames

– 802.1Q tunneling

– Traffic storm control

– In software release 7.6(x) and earlier releases: ingress SPAN sources when the switch isoperating in truncated and compactmodes (also applies to the WS-X6516A-GBIC module)

• Cisco 7613 router (CISCO7613)


OL-1982-25


high

rateakeswhene on

end

ature

RBS)

(as

Software Release 7.6 Software Features

Software release 7.6 provides support for these software features:

• In software release 7.6(8) and later releases, improved supervisor engine failover rates with availability enabled are as follows: In flow through, truncated, and compact modes, the SupervisorEngine 1 and Supervisor Engine 2 failover time is less than 500 ms.

• Layer 2 protocol tunneling on trunk ports—Allows third-party vendor’s equipment to interopewith the Catalyst 6500 series switch in service-provider networks. Layer 2 protocol tunneling mcontrol protocol PDUs such as STP, CDP, and VTP, transparent to the service provider cloudpassing traffic through trunk ports. In earlier releases, Layer 2 protocol tunneling was availablaccess ports only.

• 802.1X with DHCP enhancements—802.1X authentication support for Dynamic HostConfiguration Protocol (DHCP) allows network administrators to secure IP addresses, given tousers for accounting purposes and to grant services, based on Layer 3 criteria.

• TDR—You can check the status of copper cables using the time domain reflectometer (TDR) feon the 48-port 10/100/1000BASE-T modules (WS-X6148-GE-TX and WS-X6548-GE-TX).

• PRBS test—Cable diagnostics allow you to activate the Pseudorandom Binary Sequence (Ptest on 10-Gigabit Ethernet links.

Note The PRBS test is currently available only on the 1-port 10GBASE-E serial 10-GigabitEthernet module (WS-X6502-10GE).

• Support for multiple SVIs (secure VLAN interfaces) on the Firewall Services Module(WS-SVC-FWM-1-K9).

• syslog dump—If the system fails, a file containing the system messages in the syslog buffer displayed when entering theshow logging buffer command) is produced.

• Auto-save feature for text configuration mode—Allows you to automatically save the textconfiguration in NVRAM.

• Supports the following enhanced MIBs:

– CISCO-CATOS-ACL-QOS-MIB

– CISCO-ENVMON-MIB

– CISCO-IP-IF-MIB

– CISCO-PAE-MIB


OL-1982-25


e

vices

ffic also

w you

tesa used

ulesedle,

ell ases.

Features for Supervisor Engine Software Release 7.5These sections describe the features in software release 7.5, 27 December 2002:






• Firewall Services Module (WS-SVC-FWM-1-K9)

Connections between the inside, outside, and DMZ networks are controlled by the Firewall SerModule through the firewall using a network-modeled protection scheme that is based upon aconfiguration and security policy. By implementing a security policy, you can ensure that all trafrom the protected networks only passes through the firewall to the unprotected network. Youcan control who accesses the networks and with which services. Features on the module alloto control how your security policy is used.

• SSL Services Module (WS-SVC-SSL-1)

The SSL Services Module is a Layer 4-through-Layer 7 service module. The module terminasecure sockets layer (SSL) transactions and accelerates the encryption and decryption of datin SSL sessions.

The module operates either in a standalone configuration or with the Content Switching Mod(CSM). In a standalone configuration, secure traffic is directed to the module using policy-barouting (PBR). When used with the CSM, only encrypted client traffic is forwarded to the moduwhile clear text traffic is forwarded to the real servers.

• Content Switching Module (WS-X6066-SLB-APC)

The CSM provides high-performance server load balancing (SLB) among groups of servers,firewalls, caches, VPN termination devices, and other network devices, based on Layer 3 as wLayer 4 through Layer 7 packet information. Server farms are groups of load-balanced devic

• Intrusion Detection System Module 2 (WS-SVC-IDSM2-BUN-K9)

The IDSM2 is an integrated services module that detects unauthorized activity traversing thenetwork by analyzing traffic in real-time, helping enable you to quickly respond to securitybreaches.

• 16-port Gigabit Ethernet GBIC switching module (WS-X6516A-GBIC)

Fabric-enabled with 1-MB per-port packet buffers.


OL-1982-25


uritygh

If youough

that

ries for

oice

d

nd. Itffic

d on a



• IEEE 802.1X enhancements

– 802.1X with port security

802.1X authentication is compatible with the port security feature. If you enable port secfor only one MAC address on a specific port, only that MAC address will authenticate throua RADIUS server. Users connected through all other MAC addresses are denied access.enable port security for multiple MAC addresses, each address needs to authenticate thrthe 802.1X RADIUS server.

– 802.1X with a guest VLAN

The guest VLAN feature allows non-802.1X capable hosts to be able to access networksuse 802.1X authentication.

– 802.1X with an auxiliary VLAN

You can enable 802.1X on a Multiple VLAN Access Port (MVAP), and you can enable anauxiliary VLAN ID on an 802.1X port.

• Automatic QoS

Automatic QoS consists of a macro that simplifies QoS configuration on the Catalyst 6500 seswitches. The automatic QoS macro covers all the QoS configuration tasks that are requiredimplementing the recommended Architecture for Voice, Video, and Integrated Data (AVVID)settings for a voice port.

• Automatic voice configuration

Automatic voice configuration consists of two macros that simplify voice configuration on theCatalyst 6500 series switches. The automatic voice configuration macros cover all the voiceconfiguration tasks that are required for implementing the recommended AVVID settings for a vport.

• High availability enhancements

– High availability for 802.1X

– High availability for port security

The switch synchronizes runtime 802.1X and port security information between the active anstandby supervisor engines.

• ARP inspection

The ARP inspection feature allows you to configure a set of order-dependent rules within thesecurity ACL (VACL) framework to prevent ARP table attacks.

• Configuring 802.1Q tagging on a per-port basis

The dot1q-all-tagged feature command prior to software release 7.5(1) was a global commaconfigured a switch to forward all frames from 802.1Q trunks with 802.1Q tagging, including train the native VLAN (default VLAN), and admit only 802.1Q tagged frames on 802.1Q trunks,dropping any untagged traffic, including untagged traffic in the native VLAN.

In software releases 7.5(1) and later, the dot1q-all-tagged feature can be enabled or disableper-port basis.


OL-1982-25


dasedocked

theS

sedan

cificnd

tm#

Toolling

ble,s you

the

oneing;.

d ononly

• IGMP version 3 snooping

IGMP version 3 snooping uses source-based filtering and is the industry-designated standarprotocol for hosts to signal channel subscriptions in Source Specific Multicast (SSM). Source-bfiltering enables hosts and routers to specify which source addresses should be allowed or blfor a specific multicast group.

Note IGMP version 3 snooping requires the Supervisor Engine 2 and Multicast MultilayerSwitching (MMLS) must be disabled on the MSFC2.

• Local user authentication

Local user authentication uses local user accounts and passwords that you create to validatelogin attempts of local usersrather than requiring a network authentication protocol such as RADIUor TACACS+.

• Network-Based Application Recognition (NBAR)

NBAR is a classification engine that recognizes a wide variety of applications, including web-baand other difficult-to-classify protocols that utilize dynamic TCP/UDP port assignments. Whenapplication is recognized and classified by NBAR, a network can invoke services for that speapplication. NBAR ensures that network bandwidth is used efficiently by classifying packets athen applying QoS to the classified traffic.

For NBAR configuration information, refer to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.h

• New MAC address trap

This feature enables background polling of the hardware CAM table so that the software canrecognize when new MAC addresses are learned by the switch and generate an SNMP trap.prevent overloading the network with traps, multiple addresses that are learned during one pinterval generate only one trap(see theset cam notificationcommand description in theCatalyst 6500Series Switch Command Reference publication).

• CAM usage monitoring

This featureallows you to enable notification when a MAC address change occurs to the CAM taenable notification when the CAM table utilization exceeds a predefined threshold, and also allowto set the time between notifications (see theset cam notificationcommand description in theCatalyst6500 Series Switch Command Reference publication).

• Policy-based forwarding (PBF) enhancements

The enhancements added to the PBF feature simplify the process of setting and committing security ACLs and adjacency information.

• Per-port unicast flood blocking

You can enable unicast flood blocking on any Ethernet port on a per-port basis. Unicast floodblocking provides you the option to drop unicast flood packets on an Ethernet port that has onlyhost connected to the port. All Ethernet ports on a switch are configured to allow unicast floodunicast flood blocking allows you to drop the unicast flood packets before they reach the port

• Rapid PVST+

Rapid PVST+ is the same as PVST+, although rapid PVST+ utilizes a rapid STP that is baseIEEE 802.1w instead of 802.1D. Rapid PVST+ uses the same configuration as PVST+ and youneed minimal extra configuration.


OL-1982-25

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm#


t tois aing

rade

or

hen

limittd

:

is

are toour

ne 2oot

• Rate limiting for Cisco IOS ACL logging

The rate-limiting feature for Cisco IOS ACL logging limits the number of packets that are senthe MSFC CPU for bridged ACEs. An ACE is bridged when the result for the Cisco IOS ACL deny or permit with the log option specified. The bridge action can result in Cisco IOS ACL loggoverloading the MSFC CPU. When you configure rate limiting for Cisco IOS ACL logging, thebridged ACEs are redirected to the MSFC with rate limiting.

• EPLD image upgrades

– Automatic Supervisor Engine 2 EPLD image upgrade—The supervisor engine EPLD upgis performed automatically when the switch is reset or power cycled.

– Nonsupervisor engine module EPLD image upgrade—You can upgrade the nonsupervisengine module EPLD image by using thedownload command with theepld keyword. You canupgrade the EPLD image on one or all modules.

• RADIUS enhancement

The framed-ip-address is now sent in the RADIUS authentication access-request packet.

• NVRAM monitoring

The NVRAM monitoring feature is a background process that allows the system to recover wdata in NVRAM is corrupted.

• Increased QOS ACL limit

You can configure the maximum number of QoS ACLs that the hardware supports. The new allows 512 IP QoS ACLs, 512 IPX QoS ACLs, and 512 MAC QoS ACLs on up to 512 differeninterfaces. Previous to this software release, only 512 QoS ACLs in combination (IP, IPX, anMAC) were supported on 512 different interfaces.

• NetFlow version 5 support

• Additional Flash PC card support

Prior to software release 7.5(1), Supervisor Engine 1 and Supervisor Engine 2 supported thefollowing Flash PC cards:

– 16-MB Flash PC card (device name isslot0:)

– 24-MB Flash PC card (device name isslot0:)

With software releases 7.5(1) and later, additional Flash PC card support is added as follows

– 64-MB ATA Flash PC card—Only supported on Supervisor Engine 2. The device name isdisk0: and the card requires ROMMON version 7.1(1) or later releases.

– 64-MB linear Flash PC card—Only supported on Supervisor Engine 1. The device nameslot0: and the card requires ROMMON software release 5.3(1) or later releases.

• Recognizes 512 MB-DRAM

On switches with Catalyst software installed on the Supervisor Engine 2 and Cisco IOS softwinstalled on the MSFC2, the supervisor engine will accept 512-MB DRAM, but works only up256 MB. This situation allows you to upgrade your DRAM to 512 MB in the event you change yoperating system to Cisco IOS software on both the Supervisor Engine 2 and the MSFC2. Insoftware releases prior to release 7.5(1), with 512-MB DRAM installed on a Supervisor Engirunning Catalyst software on the supervisor engine and Cisco IOS software on the MSFC, bmessages and theshow version command only showed 256 MB. This problem is resolved insoftware release 7.5(1). (CSCdw84513)


OL-1982-25


ces,

e

• In-band sc1 management interface support

A configurable inband sc1 IP management interface is added. If you configure two inband interfasc0 and sc1, the switch is directly accessible from two different VLANs at the same time.

• SNMP support for the sc1 interface

• SNMP broadcast suppression enhancement

• SNMPv1 and SNMPv2c enhancements

– Setting the multiple SNMP community strings

– Clearing the SNMP community strings

– Specifying the access numbers for hosts

– Clearing the IP addresses that are associated with the access numbers

– Specifying, displaying, and clearing an interface alias

• Supports the following new and enhanced MIBs:

– RFC 2665 EtherLike-MIB enhancement

– RFC 2863 IF-MIB enhancement

– RFC 2737 ENTIT-MIB enhancement

– CISCO-SWITCH-ENGINE-MIB

– CISCO-SWITCH-ENGINE-MIB enhancement

– CISCO-SWITCH-ENGINE-MIB enhancement 2

– CISCO-CATOS-ACL-QOS-MIB enhancement

– CISCO-FLASH-MIB enhancement

– CISCO-IGMP-SNOOPING-MIB

– CISCO-L2-TUNNEL-CONFIG-MIB

– CISCO-PAE-MIB enhancement

– CISCO-STP-EXTENSION-MIB enhancement

– CISCO-VLAN-MEMBERSHIP-MIB enhancement

– CISCO-VTP-MIB enhancement

Features for Supervisor Engine Software Release 7.4These sections describe the features in software release 7.4, 27 September 2002:





OL-1982-25


is

e

ide the

theyssed.

conds



• WS-C6503 chassis (3 slots)

Note The WS-C6503 chassis has 64 MAC addresses. The MAC address reduction feature enabled by default on this chassis.


Software release 7.4 does not provide any new software features.

Features for Supervisor Engine Software Release 7.3These sections describe the features in software release 7.3:






• Network Analysis Module, 512-MB RAM, fabric enabled(WS-SVC-NAM-1)

• Network Analysis Module, 1-GB RAM, fabric enabled,acceleratordaughter card(WS-SVC-NAM-2)


Software release 7.3 does not provide any new software features. Software release 7.3 does provfollowing software enhancement:

• You can now display or suppress the “Cisco Systems Console” Telnet login banner using thesetbanner telnet {enable| disable} command.

• Theshow cdp neighbors command now displays IP phone capabilities.

• LACP behavior for half-duplex links has changed, and LACP ports are no longer suspended ifbecome half duplex. Instead of suspending a port, LACP PDU transmission (if any) is suppreIf the port is part of a channel, the port is detached from the channel but still functions as anonchannel port.

• You can now increase the port debounce timer value in increments of 100 up to 5000 milliseusing theset port debouncemod num/port num time command.


OL-1982-25


e

es

s

is







• 48-port 10/100BASE-TX RJ-45 with 128K per-port packet buffers (WS-X6148-RJ-45V providinline power to IP telephones)

• 48-port 10/100BASE-TX RJ-21 with 128K per-port packet buffers (WS-X6148-RJ21V provideinline power to IP telephones)

• 1000BASE-TX (copper) GBIC (WS-G5483)

• Coarse Wave Division Multiplexer (CWDM) GBICs

– CWDM-GBIC-1470(=)








• Cisco 7606 router (6 slots)

Note The Cisco 7606 chassis has 64 MAC addresses. The MAC address reduction featureenabled by default on this chassis.



• Authentication login lockout enhancement

You can set the authentication login lockout (delay) time to a maximum of 43200 seconds (inprevious releases, the maximum was 600 seconds).

• Bridged NetFlow statistics

You can set bridged flow statistics reporting per VLAN. Bridged flows are exported throughNetFlow Data Export (NDE) when you enable bridged flow statistics.


OL-1982-25


drop

r, thee

rkedt-cos

by

teddcasts:

n the

n theast

eled

ereckets

• Broadcast suppression enhancement

When broadcast, multicast, or unicast suppression occurs, you can configure ports to either packets or go into the errdisable state.

• QoS burst size/rate limit enhancement

Provides more flexibility for traffic flows and their rate limits.

• Errdisable reactivation per port

Before supervisor engine software release 7.2(2), if a port went into errdisable state, it wasreenabled automatically after a selected time interval. With software releases 7.2(2) and latetimeout enhancement allows you to manually prevent a port from being enabled by setting therrdisable timeout for that port to disabled.

• Trusted boundary (extended trust for CDP devices)

You can use this feature to prevent security problems if users disconnect their PCs from netwoCisco IP Phones and plug them directly into the switch port to take advantage of the QoS trusswitch port settings.

• MLS IP-directed broadcasts

Before supervisor engine software release 7.2(2), IP-directed broadcast traffic was handled enabling IP directed broadcasts using theip directed-broadcast command on the MSFC whichhandled the traffic at the process level causing high CPU utilization.

With software releases 7.2(2) and later, you can configure the MSFC2 to handle the IP-direcbroadcasts in hardware using the PFC2. This example shows how to enable IP-directed broa

Router(config-if)# mls ip directed-broadcast ?exclude-router exclude router from recipient list for directed broadcastinclude-router include router in recipient list for directed broadcast

The exclude-router option forwards the IP-directed broadcast packet in hardware to all hosts iVLAN except the router.

The include-router option forwards the IP-directed broadcast packet in hardware to all hosts iVLAN including the router. With this option, the router does not forward the IP-directed broadcpacket again.

Note Cisco IOS Release 12.1(11b)E is required on the MSFC2.

• Jumbo frame support on the sc0 interface

Jumbo frames are passed through the sc0 interface as a nonconfigurable default; no CLIconfiguration is necessary.

• Layer 2 protocol tunneling

Layer 2 protocol tunneling allows protocol data units (PDUs) (CDP, STP, and VTP) to be tunnthrough a network.

• Policy-Based Routing (PBR) default next-hop route

Before supervisor engine software release 7.2(2), when using theset ip default next-hopipaddrMSFC2 command (as part of the route-map for PBR), the router packets getting forwarded wsoftware switched by the MSFC2. With supervisor engine software releases 7.2(2) and later, pathat need to be forwarded as a result of theset ip default next-hopipaddr command, are hardwareswitched by the PFC2.


OL-1982-25


oinedn

the

e

)

Note Cisco IOS Release 12.1(11b)E is required on the MSFC2.

• VLAN assignment with 802.1X

Before supervisor engine software release 7.2(2), once the 802.1X client was authenticated, it jan NVRAM-configured VLAN. With software releases 7.2(2) and later, after authentication, a802.1X client can receive its VLAN assignment from the RADIUS server.

• The SNMP community string is synchronized to theNetwork Analysis Module (NAM)

The SNMP community string for the NAM is synchronized between the supervisor engine andNAM allowing greater integration of network management functions.


– CISCO-AAA-CLIENT-MIB enhancement—authentication lockout

– CISCO-CATOS-ACL-QOS-MIB enhancement—burst size/rate limit

– CISCO-CDP-MIB enhancement—extended trust

– CISCO-ENVMON-MIB enhancement with temperature monitoring

– CISCO-L2-TUNNEL-CONFIG-MIB

– CISCO-PAGP-MIB enhancement

– CISCO-PROCESS-MIB enhancement

– CISCO-STACK-MIB enhancement—broadcast suppression enhancement

– CISCO-STACK-MIB enhancement—errdisable reactivation per port

– CISCO-STP-EXTENSIONS-MIB enhancement—BPDU filter/guard per port

– CISCO-SWITCH-ENGINE-MIB enhancement—unicast total flows







• 24-port 100FX Ethernet multimode fabric-enabled module (WS-X6524-100FX-MM)

• 1-port 10GBASE-EX4 Metro 10-Gigabit Ethernet fabric-enabled module (WS-X6501-10GEX4

• 1-port 10GBASE-E Serial 10-Gigabit Ethernet, fabric-enabled module (WS-X6502-10GE)

• Optical Interface Module (OIM) (WS-G6488)

• Cisco 7603 chassis (3 slots)


OL-1982-25


is

tends

IEEETP,

adgP)those

you

rder

tem.

P

n that

Note The Cisco 7603 chassis does not support the SFM.

Note The Cisco 7603 chassis has 64 MAC addresses. The MAC address reduction featureenabled by default on this chassis.



• IEEE 802.1s—Multiple Spanning Tree (MST) over VLAN trunks

The MST feature is an IEEE standard. 802.1s for MST is an amendment to 802.1Q. MST exthe 802.1w Rapid Spanning Tree (RST) algorithm to multiple spanning trees. This extensionprovides rapid convergence and load balancing in a VLAN environment. The MST protocol iscurrently in development and the MST feature for this release is based on a draft version of thestandard. The protocol as implemented in this release is backward compatible with 802.1D S802.1w (the Rapid Spanning Tree Protocol [RSTP]), and the Cisco PVST+ architecture.

• IEEE 802.1w—Rapid reconfiguration of spanning tree

Provides rapid reconvergence of the spanning tree after the failure of any link in a bridgedenvironment.

• IEEE 802.3ad—Link Aggregation Control Protocol (LACP)

Allows Cisco switches to manage Ethernet channeling with devices that conform to the 802.3(LACP) specification. Prior to software release 7.1(1), Port Aggregation Control Protocol (PAwas available. PAgP is a Cisco-proprietary protocol that can be run only on Cisco switches andswitches released by licensed vendors.

• Improved ACL merging algorithm

Significantly reduces the number of ACEs after a merge. In addition, with the new algorithm,can do the following:

– You do not need to limit the number of actions when configuring an ACL.

– The resultant ACEs are order dependent; with the old algorithm, the resultant ACEs were oindependent.

• Per-port BPDU filtering enhancement

Allows you to avoid transmitting BPDUs on a PortFast-enabled port connected to an end sysThis feature is on a per-switch basis; after BPDU filtering is enabled, it applies to allPortFast-enabled ports. The PortFast BPDU filter allows access ports to move directly to theforwarding state as soon as end hosts are connected.

• IGMP snooping querier

Enables IGMP snooping within a VLAN where Protocol Independent Multicast (PIM) and IGMare not configured because the multicast traffic does not need to be routed.

• Option for no VTP support

In the VTP off mode, switches behave the same as in VTP transparent mode with the exceptioVTP advertisements are not forwarded.


OL-1982-25


nd forcause

r theort’s

gh

rror

dedntutes.

FC

SFCtefuled

NsidedN

2

• PortFast support for trunks

Allows PortFast to be configured for trunk and channel ports. On linkup, the port immediatelytransitions into spanning tree forwarding mode, bypassing the listening and learning states, abypassing the DTP, PAgP, and IEEE 802.3ad protocols. This feature would normally be useddirect connections to routers or servers and is not intended for connection to other switches bespanning tree loops could occur.

• Show port MAC address

Displays individual port MAC addresses when you enter themac-addresskeyword to theshow portcommand. Before this feature, the only way you could find the port's MAC address was to enteshow modulecommand to display the module's MAC address range and then calculate each pMAC address.

• Port security timer enhancement

Increases the valid range of the “Port Security Age Time” and “Shutdown Timeout” to 1 throu1440 minutes (previously, the range was 10 through 1440 minutes).

• System warnings on port counters

Allows you to monitor and troubleshoot the Catalyst 6500 series switches by polling selected ecounters on all ports and logging the system error messages.

• Improvedsingle router mode (SRM) redundancy support for multicast traffic

Provides improved convergence times and less disruption of multicast traffic during MSFC2switchovers when you enable SRM redundancy. The MSFC2 is protected from being overloawith multicast traffic during the switchover. The switch caches flows from the MSFC2 that wedown and uses the cached flows to forward traffic until the newly activated MSFC2 learns the roOnly a few flows at a time are provided to the MSFC2 to prevent it from being overwhelmed.

Note Improved SRM support for multicast traffic is supported on Supervisor Engine 1 with Pand MSFC2 and Supervisor Engine 2 with PFC2 and MSFC2. It is not supported onSupervisor Engine 1 with MSFC.

Note In software releases prior to release 7.1(1), when using Supervisor Engine 1 with the Mor MSFC2 for SRM redundancy, be aware that failover to the second MSFC is not stafor multicast MLS. When the primary MSFC fails, all multicast MLS entries are removand are then recreated and reinstalled in the hardware by the newly active MSFC.

Note SRM support for the MSFC2 was introduced in Cisco IOS Release12.1(8a)E2.

• IGMP snooping with private VLANs

Provides support for IGMP snooping with private VLANs.

• Multicast support for private VLANs

Provides support for Layer 2 and Layer 3 hardware switching for multicast traffic in private VLAwhen you use a Supervisor Engine 2 only (PFC2/MSFC2). Layer 2 isolation for hosts is provfrom traffic sourced by other receivers (hosts) in the same private VLAN, only if the private VLAis an isolated private VLAN. For community private VLANs, there is no isolation for hosts fromtraffic sourced within the same community private VLAN. For community private VLANs, Layerisolation for hosts is provided from traffic sourced by other hosts in adifferent private VLAN.


OL-1982-25


the

e

areftware

Note Multicast support for private VLANs requires Cisco IOS Release 12.1(11b)E or later onMSFC2.


– cseL3Vlan MIB

– CISCO-CATOS-ACL-QOS-MIB enhancement

– CISCO-ENTITY-FRU-CONTROL-MIB enhancement

– CISCO-ENVMON-MIB

– CISCO-LAG-MIB

– CISCO-MEMORY-POOL-MIB enhancement

– CISCO-PAE-MIB

– CISCO-STP-EXTENSIONS-MIB

– CISCO-SWITCH-ENGINE-MIB enhancement

– IEEE8021-PAE-MIB

– IEEE8023-LAG-MIB

– SMON-MIB VLAN Statistics support






There is no new hardware being introduced in software release 6.3.

Note Software releases 6.1(1) and later do not support the same Flash PC card format as earlier softwreleases. To use a Flash PC card with software releases 6.1(1) and later, format the card with soreleases 6.1(1) and later.


OL-1982-25


e.

that

3(1),dded

k was

red

ation.

le”

0 to

e ofand

is, thevisorled on

g



• Single router mode (SRM) redundancy

SRM redundancy is an alternative to having both MSFC2s in a chassis active at the same tim

Note that SRM redundancy requires Cisco IOS Release 12.1(8a)E2, and SRM redundancyconfiguration information will be available when Release 12.1(8a)E2 is posted to Cisco.com. Attime, refer to the “Configuring Redundancy” chapter of the online version of theCatalyst 6500Series Switch Software Configuration Guide, Release 6.3, for detailed configuration procedures.

• Private VLANs on the sc0 interface

The sc0 management interface can be assigned to a private VLAN.

• EtherChannel enhancements

An EtherChannel is preserved even if it contains only one port. In software releases prior to 6.if you had a 2-port channel and one link was removed, the remaining link was removed and aback to spanning tree. This situation caused a loss of connection on the channel until the linforwarding again.

• Text file configuration mode

When you use text file configuration mode, the system stores its configuration as a text file innonvolatile storage, either in NVRAM or Flash memory. This text file consists of commands enteby you to configure various features.

• Support for NetFlow version 8

• CDPv2 enhancements

– Addition of TLVs such as sysName, sysObjectID, management address, and physical loc

– Support of a new device ID format called the mac-address format in addition to the “old-styformat (as in the device hardware serial number).

– Display changes corresponding to some parameters such as device ID for theshow cdpcommand.

• Ability to increase QoS ACLs

The maximum number of QoS ACLs that can be stored in NVRAM has been increased from 25500. The maximum number of security ACLs (VACLs) remains the same at 250.

• Ethernet link debounce timer feature

The debounce time is the time a module’s firmware waits before notifying the supervisor engina link change at the physical layer when a link goes down. If the link is up and then goes downremains down for a time interval longer than the debounce time, then the supervisor engine notified. As soon as the link is up again, the timer is reset. If the link is down and then goes upsupervisor engine is notified immediately. The debounce timer value is hard-coded in the superengine depending upon the type of module being used. The link debounce feature can be enaba per-port basis on Ethernet modules.

• Display SNMPv3 counters using the CLI

Use the CLI to display SNMPv3 counters for various MIBs.

• Autostate enhancements

A VLAN interface will not transition to the up state until at least one port in the VLAN is forwardintraffic.


OL-1982-25


ghThe

e

is

areftware

• SNMPv3 enhancements

The SNMPv3 implementation in software releases prior to 6.3(1) supported RFC 2271 throuRFC 2275. RFC 2271 through RFC 2275 were replaced with RFC 2571 through RFC 2576. SNMPv3 enhancement in 6.3(1) implements RFC 2571 through RFC 2576.

• Supports the following MIBs:

– CISCO-AAA-CLIENT-MIB

– CISCO-CATOS-ACL-QOS-MIB

– CISCO-CAT6K-CROSSBAR-MIB

– CISCO-STP-EXTENSION-MIB

– CISCO-SWITCH-ENGINE-MIB

– CISCO-SYSTEM-MIB enhancement






Software release 6.2 provides initial support for these modules:

• WS-C6513—Catalyst 13-slot chassis

Note The WS-C6513 chassis is supported with Supervisor Engine 2 only.

Note The WS-C6513 chassis has 64 MAC addresses. The MAC address reduction feature enabled by default on this chassis.

• WS-X6500-SFM2—Switch Fabric Module version 2

• WS-X6516-GE-TX—16-port 10/100/1000BASE-TX fabric-enabled Ethernet module

• WS-X6548-RJ-45—48-port 10/100BASE-TX fabric-enabled Ethernet module

• WS-X6548-RJ-21—48-port 10/100BASE-TX fabric-enabled Ethernet module

• WS-X6348-RJ21V—48-port 10/100BASE-TX Ethernet module with inline power



OL-1982-25


ets)

d by

n

ied

tN.itch the

hone

g



• QoS minimum threshold for WRED

Allows you to configure the minimum threshold for WRED.

• QoS queuing for port type 1p1q0t/1p3q1t

Allows queuing on ports that support 1p1q0t/1p3q1t

• Non-RPF MFD (Multicast Fast Drop)

Non-RPF multicast fast drop (MFD) rate limits packets that fail the RPF check (non-RPF packand drops the majority of the non-RPF packets in hardware.

• Multicast suppression for Gigabit Ethernet modules

Suppresses multicast traffic on Gigabit Ethernet ports to prevent the ports from being disruptea broadcast storm.

• QoS data export

The QoS statistics data export feature generates per-port and per-aggregate policer utilizatioinformation and forwards this information in UDP packets to traffic monitoring, planning, oraccounting applications.

• VACL logging of access denied

Allows you to configure a log option on any VACL, so that packets or flows that are access denby the VACL will be redirected to supervisor engine CPU to generate a report.

• Bidirectional VACLs for private VLANs

Lets you create a policy that denies access in or out of a network.

• Per-port utilization of QoS statistics

Provides the input and output packet rate and input and output byte rate on a per-port basis.

• TCAM test on bootup

The system performs a TCAM test during bootup.

• Dynamic VLAN support with auxiliary VLANs.

Prior to software release 6.2(2), dynamic ports could only belong to one VLAN. You could noenable the dynamic port VLAN feature on ports that carried a native VLAN and an auxiliary VLAWith software releases 6.2(2) and later, the dynamic ports can belong to two VLANs. The swport configured for connecting an IP phone can have separate VLANs configured for carryingfollowing traffic:

– Voice traffic to and from the IP phone (auxiliary VLAN)

– Data traffic to and from the PC connected to the switch through the access port of the IP p(native VLAN)

• BPDU packet filtering

BPDU packet filtering turns off BPDU transmission on PortFast-enabled ports and nontrunkinports.


OL-1982-25


s

ing.

portg theDUs

stem.

rt

ms.

twarey

e

• IEEE 802.1X

IEEE 802.1X is a client-server-based access control and authentication protocol that restrictunauthorized devices from connecting to a LAN through publicly accessible ports.

• BPDU skew detection

BPDU skew detection allows you to troubleshoot slow network convergence caused by skew

• Loop guard

The loop guard feature checks that a root port or an alternate root port is receiving BPDUs. If ais not receiving BPDUs, the loop guard feature puts the port into an inconsistent state, isolatinfailure and letting spanning tree converge to a stable topology until the port starts receiving BPagain.

• Local command accounting

Local command accounting records the last 100 commands that the user entered into the sy

• MSFC Autostate Disable

Allows you to disable Autostate. Autostate shuts down (or brings up) Layer 3interfaces/subinterfaces on the MSFC and the Multilayer Switch Module (MSM) when the poconfiguration changes occur on the switch.

• Redundancy enhancement

Enhanced redundancy provides more efficient system fault detection and recovery mechanis

• Core dump for debugging

A core dump produces a comprehensive report of images when your system fails due to a soferror. The core image is produced in Cisco core file format and is stored in the file system. Bexamining the core dump file, TAC can analyze the error condition of a terminated process.

• Supports the following MIBs:

– HC-RMON MIB enhancement

– Cisco STP-EXTENSIONS-MIB enhancements

– Cisco PRIVATE-VLAN-MIB

– Cisco ACL-QoS-MIB

– Cisco QoS-Policy-MIB






OL-1982-25


QoS

RPF

areftware

er 3

t port

on

igureer 3

Software Release 6.1 Hardware FeaturesSoftware release 6.1(2) provides initial support for these modules:

• 2- and 4-port OC-12 POS Optical Services Modules

• 8- and 16- port OC-3 POS Optical Services Modules

Software release 6.1 provides initial support for these modules:

• Supervisor Engine 2—Policy Feature Card 2 (PFC2; shipped only on Supervisor Engine 2)WS-X6K-S2-MSFC2 or WS-X6K-S2-PFC2dual 1000BASE-X GBIC uplinks, fabric-enabled, Cisco Express Forwarding (CEF), enhancedfeatures, PFC2, and MSFC2

– The Cisco IOS Unicast RPF feature is supported in hardware on the PFC2. For ACL-basedchecks, traffic that matches the RPF ACL is forwarded to the MSFC2.

– Supervisor Engine 2 and PFC2 do not support ASLB.

• Switch Fabric ModuleWS-C6500-SFMSupports fabric-enabled modules.

Note The WS-C6500-SFM is not supported in the WS-C6513 chassis.

• Fabric-enabled 16-port Gigabit Ethernet GBIC switching moduleWS-X6516-GBIC

• Intrusion Detection System ModuleWS-X6381-IDS




• CEF for PFC2—Supervisor Engine 2 and PFC2 provide IP and IPX unicast and IP multicast Layswitching with Cisco Express Forwarding implemented on the PFC2.

• Jumbo frame feature enhancement—You can configure the jumbo frame feature on any Etherneand on EtherChannels and trunk ports.

Note With Cisco IOS Release 12.1(2)E or later, you can configure support for jumbo framesMSFC2 VLAN interfaces.

• EtherChannel enhancements with PFC2—On a Supervisor Engine 2 with PFC2, you can confthe EtherChannel feature to distribute IP traffic based on Layer 4 port numbers in addition to Layaddresses. With both Supervisor Engine 1 and 2, you can enter theshow channel traffic commandto display EtherChannel traffic.

• Globally disable EtherChannel—Enter theset port channel all mode off command to disable allEtherChannels on the switch.


OL-1982-25


.

EE

pooltifies

its of

nated

es.

eIUS

t aress

that

lnetmpt.

e wait

at amines

tnd it

• Globally disable trunking—Enter theset trunk all off command to disable all trunks on the switch

• VMPS server—The Catalyst 6500 series switch can function as a VMPS server.

• 4096 VLANs—Catalyst 6500 series switches support 4096 VLANs in accordance with the IE802.1Q standard.

• Reduced MAC address usage—The MAC address reduction feature is used to enableextended-range VLAN identification. When MAC address reduction is enabled, it disables theof MAC addresses used for the VLAN spanning tree, leaving a single MAC address that identhe switch.

Note The MAC address reduction feature is enabled by default on Cisco switches that have64 MAC addresses (Cisco 7606, CISCO7603, WS-C6503, and WS-C6513).

• Multi-Instance Spanning Tree Protocol (MISTP)—MISTP allows you to group multiple VLANsunder a single instance of spanning tree. MISTP combines the Layer 2 load-balancing benefPVST+ with the lower CPU load of IEEE 802.1Q.

• Spanning Tree Protocol root guard—The root guard feature forces a port to become a desigport so that no switch on the other end of the link can become a root switch.

• IEEE 802.1Q tunneling—802.1Q tunneling allows multiple VLANs in other VTP domains to bcarried by a single VLAN on the Catalyst 6500 series switch without losing their unique VLAN ID

• Enhanced ACL configuration with private VLANs—ACLs can be applied as follows:

– VACLs can be mapped to secondary VLANs or primary VLANs.

– Cisco IOS ACLs that are mapped to a primary VLAN will get mapped to the associatedsecondary VLANs.

– Cisco IOS ACLs cannot be mapped to secondary VLANs.

– Dynamic ACEs cannot be mapped to a private VLAN.

– QoS ACLs can be mapped to secondary VLANs or primary VLANs.

• Secure Shell (SSH) encryption—The SSH feature provides security for Telnet sessions to thswitch. SSH encryption supports 3DES encryption and can be used in conjunction with RADand TACACS+ authentication (requires a “k9” image).

• MAC address filtering—You can filter traffic based on a host’s MAC address so that packets thatagged with that specific source MAC address are discarded. When you specify a MAC addrefilter, incoming traffic from that host MAC address will be dropped and packets addressed to host will not be forwarded.

• Ability to limit console and Telnet login attempts—You can specify how many console and Telogin attempts to allow and the duration of the lockout after the switch has denied a login atte

• Cisco IOS-like ping—The -sargument in the Cisco IOS-likeping command allows you to configurethe number of packets to ping, the packet size, and the wait time before timing out a response. Thtime can be set as low as 0, which would produce a continuous ping.

• Layer 2 Traceroute—The Layer 2 Traceroute utility allows you to identify the physical path thpacket takes when going from a source to a destination. The Layer 2 Traceroute utility deterthe path by looking at the forwarding engine tables of the switches in the path.

• write tech-support command—Thewrite tech-support command allows you to generate a reporwith status information about your switch. You can upload this report to a TFTP server and seto Cisco TAC.


OL-1982-25

Usage Guidelines and Restrictions

.

ation

l, and

ecify

to the

• Search on More prompt—At the More prompt during ashowcommand, enter a slash character (“/”)followed by a text string to search for text.

• Clearing counters on a per-port basis—Theclear counterscommand clears MAC and port counters

• Enhanced support for scripting—The switch assumes a positive (“yes”) answer to all the confirmprompts when configured from a configuration file.

• System warnings and error counters—Selected debug port counters are polled at a fixed intervawarnings are generated when the count differs from the previous poll.

• SNMP group access context—When defining the access rights of an SNMP group, you can spa context string and the way to match the context string.

Features for Supervisor Engine Software Releases 5.1 Through 5.5For a complete list of hardware and software features for software releases 5.1 through 5.5, referRelease Notes for Catalyst 6500 Series Switch Software Release 6.x athttp://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/78_11235.htm

Usage Guidelines and RestrictionsThese sections provide usage guidelines and restrictions for the Catalyst 6500 series switches:

• System and Supervisor Engine, page 47

• Modules and Switch Ports, page 49

• EtherChannel, page 52

• Quality of Service, page 53

• Automatic Quality of Service with Cisco IP Phones, page 55

• Multicast, page 55

• Spanning Tree, page 57

• Access Control, page 58

• High Availability, page 59

• Multilayer Switching, page 60

• MIBs, page 60

• VLANs, VTP, and VLAN Trunks, page 60

• Authentication, Authorization, and Accounting, page 62

• SPAN and RSPAN, page 62

• TDR, page 62

• Auto-MDI/MDIX, page 63

• Binary and Text File Configuration Modes, page 63

• CiscoView, page 65


OL-1982-25


o the

6503

ove.

andyou has

3(1).

um,

d to

t

ndby

ndbyinor

and can

System and Supervisor EngineThis section contains usage guidelines, restrictions, and troubleshooting information that apply tsupervisor engine and to the switch at the system level:

• Moving a Supervisor Engine 2 and an MSFC2 between a Catalyst 6509 switch and a Catalystswitch may corrupt the MSFC2 NVRAM.

Workaround: Save the configuration to Flash memory, and restore the configuration after the m(CSCdy83320)

• The WS-C6K-9SLOT-FAN2 fan tray is supported in all chassis (except for the 3-slot chassis)all software releases. The minimum power supply requirement is 2500W. It is important that determine the power requirements for your hardware configuration to ensure that your switchadequate power for all modules. To determine power requirements, refer to the CCO powercalculator at this URL: http://www.cisco.com/go/powercalculator.

• Theset option command set was inadvertently removed from software releases 7.6(7) and 8.Theset option command set will be available again in software releases 7.6(8) and 8.3(3).

• The WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6148-GE-TX, and WS-X6148V-GE-TXmodules do not support the following:

– More than 1 Gbps of traffic per EtherChannel

– ISL trunking

– VLAN translation

– Jumbo frames

– 802.1Q tunneling

– Traffic storm control

– In software release 7.6(x) and earlier releases: ingress SPAN sources when the switch isoperating in truncated and compactmodes (also applies to the WS-X6516A-GBIC module)

• MAC addresses—Theoretical and recommended limits for PFC/PFC2: 128K theoretical maxim32K recommended.

• A Supervisor Engine 2 might show 100 percent traffic utilization in theshow system andshowtraffic command displays. This problem is a cosmetic issue. To correct the problem, you neereprogram the Supervisor Engine 2 EPLD. To reprogram the EPLD, download theepld-sup2-trafficmeter-swupdate.hZ image and follow the instructions documented in theREADME.epld_update file. (CSCdx54751)

• Thestandby use-bia option should not be used in an HSRP configuration. MLS entries are nocreated when you use thestandby use-biaoption. When you configure thestandby use-biaoption,if an HSRP active interface goes up and down, there will be no router CAM address for the staVLAN interface. Without the router CAM entry, no shortcuts are created. This problem isindependent of any MSFC Cisco IOS release.(CSCdz17169)

• When upgrading an image (image synchronization) from the active supervisor engine to the stasupervisor engine, the standby supervisor engine and possibly other modules might report “Mhardware problem in Module X” to the console display.

Workaround: Either reset the individual modules reporting this error, or reset the switch.(CSCdv51172)

• When the diagnostic mode is set tocomplete(set test diaglevel completecommand), the system mightdisplay “local bus stall error” messages when modules come online. The messages are erroneousbe ignored. This problem does not occur when the system is configured to runminimal (default)diagnostics. (CSCdw09555)


OL-1982-25

http://www.cisco.com/go/powercalculator


. ATAthe

same

e

0

ter

P viceing

ethe

in notly.est

low

ially

tom any

st

• ATA Flash PC cards are not supported with supervisor engine software releases 7.1(x). If the supervisorengine fails to read/write to the Flash PC card, make sure you are not using an ATA Flash PC cardFlash PC cards are supported only on switches running Cisco IOS Release 12.1(8a)EX on both supervisor engine and the MSFC.

• In a redundant supervisor engine configuration, both supervisor engines must be running theboot ROM version. For information on upgrading the boot ROM version, refer to theCatalyst 6500Series Switch Supervisor Engine 2 Boot ROM and Bootflash Device Upgrade Installation Not at

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/78_12667.htm#xtocid4196

• For Supervisor Engine 1, the minimum boot ROM required for software release 5.4(1) and lareleases is 5.3(1). For Supervisor Engine 2, the minimum boot ROM required for softwarerelease 6.2(2) and later releases is 6.1(3).

• IPX Layer-3 switched traffic with a SAP encapsulation type (Novell Ethernet 802.2) to non-SAencapsulation type (Novell Ethertype's: Ethernet 802.3, Ethernet II, and Ethernet SNAP) andversa, follows the software forwarding path (via MSFC/MSFC2) on the PFC and PFC2 forwardengines. This might cause high CPU utilization on the MSFC/MSFC2.

Workaround: Avoid SAP to non-SAP and vice versa encapsulation changes when doing IPXLayer 3 switching.

• When a Supervisor Engine 2 is running in truncated mode with QoS enabled and policersconfigured, the traffic subject to policing that is received on a fabric-enabled switching moduldestined to a non-fabric-enabled switching module is overpoliced. The traffic is policed to halfvalue configured in the policer. (CSCds02280)

• If you perform a manual switchover or reset a switch while high-availability events are waitingthe queue of the standby supervisor engine, when the events will be completely processed isknown, and all configurations might not synchronize to the standby supervisor engine proper(High-availability events are the result of changing the configuration through the CLI.) We suggthat after changing the configuration, you allow additional time before resetting the switch to althe supervisor engine to process all synchronized events. (CSCdp59261)

• With a PFC2, traffic that matches an egress reflexive ACL is handled by the MSFC2 as a partswitched flow. (CSCds09775)

• Changing the console port baud rate from 19,200 to 38,400 incorrectly sets the console port9600 baud. After a reset, the console port baud rate is 38,400. Changing the rate to 38,400 froother setting works correctly. (CSCdk86876)

• In extremely rare conditions, if you enter theshow module command, the status of the MSFC onthe standby supervisor engine might be displayed asother. This has no impact on MSFC behaviorand you should ignore this display. (CSCdp87997)

• With PFC or PFC2 and a standard network topology as shown below where you have multicasenders in the core and multicast receivers on the access layer:

Layer 3 distribution No. 1

/ \

Layer 2 access Core

\ /

Layer 3 distribution No. 2


OL-1982-25


vide the

with

ad

uring to

s. Asying

re

les),

o

douseys inior isg you

ss, andsses

If both distribution switches have two supervisor engines and MSFCs and are configured to promulticast functionality for the same access VLANs, then you will see high CPU utilization onnon-DR routers due to non-RPF traffic. (CSCdr74908)

• If you configure aging for UDP, it could slow down the removal of TCP entries belonging to aterminated connection. You might see entries no longer used in the NetFlow table being agedthe regular aging time of all the NetFlow entries instead of the very fast LDA aging.

Workaround: Enable the fast UDP aging only when it is really needed (for example, when lobalancing UDP). (CSCdp79475)

• In a system with a Supervisor Engine 2 and WS-X6101 (ATM LANE) modules, ACLs that youconfigured from the CLI or COPS on the ATM LANE module ingress ports do not work.(CSCds09425)

• With Supervisor Engine 1 and PFC, online diagnostic failures are experienced on modules dbootup, online insertion, or module reset if you reconfigure the QoS default-action MAC ACLinclude an aggregate policer with an action of drop. The system default does not include anaggregate policer in the default-action MAC ACL. The likelihood of the diagnostics failuresincreases as the amount of traffic being policed (dropped) by that aggregate policer increasethe rate value specified in the policer decreases, the amount of traffic matching all ACLs specifthat aggregate policer increases. (CSCdp15471)

Note For switches with Supervisor Engine 2 and PFC2, CSCdp15471 is resolved in softwarelease 6.1(1a).

• In a 13-slot chassis with redundant Supervisor Engine 2s, if the diagnostic mode is set tobypass,the bringup time of the system may be longer.

Workaround: Set the diagnostic mode tominimal or complete. (CSCdw09563)

• In a 13-slot chassis with a large number of installed modules (especially 48-port 10/100 moduthere might not be enough NVRAM to save the configuration. In this event, use the text fileconfiguration mode.

Modules and Switch PortsThis section contains usage guidelines, restrictions, and troubleshooting information that apply tmodules and switch ports:

• It is possible to power down a Switch Fabric Module from the CLI before it comes online but wenot support this action. Powering down a Switch Fabric Module while it is coming online can caconflicting switching mode change operations to occur simultaneously which can result in delarestoring the data path and unpredictable switch behavior. This Switch Fabric Module behavnot going to be addressed by any hardware or software modifications. Rather, we are advisinto wait to power down a Switch Fabric Module until it comes online.

• On a port that has port security enabled, a nonzero age time, a manually configured MAC addredynamically learned MAC addresses, when the age time expires, you will lose all the MAC addrethat you manually configured. (CSCdy30515)


OL-1982-25


16:

and

nly

and

ule

em is

thatline

e.

pon

TX,is a

ulegine

e

• The broadcast suppression counter undercounts packets that have a size evenly divisible by

– A 64-byte packet should be counted as 4 but is counted as 3

– 65- to 79-byte packets are correctly counted as 4

– An 80-byte packet should be counted as 5 but is counted as 4

– 81- to 95-byte packets are correctly counted as 5

– A 96-byte packet should be counted as 6 but is counted as 5

(CSCdr56784)

• If a link partner has auto-mdix enabled, this will interfere with the TDR cable diagnostics testthe test results will be misleading. Auto-mdix should only be enabled on one end of the link.(CSCea73643)

• The 8-port T1 PSTN interface module (WS-X6608-T1) voice ports will not retain theirconfiguration across switch reboots if the switch is in text config mode.

Workaround: Manually configure the T1 voice module after each switch reset. This problem oapplies if the switch is in text config mode. (CSCdv04864)

• When the WS-X6548-RJ-45 is operating at 10Mb mode, pre-1994 NICs on ports 7, 15, 23, 3139 may have connectivity problems. If these ports are having connectivity problems, enableauto-polarity detection in the NIC driver (where this is available) or use any of the other modports. For additional information, refer to CSCdx15951.

• With a Switch Fabric Module installed and the switch in flow-through mode, resetting afabric-enabled module during periods of high traffic might cause other modules to reset. Thissituation can cause temporary traffic loss until the reset module comes back online. This problonly seen when the diagnostics are set tominimal or complete (set test diaglevel command).

Workaround: Power cycle the module (set module power up/downmod_num). (CSCdw04861)

• When you connect a Cisco IP Phone 7960 to a port on the 10/100 Ethernet switching modulesupplies inline power, the phone might lose power after switching from wall power back to inpower. The link remains up but the phone is down. This problem only occurs at 10 Mbps.

Workaround: Disconnect and then reconnect the cable between the switch port and the phon(CSCdr37056)

• A module might fail to come online after a software upgrade.

Workaround: Reset the module to bring it online. (CSCdu77125)

• When a module is reset due to a firmware download, the module may take 30 to 50 seconds(depending on the type of module) to come online and another 2 to 30 seconds (depending uwhether PortFast is configured or not) for spanning tree related events.

• Later model 10/100/1000 switching module ports (such as WS-X6148-GE-TX, WS-X6548-GE-and WS-X6516-GE-TX) that are set to half-duplex may count runts along with collisions. Thishardware issue and is not related to any software versions. (CSCec79736)

• The Distributed Forwarding Card (WS-F6K-DFC) and 16-port Gigabit Ethernet switching mod(WS-X6816-GBIC) are not supported in systems running Catalyst software on the supervisor enand Cisco IOS software only on the MSFC. These items are supported on systems runningCisco IOS Release12.1(8a)E or later on both the Supervisor Engine 2 and the MSFC2. For morinformation, refer to the Release Notes for12.1(8a)E on Cisco.com:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/ol_2310.htm

• You cannot reset individual ports on WS-X6608-T1 or -E1 modules. To reset a port, reset themodule. (CSCds19417)


OL-1982-25


jectorout

out the

gine

).sectors

erL ofreareor

ds:

uter ISL

e

ce

• When you hot insert a module into a Catalyst 6000 or 6500 series chassis, be sure to use the elevers on the front of the module to seat the backplane pins properly. Inserting a module withusing the ejector levers might cause the supervisor engine to display incorrect messages abmodule.

If you see minor hardware failures or sync errors on bootup, reconfirm that the supervisor enand all the switching modules are fully seated, the ejector levers are fully depressed, and thethumbscrews are fully tightened.

• There is a cabling issue with the 48-port 10/100BASE-TX switching module (WS-X6248-TELThe WS-X6248-TEL module RJ-21 connectorsdo not support Category 3 RJ-21 telco connectorand cabling. Using Category 3 connectors and cabling causes carrier sense errors. The connare keyed for Category 5 telco connectors and cables. Youmust use Category 5 RJ-21 telcoconnectors and cables.

• 24-port 100FX switching modules (WS-X6224-100FX-MT) with a hardware version of 1.1 or lowonly support IEEE 802.1Q VLAN trunking; they do not support ISL trunking. Do not configure IStrunks on 24-port 100FX switching modules (WS-X6224-100FX-MT) with a hardware version1.1 or lower. The restriction against ISL VLAN trunking is the only known problem with hardwaversion 1.1 or lower of these modules. If you do not require ISL VLAN trunking, these modulesfully functional. The ISL VLAN trunking problem has been corrected in hardware version 1.2 later of these modules. If you wish to return a WS-X6224-100FX-MT module with a hardwareversion of 1.1 or lower, contact Cisco Systems.

You can identify WS-X6224-100FX-MT hardware versions using one of the following two metho

– Command-line interface (CLI) method—Use the show version command to identify thehardware version of the WS-X6224-100FX-MT module as follows:

Console> show version< ... output truncated ... >Mod Port Model Serial # Versions--- ---- ------------------- ----------- --------------------------------------< ... output truncated ... >5 24 WS-X6224-100FX-MT SAD02470006 Hw : 1.1< ... output truncated ... >Console>

The example shows a WS-X6224-100FX-MT module with a hardware version of 1.1; thisversion does not support ISL VLAN trunking.

– Physical inspection method—Look for the part number that is printed on a label on the oedge of the component side of the module. Versions 73-3245-04 or lower do not supporttrunking.

• When multiple instances are configured over a LANE trunk and when the root for one of theinstances is moved, the other instances stop receiving BPDUs. The fix for this problem will bavailable in a Cisco IOS Release for the ATM LANE module later than Release 12.1(2)E1.(CSCdr88794)

• Theshow module command might show different versions for different modules in the chassiswhen upgraded with versioning enabled. (CSCdr55665)

• The followingdebounce timer command options have been added to increase the jitter toleranon 10/100 UTP ports to make them interoperable with out-of-spec NICs:set option debounce enable—Sets debounce to 3.1 seconds on 10/100 cards.set option debounce disable—Sets debounce to 300 ms. The default is 300 ms debounce.(CSCdp56343)


OL-1982-25


y

y

e

o

bitit

or all

tion

ortsvenbitceed

ornnel

nnelmore

les.

• If a 16-port Gigabit Ethernet fabric-enabled GBIC switching module (WS-X6516-GBIC) is fullpopulated with1000BASE-TX (copper) GBICs, it might be difficult to accessthe insertion/removalbracket on the module.

Workaround: Remove at least two of the1000BASE-TX GBICs before removing the module.(CSCdw25775)

• If a 16-port Gigabit Ethernet fabric-enabled GBIC switching module (WS-X6516-GBIC) is fullpopulated with1000BASE-TX (copper) GBICs, it might be difficult toremove the module in the slotabove the WS-X6516-GBIC module.

Workaround: Remove at least two of the1000BASE-TX GBICs before removing the module abovthe WS-X6516-GBIC module. (CSCdx19538)

EtherChannelThis section contains usage guidelines, restrictions, and troubleshooting information that apply tEtherChannel:

• When you enable UplinkFast, the EtherChannel port path cost (set with theset channel costcommand) for a 4-port 10/100 EtherChannel is less than the port path cost of a parallel GigaEthernet link. This situation causes the slower 4-port EtherChannel to forward and the GigabEthernet link to block. (CSCds22895)

• The WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6148-GE-TX, and WS-X6148V-GE-TXmodules have a limitation with EtherChannel. EtherChannel is supported on these modules fconfigurations (10, 100, and 1000 Mbps speeds) but be aware of the following cases ofoversubscription when you are configuring these modules:

Note With software release 8.2(1), due to firmware enhancements, the following oversubscripproblems are no longer an issue with the WS-X6548-GE-TX and WS-X6548V-GE-TXmodules.

– On these modules there is a single 1-Gigabit Ethernet uplink from the port ASIC that suppeight ports. For EtherChannel, the data from all links in a bundle goes to the port ASIC, ethough the data is destined for another link. This data consumes bandwidth in the 1-GigaEthernet link. For these modules, the sum total of all data on an EtherChannel cannot ex1 Gigabit.

– You could also run into the oversubscription problem if you have four WS-X6148-GE-TX WS-X6148V-GE-TX modules running at 100 Mbps with 48 EtherChannels, and each chahaving 4 ports (1 port per module).

– If you use the Switch Fabric Module with the WS-X6548-GE-TX or WS-X6548V-GE-TXmodules, that configuration would avoid the oversubscription problem. The Switch FabricModule interface filters and distributes the packets to the correct module per the EtherChabundle hash. However, you must have one port per module in the bundle. Once you havethan one port of a WS-X6548-GE-TX or WS-X6548V-GE-TX module in an EtherChannelbundle it will start oversubscribing.

Note Using channeling for Layer 1 redundancy is a valid configuration option with these modu


OL-1982-25


ease. HPtails.

QoS:

gleing.

S IPifiesrtblish

ce. AoS

s

s

witch

f the

et

theed off

• Catalyst switches running supervisor engine software releases 6.2(x) and later cannot form achannel with HP-server NICs. TLV checking, which was added for PAgP packets in software rel6.2(1), uncovered a problem with HP-UX systems where the packet length was set incorrectlyhas an updated driver available that can solve the problem; contact HP Technical Support for de(CSCdu84575)

Quality of ServiceThis section contains usage guidelines, restrictions, and troubleshooting information that apply to

• The ToS byte remains unchanged in bridged multicast packets when you enable MulticastMultilayer Switching (MMLS). The system does not support multiple, different rewrites for a sinpacket. A Layer 3 rewrite is generated for multicast; there is no rewrite for the Layer 2 forward

For example, you have a multicast source in VLAN 13, a receiver in the same VLAN, and a QoACL configured and mapped to the source’s ingress port that matches the traffic flow and specDSCP 31. When you disable the MMLS feature, the IP packets captured on the receiver’s pocontain a ToS byte of x7C (the expected result). When you enable the MMLS feature and estaa Layer 3 flow, the captured packet’s ToS byte is unchanged from the value sent by the sourToS rewrite occurs on the replicated packets in the outgoing VLANs (other than VLAN 13). No Trewrite occurs for the packets that are bridged in the same incoming VLAN. (CSCdm72364)

• The rate and burst parameters for microflow/aggregate policing are specified in terms of kbp(kilobits per second) and Kb (kilobits). However, the following should be noted:

– Rate specification—1 kbps is equivalent to 1000 bits per second (as opposed to 1024 bitper second)

– Burst specification—1 Kb is equivalent to 1024 bits

• Running two or more QoS commands from different Telnet or SSH sessions could cause the sto hang or reset. We recommend that you do not execute two or more QOS commandssimultaneously from different Telnet, SSH, or Console sessions. (CSCdy74994)

• Theset port qosmod/port {port-based | vlan-based} command configures all ports on switchingmodules with1p1q0t/1p3q1t QoS port architecture.

• Microflow policing does not support policing of identical flows arriving on different interfacessimultaneously. Attempts to do so lead to incorrectly policed flows. (CSCdt72147)

• If there is an error in installing any COPS policy, a successful commit is sent to the PDP even ipolicy was not correctly installed. In such situations, any modifications to the port’s rolecombination does not install the correct policy on the port and might result in a switch reset.(CSCdp66572)

• If you create a security ACL with the redirect option and then replace the module that has thredirect port with another kind of module, the security ACL does not have the redirect port lisanymore.

Workaround: Manually modify the security ACL with the new redirect port information.(CSCdp74757)

• If you download a COPS ACL containing a policer to the switch and the switch cannot supportexact rate/burst supplied by the policer, no message informs you that the rate/burst was roundto the nearest value that the hardware could support. (CSCdr28715)


OL-1982-25


PMrnedified

s are

es getoty

ut

ightme

ffic

s

esty

ortspes.

Sport.

,

ueue

uleule is

and

have

• Catalyst 6500 series switches do not support nonzero WRED minimum values. If a COPS Qserver sends down a COPS policy with a nonzero WRED minimum value, no error report is retuto the COPS server. As a result, there is no indication to the user that the WRED minimum specin the COPS policy was not used. (CSCdr28819)

• COPS and RSVP are not supported in software release 6.2(2).

• On a Catalyst 6500 series switch, when the switch QoS policy source is COPS, no COPS roledefined for a port, and the port policy source is COPS, the values that you set for the QoSconfiguration (such as queue mappings and sizes) are inappropriate. For example, all CoS valumapped to the strict-priority queue on a 1p2q2t or 1p1q4t port type. This situation can lead tbandwidth starvation for other ports in the switch, especially, if these ports with a strict-prioriqueue are generating high rates of traffic.

Workaround: Either configure a COPS role on all ports in the switch or configure all ports withoa COPS role to use local policy. (CSCdp44965)

• If a large number of QoS ACLs are defined on the system during switch bootup, some packets mget switched before the QoS ACLs are installed in hardware. This scenario would result in sopackets getting an incorrect ToS or no policing applied. After the QoS ACLs are installed inhardware, the correct ToS and policers are applied. It is considered inappropriate to block trafrom flowing until all the QoS policy is installed. (CSCdp68608)

• After setting the QoS policy source to local, you might need to wait approximately 20 secondbefore the QoS policy source can be set back to COPS. (CSCdp34367)

• The COPS policy fails to install on ports with a large number of QoS policers.

Workaround: Unmap the local ACLs before installing the COPS policy. (CSCdp63138)

• Use the QoS strict-priority queues for your highest-priority traffic only. The strict-priority queuare designed to accommodate only a limited volume of traffic. If you overload the strict-prioriqueues, the supervisor engine cannot service the standard queues. (CSCdm90683)

• With QoS disabled, an EtherChannel can contain ports with both strict-priority queues and pwithout strict-priority queues. With QoS enabled, an EtherChannel cannot contain both port tyIf you enable QoS, ports drop out of any EtherChannels that contain both port types.

• When COPS is the QoS policy source, TFTP traffic and switching might be affected if a COPpolicer is configured with a rate or burst value that the Catalyst 6500 series switch cannot sup(CSCds16976)

• Except for ports that support1p1q0t/1p3q1t, theset port qos trust command and thetrust-ipprecandtrust-dscp port keywords are not supported on 10-, 10/100-, and 100-Mbps ports. Insteadconfigure ACLs with thetrust-cos, trust-dscp, andtrust-ipprec ACE keywords. Note that thetrust-cos port keyword can be used on 10-, 10/100-, and 100-Mbps ports to enable receive-qdrop thresholds.

• To avoid the case where all traffic is out of profile, the burst size specified in a QoS policing rmust be at least as large as the maximum packet size permissible in the traffic to which the rapplied.

• With heavy COPS protocol traffic between either the COPS-DS client or the COPS-RSVP clientthe PDP, it is possible for a connection keep-alive timeout event to occur and for the COPSconnection manager to miss a Client Close from the PDP. When this happens, the switch mightan exception later. (CSCdp64213)


OL-1982-25


o

cketsto see

sultst not on

m,

the

g

m,

one’should

rk. For

witchvyem,

o

.

.

Automatic Quality of Service with Cisco IP PhonesThis section contains usage guidelines, restrictions, and troubleshooting information that apply tconfiguring automatic QoS with Cisco IP Phones:

• Cisco IP Phone 79xx phone marking—The Cisco IP Phone 79xx does not mark its protocol pasuch as DHCP, TFTP, and DNS packets with nonzero DSCP values. This causes the IP phoneDHCP, DNS, and/or TFTP timeouts when an uplink port on a switch is oversubscribed. This rein the IP phone taking a long time to register with the Cisco CallManager or the IP phone mighregister at all. Additionally, phone directories, IP phone services, call logs, ring tones, and sobecome unavailable or do not work correctly for the IP phone user.

Workaround: Use custom QoS ACLs instead of automatic QoS on the switch. For this problecaveat CSCdy62735 has been logged against the Cisco IP phone.

• Cisco CallManager is not marking protocol packets—This Cisco CallManager issue is similar toabove issue (CSCdy62735). If uplink ports are oversubscribed, TFTP packets from the CiscoCallManager are dropped by the switch.

Workaround: Use custom QoS ACLs instead of automatic QoS on the switch.

• Cisco SoftPhone does not tag any voice signaling packets—With this problem, voice signalinpackets from Cisco SoftPhones get dropped and Cisco Soft Phones fail to connect to theCisco CallManager and the user cannot make or receive calls if the switch uplink ports areoversubscribed.

Workaround: Use custom QoS ACLs instead of automatic QoS on the switch. For this problecaveat CSCdy60186 has been logged against Cisco SoftPhone.

• Cisco IP Phone 79xx phone reset problem—The Cisco IP Phone 79xx resets when the IP phPC port is oversubscribed. This problem is seen in rare circumstances; the IP phone’s PC port snot get oversubscribed unless there is a broadcast storm or some other outage in the netwothis problem, caveat CSCdy50584 has been logged against the Cisco IP phone.

• CDP issue—CDP protocol packets are not CoS labeled correctly. This problem prevents the sfrom properly prioritizing the “hello” packets being sent to and from the IP phone. Under heatraffic conditions, this results in loosing the IP phone from the CDP perspective. For this problcaveat CSCdy53339 has been logged against the Catalyst software.

MulticastThis section contains usage guidelines, restrictions, and troubleshooting information that apply tmulticast protocols and traffic on the switch:

• IGMP version 3 does not support private VLANs. (CSCdx08912)

• SPAN, RSPAN, Private VLANs, and RGMP are not supported with IGMP version 3 snooping

• IGMP version 3 reports might flood on VLANs. IGMP version 3 reports should not flood onVLANs. The reports should be sent only to IGMP version 3 router ports and IGMP version 3 hosts(CSCdx51216)


OL-1982-25


mat

he notg).

ts to

henGMPstops

.

entsterfaultectedwithinavior

is

when

m809)

e

allyries)

rate

u set

Caveat CSCdx51216 wasopened to address the issue of preventing IGMP version 3 reports froflooding in VLANs. IGMP version 3 reports are supported with both PFC2 and PFC3A and thsupport is described as follows:

– PFC2: IGMP version 3 reports are captured to the supervisor engine and are flooded to tVLAN. This behavior will not be changed because flooding the IGMP version 3 reports doescause any problems (there is no concept of report suppression with IGMP version 3 snoopin

– PFC3A: There is a separate, conditional RAM that only captures the IGMP version 3 reporthe supervisor engine. There is no flooding to VLANs.

• An IGMP version 3 client may receive traffic from unwanted sources. This problem might occur wthe IGMP version 3 client abruptly stops sending the IGMP version 3 report and starts sending the Iversion 3 report to receive traffic from sources that it does not want to receive (before it abruptly sending the IGMP version 3 report). (CSCdx53609)

• A security ACL will not take effect for sources that are present in the INCLUDE list if the IGMPversion 3 state is in INCLUDE mode and the multicast source and receiver are in the same VLAN(CSCdy15849)

• The Cisco IOS last-member-query-interval command allows you to increase the time that therouter waits for host responses to IGMP GS queries (group-specific queries). The switch implemthis interval statically, as defined in RFC 2236 (the default is 1000 ms). If you configure a routhat is connected to the switch with a “last-member-query-interval” that is greater than the deinterval as defined in RFC 2236, and you enable IGMP snooping on the switch, then hosts connto the switch might have packets discarded if these hosts are unable to respond to GS queriesthe interval implemented on the switch. The supervisor engine software does not modify its behbased on the last-member-query-interval that is configured on the connected routers. Do notmodifythe last-member-query-interval on the routers that are connected to the switch if IGMP snoopingenabled.

Workaround: Disable IGMP snooping on the switch. (CSCdu72041)

• Ports may be added to a source list even though a port does not want traffic from that sourcethe IGMP version 3 mode changes from INCLUDE to EXCLUDE. (CSCdy25856)

• Theshow multicast v3-groupcommand may not show any port in the exclude port list for a maximuof 60 seconds when the IGMP version 3 state changes from INCLUDE to EXCLUDE. (CSCdy25

• A new command,set igmp ratelimit [disable | enable], has been added to the 6.x, 7.x, and 8.xsoftware releases starting with the following releases:

– 6.4(7)

– 7.6(5)

– 8.2(1)

IGMP rate limiting is disabled by default. In the 6.4(x) software release, rate-limit counters arsupported only in text configuration mode. Theset igmp ratelimit [disable | enable] command issupported in both text and binary configuration modes in all software release trains.

If IGMP rate limiting and multicast are enabled, multicast router ports might age out sporadicbecause the rate of the multicast control packets (such as PimV2-hellos or IGMP-General Queexceed the IGMP rate-limit watermarks that were configured. The default values for thesewatermarks is 100.

Workaround: The workaround (documented in CSCea44331) is to increase the PimV2-helloslimit; we recommend that you set the value to 3000 using theset igmp ratelimit pimv2 3000command. You can also increase the IGMP-General Queries rate limit; we recommend that yothe value to 500 using theset igmp ratelimit general-query 500 command.


OL-1982-25


t oringntries

st

de,

y

5488.

anyd byiesunt of

thees the that

ction

ware

eats

will

are

o

nds.ives thelogy

• The maximum number of supported multicast CAM entries is 124. After adding 124 permanenstatic multicast CAM entries the switch produces the error “Failed to add CAM entry.” After add124 static or permanent CAM entries, all attempts to add more static or permanent multicast efail. This is true for the same port/same VLAN, different port/same VLAN, and differentport/different VLAN.

• A Catalyst 6500 series switch running IGMP snooping may intermittently stop adding multicarouter ports because it is receiving too many PIMv2 Hello packets.

Workaround: Increase the rate limit value using theset igmp ratelimit pimv2 command.(CSCea44331)

• If you install an MSFC2 and the VLAN interface that is defined on the MSFC2 is in shutdown mobridged IP multicast traffic will not be policed. (CSCdu12731)

• The only ports that send out the GMRP LeaveAll messages are the ports that have previouslreceived GMRP joins.

• With software releases 7.1(1) and later, the maximum number of Layer 2 multicast entries is 1

• If RGMP-enabled routers connected to an RGMP-enabled Catalyst 6500 series switch join mgroups, the switch might run out of memory. Ensure that the total number of entries displayetheshow rgmp group count command is fewer than 800. The actual maximum number of entrwill vary depending on the features enabled on the Catalyst 6500 series switch and the amomemory installed.

• When a multicast goes to both bridged and routed addresses, the multicast packets going torouted addresses are Layer 3 switched, and the multicast matches an ACL so that QoS rewritToS byte in the multicast packet. QoS does not rewrite the ToS byte for the multicast packetsare bridged.

• We recommend that you do not use more than 1500 multicast groups with GMRP. This restridoes not apply to IGMP.

• In extremely rare conditions, multicast traffic might be blocked due to a mismatch between hardand software entries. (CSCdp81324)

• Be aware of the following multicast traffic caveats specific to Supervisor Engine 2 (these cavapply toall software releases supporting Supervisor Engine 2):

– If an outgoing IOS ACL is configured on an interface, Supervisor Engine 2 based systemsmatch/apply the IOS ACL in software. This results inall outgoing multicast flows for thatinterface being handled in software (based upon specificdeny/permit all statements). MMLSis effectively disabled for the interface. Be aware that handling outgoing IOS ACLs in softwincreases CPU utilization.

– Outgoing VACLs are not applied to multicast traffic with Supervisor Engine 2.

Spanning TreeThis section contains usage guidelines, restrictions, and troubleshooting information that apply tSpanning Tree:

• MST problem—Powering down the Switch Fabric Module usually takes between 3 and 5 secoDuring this time, traffic and protocol packets are disrupted. The MST root port does not receBPDUs during this period and the re-root mechanism is called (the re-root mechanism causeroot port to go to the blocking state). As soon as the MST port starts receiving BPDUs, the toporeconverges. (CSCdv86120)


OL-1982-25


avoid

n STP

also root

plustree

384,

sty in

o

a

the

• If the forward delay, max age, andhello time Spanning Tree Protocol (STP) parameters arereduced in value, ensure that the number of instances of STP are also reduced proportionally toSTP loops in the network.

• Occasionally (less than once in every 100 attempts), the console process might lock when amode changes from PVST+ to MISTP.

Workaround: Reset the switch. (CSCds20952)

• If you have a Catalyst switch in your network with MAC address reduction enabled, you shouldenable MAC address reduction on all other Layer-2 connected switches to avoid undesirableelection and spanning tree topology issues.

When MAC address reduction is enabled, the root bridge priority becomes a multiple of 4096the VLAN ID. With MAC address reduction enabled, a switch bridge ID (used by the spanning-algorithm to determine the identity of the root bridge, the lowest being preferred) can only bespecified as a multiple of 4096. Only the following values are possible: 0, 4096, 8192, 12288, 1620480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.

Therefore, if another bridge in the same spanning-tree domain does not run the MAC addresreduction feature, it could claim and win root bridge ownership because of the finer granularithe selection of its bridge ID.

Note The MAC address reduction feature is enabled by default on Cisco switches that have64 MAC addresses (Cisco 7606, CISCO7603, WS-C6503, and WS-C6513).

Access ControlThis section contains usage guidelines, restrictions, and troubleshooting information that apply tsecurity:

• Note that the VACLs access-controlall traffic passing through a VLAN. This includes broadcasttraffic and packets going to and from the router. Therefore, you must use care when definingVACL.

For example, to allow traffic from a local IPX client (daf11511) to a remote server (daf00402),following VACL is configured (remote server is learned through a routing protocol):

set security acl ipx jg_ipx_permit --------------------------------------------------- 1. permit any DAF00402 DAF11511 2. permit any DAF11511 DAF00402 3. permit any DAF01023 DAF01023 4. permit any DAF11511 0 5. permit any 0 0 6. permit any DAF11511 DAF11511


OL-1982-25


rver

est to

ve the

N

ns)on

oSset

high

t on the

high

the

r alllly

te thaty.

FC2s).

The VACL description is as follows:

– 1, 2. Allow IPX between client and server.

– 3. The router needs to see the RIP/SAP packets.

– 4. If packets are dropped during a connection, the client tries to find another route to the seby sending out RIP requests to IPX network 0.ffff.ffff.ffff. Not doing this results in a lostconnection after packet drop.

– 5. Upon startup, a client sends its first packets to 0.ffff.ffff.ffff and uses 0.ffff.ffff.ffff as its oneIPX address.

– 6. When a server connection socket is timed out, the client reconnects by sending a requits local network to find its server.

As the example shows, just 1 and 2 is not enough; you also have to define 3 through 6 to achiegoal. (CSCdm55828)

• Make sure that the redirect port defined in a VACL is on the same VLAN as the “incoming” VLAfor the packet that is to be redirected. Otherwise, the redirected packet will be dropped.

For example, a redirect VACL is defined on VLAN 5 and the redirect destination port is also oVLAN 5. If an MLS entry is destined to VLAN 5, packets that are coming from VLAN 2 hit thiMLS entry and also hit the VACL redirect ACE (both VLAN 2 and VLAN 5 ACLs will be checkedand are redirected in the incoming VLAN, VLAN 2. The redirect destination port will drop themVLAN 5 rather than on VLAN 2.

• In a Catalyst 6500 series switch with two Supervisor Engine 2s, if you have more than 300 QACLs and each QoS ACL is mapped to a different VLAN, the active supervisor engine might reafter clearing all the QoS ACLs and then committing the change. (CSCdu85021)

High AvailabilityThis section contains usage guidelines, restrictions, and troubleshooting information that apply toavailability:

• With high availability enabled, port security is then enabled on a port using theviolation restrictmode. On repeatedly clearing the secured addresses under continuous traffic, the secured porstandby supervisor engine might shut down. (CSCin25168)

• In software release 7.6(8) and later releases, improved supervisor engine failover rates with availability enabled are as follows: In flow through, truncated, and compact modes, the SupervisorEngine 1 and Supervisor Engine 2 failover time is less than 500 ms.

• After a high-availability switchover, MSFC2 LTLs are not set when the standby router becomesdesignated router. (CSCdy83322)

• MSFC configuration synchronization is only supported for IP and IPX configurations. Beforeenabling synchronization, you must ensure that both MSFCs have identical configurations foprotocols. If you are using AppleTalk, DECnet, VINES, or any other routing, you must manuaensure that identical configurations are on both MSFCs for all protocols.

• Redundant supervisor engines must be of the same type with the same model feature card. NoWS-X6K-SUP1-2GE and WS-X6K-SUP1A-2GE (both without PFCs) are compatible for redundancFor supervisor engines with PFCs, the PFCs must be identical for redundancy (two PFCs or two P


OL-1982-25


te a

n

sor

MLS:

pidlyct of

ausegets

t.

ource

tion

o

y

74)

VTP,

cnot

• High availability does not support use of the Reset button. Pressing the Reset button to initiaswitchover results in a high-availability switchover failure.

Workaround: Make the active supervisor engine the standby supervisor engine first, and theremove it from the chassis. (CSCdp76806)

• NVRAM synchronization and high-availability synchronization does not work between superviengine software release 6.3(1) and any later version. (CSCdv43206)

Multilayer SwitchingThis section contains usage guidelines, restrictions, and troubleshooting information that apply to

• If you have routed flows with MLS disabled (no shortcuts created), candidate entries age out rato ensure that the forwarding table is used as much as possible by shortcut flows. A side effethis rapid aging of candidate entries is that the microflow policer does not work accurately becits policing history is lost when the entries age out. When the same flow creates a new entry, itthe entire traffic contract again even if it had exceeded the contract before the entry aged ou(CSCdp59086)

• Layer 3 switching on the Catalyst 6500 series switches does not support full or destination-sflows for IPX traffic. With Supervisor Engine 1 and PFC, when the MLS flow mask isdestination-source or full-flow, theshow mls entry ipx destination command that should select aspecific destination displays all IPX Layer 3 entries rather than just those for a specific destinaIPX address. (CSCdm46984)

MIBsThis section contains usage guidelines, restrictions, and troubleshooting information that apply tSNMP MIBs, RMON groups, and traps:

Note For information on MIBs, RMON groups, and traps, refer to the Cisco public MIB directorlocated at this URL:http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

• You cannot use the tftpGrp MIB object to download Catalyst 6000 ATM software. (CSCdp165

VLANs, VTP, and VLAN TrunksThis section contains usage guidelines, restrictions, and troubleshooting information that apply toVLANs, and VLAN trunks:

• Use caution when including the sc0 interface in a normal or private VLAN. Under heavy trafficonditions, there is a risk of losing connectivity with the interface. We recommend that you doconfigure the sc0 interface in any VLAN with user data. (CSCdv12023)


OL-1982-25

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


o

affiche

orts

base.L is02 in

and

ewly

• This problem is related to the following configuration:

The Cat6k-A configuration is as follows:

– 100—Primary VLAN

– 101—Secondary VLAN (isolated/community/two-way community)


– 2/1—Promiscuous port carrying the mapping from VLAN 101 to VLAN 100 and VLAN 102 tVLAN 100

– 3/1—ATM trunk port carrying VLANs 100, 101, 102, 200, 300

The Cat6k-B configuration is as follows:

– 100—Primary VLAN



– 3/1—ATM trunk port carrying VLANs 100, 101, 102

– 2/1—Private port with VLAN 101 to VLAN 100 association

– 2/2—Private port with VLAN 102 to VLAN 100 association

In this configuration, assume that Server 1 is interacting with the router and there is no trafficbetween Server 2 and the router. If Server 2 suddenly starts interacting with the router, the trbetween Server 1 and the router might stop. This happens when the Cat6k-A 3/1 port is on tWS-X6101-OC12-MMF ATM module.

In summary, do not have a configuration with a promiscuous port on switch A and secondary pon switch B connected through an ATM trunk on the WS-X6101-OC12-MMF module.(CSCdy03515)

• When using a VLAN interface other than the VLAN 1 interface, a VLAN added on aCatalyst 3500XL running 120.5.1-XP does not appear in the Catalyst 6500 series switch dataAs soon as management interfaces are put back in VLAN 1, a VLAN configured on the 3500Xsent properly to the Catalyst 6500 series switch through VTP. Check the status of CSCdr809your Cisco IOS release. (CSCdr66376)

• In a redundant configuration, if you modify the VLAN mapping on the active supervisor enginea high-availability switchover occurs before the VLAN mapping is synchronized between thesupervisor engines, you might experience a mapping inconsistency (VLANs claimed by twodifferent instances) if you reenter the mapping command.

Workaround: Recreate a new mapping on a different instance after the switchover. On the nactive supervisor engine, enter theset vlanvlan_nummistp none command and reenter themapping. (CSCds27902)

Router ------------------Cat6k-A-----------ATM switch-------------Cat6k-B------------Server 1|

100, 101 100, 101100, 102 102 100, 101

2/1 3/1 3/1 2/1

2/1100, 102------------Server 2


OL-1982-25


o

s theill

ed toe setlogine

ion,empt.rd>ith

o

d26)

DTP,

to the

er ison theer

DR

is

Authentication, Authorization, and AccountingThis section contains usage guidelines, restrictions, and troubleshooting information that apply tauthentication, authorization, and accounting (AAA):

• For login authentication, starting from software releases 5.5(15), 6.3(7), and 7.3(1), if you presEnter key and then type in your password (<Enter> <password>) the ACS TACACS+ server wtreat it as an indication that you are attempting to change your password. This behavior is relatCSCdx08395. Before the CSCdx08395 fix, the user privilege level was hard coded to 15 in thTACACS+ authentication request packet. With the CSCdx08395 fix, the user privilege level isbased on the privilege level that the user is authenticated as. For example, if the user is doing aauthentication, the privilege level would be 1. If the user is doing an enable authentication, thprivilege level would be 15.

The Cisco ACS TACACS+ server acts differently for <Enter> <password>. For login authenticatif the user priv-lvl is hard coded to 15, <Enter> <password> is treated as a regular password attIf the user priv-lvl is set to 1 (CSCdx08395) during login authentication, then <Enter> <passwois treated as an indication of a changing password. The latter case is a behavior consistent wTACACS+ enable authentication and Cisco IOS software handling of <Enter> <password>.(CSCdy35129)

SPAN and RSPANThis section contains usage guidelines, restrictions, and troubleshooting information that apply tSwitched Port Analyzer (SPAN) and Remote SPAN (RSPAN):

• A SPAN session with a 10/100 source port and a Gigabit destination port might result in duplicatepackets on the destination port. This problem is seen in all 7.6(x) software releases. (CSCea329

• RSPAN does not support monitoring of BPDU packets or Layer 2 protocol packets such as CDP,and VTP.

TDRThis section contains usage guidelines, restrictions, and troubleshooting information that appliestime domain reflectometer (TDR) feature:

• The TDR test can only be run on 16 ports at a time. (CSCea46739)

• The TDR test does not provide accurate results if it is run on a link where the remote link partnconfigured at 100-Mbps fixed speed (CSCea70930). 10 Mbps, 1000 Mbps, and auto speeds remote link partner will not interfere with the TDR test. Also, a 100-Mbps port without a link partnwill complete the TDR test successfully.

• The WS-X6148 and WS-X6548 GE-TX modules have the following cable restrictions with the Ttest: If a Revision B0 Marvell PHY is used, the maximum cable length that can be detected is115 meters. If a Revision C0 Marvell PHY is used, the maximum length that can be detected168 meters. (CSCea76395)


OL-1982-25


ome

eds.

bps

s

d

s

n thef bothestoreult

Auto-MDI/MDIXWith auto-MDI/MDIX you can use either a straight or crossover cable, and the module willautomatically detect and adjust for the cable type. Auto-MDI/MDIX works with the speed set toauto/1000 Mbps, but not with the speed set to 10 Mbps or 100 Mbps. This means that the link will cup with either a straight or crossover cable if the speed is set to auto/1000 using theset port speedmod/portauto command or theset port speedmod/port1000command. The link comes up even if thespeed is autonegotiated at 10 Mbps or 100 Mbps inauto mode. However, if you enter theset port speedmod/port10 command or theset port speedmod/port100command, the link fails to come up if thewrong cable is used.

Auto-MDI/MDIX has always been enabled on the following modules:

• WS-X6548-RJ-45, WS-X6548-RJ-21, WS-X6148-GE-TX, WS-X6548-GE-TX

Auto-MDI/MDIX works in 10-, 100-, and 1000-Mbps modes with autonegotiated and fixed spe

• WS-X6516-GE-TX

Auto-MDI/MDIX works with the speed set to auto/1000 Mbps, but not with the speed set to 10 Mor 100 Mbps.

• WS-X6316-GE-TX

With software release 8.2(1), auto-MDIX is also enabled on the following modules:

• WS-X6748-GE-TX, Supervisor Engine 720 port 2 (RJ-45)

Auto-MDI/MDIX works with the speed set to auto/1000, but not with the speed set to 10 Mbpor 100 Mbps.

• WS-X6148X2-RJ-45, WS-X6148X2-45AF

Auto-MDI/MDIX works with the speed set to auto, but not with the speed set to 10 Mbpsor 100 Mbps.

Note Auto-MDI/MDIX is not supported on any other 10/100-Mbps Ethernet modules or GBIC, SFP, anXENPAK ports.

Binary and Text File Configuration ModesThe main purpose of storing configuration information in NVRAM blocks is to restore the systemconfiguration when the switch boots up after a reset. The supervisor engine boot process includereading the NVRAM blocks and using the configuration information in the blocks to configure thesystem. Before restoring the configuration from an NVRAM block, a new checksum is generated odata in the block, and the new checksum is compared with the checksum stored in the block itself. Iof the checksums match, the data is determined to be valid and the data in the block is used to rthe configuration. If the checksum matching fails, the NVRAM block is deallocated, and the defaconfiguration is used.

There are two modes for storing the configuration file, binary configuration mode and text fileconfiguration mode. These modes are described in the following sections.


OL-1982-25


eock

ule

of the, andonlyme

al

r not

ed the

AMa

o

textks

ese

f

ery

ot

Binary Configuration Mode

In binary configuration mode, the NVRAM configuration model uses binary data structures to savinformation. The NVRAM is allocated in blocks, and each data structure is stored as an NVRAM blas follows:

• A global block is statically allocated for saving global configuration information.

• Per-module NVRAM blocks are allocated for each module to store information for every modand port.

• Other NVRAM blocks include blocks for SNMP,VTP, SSH, NVRAM logging, and so on.

When you enter a command to configure a feature, the information is stored immediately in one NVRAM blocks. Some blocks are allocated at startup, such as the global block, the SNMP blockthe VTP block. Other blocks are allocated as needed. For example, a module block is allocated when a nondefault setting is configured for the module or configured for a port on the module. SoNVRAM blocks also grow dynamically. The VTP block, by default, allows for 256 VLANs to beconfigured. If more than 256 VLANs are configured, the VTP block expands to allow 256 additionVLANs. Binary configuration mode provides an easy way to store the configuration immediatelywithout the need for awrite memory command to commit the configuration to NVRAM.

Binary storage of data is also space efficient. For example, remembering if a feature is enabled orequires a single bit of NVRAM.

Text File Configuration Mode

A disadvantage of the binary configuration mode is that although configured features can be storefficiently, a large amount of NVRAM space can be wasted by features that are not configured byuser. For example, the global block currently requires approximately 150 KB, but users may haveconfigured only a few features. Similarly, a 48-port module consumes approximately 25 KB of NVRspace (about 0.5 KB per port) even if only a single port on the module has been configured with nondefault setting.

With software release 6.3(1) and later releases, the text file configuration mode was introduced tsupport the new 13-slot chassis and all the configurable options on the switch. With text fileconfiguration mode, you can store the configuration as a text file in Flash memory or NVRAM. Infile configuration mode, the binary NVRAM data structures are deleted from NVRAM. The only blocnot deleted from NVRAM are those that contain information not stored in the configuration file. Thblocks include the following:

• Boot block (B_BOOTAREA)—Must stay in NVRAM. It contains information about the location oconfiguration blocks (NVRAM or DRAM).

• Option block (B_OPTION)—Contains the configuration for hidden commands.

• Module logging block (B_MODULELOG)—Contains the NVRAM log traces (NVLOG).

• Command logging block (B_CMDLOG)—Contains the command history log.

• RSAKEY (B_RSAKEY)—Contains encrypted key information that should not be regenerated evtime.

• I/F index block (B_MODULEIFINDEX)—Contains SNMP interface index information that is nin the text configuration file.

• RMON blocks (B_RMON, B_RMON2, and B_EXTENDEDRMON)—Contains RMONinformation that is not in the text configuration file.


OL-1982-25


ionP;

er

t ofat they

isple,M.

cted.

ely to

y beiresfile.

me,x,luesed

//.”

o

ems

,

ort is.2(x)70549.

• SNMP block (B_SNMP)—Contains SNMP-related information that is not in the text configuratfile. Additionally, fields in this block can be specified as non-volatile by the user through SNMthose fields must be saved immediately to non-volatile storage.

• VTP block—Needs to stay in NVRAM to be compliant with the VTP specification in VTP servmode.

The NVRAM blocks are copied to DRAM before being deleted. Except for some isolated codeassociated with the copying of the NVRAM blocks into DRAM, this change is transparent to the resthe software. The data structures are manipulated and accessed as before; the only difference is thare now stored in the DRAM instead of the NVRAM memory region.

A new B_GENERAL NVRAM block is also created when operating in text configuration mode. Thblock contains any configuration from a deleted block that must still be saved in NVRAM. For examthere are time zone and encryption-related fields in the global block that must be stored in NVRAThese fields are moved to the new B_GENERAL block whenever text configuration mode is seleThe B_GENERAL block is deleted when moving back to binary configuration mode.

When operating in text file configuration mode, most user settings are no longer saved immediatNVRAM. Instead, configuration changes are written to the DRAM only. You must enter thewritememory command to store the configuration in non-volatile storage. The non-volatile storage maeither the Flash file system or NVRAM. Because the text file configuration file in most cases requless space than the binary data structures, NVRAM is an appropriate place for the configuration Alternatively, you may specify a file in the Flash file system.

Note When a new VLAN is added (created), the VTP domain information fields (such as VtpDomainNaVtpPassword, VtpMode, VtpInterval, VtpRevisionNo, VtpVlanCount, VtpUdpater, VtpDomainIindeVtpPruningMode, and VtpV2Enabled) are updated if their values are different from the current vain NVRAM. Out of all of these information fields, the VtpVlanCount field is the only one that is changwhen a VLAN is added or deleted. When the VtpVlanCount field is changed, the global block inNVRAM is changed, resulting in the following trap being sent: “Global block changed by ConsoleThis behavior is documented in caveat CSCea23160.

CiscoViewThis section contains usage guidelines, restrictions, and troubleshooting information that apply tCiscoView:

• The 7.1(1) and 7.1(2) CiscoView + SSH images may fail to boot on Supervisor Engine 1 systwith 64-MB DRAM. This problem applies to all models of Supervisor Engine 1(WS-X6K-SUP1-2GE, WS-X6K-SUP1A-2GE, WS-X6K-SUP1A-PFC, WS-X6K-SUP1A-MSFCWS-X6K-S1A-MSFC2). Due to this problem, the cat6000-supcvk9.7-1-1.bin andcat6000-supcvk9.7-1-2.bin CCO images have been deferred. As an alternative, thecat6000-supcvk8.7-1-1.bin or the cat6000-supcvk8.7-1-2.bin images may be used if SSH suppnot required. If both CiscoView and SSH support is required, the 6.3(x) supcvk9 images or the 7and later supcvk9 images should be used. This issue is documented in open caveat CSCdw


OL-1982-25


re as

ound

ViewJava

e

• The supported client platforms, browsers, and Java Plug-in versions supported by CiscoView afollows:

Note The Java Plug-in can be downloaded fromhttp://www.cisco.com/cgi-bin/tablebuild.pl/cview-plugin

Note Java Plug-in versions 1.3.0_01 and 1.3.0_02 do not work with CiscoView.

Note Java Plug-in versions 1.3.1_01 and later are not supported by CiscoView.

• If the CiscoView chassis scrollbar does not appear, resize the browser window. Another workaris to right-click on the chassis and select “Resize” to decrease the size of the chassis view.

On Windows NT machines with Java Plug-in 1.3.0 installed and Netscape running, the Ciscochassis scrollbar does not appear, even after resizing it. To correct the problem, upgrade to Plug-in 1.3.1. (CSCdw58407)

• On Solaris machines with Java Plug-in version 1.3.1 installed, if you are using either NetscapNavigator 4.77, 4.78, or 4.79, you might see a blank screen after launching CiscoView.(CSCdw13384)

To correct the problem, perform these steps:

Step 1 Uninstall the current Java Plug-in from your machine.

Step 2 Download the Java Plug-in from the following location and install it on your machine:

http://www.cisco.com/cgi-bin/tablebuild.pl/cview-plugin

Step 3 Clear the cache by entering the following CLI command:rm -rf ~/.netscape

Step 4 Enter the following CLI command:export NPX_PLUGIN_PATH = /usr/j2se/jre/plugin/sparc/ns4

Step 5 Launch Netscape Navigator.

Step 6 SelectEdit > Preferences, and then clickAdvanced in the navigation tree.

Step 7 Make sure theEnable Java checkbox isnot selected.

Client Platform Web Browser Java Plug-in

Solaris 2.7/2.8 Netscape Navigator 4.76, 4.77, 4.78,4.79

Java Plug-in 1.3.0 (JRE 1.3.0)Java Plug-in 1.3.1 (JRE 1.3.1)

Windows 98Windows NT 4.0Windows 2000

Internet Explorer 5.5Netscape Navigator 4.76, 4.77, 4.78,4.79

Java Plug-in 1.3.0-C (JRE 1.3.0)Java Plug-in 1.3.1 (JRE 1.3.1)

HPUX 11.0 Netscape Navigator 4.77, 4.78, 4.79 Java Plug-in 1.2.2 (JRE 1.2.2)Java Plug-in 1.3.1 (JRE 1.3.1)

AIX 4.3.3 Netscape Navigator 4.77, 4.78, 4.79 Java Plug-in 1.3.0 (JRE 1.3.0)Java Plug-in 1.3.1 (JRE 1.3.1)


OL-1982-25


e is

nsole

oes

h PC

g99.”

sage:

IC

as thethe

er

Step 8 Specify the IP address of the device you want to access and launch CiscoView. The Java consoldisplayed, but the chassis view does not appear.

Step 9 SelectEdit > Preferences, and then clickAdvanced in the navigation tree.

Step 10 Select the “Enable Java” checkbox.

Step 11 Specify the IP address of the device you want to access and launch CiscoView. Both the Java coand chassis view should now be displayed.

• If you are using Netscape and have installed a Java Plug-in earlier than version 1.3.0, you might geta blank screen when you launch CiscoView. (CSCdw59601)

To correct the problem, download Java Plug-in 1.3.0 or later from the following location:http://www.cisco.com/cgi-bin/tablebuild.pl/cview-plugin

• If your machine is running Windows 2000, Windows NT, or Windows 98 and the chassis view dnot appear, you should disable the Java Plug-in’s JAR caching feature, as follows:

– For Java Plug-in 1.3.1:

1) SelectStart > Settings > Control Panel > Java Plug-in 1.3.1.

2) Click theCache tab.

3) Click Clear JAR Cache.

– For Java Plug-in 1.3.0:

1) SelectStart > Settings > Control Panel > Java Plug-in.

2) Click theBasic tab.

3) Make sure the “Cache JARs In Memory” checkbox is not selected.

4) Click Apply.

• If your machine runs on the HP-UX platform, we recommend that you use the HP release ofNetscape. The HP release of Netscape can be downloaded from the following location:http://www.hp.com/workstations/products/unix/software/netscape/index.html(CSCdw59617)

• CiscoView images take approximately 12 minutes to download from a TFTP server to a Flascard. (CSCdr14437)

• In the VLAN & Bridge dialog box (Device > Configure > VLAN & Bridge ), deleting the primaryVLAN after unbinding the secondary VLAN returns an error message.

Workaround: Close and reopen the dialog box and then delete the primary VLAN.

After binding a secondary VLAN to the primary VLAN, delete the primary VLAN and the followinerror message is displayed: “Set failed due to snmpRspGenErr for vtpVlanEditRowStatus.1.1

Workaround: Close and then reopen the dialog box. You should now see the correct error mes“The Primary is bounded ...” (CSCdt65530)

• The Carrier Alarm LED status on WAN modules is not supported by SNMP. (CSCdw50111)

• CWDM GBICs and 1000BASE-TX (copper) GBICs installed in WAN modules display as normal GBports in CiscoView. (CSCdy18652)

• If you have configured Internet Explorer to bypass certain addresses in the proxy server (suchIP address of the switch), the Java applet on the PC will still try to connect to the switch throughproxy server. For security reasons, this may cause the CiscoView GUI to fail if the proxy servcannot talk to the switch directly. (CSCdw48852)


OL-1982-25


9)

e, the

n

)

e to

Cisco

are

(1).

dget

• In the EtherChannel dialog box (Port > Configure > EtherChannel), when EtherChannel OperationMode is changed from “pagpOn” to “off/manual,” clickRefresh and the PAgP dialog box displays“N/A” for every field. To work around the problem, close and reopen the dialog box. (CSCdw7630

• If you use QoS Device Management to create a policy name and try to delete the policy namfollowing incorrect error message appears:

Unable to set row status

(CSCdu11333)

• If you use QoS Device Management to add an IP ACL, select theAdd/Edit ACE option, select anentry and make some changes, and then either clickCancel or OK . The configuration fails due tomisconfigurations when you selectOK ; the previously entered values will appear as defaults wheyou attempt to edit your configuration.

Workaround: Overwrite the values in the fields if necessary. (CSCdu05678 and CSCdu15066

• If you use QoS Device Management to add or edit an IP/IPX/MAC ACL, no buttons are availablmove ACE entries up and down.

Workaround: Select the entry that needs to be moved and click onEdit and selectOK . This entryis then moved to the bottom of the ACE list. (CSCdt64023)

• If you use QoS Device Management and selectPolicy Selection, Add/Edit Policies >Change, andthen select a policy and click OK, selectingCancelwhen the confirmation window displays will notcancel the operation. The policy is still added to the Policy Selection.

Workaround: Delete the policy selection entry that was added. (CSCdu43690)

• The Catalyst 6000 CiscoView (CV) images do not support the Carrier Alarm LED for WANmodules. (CSCdt52011)

• There is a problem when you highlight the MultiChannel DS3 Port Adapter in the WS-X6182-PAmodule, and then selectConfigure > Interface. The dialog box displays “n/a” or the incorrect values inevery field. Also, if you selectMonitor > Interface , the charts in the resulting dialog box do not getupdated, and an error message is displayed in the status bar. This problem is corrected in MSFCIOS Releases 12.1(13)E, E1, and E2. (CSCdr39591)

• Disabled WAN modules are placed in the power-down state. This problem is resolved in softwrelease 7.2(2). (CSCdw50083)

• 802.1X Authentication timer fields are available in the port-level PAE dialog box (Port > Config > PAE> Port Authenticator). This problem is resolved in software release 7.3(1). (CSCdw86044)

• The Redetect Protocol function in the MST Port Status dialog box (Port > Configure > Spanning Tree> MST Port Status) does not work on voice ports. This problem is resolved in software release 7.3(CSCdx04800)

• When a device is set to MST Spanning Tree mode, the “Path Cost” and “Priority” fields in the BriDetails dialog box (Port > Configure > Bridge > Bridge Details) cannot be set on a channeling port thais using PAGP or LACP. This problem is resolved in software release 7.3(1). (CSCdx23200 andCSCdx23217)

• CiscoView device discovery fails when supervisor engine 1 in slot 1 is in ROMMON mode andSupervisor Engine 2 in slot 2 is active. (CSCin43526)


OL-1982-25


ewht

try

t see

lem

try

->

all

• With CiscoView, the Firewall Services Module, Content Services Module, and SSL ServicesModule features might not work consistently with Windows NT. When you try to launch CiscoViADP on Windows NT, the progress dialog either runs for a long time and then stops or it miglaunch suddenly. This problem is occurring only with Windows NT with Internet Explorer andNetscape browsers. There is no problem with Windows 2000 or Solaris platforms.

Workaround: Because the problem is intermittent, the workaround is to close the dialog andlaunching the application again. (CSCin41067)

• In rare occurrences with CiscoView, when launching the Firewall Services Module, ContentServices Module, and SSL Services Module features, the progress dialog might stop. You mighthe problem with the following Firewall Services Module, Content Services Module, and SSLServices Module features:

– Device->VLAN Flows

– Device->Configure->VLAN& Bridge->SVI Configuration

– FWM Card->Firewall Service Blade Setup Wizard

– FWM Card->Assign VLANs To Firewall Blade

– FWM Card->Configure Firewall Interface(s)

– FWM Card->Configure Static Route

– FWM Card->Configure HTTP Service on Firewall Interface(s)

– FWM Card->Configure HTTP Server

– CSM Card->CSM Details

– SSL Card->SSL Details

You might see the problem with Windows NT, Windows 2000, and Solaris platforms. The probis not seen with other features.

Workaround: Because the problem is intermittent, the workaround is to close the dialog andlaunching the application again. (CSCin42718)

• In rare occurrences with CiscoView, you might experience the following two problems:

– Problem 1: Clicking theCancel button causes an exception. Launch any Firewall ServicesModule, Content Services Module, and SSL Services Module feature dialog such as: “FWMAssign Vlans to Firewall blade.” The progress bar appears. When you click theCancelbutton,the following message displays: “Aborting the operation. Please wait”. A window is thendisplayed with the following message: “Failed to retrieve category: Assign VLANs to FirewBlade.java.lang.NullPointerException.” When you close this window, the main window(“Aborting the operation, please wait”) is closed.

– Conditions for Problem 1: Clicking theCancel button causes an exception. Enter the LoginCredentials and try to launch the following Firewall Services Module, Content ServicesModule, and SSL Services Module feature dialogs:

FWM Card->Firewall Service Blade Setup Wizard

FWM Card->Assign VLANs To Firewall Blade

FWM Card->Configure Firewall Interface(s)

FWM Card->Configure Static Route

FWM Card->Configure HTTP Service on Firewall Interface(s)

FWM Card->Configure HTTP Server

CSM Card->CSM Details


OL-1982-25

Open and Resolved Caveats in Software Release 7.6(21)

log

ss

le

og

these

8):

occur.

timeavingenge to

r.es not

After the progress dialog displays, press theCancel button. This action displays the followingmessage: “Failed to retrieve category: Assign VLANs to FirewallBlade.java.lang.NullPointerException:.”

This problem is intermittent and the cancel operation is successful for VLAN flows dialogs.

Workaround: The workaround for problem 1 is to close the exception and try to launch the diaagain.

– Problem 2: Close the progress bar by clicking the* button (this action is not applicable toSolaris platforms). Launch any dialog such as “FWSM -> Assign VLAN to blade.” The progrebar is displayed. Closing the progress bar by clicking theX button causes a “CiscoView error”to display and the dialog stops.

– Conditions for problem 2: Close the progress bar by clicking the* button (this action is notapplicable for Solaris platforms). Enter the Login Credentials. Try to launch service modudialogs other than VLAN flows. After the progress dialog displays, press the close (X) button.

Workaround: The workaround for problem 2 is to close the session and try to launch the dialagain. Instead of using the close (X) button, press theCancel button to close the dialog.(CSCin43633)

• With CiscoView, the SVI configuration dialog is still shown under“Device ->Configure->VLAN&Bridge” for the Firewall Services Module, Content ServicesModule, and SSL Services Module when a Supervisor Engine 1 module is installed. Becausemodules require a Supervisor Engine 2, the dialog should not be displayed. (CSCin43687)

Open and Resolved Caveats in Software Release 7.6(21)These sections describe open and resolved caveats in supervisor engine software release 7.6(1

• Open Caveats in Software Release 7.6(21), page 70

• Resolved Caveats in Software Release 7.6(21), page 71

Open Caveats in Software Release 7.6(21)This section describes open caveats in supervisor engine software release 7.6(21):

• When a standby supervisor engine is rebooted because of an exception, some packet loss may

Workaround : Disable the set test diaglevel bypass diagnostic test.

• If daylight saving time is enabled on a switch with active and standby supervisor engines, thedisplayed by the standby supervisor engine does not change to one hour earlier when daylight stime ends. If a switchover occurs, and the standby supervisor engine becomes the new activsupervisor engine, the time displayed by the new active supervisor engine also does not chaone hour earlier when daylight saving time ends.

Workaround : None. (CSCsi86485)

• If daylight saving time is enabled using theset summertime recurring command on a switch withactive and standby supervisor engines, and daylight saving time ends after a switchover hasoccurred, the time displayed by the new active supervisor engine changes to one hour earlieHowever, the year value used to calculate the start and end dates for daylight saving time doincrement.

Workaround : None. (CSCsi89867)


OL-1982-25


nd aort.

totheand

ine if

8):

• You cannot configure primary or secondary multiple PVLANs on the switch console.

Workaround: To configure more than one PVLAN, you must configure them one at a time.(CSCsi92247)

Resolved Caveats in Software Release 7.6(21)This section describes resolved caveats in supervisor engine software release 7.6(21):

• When you change the root port of an edge switch with uplinkfast, the channel port cannot seTCN trap. If you do not use the channel port, the software will send a TCN trap to only one pThe following conditions must be present for this situation to occur:

– The STP mode is MISTP

– Uplinkfast is used

CatOS 7.1(1) and 7.6(3) or later experiences the same behavior.

Workaround: None.

This problem is resolved in software release 8.6(1). (CSCed52709)

• A VLAN value might not be returned for NAM and IDS module ports.

This problem is resolved in software release 7.6(21). (CSCin51922)

• The URL-redirect string in a policy is not accepting “?”.

Workaround : Set editing disable.

This problem is resolved in software release 7.6(21). (CSCse29446)

• The output of theshow logging buffer command displays some messages that do not conformthe standard message format. The messages include a date/time stamp at the beginning of message. This situation prevents some syslog servers from correctly interpreting messages notifying customers when necessary.

Workaround: None.

This problem is resolved in software release 7.6(21). (CSCsh86516)

• When you use theset summertime datecommand to enable a change to daylight saving time(during the summertime), the switch may reset (or switch over to the standby supervisor engone is present) when the end of daylight saving time is reached.

This problem is resolved in software release 7.6(21). (CSCsi00968)






OL-1982-25


occur.

e port

theityor

l stay

n

ode.

to the

ation

n

ode.

• When a standby supervisor engine is rebooted because of an exception, some packet loss may

Workaround : Disable the set test diaglevel bypass diagnostic test.


• With QoS, you might see policer configuration corruption after filling the aggregate policer table.

This problem is resolved in software release 7.6(20).(CSCec42270)

• When enabling both portfast and BPDU-guard on a port on a Catalyst 6000 series switch, thdoes not go into errdisable status.

Workaround: Enable BPDU guard on the access port.

This problem is resolved in software release 7.6(20). (CSCsd94558)

• On a Catalyst 6000 Multilayer Switch Feature Card (MSFC), the router MAC stays present incam table after creation and deletion of a Layer-3 VLAN interface. This can cause connectivproblems when that MAC address needs to be learned elsewhere (for example, on a firewall content switch module).

Workaround: Reset the switch to clear the MAC address.

This problem is resolved in software release 7.6(20). (CSCei27809)

• When loopguard has been enabled, there are some situations in which both sides of a link wilin a loop-inconsistent state if Rapid-PVST is used and the root bridge gets removed from thenetwork or changes its priority.

Workaround: Disable loopguard on the designated side of the link.


• The output of ashow vtp domain command will show as a negative value once the configuratiorevision is higher than 0x7FFFFFFF (2147483647).

Workaround: To clear the parser error, perform one of the following tasks:

1. Change the VTP mode from server mode to transparent mode and then back to server m

2. Change the VTP domain name from its current name to a different name and then back original name.

3. Reload the switch.


• On a Catalyst 6000 MSFC, the router MAC address stays present in the CAM table after creand deletion of a Layer-3 VLAN interface. This can cause connectivity issues when the MACaddress needs to be learned elsewhere.

Workaround: Reset the switch to clear the MAC address.

This problem is resolved in software release 7.6(20). (CSCei27809)

• The output of ashow vtp domaincommand will be a negative value once the configuration revisiois higher than 0x7FFFFFFF (2147483647).

Workaround: Perform one of the following tasks:

– Change the VTP mode from server mode to transparent mode and then back to server m


OL-1982-25


to the

ter a

ble.

l staywork

port

ander

al

ode.

to the

out.

erate

– Change the VTP domain name from its current name to a different name and then back original name.

– Reset the switch.


• When using a WS-X6K-S1A-2GE switching module on CatOS release 7.6.9 or 8.3.1, if you enshow count supervisor command the cli will display the following error message:

***** Available only on Earl5 supervisors *****.

Upon entering aclear counter supervisorcommand, the supervisor engine will then failover if ina redundant configuration or reload.

Workaround: Do not enter theclear count supervisorcommand on a supervisor engine without aPFC installed.

This problem is resolved in software release 7.6(20). (CSCsg68051)

• With QoS, you might see policer configuration corruption after filling the aggregate policer ta

This problem is resolved in software release 7.6(20).(CSCec42270)

• When loopguard has been enabled, there are some situations in which both sides of a link wilin loop-inconsistent state if rapid PVST is used and the root bridge gets removed from the netor changes its priority.

Workaround: Disable loopguard on the designated side of the link.


• When enabling both portfast and bpdu-guard on a port on a Catalyst 6000 series switch, thedoes not go into errdisable status.

Workaround: Enable BPDU guard on the access port.


• On switches with a Supervisor Engine 2 and MSFC 2 that are running hybrid software (CatOSMSFC IOS), the supervisor engine might crash due to a Watchdog Timeout on the AclManagshortly after a large RACL (contain 2,000 or more ACEs) is applied to one of the switch virtuinterfaces (SVIs) on the MSFC.

Workaround: None.


• The output of ashow vtp domain command will be displayed as a negative value once theconfiguration revision is higher than 0x7FFFFFFF (2147483647).

Workaround: To clear the parser error, perform one of the following tasks:

– Change the VTP mode from server mode to transparent mode and then back to server m

– Change the VTP domain name from its current name to a different name and then back original name.

– Reload the switch.


• The syslog may send out multiple duplicate traps for the traps which have already been sent

This problem is resolved in software release 7.6(20). (CSCsg80406)

• Starting in calendar year 2007, daylight savings summertime rules may cause CatOS to gentimestamps (such as in syslog messages) that are off by one hour.


OL-1982-25


te

er

You

8):

thee.

Workaround: Use theset summertimecommand to manually configure the start date and end dafor daylight savings time. Enter the following commands:

Console> (enable) set summertime enable PDTSummertime is enabled and set to 'PDT' Start : Sun Mar 11 2007, 02:00:00 End : Sun Nov 4 2007, 02:00:00 Offset: 60 minutes Recurring: yes, starting at 02:00am of second Sunday of March and ending on 0.Console> (enable) set summertime recurring second Sunday March 02:00 first SundayNovember 02:00 60Summertime is enabled and set to 'PDT' Start : Sun Mar 11 2007, 02:00:00 End : Sun Nov 4 2007, 02:00:00 Offset: 60 minutes Recurring: yes, starting at 02:00am of second Sunday of March and ending on 0.Console> (enable)

Note This example specifies the United States Pacific time zone.

This workaround will not work if the time in the configuration is modified to a date before Novemb6, 2006. The limitation is not present while upgrading.


• You can disable the summertime setting by using theset summertime disablecommand when youare actually in summertime. This command will cause the clock to be set back to offset time.can define the offset by using theset summertime recurring command or the offset will be set toa default of 60 minutes. (CSCsh11577)





Open Caveats in Software Release 7.6(19)There are no open caveats in supervisor engine software release 7.6(19).


• A Catalyst 6509 containing a WS-X6524-100FX-MM module may experience an issue wheremodule interfaces are receiving traffic but the number of transmitted frames does not increas

Workaround: Reset the module to correct this issue. (CSCse81638)


OL-1982-25


y

hen

low:

8):

thee port

or

)

the

ules:

• A Catalyst 6500 series switch running Catalyst operating system release 7.6(14) or later maunexpectedly reload due to a TLB exception.

Workaround: None. (CSCsb91548)

• When you initiate and abort a format of a flash card on any standby supervisor engine, and tattempt to view a directory listing, the standby supervisor engine’s file system locks, the diskbecomes inaccessible, and you see a “Try again later” message as shown in the example be

Console> (enable) dir 1/disk0:File system in use (2). Try again later.

Workaround: Reset the supervisor.






• With 802.1X authentication, if a high-availability switchover occurs during an authentication after switchover completes, single authentication and port security are in the authenticated state, but thmight not get added to spanning tree. If this situation occurs, then the port would not receive ColBlocking Logic (CBLs) or Local Targeting Logic (LTLs). Theshow port security command showsthat the port MAC address is secured but no MAC address is in the CAM table. (CSCin20244


• With PAgP mode set to “on,” you might not be able to map a QoS ACL to a channel port whenport’s status is “not connected.” An example of the problem is as follows:

Console> (enable) set qos acl map test-qos 3/9Transient error. Port state in transition. Please retry command. Failed to map ACLtest-qos to port 3/9.Console> (enable)

Workaround : Use one of the following workarounds:

– Map the QoS ACL to the port before configuring the channel.

– Change the PAgP mode to either auto or desirable.

– Map the QoS ACL only to ports with a status of “connected.”

This problem is resolved in software release 7.6(18). (CSCdz89506)

• In rare circumstances, you might see the following behavior with the WS-X6324-100FX mod


OL-1982-25


).

lemse

)

the

ge

em is

ped

in

– Port counters indicate packets received and transmitted.

– No CDP neighbors are seen on the switch on ports of the affected module.

– No MAC addresses are learned on ports of the affected module.

– All incoming (receive) traffic on all ports is lost.

– Transmit traffic is working.

Workaround : Reset the affected module. This problem is resolved in software release 7.6(18(CSCeg60285)

• On a Supervisor Engine 2/MSFC2 with PFC hardware version 2.0, you might see high CPUutilization after committing a large VACL that results in spanning tree recalculations. This probis not seen with PFC hardware version 1.0 or 1.3. This problem is resolved in software relea7.6(18). (CSCeh37782)

• The supervisor engine might reset when you specify a large number of ports using theset portauxiliaryvlan command. This problem is resolved in software release 7.6(18). (CSCsd30799

• The MIB object vlanTrunkPortTable displays the wrong values for channel trunk interfaces invlanTrunkPortTable. This problem is resolved in software release 7.6(18). (CSCsd63741)

• On a switch with high availability enabled and Rapid PVST+, the switch might display a root bridID of 0/00-00-00-00-00-00 after a supervisor engine switchover.

Workaround 1 : Run PVST+ instead of Rapid PVST+.

Workaround 2 : Disable high availability using theset system highavailability disablecommand.This problem is resolved in software release 7.6(18). (CSCsd69668)

• The supervisor engine might fail over with the following error message:

Last Exception occurred on [ date ] ...Software version = 6.4(18)Error Msg:PID = 35 cdpdtimerEPC: 806F1670

The supervisor engine appears to be operating normally when this problem occurs. This problresolved in software release 7.6(18). (CSCsd35254)

• If you have mapped a large amount of QoS ACLs in the system (for example, 500 ACLs mapto 500 different VLANs), processing commands such aswrite mem, show running-config,show startup-config, write terminal , write net, might take up to 20 minutes to complete.This problem affects all releases of the Catalyst operating system. This problem is resolved software release 7.6(18). (CSCdw40857)


OL-1982-25


7):

thee port

or

)

withlem

ts in

ly

seen

ork.







• Disabling one port in an EtherChannel removes the entire channel from STP. This problem occursMISTP and MST modes only; there is no problem with PVST+ and Rapid PVST+ modes. This probis found in software releases 7.6(12) and later releases.

Workaround: When one of the ports in the channel goes down, disable and enable all the porthe channel. This problem is resolved in software release 7.6(17). (CSCsc34494)

• After a high-availability switchover, you might experience a MISTP reconvergence on the newactive supervisor engine and the following message may display:

2005 Sep 09 16:00:49 JST +09:00 %SPANTREE-2-SWOVER_TOOLONG: switchover took too muchtime. All STP ports restarted.

This problem is resolved in software release 7.6(17). (CSCej37841)

• Theshow trunk command displays regular VLANs although allowed VLANs were defined. Thisproblem is resolved in software release 7.6(17). (CSCsc30173)

• After doing a supervisor engine switchover, the default IP route is not cleared. This problem isunder the following conditions:

1) On the active (slot 1) supervisor engine, configure two default routes.

2) On the active (slot 1) supervisor engine, enter theswitch supervisor command.

3) On the newly active (slot 2) supervisor engine, enter theclear config all command.

4) On the active (slot 2) supervisor engine, add a route to an external network to ping the netw

4) On the active (slot 2) supervisor engine, enter theswitch supervisor command.

5) On the newly active (slot 1) supervisor engine, the default IP route is still there.

Workaround: Manually clear the default IP route on the slot 1 supervisor engine. This problem isresolved in software release 7.6(17). (CSCei04333)

• A switch running MST with high availability enabled might have stalled root information andmistakenly reuse the root information.


OL-1982-25


bled

f

hetion.

not be

Workaround: Disable high availability.This problem is resolved in software release 7.6(17).(CSCsc37456)

• You might experience a TLB (Load/Fetch) exception during booting when the Layer 3 cache is disaand the diagnostic level is set to complete.

Workaround: Enable the Layer 3 cache or set the diagnostic level to minimal or bypass instead ocomplete.This problem is resolved in software release 7.6(17). (CSCsc91179)

• The switch might fail to forward multicast traffic. This problem is resolved in softwarerelease 7.6(17). (CSCsc75774)

• The supervisor engine might crash after accepting numerous SSH login attempts.This problem isresolved in software release 7.6(17). (CSCsc01175)

• Adding a VLAN to the FWSM may cause inconsistencies in allowed and trunked VLANs. After tFWSM is reset, ports in the FWSM PortChannel might errdisable due to a channel misconfiguraWhen this problem occurs, the following is displayed:

%DTP-5-TRUNKPORTON:Port 4/1 has become dot1q trunk %SYS-3-MOD_PORTINTFINSYNC:PortInterface in sync for Module 4 %ETHC-5-PORTTOSTP:Port 4/1 joined bridge port 4/1-6%DTP-5-TRUNKPORTON:Port 4/2 has become dot1q trunk %DTP-5-TRUNKPORTON:Port 4/3 hasbecome dot1q trunk %DTP-5-TRUNKPORTON:Port 4/4 has become dot1q trunk%DTP-5-TRUNKPORTON:Port 4/5 has become dot1q trunk %ETHC-3-ONMODEFAIL:Port 4/5errdisabled, ON mode attributes mismatch %DTP-5-TRUNKPORTON:Port 4/6 has become dot1qtrunk %ETHC-3-ONMODEFAIL:Port 4/6 errdisabled, ON mode attributes mismatch%ETHC-5-PORTTOSTP:Port 4/2 joined bridge port 4/1-6 %ETHC-5-PORTTOSTP:Port 4/3 joinedbridge port 4/1-6 %ETHC-5-PORTTOSTP:Port 4/4 joined bridge port 4/1-6%DTP-5-NONTRUNKPORTON:Port 4/5 has become non-trunk %DTP-5-NONTRUNKPORTON:Port 4/6 hasbecome non-trunk

Workaround: Manually add/delete the VLANs to the individual ports.This problem is resolved insoftware release 7.6(17).(CSCsd15946)

• After a switchover in a redundant system, a syslog message configured to be sent as a trap maysent as a trap.This problem is resolved in software release 7.6(17).(CSCsd23319)


OL-1982-25


6):

s withlem

ts in

thee port

or

)

g anPF,move

ches,s:

CMACThis

gy

to

f





• Disabling one port in an EtherChannel removes the entire channel from STP. This problems occurMISTP and MST modes only; there is no problem with PVST+ and Rapid PVST+ modes. This probis found in software releases 7.6(12) and later releases.

Workaround: When one of the ports in the channel goes down, disable and enable all the porthe channel. (CSCsc34494)



• With redundant supervisor engines/MSFCs, MSFCs configured in DRM with both MSFCs usinadministered MAC address on the VLAN interface, and MSFCs configured with HSRP and OSthere is no problem as long as both supervisor engines remain in the same chassis. If you rethe standby supervisor engine and install it in another chassis with a link between the two swityou lose unicast communication between the MSFCs, as evidenced by the following problem

– Cannot ping between the physical IP addresses

– OSPF does not come up

– Problems with HSRP

When you enter theshow cam system command on the initial chassis, you can see that the MAaddress configured on the removed MSFC still points to port 16/1. As soon as the administeredaddress is removed from the VLAN interfaces on the removed MSFC, communication returns.problem is resolved in software release 7.6(16). (CSCed20984)

• Not all MST topology change events (TCs) are counted in theshow spantreemod/portmst instancecommand output. The TCs are needed to determine the source and track the count of topolochanges to troubleshoot excessive flooding.This problem is resolved in software release 7.6(16).(CSCsb11469)

• After entering the set ip unreachable disable command, “destination unreachable” replies continue be output from the switch. This problem is resolved in software release 7.6(16). (CSCsb56969)

• In Rapid PVST+ mode, BPDUs might be sent with an incorrect age (1/256 of a second, instead o1 second).This problem is resolved in software release 7.6(16). (CSCsc77642)


OL-1982-25


5):

thee port

or

)

itches-TX

on

ved







• The NAM might not be able to communicate with the supervisor engine if only SNMP extendedcommunity strings are configured on the switch.

Workaround: Configure the primary SNMP string.This problem is resolved in softwarerelease 7.6(15). (CSCeh12102)

• Removing a private VLAN from a promiscuous port using theclear pvlan mapping primary-vlansecondary-vlan mod/port command breaks connectivity on that promiscuous port for all othermapped secondary VLANs. This problem has been seen with a Supervisor Engine 1A on swrunning software release 7.6(11) and later releases with ports configured on the WS-X6148-GEmodule.

Workaround: To restore connectivity, add back the VLAN mapping. This problem is resolved insoftware release 7.6(15). (CSCeh51722)

• After a reset, you might not be able to send traffic to the MSFC through a bridged VLAN.This problemis resolved in software release 7.6(15). (CSCei55044)

• An access list created by theset snmp access-listcommand might not appear in the output of theshowrunning config andshow config commands.This problem is resolved in software release 7.6(15).(CSCej06964)

• When theswitch supervisor command is entered while the system is receiving the SNMP get ofcaqAggPolicerPackets, the standby supervisor engine might crash and fail to take over.This problem isresolved in software release 7.6(15). (CSCsb24936)

• CBL might be disabled after adding a new VLAN on a trunk port resulting in a loss of connectivitythe new VLAN.This problem is resolved in software release7.6(15). (CSCsb86395)

• After a period of time, the Supervisor Engine 1A might drop multicast traffic. This problem is resolin software release 7.6(15). (CSCsb55180)

• In rare circumstances, the switch might crash when theshow qos acl info runtimeacl_namecommandis run a large number of times in a script.This problem is resolved in software release 7.6(15).(CSCea16823)


OL-1982-25


arengedtree

T+.

the

nedvisorAC lot of

ll be

itch.

4):

thee port

or

)

• Under very rare and undetermined conditions, with a WS-X6K-SUP2-2GE module and softwrelease 7.6(6), you might experience a condition in which the CAM aging time cannot be chafrom the default value of 300 seconds. This lock condition is possibly triggered by a spanningtopology change at the same time that theset cam agingtimevlan valuecommand is entered. Thelock condition might also be the result of migrating from PVST+ to Rapid PVST+.

Workaround: Reload the switch or revert momentarily to PVST+ and then back to Rapid PVSThis problem is resolved in software release 7.6(15). (CSCef29999 )

• On a switch running software release 7.6(7), applying the patch/fix for FN29407 fails and reloadsswitch instead of just the module(s) that the fix should be applied to.This problem is resolved insoftware release 7.6(15). (CSCei63548)

• You might experience a TLB exceptionwhen committing a VACL with approximately 278 or morelines.This problem is resolved in software release 7.6(15). (CSCej06637)

• With a Supervisor Engine 2, if a situation occurs where the same MAC address is being learmany times in a short period (a typical case would be a Layer 2 spanning tree loop), the superengine might crash. Probable scenarios where this situation might occur are: 1) When the Mmove notification is enabled. 2) When aging has been set to the minimum (5 seconds) and aentries are being aged out. 3) When the CAM monitor is turned on.

This problem is resolved in software release 7.6(15). (CSCej08098)

• With IGMP snooping enabled and no router ports configured, all Layer 2 multicast entries wicleared in a particular VLAN if any of the ports in that VLAN go up and down. The Layer 2multicast entries will be cleared only when there is no multicast router port configured on the sw

Workaround: Create a multicast router port, either dynamically or statically.This problem is resolvedin software release 7.6(15). (CSCsb95715)







OL-1982-25


tree

t be

y aroup of

orts

ight

eoutscomesis

y ite

till


• With a Supervisor Engine 2, if MAC address move notification is turned on and a Layer 2 spanningloop is created, the switch might crash.This problem is resolved in software release 7.6(14).(CSCeg47768)

• With a Supervisor Engine 1 or Supervisor Engine 2, the configuration information for SPAN mighlost when the switch is reset after entering theclear config all command followed by theset spancommand. This problem has been seen with the following hardware/software:

– WS-X6K-SUP1A-2GE/software release 6.1(2)



– WS-X6K-SUP2-2GE/software release 6.1(3)





This problem is resolved in software release7.6(14). (CSCsb40859)

• The “out discard” counter on the WS-X6148-GE-TX and WS-X6548-GE-TX modules might displazero count when a port is oversubscribed. This problem happens when the aggregate rate of a geight ports exceeds 1 Gbps.

Workaround: There is no per-port counter for these drops. There is a counter for the group of eight pthat can be seen by entering theshow qos statistics command.This problem is resolved in softwarerelease 7.6(14). (CSCeh81280)

• In rare circumstances with a Supervisor Engine 2 and UDLD and high availability enabled, you msee a unidirectional link after a high-availability switchover.This problem is resolved in softwarerelease 7.6(14). (CSCei12152)

• The slot 16 MSFC might boot up faster than the slot 15 MSFC.When SPAN is configured and anFWSM is present in the system, the MSFC roles are reversed duringbootup. This behavior is causedbecause the FWSM does not respond to SCP SPAN messages during its bootup. The resulting timand retries in the supervisor engine change the timing of the bootup sequence, and the MSFC 16 bethe designated router. Fixes were first committed for this problem in software release 7.6(13). Thproblem is resolved in software release 7.6(14).(CSCeh91972)

• With a WS-X6101-OC12-SMF/MMF ATM module, you might not be able to copy the ATM moduleimage directly to the ATM module bootflash using TFTP.

Workaround: Copy the ATM module image onto the supervisor engine bootflash and then copto the ATM module bootflash from the supervisor engine. This problem is resolved in softwarrelease 7.6(14). (CSCin81645)

• With a Supervisor Engine 2/MSFC2, unicast reverse path forwarding might not work properly formultipath routes after reverse path forwarding is disabled on certain VLANs while other VLANs shave reverse path forwarding enabled.

Workaround: Disable all reverse path forwarding-enabled VLANs and then enable them.This problemis resolved in software release 7.6(14). (CSCin86197)


OL-1982-25


3):

thee port

or

)

ress

gured

ot

e the

isor







• With 802.1X authentication, when a configured supplicant logs off, the supplicant’s MAC addis removed from the configured list. This problem is resolved in software release 7.6(13).(CSCin25663)

• You might not get a response to an SNMP client getmany request when the sc1 interface is confiand the sc0 interface is up but is not configured with an IP address. The problem is seen with thefollowing configuration:

1) The sc1 interface is configured with a valid IP address and the sc0 interface is up but is nconfigured with an IP address.

2) The SNMP client getmany request is issued but there is no response because no route isconfigured.

3) The host route is configured but the getmany request still fails.

Workaround: Configure the sc0 interface to “down.” This problem is resolved in softwarerelease 7.6(13). (CSCed70000)

• The time stamp displayed using theshow cam notification history command reflects the SNMPsysUptime. The uptime is displayed as the number of 10-ms increments that have occurred sincsystem came up. This representation is not very user friendly when used within a CLI.This problem isresolved in software release 7.6(13). (CSCef96946)

• The SNMP “snmpdm” process is sleeping after running for a long time.This problem is resolved insoftware release 7.6(13). (CSCeg64313)

• A switching module’s port cost values might not synchronize correctly with the standby supervengine after the following configuration steps are performed on the switching module:

– UplinkFast is enabled.

– The module’s configuration is cleared.

The problem is seen regardless of the spanning-tree mode. This problem is resolved in softwarerelease 7.6(13). (CSCeg78210)


OL-1982-25


ther

er to

theent.g a

hen

re

ertlythe

f

wn

y is

ingning haspulledit isrmally.

• The switch might not return the values of the cseL2ForwardedLocalOctets MIB counter, although ocounters in the cseL2StatsEntry tree are correctly returned. This problem is resolved in softwarerelease 7.6(13). (CSCeh16351)

• When an indirect failure is introduced in the spanning tree topology causing the message age timexpire on the edge switches, UplinkFast does not get triggered if loop guard is configured.This problemis resolved in software release 7.6(13). (CSCeh19259)

• IEEE BPDUs may be sent from an 802.1Q trunk port even if the native VLAN is cleared fromtrunk. When the native VLAN on a trunk is cleared, the IEEE untagged BPDUs should not be sIf the trunk port reinitializes itself for any reason (such as disabling/enabling the trunk or doinmodule or switch reset), the trunk port may start to send IEEE untagged BPDUs.

Workaround: Add the native VLAN and clear it again as follows:

set trunk mod/port NativeVlan_ID

clear trunk mod/port NativeVlan_ID

This problem is resolved in software release 7.6(13). (CSCeh28209)

• FWSM ports that are channeling get turned off if you enter theset port channel all mode offcommand. To prevent the loss of channeling for the FWSM ports, perform the workaround.

Workaround: 1) Turn off the channeling using the module-specificset port channelmod/ports ...mode off) command instead of using theall keyword. 2) Clear the FWSM configuration and reset theswitch.This problem is resolved in software release 7.6(13). (CSCeh33181)

• MSFC autostate does not work properly when NAM or IDSM modules get powered down or wthe NAM/IDSM management port is the first forwarding port on a VLAN.

Workaround: Manually clear VLANs from trunks to the NAM/IDSM to ensure that these ports anot unnecessarily part of VLANs.This problem is resolved in software release 7.6(13). (CSCeh50560)

• Theset ip default next-hopstatement for policy-based routing (PBR) may forward incorrectly afta supervisor engine failover with single-router mode (SRM). The route map will forward correcwhen initially configured. The problem occurs only after a supervisor engine failover and only ifroute map has theset ip default next-hop command. After a failover, the traffic that matches theaccess list that corresponds with thedefault next-hop command and that has the destination IP oa known network in the routing table, may be forwarded to the IP address configured in theset ipdefault next-hop command. This behavior is incorrect as the destination network would be knoand the traffic should be forwarded through the routing table.

Workaround: You can clear this problem immediately by using theclear ip route * command on thedesignated MSFC. Note that this problem is only observed when using theset ip default next-hopcommand. Theproblem is not seen when using theset ip next-hopcommand.This problem is resolvedin software release 7.6(13). (CSCeh63420)

• OSPF hello packets are not forwarded from the switching module to the MSFC on the standbsupervisor engine, which result in OSPF adjacencies going down on the MSFC. This problemobserved when the FPOE consistency checker is enabled.

Workaround: Disable the FPOE consistency checker. This problem is resolved in softwarerelease 7.6(13). (CSCeh74503)

• With high availability enabled, using one uplink from slot 1 and another uplink from slot 2, and runnrapid spanning tree, when slot 1 is pulled out, high availability makes slot 2 active, but rapid spantree convergence may fail to negotiate the correct port role on the remaining uplink. The problembeen seen only when one uplink is the root and the other is designated before the slot 1 module isout. If the uplink from slot 1 was the root port, and the uplink from slot 2 is the alternate (therefore,blocking, non-DESG), the problem is not observed and rapid spanning tree convergence occurs no


OL-1982-25


link

ed into

facerm

eoutscomes

timer

, the(13).

to the

the

Workaround: Design the network topology and/or tune the spanning tree port cost to make one upthe root port or designated port and the other uplink as the alternate port.This problem is resolved insoftware release 7.6(13). (CSCeh97436)

• With certain hardware configurations, because the MSFC loopback address may not be programmthe hardware CEF, packet loss and some routing protocols may be affected.

Workaround: Remove/reconfigure the loopback IP address.This problem is resolved in softwarerelease 7.6(13). (CSCei22583)

• The management interface on a switch (sc0) can be part of any VLAN. However, the NAM intercan only be part of VLAN 1. Because both interfaces need to be in the same VLAN for propecommunication, this NAM restriction limits the options for selecting a VLAN for sc0. This probleis resolved in software release 7.6(13). (CSCef50452)

• The slot 16 MSFC might boot up faster than the slot 15 MSFC.When SPAN is configured and anFWSM is present in the system, the MSFC roles are reversed duringbootup. This behavior is causedbecause the FWSM does not respond to SCP SPAN messages during its bootup. The resulting timand retries in the supervisor engine change the timing of the bootup sequence, and the MSFC 16 bethe designated router.This problem is resolved in software release 7.6(13). (CSCeh91972)

• When theset errordetection portcounters enable command is entered, you will see two SCP retriesevery 30 minutes.

Workaround: Enter theset errordetection portcounters disablecommand.This problem is resolvedin software release 7.6(13). (CSCei08970)

• In single authentication mode, an 802.1X port might not reauthenticate when the port security ageexpires. Also, the CAM entry is not getting installed in multihost mode even though the port isreauthenticated.This problem is resolved in software release 7.6(13). (CSCin91340)

• With an EtherChannel formed using ports on both the standby and active supervisor enginesswitchover time might take longer than normal. This problem is resolved in software release 7.6

Workaround: Use the ports in a module other than the supervisor engine for the EtherChannel.(CSCef00617)

• With a Supervisor Engine 2, you might see the following error message when copying an image 64-MB ATA Flash card:

SYS-5-SUP_IMGSYNC:File synchronization process will start in 2 secondsSYS-5-SUP_IMGSYNC:File synchronization process will start in 2 seconds

The message is displayed repeatedly until the image is fully copied.This problem is resolved insoftware release 7.6(13). (CSCsb15599)

• You might experience an exception when using CiscoWorks RME4.0 to pull information fromswitch. This problem is resolved in software release 7.6(13). (CSCsb18681)


OL-1982-25


2):

thee port

or

)

ress

andosticssages3(2).

SM,

re

ext

(12).






• With 802.1X authentication, when a configured supplicant logs off, the supplicant’s MAC addis removed from the configured list. (CSCin25663)


• With a Supervisor Engine 2 and a FWSM in slot 13 of a 13-slot chassis and with both SFM2spowered down, the FWSM fails online diagnostics (PC loopback) but passes the same tests comes online if the FWSM is reset after bootup. If the SFM2s are up, the module passes diagnand comes online. Although, if diagnostic traces are set to 1, there are still some failure mescoming out of TestKomodoPlusPorts. This problem is resolved in FWSM software release 2.(CSCed79483)

• With software release 7.6(12) and later releases, support for service modules (CSM, SSL, FWVPN, and so on) has been enhanced as follows:

– Service modules that pass traffic will now participate in spanning tree.

– PortFast and TrunkFast are enabled on the service modules by default.

– All STP parameters are configurable on these service modules.

– BPDU guard and BPDU filter are set as “default” by default on the service modules and auser-configurable. (CSCed73352)

• CMM ports might come up disabled and cannot be enabled. This problem usually occurs in tconfiguration mode with the default port status “disabled.”

Workaround: Enter theset default portstatus enablecommand, enter theset config mode binarycommand, and then reset the CMM module. This problem is resolved in software release 7.6(CSCee63050)


OL-1982-25


TX

(12).

e.

TP

is

ngedsode.

12).

ckets

is

en2.1X

nk,

2).

• In rare circumstances, a group of four ports (1-4, 5-8, 9-12, or 13-16) on the WS-X6516-GE-module may experience connectivity problems. If this problem occurs, the following syslogmessages might be seen:

%PM_SCP-SP-6-LCP_FW_ERR_INFORM: Module 4 is experiencing the following error:Pinnacle #0 Frames with Bad Packet CRC Error (PI_CI_S_PKTCRC_ERR - 0xC7) = 110

Workaround: Reset the module (hard reset). This problem is resolved in software release 7.6(CSCef46923)

• Theshow tech-supportcommand might display configured passwords in text configuration modThis problem is resolved in software release 7.6(12). (CSCeg17866)

• After uploading and downloading both default and nondefault configurations to and from a TFserver, the “set mmls nonrpf timer 10” entry might mistakenly appear in theshow config allcommand output as follows:

Console> (enable) show conf all/snip/#mmls nonrpfset mmls nonrpf enableset mmls nonrpf timer 60set mmls nonrpf window 10set mmls nonrpf timer 10 <--- should be interval

The second “set mmls nonrpf timer” entry should be “set mmls nonrpf interval.” This problemresolved in software release 7.6(12). (CSCeh20805)

• With redundant supervisor engines, the status and configuration of port 1/1 and port 2/1 is chaafter a switchover. The first supervisor engine port on the newly active supervisor engine getenabled even if the default is set to disable. This problem is only seen in text configuration m

Workaround: Use binary configuration mode. This problem is resolved in software release 7.6((CSCsa42331)

• With a Supervisor Engine 2 running software release 7.6(10), the switch could crash with aBreakpoint Exception when copying the configuration. This problem is resolved in softwarerelease 7.6(12). (CSCeg53997)

• When 802.1X is enabled on a port that has an IP phone connected, multicast music-on-hold pado not get forwarded out of the switch port to the IP phone.

Workaround: Disable 802.1X on the switch port where the IP phone is connected. This problemresolved in software release 7.6(12). (CSCeg79376)

• With 802.1X, when a host is connected through a hub to a multiple authentication port and thmoved to a single authentication port, the single authentication port is shut down due to an 80security violation and the following syslog is displayed:

%SECURITY-1-DOT1X_PORT_SHUTDOWN:DOT1X: port [n/m] shutdown because of dot1x securityviolation by [MAC address of HOST]

This problem is resolved in software release 7.6(12). (CSCeh22145)

• In software release 7.6(12) only, when the native VLAN other than VLAN 1 is cleared from a truDTP is not able to form a trunk.

Workaround: Do not clear the native VLAN. This problem is resolved in software release 7.6(1(CSCeh24071)


OL-1982-25


shuta link

)

ng inredthe

hentothese+

hich

ot(12).

ationlved

se theftware

Thisthe

dule

e

ote

012

tion

ntrol

• With LACP only, if you have EtherChannel ports that span across multiple modules and you down a module that has one of the EtherChannel ports, the EtherChannel continues hashing tothat now does not exist. This problem is resolved in software release 7.6(12). (CSCeh43106

• In rare occurrences, when a root switch is running Rapid PVST+ and a second switch is runniPVST+ mode, if a VLAN is added to the second switch and if the VLAN had been preconfigufor quite some time on the root switch, the second switch might receive malformed BPDUs fromroot switch for that VLAN and the secondary root switch might not receive any BPDUs from troot switch on that particular VLAN. This behavior results in ports on the second switch going iforwarding mode causing a spanning tree loop. The loop may cause high CPU utilization on switches. This problem is seen only when adding a VLAN to a switch that is running in PVSTmode and only if the VLAN had been preconfigured for quite some time on the root switch wis running Rapid PVST+.

Workaround: Remove the VLAN from all switches, add it again to all switches, and then rebothe root switch or the secondary root switch. This problem is resolved in software release 7.6(CSCeh53054)

• When the management VLAN for the sc0 or sc1 interfaces is changed in MST, the local associis lost for the old management VLAN even though it contains access ports. This problem is resoin software release 7.6(12). (CSCsa43581)

• Disaster recovery cannot be done for CMM modules from the Catalyst operating system becaucommands that are documented are not available to end users. This problem is resolved in sorelease 7.6(12) and later releases through the following commands:

– set poll {enable | disable}

Use this command to enable or disable system polling. System polling is enabled by default.command allows you to enable or disable polling on the entire system. When set to disable, supervisor engine stops polling all the modules in the chassis. Use the show poll command todisplay polling status.

– set module power {up | down} mod_num [pm_option]

This command is used for setting the power management bit to do disaster recovery. Thepm_optionis set to zero by default. This command allows you to set the power management bit for the moon which disaster recovery needs to be done. Setting the power management bit triggers thedownload mechanism (downloading an image from the supervisor engine Flash memory to thCMM) every time that the CMM is reset. Refer to the CMM disaster recovery section in theCatalyst 6500 Series Switch and Cisco 7600 Series Router CMM Installation and Verification Nat this URL:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/78_14107.htm#wp278

(CSCee06730)

• Using 802.1X, simultaneous authentications might fail. This problem is resolved in softwarerelease 7.6(12). (CSCeh52596)

• The Telnet access denied message includes “retry” timer information. The retry timer informahas been removed in software release 7.6(12). (CSCeh18221)

• If the sc1 inband interface receives excessive broadcasts, you might experience a loss of copackets. This problem is resolved in software release 7.6(12). (CSCsa47028)


OL-1982-25

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/78_14107.htm#wp278012


1):

thee port

or

)

ress

andosticssages

e, theight in

ed

, the

the

eaves

lem







• With a Supervisor Engine 2 and a FWSM in slot 13 of a 13-slot chassis and with both SFM2spowered down, the FWSM fails online diagnostics (PC loopback) but passes the same tests comes online if the FWSM is reset after bootup. If the SFM2s are up, the module passes diagnand comes online. Although, if diagnostic traces are set to 1, there are still some failure mescoming out of TestKomodoPlusPorts. (CSCed79483)


• If you have a configured startup file with the boot environment variable CONFIG_FILE set, thstartup file might be read before the modules in the switch are completely online. As a resultconfiguration for the modules specified in the startup file is lost. In some cases, the switch mstill boot correctly if the diagnostic level is changed to a lower level. This problem is resolvedsoftware release 7.6(11). (CSCec08789)

• The T1, E1, and FXS voice modules may not come online in text configuration mode.

Workaround: Manually reset the module after the switch fully boots up. This problem is resolvin software release 7.6(11). (CSCed12999)

• With dual Supervisor Engine 2s and dual WS-6500-SFM modules running in truncated modeWS-X6516-GBIC module might fail to receive multicast traffic. The switch can send multicasttraffic and there is no problem with unicast traffic on the problem port.

Workaround: Force the system to run in bus-only mode, or use a single supervisor engine inchassis. This problem is resolved in software release 7.6(11). (CSCee13437)

• In a two-port EtherChannel, when the second port is added to the EtherChannel, the first port land then rejoins the EtherChannel (this leaving and rejoining occurs twice).

Workaround: The problem does not occur if the EtherChannel mode is set to “on.” This probis resolved in software release 7.6(11). (CSCee76807)


OL-1982-25


does

theON

t”

ed to

orteinged in

f the

nds.

ess6020)

youru seeechotus.

an

tencyng

pped

RP

• In rare circumstances, when versioning up or down to a different software release, the switchnot boot with the software that is configured to boot.

Workarounds: 1) Verify the bootstring and reset the system one more time. 2) After the reset, ifswitch is booting with the wrong image, break the autoboot process and enter into the ROMMmode by sending a Break. From ROMMON, execute theboot command to boot the switch with thecorrect image. This problem is resolved in software release 7.6(11). (CSCef43494)

• Out-Discard and Rcv-Octet counters increment on GBIC ports that are showing a “notconnecstatus. This problem is resolved in software release 7.6(11). (CSCeg48512)

• FPOE LTLs might not be set correctly. In software release 7.6(11) a new feature has been addautomatically correct FPOE errors. (CSCed72434)

• With a Supervisor Engine 2/MSFC2, a MST BPDU might not be generated when a blocking pforms a channel and moves to forwarding state. This behavior results in the CAM table not bflushed at the other end of the link which causes a communication loss. This problem is resolvsoftware release 7.6(11). (CSCee08366)

• With port security enabled on a port, if the port goes up and down during the programming osecure MAC address, you will lose connectivity. This problem is resolved in softwarerelease 7.6(11). (CSCef06707)

• You might see a VTP pruning failure with spanning tree PortFast enabled.This problem is resolved insoftware release 7.6(11). (CSCef86022)

• If a port in a Gigabit EtherChannel goes down, you might experience packet loss for 5 or 6 secoThis problem is resolved in software release 7.6(11). (CSCeg28124)

• With port security, when a port is shut down due to a security violation, the offending MAC addris not displayed in the syslog. This problem is resolved in software release 7.6(11). (CSCeg7

• You might experience a problem with an SSH login. The login prompt appears and you enterlogin name and get a password login prompt. After entering the password, there is no reply; yoa blank line and pressing Enter again does nothing. If you try to enter a command, there is noon the screenbut the output from the command is displayed on the screen. This problem is noaffecting the ability of the switch to function correctly. Once the problem happens, it is continuoLogging off and back on does not clear the problem. You must reboot the switch to clear theproblem. If you attempt an SSH login on an affected switch and it fails, you can immediately doSSH login to an unaffected switch from the same session without a problem. This problem isresolved in software release 7.6(11). (CSCef54438)

• Under certain conditions, such as bringing up the standby supervisor engine, the FPOE consischecker might be disabled even though the active supervisor engine had consistency checkienabled before the switchover. This problem is resolved in software release 7.6(11). (CSCeg64212)

• With a Supervisor Engine 2, packets with an unresolved destination MAC address may be droinstead of being forwarded to the MSFC for the triggering of ARP requests.

Workarounds: 1) Ping the destination from the supervisor engine or the MSFC. 2) Add a static Aentry on the MSFC. This problem is resolved in software release 7.6(11). (CSCeg73090)

• With certain topologies where 802.1X is being used and UplinkFast is enabled, you mightexperience a transient loop that could affect the passing of traffic on 802.1X-enabled ports.

Workaround: Disable UplinkFast. This problem is resolved in software release 7.6(11).(CSCeg75736)


OL-1982-25


thesent.nd

m

erent

annelts on

hattolly)

ed

ight

ctive

t the

uired.

• An IEEE BPDU may be sent from an 802.1Q trunk port even if the native VLAN is cleared fromtrunk. When the native VLAN on a trunk is cleared, the IEEE untagged BPDU should not be If the trunk port reinitializes itself for any reason (such as disabling/enabling, module reset, aswitch reset), the trunk port may start to send IEEE untagged BPDUs.

Workaround: Add the native VLAN and clear it again as follows:

1) set trunk mod/port NativeVlan_ID

2) clear trunk mod/port NativeVlan_ID

This problem is resolved in software release 7.6(11). (CSCeg29195)

• In software release 7.6(11), the number of TCP-established sessions has been increased fro64 to 128. (CSCeg85630)

• The switch may not be able to communicate with a connected device on a secure port in a diffVLAN. This problem does not impact the other traffic of the connected devices.

Workaround: Disable port security on desired ports using theset port security mod/portdisablecommand. This problem is resolved in software release 7.6(11). (CSCeg71622)

• When a Supervisor Engine 2 has an EtherChannel configured in “desirable mode,” the EtherChmight randomly unbundle due to PAgP corruption. This problem is seen only when voice porthe WS-X6608 modules are going up and down.

Workaround: Configure the trunking and EtherChannel modes to “on.” We also recommend tyou enable UDLD on all trunks in the EtherChannel on both switches. Doing this allows you monitor and detect any unidirectional links that “desirable mode” EtherChannel would normadetect and recover from. This problem is resolved in software release 7.6(11). (CSCeg78848

• After a supervisor engine switchover, if you add a VLAN to a trunk port, the VLAN is not displayin the “Vlans in spanning tree forwarding state and not pruned” field of theshow trunk command.This problem is resolved in software release 7.6(11). (CSCeg47658)

• If you use theshow trunk [mod[/port]] extended-rangecommand, the system might display all theports without releasing the CPU for other processes. During this period, BPDU processing mstop. This problem is resolved in software release 7.6(11). (CSCeg73646)

• The MIB object “snmpEngineTime” does not report the correct value if the SNMP engine has been afor more than 496 days. This problem is resolved in software release 7.6(11). (CSCeg61577)

• In rare circumstances, the switch might crash if you have a WS-X6608-T1 module and you resegateway from the Cisco CallManager server.This problem is resolved in software release 7.6(11).(CSCeg72089)

• WS-X6548-GE-TX module ports that are hard coded to “100-full” speed might show“not-connected” after a reboot either due to a power cycling or upgrade where a reload is req

Workaround: On the problem port, enter theset port disable command followed by theset portenable command. You might have to do this more than once. Sometimes rebooting the switchcorrects the problem. This problem is resolved in software release 7.6(11). (CSCeg31700)


OL-1982-25


0):

estart

e, theight

thee port

or

)

ress

andosticssages

ted at

ndhemay





• When port security is enabled with a large number of secure addresses, spanning tree might rafter a high-availability switchover. (CSCdy24582)

Note This problem is not seen in any later software releases.

• If you have a configured startup file with the boot environment variable CONFIG_FILE set, thstartup file might be read before the modules in the switch are completely online. As a resultconfiguration for the modules specified in the startup file is lost. In some cases, the switch mstill boot correctly if the diagnostic level is changed to a lower level. (CSCec08789)



• With a Supervisor Engine 2 and a FWSM in slot 13 of a 13-slot chassis and with both SFM2spowered down, the FWSM fails online diagnostics (PC loopback) but passes the same tests comes online if the FWSM is reset after bootup. If the SFM2s are up, the module passes diagnand comes online. Although, if diagnostic traces are set to 1, there are still some failure mescoming out of TestKomodoPlusPorts. (CSCed79483)


• With a large number of service modules installed, you might see the following message repeabootup:

2004 Feb 19 16:51:11 PST -08:00 %IP-6-UDP_SOCKOVFL:UDP ...


• If you enter theshow port command on a switch with voice modules (such as WS-X6624-FXS aWS-X6608-T1), theshow port command appears to stop responding, and port information for tvoice module is not printed. Sometimes the digital signal processor (DSP) on the voice modulealso reset. We recommend that you do not run theshow port or show port status commands onswitches with FXS or T1/E1 ports. This problem is resolved in software release 7.6(10).(CSCed91778, CSCec01126)


OL-1982-25


odule

ules

itch

port,ct

36)

that is

riencePAN

samey, ifif the

olkit

,tryry

utes

. Weareny

ationthe

• A FWSM and possibly other service modules may not be able to communicate if thedot1q-all-tagged feature is enabled. You cannot use the dot1q-all-tagged feature if a service mis present in the switch.

Workaround: Enter theset dot1q-all-tagged disable command, and then reset the switch. Thisproblem is resolved in software release 7.6(10). (CSCed18049)

• In text configuration mode, the SPAN sessions on the NAM, IDS module, and other service modare not reconfigured after a reset.

Workaround: Manually configure the SPAN sessions on a service module each time that the swis reset. This problem is resolved in software release 7.6(10). (CSCed65635)

• The portSecuritySecureSrcAdd field, defined in the CISCO-STACK-MIB, incorrectly displays00 00 00 00 00 00 when you enable port security, and the MAC address is learned from the instead of being configured manually. The portSecuritySecureSrcAdd field displays the correinformation for the configured MAC addresses.

Workaround: Configure the secured MAC address manually using theset port security mod/portenablemac_addr command. This problem is resolved in software release 7.6(10). (CSCee569

• When the EOBC out-of-band management bus fault detection code tries to power a module in the “power-deny” state, the switch may crash. This problem is resolved in softwarerelease 7.6(10). (CSCee59418)

• Gigabit fiber-based modules (and under some conditions, copper-based modules) might expehigh latency on ports when a SPAN destination session is configured on the same module. If a Sdestination port goes up and down, there is the possibility for ports that are connected to theport ASIC to experience latency (or possibly total lockup) in the receive direction. The latencpresent, is noticeable when low amounts of traffic are being sent through the system and/or received packet size on ports adjacent to the SPAN port are small or of average size.

For complete details on this problem and a list of affected modules, refer to the online bug torelease notes at the following URL:

http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

This problem is resolved in software release 7.6(10). (CSCef39614)

• If a port is moved from VLAN X to VLAN Y, permanent CAM entries might be lost. For exampleif you have port group 1/1-8 with port 1/2 and port 1/7 in VLAN 10 and a permanent CAM enconfigured on port 1/2, if port 1/7 is moved from VLAN 10 to VLAN 20, the permanent CAM enton port 1/2 might be deleted.

Workaround: After moving a port to a different VLAN, reconfigure the permanent CAM entry.This problem is resolved in software release 7.6(10). (CSCef66696)

• With theWS-X6502-10GEmodule, theset qos map command maps CoS values to the WREDthresholds only and not to the tail drop thresholds. This problem is resolved in softwarerelease 7.6(10). (CSCdy79506)

• If you set the text configuration autosave interval to greater than 25 days or above 35000 minusing theset config mode text auto-save intervalinterval command, you might see the followingerror message: “Failed to start text configuration auto-save timer.”

Workaround: Do not set the autosave interval to greater than 25 days or above 35000 minuteshave stopped supporting timers with intervals greater than 25 days or 35000 minutes in softwrelease 7.6(10) and later releases, 8.3(4) and later releases, and 8.4(1) and later releases. Acommands configured with an interval greater than 35000 minutes (or 25 days) in the configurfile are automatically set to 35000 minutes (or 25 days) when the configuration file is loaded onswitch. The same behavior applies to theset system info-log intervalinterval command and allother commands that support an interval configuration. (CSCee17413)


OL-1982-25

http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl


ade.rains.

oldinghe

the158)

red

905)

esse

pe of. Thislledlost

is

es at4)

ice

under

0).

in

e

veANthe

• The sc1 interface might appear on the same VLAN as the sc0 interface after a software upgrThis problem is related to upgrading from non-supported sc1 interface trains to sc1 supported tThis problem is resolved in software release 7.6(10). (CSCef06801)

• The switch does not respond properly when the logout timer is set to 3 (by using theset logout3command) if you are accessing the switch through a Telnet session and the screen is either hthe display at the “More” prompt, the “Enter Password” prompt, or the “Username” prompt. Tlogout timer is ignored during these conditions, allowing the connection to remain open beyondconfigured logout timer setting. This problem is resolved in software release 7.6(10). (CSCef15

• LTL indexes for configured multicast CAM entries that point to an EtherChannel that is configuin desirable mode are lost when the EtherChannel link goes up and down.

Workarounds: 1) Clear the configured CAM table entry and reenter it. 2) Configure theEtherChannel to “ON” mode. This problem is resolved in software release 7.6(10). (CSCef51

• When you use the set port security auto-configure enable command to globally enabledynamically learned MAC addresses to be associated with particular ports, the MAC addressshould not be cleared under any circumstances other than manually. The problem is that thedynamically learned MAC addresses are aging out. This problem is resolved in softwarerelease 7.6(10). (CSCef56108)

• If you configure a SPAN session on a module and then replace the module with a different tymodule, the switch disables the SPAN session because a different type of module was insertedis normal behavior. The problem is that if you configure a new SPAN session on the newly instamodule and then perform a high availability switchover, the newly configured SPAN session isafter the switchover.

Workaround: Reconfigure the SPAN session after the high availability switchover. This problemresolved in software release 7.6(10). (CSCef67073)

• When standard MST is used with Layer 2 protocol tunneling, there might be convergence issuthe remote customer end. This problem is resolved in software release 7.6(10). (CSCef7365

• The switch displays the following syslog message when the system is under a Denial of Servattack:

TCP-2-TCP_MAXESTABLISHED:Possible TCP ACK attack. . Maximum established connectionlimit 64 reached. Will drop unused connection

However, under some circumstances, the syslog might be generated when the system is notattack. The system functionality is not affected. This problem is resolved in softwarerelease 7.6(10). (CSCef77162)

• The dot1dStpPortDesignatedPort MIB might return the wrong value as compared to theshowspantree statisticsmod/portcommand output. This problem is resolved in software release 7.6(1(CSCef79667)

• Theshow tech-supportcommand does not display “outband counters.” This problem is resolvedsoftware release 7.6(10). (CSCef81144)

• With IGMP snooping enabled, PIM hellos might not be going out of the ATM LANE modules.

Workaround: Disable and then reenable IGMP snooping. This problem is resolved in softwarrelease 7.6(10). (CSCef81723)

• Theset snmp ifaliascommand fails on FlexWAN interfaces. The FlexWAN module does not haany ifIndexes (“0” ports); therefore, you should not be allowed to set the SNMP ifalias on FlexWmodule interfaces. Additionally, the system should not display a FlexWAN module entry whenshow snmp ifalias command is entered. This problem is resolved in software release 7.6(10).(CSCef82995)


OL-1982-25


rity

eing

If

AM

on

is

fatal(10).

m is

l

seenngfromom athis

tion

swords

):

• Theshow tech command should not display password information as this could create a secuvulnerability. This problem is resolved in software release 7.6(10). (CSCef86581)

• For a Supervisor Engine 2/MSFC2 with more than 255 VLANs assigned to the same HSRPgroup ID, the HSRP MAC address may be deleted mistakenly, resulting in Layer 3 packets bforwarded to the MSFC2 for software switching.

Workaround: Limit the number of VLANs with the same HSRP group ID to no more than 255.necessary, use other HSRP group IDs. This problem is resolved in software release 7.6(10).(CSCef88220)

• When port security is configured with the violation mode set torestrict , traffic from insecureaddresses is dropped. This behavior is achieved by installing a special “trap” CAM entry in the Ctable. While this special CAM entry is suppressed in theshow cam dynamiccommand output, theinsecure address is still registered in the CAM notification history and is shown in theshow camnotification history command output. Functionality is not affected. This problem is resolved insoftware release 7.6(10). (CSCef98123)

• When the FWSM is powered down or shut down using theset module power downmodcommand,enabling or disabling the multiple VLAN interface feature incorrectly shuts down secure SVIsthe MSFC.

Workaround: Do not enable or disable the multiple VLAN interface feature when the FWSM powered down or shut down. This problem is resolved in software release 7.6(10). (CSCea45818)

• With a Supervisor Engine 1, you might see some Layer 3 table parity errors. These are non-errors (packets are still forwarded in software). This problem is resolved in software release 7.6(CSCdy41174)

• Manually configured MAC addresses on port security enabled ports might age out. This probleresolved in software release 7.6(10). (CSCin83482)

• When upgrading from software release 7.6(2) to a later 7.6 release, you lose the port channeconfiguration for the CSM ports. The output of theshow configmodcommand wheremodis the slotwhere the CSM is located, appears empty. The CSM configuration is not modified and can beby entering theshow run command on the MSFC, but the CSM port configuration is lost. Upgradito software release 7.6(10) fixes the CSM port channel configuration problem during upgradesany software release before 7.6(4) to any release after 7.6(4) in the 7.6 train. Any upgrade frsoftware release before 7.6(4) to release 8.2(x) results in the loss of the CSM configuration. Inevent, you might need to rely on the text configuration mode for the configuration. No configuraloss occurs when upgrading from releases after 7.6(4) to a later 7.6(x) release. There are noproblems when upgrading from any release before 7.6(4) to any release after release 8.3(1).(CSCeg00509)

• The system passwords (both console and enable passwords) might not work after loading the pasfrom a previously saved password configuration file. This problem is resolved in softwarerelease 7.6(10). (CSCeg05183)





OL-1982-25


lity

e, theight

thee port orC

ress

andosticsages

n youre

ion

ghtyed:

o the

licyblemferent462)


• When port security is enabled with a large number of secure addresses, after a high-availabiswitchover, spanning tree might restart. (CSCdy24582)

• If you have a configured startup file with the boot environment variable CONFIG_FILE set, thstartup file might be read before the modules in the switch are completely online. As a resultconfiguration for the modules specified in the startup file is lost. In some cases, the switch mstill boot up correctly if the diagnostic level is changed to a lower level. (CSCec08789)

• With 802.1X authentication, if a high-availability switchover occurs during an authentication after switchover completes, single authentication and port security are in the authenticated state but thmight not get added to spanning tree. If this situation occurs, then the port would not receive CBLLTLs. Theshow port security command shows that the port MAC address is secured but no MAaddress is in the CAM table. (CSCin20244)


• With a Supervisor Engine 2 and a FWSM in slot 13 of a 13-slot chassis and with both SFM2spowered down, the FWSM fails online diagnostics (PC loopback) but passes the same tests comes online if the FWSM is reset after bootup. If the SFM2s are up, the module passes diagnand comes online (although if diagnostic traces are set to 1, there are still some failure messcoming out of TestKomodoPlusPorts). (CSCed79483)


• If the system banner size is over approximately 3072 characters, the switch might crash wheenter theshow banner command through a Telnet session. This problem is resolved in softwarelease 7.6(9). (CSCef44617)

• The switch might reset (%SYS-5-MOD_NOSCPPINGRESPONSE) when getting CBL informatthrough a PERL script. This problem is resolved in software release 7.6(9). (CSCee62021)

• When 250 QoS ACLs (or a number large enough to fill NVRAM) are committed, the console mihang indefinitely. When this problem was experienced, the following syslog message was displa

MGMT-4-OUTOFNVRAM:Out of NVRAM space: (50,239188,524288,237344)

The problem is seen only when ACLs are very large and fill up NVRAM. The system is stillfunctional but CLI access cannot be recovered. This behavior is intermittent.

Workaround: Use text configuration mode. Note that after the problem is seen, Telnet access tswitch is still functional. This problem is resolved in software release 7.6(9). (CSCec58333)

• With a Supervisor Engine 2 or Supervisor Engine 720, traffic might be switched matching a pomap using the hardware CEF table instead of the next hop as set by the policy map. This prohas been observed only when you have a policy map with a large number of sequences and difnext hops for each sequence. This problem is resolved in software release 7.6(9). (CSCef38


OL-1982-25


f the

g

375)

OE

on

he

g the. Theases:

).

he

elved

83

lue9)

Alllable

• The switch might drop all EtherChannels configured to “desirable” mode for approximately10 minutes and depending on the topology, connectivity may be affected for the entire period ooutage.

Workaround: Configure EtherChannels to “ON” mode using theset port channelmod/portmodeon command. This problem is resolved in software release 7.6(9). (CSCef02710)

• After experiencing a fabric sync error (%SYS-3-FAB_SYNCERR) some modules might haveproblems receiving control traffic such as UDLD packets (there is no problem with transmittintraffic).

Workaround: Reset the switch. This problem is resolved in software release 7.6(9). (CSCef06

• In software release 7.6(9), to facilitate the troubleshooting of fabric-related problems, the FPmismatch count (error counter) has been added to theshow fabric channel counters command.Additionally, a syslog has been added to indicate that this error counter is incrementing.(CSCef25518)

• With a Supervisor Engine 2/MSFC2, you might experience a memory leak in the “FIB” processthe supervisor engine. This problem is seen when entering theshow proc mem command.

Workaround: Disable hardware ARP throttling from the global configuration mode by entering tno mls ip cef arp-throttling command on the MSFC2. This problem is resolved in softwarerelease 7.6(9). (CSCef30384)

• With redundant Supervisor Engine 2s/MSFC2s and dual router mode (DRM) enabled, resettindesignated MSFC2 might cause loss of connectivity to/from the MSFC2 when it boots up againnewly designated MSFC2 is not affected. This problem is seen in the following software rele

– 1) If the MLS rate limiter is not enabled, the problem is seen in software releases 7.6(5)through 7.6(8).

– 2) If the MLS rate limiter is enabled, the problem is seen in software releases up to 7.6(8

Workaround: There are two ways to restore connectivity to the affected MSFC2: 1) Disable tMLS rate limiter by entering theset mls rate 0 command. Note that if the problem is seen insoftware releases 7.6(5) through 7.6(8), even if the MLS rate limiter is not enabled, entering thsetmls rate 0 command restores connectivity. 2) Reset the affected MSFC2. This problem is resoin software release 7.6(9). (CSCef32204)

• If the switch is peering with a multicast router through an ATM interface (either LANE or RFC 14with PVC binding), you might experience high utilization with the multicast receive process.

Workaround: Disable IGMP or enable the multicast rate-limit feature and set the rate to a vathat alleviates the problem. This problem is resolved in software release 7.6(9). (CSCef2734

• There is a vulnerability in the Transmission Control Protocol (TCP) specification (RFC 793). Cisco products that contain TCP stack are susceptible to this vulnerability. This advisory is avaiat these URLs:

– http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml

This URL describes this vulnerability as it applies to Cisco products that run Cisco IOSsoftware.

– http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml

This URL describes this vulnerability for products that do not run Cisco IOS software.



OL-1982-25

http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml

http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml


and

hould

nottch is

on

ing

lesut

dow(9).

lved

on a

re

em

ct to

• The following syslog error message indicates an ASIC error with the WS-X6548-RJ-45 modulethe recommended action is to replace the module:

SYS-6-SYS_LCPERR6:Module [dec]: Pentamak Ddr Sync Error

This message has a logging level of 6 but the severity of the error dictates that the logging level sbe a 3. This problem is resolved in software release 7.6(9). (CSCef18763)

• With MISTP enabled and the EtherChannel mode set to “ON,” if you configure more than oneEtherChannel and trunk in a short period of time, all of the newly configured channels might join the trunk. With this configuration scenario, the problem has also been seen after the swireset. This problem is resolved in software release 7.6(9). (CSCee95922)

• It might take an unusually long time for a trunk port to join an EtherChannel. This problem isresolved in software release 7.6(9). (CSCee95479)

• If port security is enabled on ports that have an auxiliary VLAN configured, no traffic switchesthe auxiliary VLAN.

Workaround: Disable port security. This problem is resolved in software release 7.6(9).(CSCef14201)

• With a Supervisor Engine 1/1A or Supervisor Engine 2, the switch might reload with the followlog message:

ProcessStatusPing:Module 1 local SCP error detected... resetting module

Workaround: Remove the faulty module.

Note The fix for this problem involves running a background task to intelligently detect moduthat could be causing the SCPerrors. When a faulty module is detected, it is automatically shdown.

This problem is resolved in software release 7.6(9). (CSCea38268)

• Enabling and disabling the SPAN feature might generate control characters in your Telnet winduring an open Telnet session to the switch. This problem is resolved in software release 7.6(CSCeb62318)

• The FWSM ports are not allowed to be configured as SPAN source ports. This problem is resoin software release 7.6(9). (CSCed81400)

• Spanning tree status information for MST instance 1 might disappear from theshow spantreemod/port display after a high availability switchover. Connectivity is not affected.

Workaround: Disable high availability. This problem is resolved in software release 7.6(9).(CSCee34858)

• With Rapid PVST+ enabled, a port might get stuck in the listening state after STP is enabledgiven VLAN.

Workaround: Disable and then reenable the affected port. This problem is resolved in softwarelease 7.6(9). (CSCef28337)

• After a switchover, the first module/link trap for any module/link might not be sent. This problis resolved in software release 7.6(9). (CSCef27093)

• When running a K9 software image, the switch might crash when the SSH client tries to connethe switch. This problem is resolved in software release 7.6(9). (CSCdz04272)


OL-1982-25


):

ility

e, thestill

thee port

L orC

ress

andosticsages

to8).

enew

the





• When port security is enabled with a large number of secure addresses, after a high-availabswitchover, spanning tree might restart. (CSCdy24582)

• If you have a configured startup file with the boot environment variable CONFIG_FILE set, thstartup file might be read before the modules in the switch are completely online. As a resultconfiguration for the modules specified in the startup file is lost. In some cases the switch mightboot up correctly if the diagnostic level is changed to a lower level. (CSCec08789)

• With 802.1X authentication, if a high-availability switchover occurs during an authentication after switchover completes, single authentication and port security are in the authenticated state but thmight not get added to spanning tree. If this situation occurs, then the port would not receive CBLTLs. Theshow port security command shows that the port MAC address is secured but no MAaddress is in the CAM table. (CSCin20244)




• Inserting a single-port OC-12 ATM module in a switch where all switching modules are fabricenabled causes the module diagnostics to fail on the ATM module. To put the ATM module inservice, enter theresetslot_numbercommand. This problem is resolved in software release 7.6((CSCds12349)

• If a multicast entry is configured through the CLI by entering theset camcommand, it does not getsynchronized to the standby supervisor engine in the following cases:

– When the standby supervisor engine is reloaded after configuring the entry.

– When high availability is disabled and then reenabled after configuring the entry.

In general, whenever high availability global synchronization is involved in the presence of thentry, it is not synchronized to the standby supervisor engine. When a switchover is done, theactive supervisor engine is not aware of the multicast entry and it does not show the entry inshow cam command output.


OL-1982-25


d noare

lyn a

nly

, butering

that

port

ed in

e

3(1).

tsce6)

nism.

d in

ht This

are

).

on CLI).

Workaround: Ensure that high availability is enabled and “ON” by entering theshow systemhighavailability command before creating any multicast entries using theset camcommand. Thisproblem is resolved in software release 7.6(8). (CSCee27955)

• IPX unicast packets may be dropped on the ingress MSFC interface when IP ACLs, VACLs, anIP redirects are configured. The problem is seen on the Supervisor Engine 720 running softwrelease 8.2(1) with Cisco IOS Release 12.2(17a)SX4 running on the MSFC. The problem onoccurs when you have the following three configuration components: An IP ACL configured oVLAN interface, “no ip redirects” configured on the MSFC, and a VACL configured for thecorresponding VLAN on the switch side. The problem is seen once the interface comes up. Obroadcast IPX traffic actually reaches the MSFC. If either the access group is removed or IPredirects are enabled on the VLAN interface on the MSFC, the problem is cleared immediatelyif the configuration is added back and the interface is brought down and then back up by enttheshutdown command followed by theno shutdown command, the problem returns.

Workaround: Remove one of the three components that causes the problem. This problem isresolved in software release 7.6(8). (CSCee51617)

• A watchdog timeout might occur when you clear a large ACL (the problem was seen with an ACLhad 2000 ACEs).This problem is resolved in software release 7.6(8). (CSCee88608)

• Disabling or enabling port negotiation does not work correctly if you specify more than a singleor single range of ports. For example, if you enterset port negotiation 3/1,3/5-6 disable, ports 1through 6 are disabled. This problem is resolved in software release 7.6(8). (CSCee52831)

• After upgrading Catalyst software to a version that supports theset msfcautostatecommand froma software version that did not support the command,set msfcautostate disable is automaticallyconfigured even though the default option for this command is enabled. This problem is resolvsoftware release 7.6(8). (CSCee62169)

• Theset port debounce timer{ mod/port} valuecommandvaluerange has been changed to a rangfrom 100 ms (default) to 5000 ms. (CSCdw91987)

• Theset option command set was inadvertently removed from software releases 7.6(7) and 8.Theset option command set will be available again in software releases 7.6(8) and 8.3(3).(CSCee67932)

• You might see FCS-Err, Rcv-Err, Multi-Coll, and Carri-Sen errors incrementing on switch porconnected to an MSM even if there is no traffic into or out of the ports. The MSM Gigabit interfadoes not report any errors. This problem is resolved in software release 7.6(8). (CSCee2348

• Redundancy enhancements were added to the internal supervisor engine switchover mecha(CSCea94065)

• You might experience a TLB exception in the EthChnlConfig process. This problem is resolvesoftware release 7.6(8). (CSCea49775)

• If you have an EtherChannel configured across modules, the EtherChannel configuration migchange after disabling PortFast, BPDU filter, and BPDU guard and then resetting the switch.problem is resolved in software release 7.6(8). (CSCee67595)

• The supervisor engine might fail to power down the SFM after a synchronization error or hardwfailure.

Workaround: Remove the defective SFM. This problem is resolved in software release 7.6(8(CSCee34175)

• You might experience an SNMP MIB walk timeout and a CLI delay when checking port statusthe WS-X6608-T1 module. The SNMP tables polled are moduleTable and portTable, and thecommand is theshow port status command. This problem is resolved in software release 7.6(8(CSCed91778)


OL-1982-25


3the

ved

orteddoes

tely

nthe

This

s6/1,

becol

SCPQoSor a

not. This

• When IGMP version 3 processing is enabled, and if the switch receives faulty IGMP version reports (reports with the NUMBER-OF-SOURCES field greater than 366), then every 5 minutesfollowing syslog is displayed:

%MCAST-2-IGMPV3_BADPKT:IGMPV3: No of bad packets received (# Groups exceed max of 183) =<number>

Workaround: Disable IGMP version 3 processing and reboot the switch. This problem is resolin software release 7.6(8). (CSCin46946)

• With redundant Supervisor Engine 2s and high availability disabled, the switch can boot upnormally. However, when a non-high availability switchover is performed, the new standbysupervisor engine fails to synchronize in local test mode. Several critical failures are then repand the module fails the boot process and ends up with an error on the console. This problemnot happen when the number of VLAN mappings for a security ACL are reduced to approxima250 VLANs. This problem is resolved in software release 7.6(8). (CSCee43443)

• Trunking inconsistencies were seen when the following actions were taken on a switch: 1) AEtherChannel was configured using two modules. 2) One of the modules was removed from switch. 3) An existing VLAN on the switch was added to trunks that were members of theEtherChannel. 4) The removed module was reinserted resulting in trunking inconsistencies. problem is resolved in software release 7.6(8). (CSCed44129)

• With a Supervisor Engine 2/MSFC2 and port security enabled, the switch might display thefollowing message: “Unable to add entry to earl on port 15/1, rc : -1.” If the MSFC2 in slot 2 iactive, the switch might display the following message: “Unable to add entry to earl on port 1rc : -1.” This problem is resolved in software release 7.6(8). (CSCeb86233)

• With a Supervisor Engine 1/MSFC, an input IOS ACL on the MSFC can cause Layer 2 traffic todropped in a VLAN. This problem is seen when no ip unreachables are configured and protofiltering is enabled.

Workaround: Reset the switch to clear the problem. This problem is resolved in softwarerelease 7.6(8). (CSCee69960)

• IP phone traffic received on an untrusted port should match the configured QoS ACL but the Dbased on the ACL is not rewritten. This problem is due to the wrong mask being used in the ACL. The problem is caused by a CLI problem; the CLI asks for the IP mask but it should ask fwildcard. The problem is resolved by making the CLI consistent with the Cisco IOS CLI:

– Catalyst operating system CLI:

Console> (enable) set qos acl ip ipacl1 dscp 32 ip 10.1.3.0 ?<ip_addr> Source IP MaskConsole> (enable)

– Cisco IOS CLI:

msfc2(config)# access-list 199 permit ip 10.1.3.0 ?A.B.C.D Source wildcard bits

This problem is resolved in software release 7.6(8). (CSCec68825)

• An SNMP query for cvbStpForwardingMap might return an invalid port state. This problem isresolved by a power cycle, module reset, disabling and enabling the port, or swapping modulesproblem is resolved in software release 7.6(8). (CSCee58481)

• If the default community strings are cleared, community strings configured by entering theset snmpcommunity-ext command do not work after resetting the switch. This problem is resolved insoftware release 7.6(8). (CSCee66094)


OL-1982-25


h ise

the6310)

n the

d in

ightm is

is

thedtion also

em is

m is

ge),

is

• In text configuration mode, with the switch configured to send a “cold start” trap when the switcreloaded, the switch does not send the trap after a reload. This problem is not seen when thconfiguration mode is set to binary. This problem is resolved in software release 7.6(8).(CSCee81130)

• With UplinkFast enabled, invalid dummy multicast packets might be sent out from the switchresulting in communication failure.

Workaround: Clear the ARP cache. This problem is resolved in software release 7.6(8).(CSCee22626)

• The MSFC might not be able to ping the sc0 interface on VLAN 1. This is a reoccurrence of problem seen in CSCeb02380. This problem is resolved in software release 7.6(8). (CSCee6

• In a redundant system, after a reset or switchover, you might not be able to view the error log ostandby supervisor engine. Entering theshow log command results in an error message. Thisproblem is seen only when Network Time Protocol (NTP) is configured.

Workaround: Reset the switch or perform a supervisor engine failover. This problem is resolvesoftware release 7.6(8). (CSCee54278)

• With a Supervisor Engine 2, when a redirect error interrupt occurs, the Supervisor Engine 2 mcrash. The Supervisor Engine 2 should recover from the interrupt without crashing. This probleresolved in software release 7.6(8). (CSCee57837)

• A UNIX script might get stuck at the Telnet prompt.

Workaround: PressEnter when the script gets stuck to start the script again. This problem isresolved in software release 7.6(8). (CSCeb69513)

• The switch might crash with crashing function name po_ipu_get_adj_vlan_mac. This problemresolved in software release 7.6(8). (CSCef00947)

• There is an inconsistency between the default signalling DSCP value used by the switch andCisco CallManager. Cisco CallManager release 4.x uses DSCP 24 by default for IP phone anCisco Softphone signaling. However, automatic QoS on the switch uses DSCP 26. This situaresults in IP phone packets egressing the switch with an incorrect DSCP value. This situationresults in Softphone/Communicator packets not getting the appropriate QoS value. This problresolved in software release 7.6(8). (CSCee61555)

• The value of dot1dStpPortDesignatedPort is not correct when queried from SNMP. This probleresolved in software release 7.6(8). (CSCee94422)

• A switch running software release 7.6(7) and rapid spanning tree (the switch is not the root bridmay log the following events in the syslog if it received a corrupt BPDU:

2001 Apr 07 23:40:16 %SPANTREE-2-LOOPGUARDUNBLOCK: Port 4/2 restored in MST instance 12001 Apr 07 23:40:28 %SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 4/2 inMST instance 1. Moved to loop-inconsistent state2001 Apr 07 23:40:28 %SPANTREE-2-LOOPGUARDUNBLOCK: Port 4/2 restored in MST instance 12001 Apr 07 23:40:42 %SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 4/2 inMST instance 1. Moved to loop-inconsistent state2001 Apr 07 23:40:42 %SPANTREE-2-LOOPGUARDUNBLOCK: Port 4/2 restored in MST instance 12001 Apr 07 23:40:59 %SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 4/2 inMST instance 1. Moved to loop-inconsistent state2001 Apr 07 23:40:59 %SPANTREE-2-LOOPGUARDUNBLOCK: Port 4/2 restored in MST instance 12001 Apr 07 23:41:13 %SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 4/2 inMST instance 1. Moved to loop-inconsistent state2001 Apr 07 23:41:13 %SPANTREE-2-LOOPGUARDUNBLOCK: Port 4/2 restored in MST instance 1

These symptoms are usually seen when there is more than one MST instance configured. Thproblem is resolved in software release 7.6(8). (CSCee77039)


OL-1982-25


e.

):

ility

thendlts in

thee port

L orC

ress

to

enew

the

• A switch running software release 7.6(7) may not ackowledge a Topology Notification Chang(TNC) received on a MST boundary port. This problem is resolved in software release 7.6(8)(CSCee71601)






• There is an inconsistency between the default signalling DSCP value used by the switch andCisco CallManager. Cisco CallManager release 4.x uses DSCP 24 by default for IP phone aCisco Softphone signalling. However, automatic QoS on the switch uses DSCP 26. This resuIP phone packets egressing the switch with an incorrect DSCP value. This also results inSoftphone/Communicator packets not getting the appropriate QoS value. (CSCee61555)

• With 802.1X authentication, if a high-availability switchover occurs during an authentication after switchover completes, single authentication and port security are in the authenticated state but thmight not get added to spanning tree. If this situation occurs, then the port would not receive CBLTLs. Theshow port security command shows that the port MAC address is secured but no MAaddress is in the CAM table. (CSCin20244)


• Inserting a single-port OC-12 ATM module in a switch where all switching modules are fabricenabled causes the module diagnostics to fail on the ATM module. To put the ATM module inservice, enter theresetslot_number command. (CSCds12349)

• If a multicast entry is configured through the CLI by entering theset camcommand, it does not getsynchronized to the standby supervisor engine in the following cases:

– When the standby supervisor engine is reloaded after configuring the entry.

– When high availability is disabled and then reenabled after configuring the entry.

In general, whenever high availability global synchronization is involved in the presence of thentry, it is not synchronized to the standby supervisor engine. When a switchover is done, theactive supervisor engine is not aware of the multicast entry and it does not show the entry inshow cam command output.

Workaround: Ensure that high availability is enabled and “ON” by entering theshow systemhighavailability command before creating any multicast entries using theset cam command.(CSCee27955)


OL-1982-25


andosticsages

e, thestill

reset,e

1s the

m

4)

youone

teringtistic

nghentinguntersg sidenters

port.

cted

em




• When a system with a Supervisor Engine 1A/MSFC or MSFC2 running software release 7.6(6) ismodules may not come online. Entering theshow module command shows that the modules are in th“other” state. Supervisor Engine 1A systems without an MSFC/MSFC2 are not affected.

Workaround: Set the diagnostics level to bypass by entering theset test diaglevel bypasscommand. This problem is resolved in software release 7.6(7). (CSCee15779)

• With 802.1X authentication, the authenticator will not be able to communicate through the scinterface to the RADIUS server if the authenticator address configured on the RADIUS server isc1 interface IP address. This problem is resolved in software release 7.6(7). (CSCin14627)

• TCP flags are not shared correctly. This problem is resolved in software release 7.6(7).(CSCee12831)

• Theset boot system flash Disk0:command does not work on Supervisor Engine 720. This probleis resolved in software release 7.6(7). (CSCed56322)

• Doing a minimal entry (entering only the first part of a command’s syntax) on the followingcommands:set errdisable, set option, andshow cdp portmod/port,results in either a missing keyword or no error message. This problem is resolved in software release 7.6(7). (CSCed9286

• The unicast packet count is not shown correctly if a port in an EtherChannel is disabled. Afterclear the port counters on two directly connected switches, with traffic still running, shut downport in the channel connecting the switches. When you enter theshow maccommand on the downedport, the port shows zero packets, although some packets were sent in the period between entheclear counterscommand and the shutdown. These packets are seen in the Rcv-Unicast staon the neighboring port. If you enter the show mac command in the period between entering theclear counterscommand and the shutdown, you will see Xmit-Unicast incrementing. After shuttidown the port, the count is slightly higher than previously shown but considerably less than tRcv-Unicast statistic shown on the connecting port. The receive side counters are not incremeafter the port shut down. All the packets that passed across the link between the time the cowere cleared and the time the port was shut down are not seen on the sending side. The sendinstill shows zero packets as if the port was shut down when the counters were cleared. The couwere cleared before the port was shut down, so there should be outgoing traffic seen on the This problem is resolved in software release 7.6(7). (CSCed46961)

• When you enter theshutdown command followed by theno shutdown command on a loopbackinterface, and the same loopback interface address is also configured on two or more connerouters, the switch may crash with a FIB exception. This problem is resolved in softwarerelease 7.6(7). (CSCea50206)

• Booting the MSFC image from slot0: might cause problems with VLANs and trunks. This problis resolved in software release 7.6(7). (CSCed59675)


OL-1982-25


-6-4V-Mhost

, the

wronglem

is

lem

This

5 isntriesthe

• When a Catalyst 6506 with a Supervisor Engine 1A running software image cat6000-supk9.7on the supervisor engine and an MSFC2 running Cisco IOS image MSFC IOS C6MSFC-PK2S12.1(20)E2 is connected to an Windows XP host that runs IGMP version 3, the Windows XP stops receiving traffic after approximately 5 minutes. This problem is resolved in softwarerelease 7.6(7). (CSCee08209)

• You might experience a memory leak related to the “Kernel and Idle” process if you enter theshowproc mem command. This problem is resolved in software release 7.6(7). (CSCed60959)

• After a high-availability switchover, when the standby supervisor engine becomes the activesupervisor engine, channeling ports may receive different QoS attributes and break theEtherChannel due to timing issues. This problem is resolved in software release 7.6(7).(CSCee02504)

• On a switch running a cryptographic (k9) image, if the value of sshPublicKeySize is nonzeroSNMP_THREAD process might have a memory leak when sshPublicKeySize is polled. Thisproblem is resolved in software release 7.6(7). (CSCed95950)

• When the cache error handler is called on a Supervisor Engine 2, the status register shows thevalue (0xfffff f83). This behavior hides the real register value and hinders debugging. This probis resolved in software release 7.6(7). (CSCed79489)

• A cluster leak might result in high-availability toggling between enable and disable states. Thproblem is resolved in software release 7.6(7). (CSCee06373)

• An MSFC trunk might not be added to the spanning tree after a switchover in DRM. This probis resolved in software release 7.6(7). (CSCee20623)

• The permanent multicast CAM entries might not work after a high-availability switchover.

Workaround: Clear the permanent multicast CAM entries and then enter the entries manually.problem is resolved in software release 7.6(7). (CSCed87627)

Note While caveat CSCed87627 is resolved in software release 7.6(7), caveat CSCee2795open in software release 7.6(7) and CSCee27955 prevents permanent multicast CAM efrom working after a high-availability switchover. For a description of CSCee27955, see“Open Caveats in Software Release 7.6(7)” section on page 103. (CSCee27955 is resolvedin software release 7.6[8].)


OL-1982-25


):

1s the

lity

thee port orC

ress

to

reset,e

e, thestill

tatee is





• With 802.1X authentication, the authenticator will not be able to communicate through the scinterface to the RADIUS server if the authenticator address configured on the RADIUS server isc1 interface IP address. (CSCin14627)


• With 802.1X authentication, if a high-availability switchover occurs during an authentication after switchover completes, single authentication and port security are in the authenticated state but thmight not get added to spanning tree. If this situation occurs, then the port would not receive CBLLTLs. Theshow port security command shows that the port MAC address is secured but no MAaddress is in the CAM table. (CSCin20244)



• When a system with a Supervisor Engine 1A/MSFC or MSFC2 running software release 7.6(6) ismodules may not come online. Entering theshow module command shows that the modules are in th“other” state. Supervisor Engine 1A systems without an MSFC/MSFC2 are not affected.

Workaround: Set the diagnostics level to bypass by entering theset test diaglevel bypasscommand. (CSCee15779)



• With 802.1X authentication, the authenticated 802.1X-enabled port goes to the connecting safter a high-availability switchover if the nonsupplicant in the guest VLAN behind an IP phonreplaced with a supplicant before the switchover. This problem is resolved in softwarerelease 7.6(6). (CSCdz60484)


OL-1982-25


hone

TTPto open

em.raffic

up, ms.

his

This

e 8.2(1)

r the

ht beFC

• After a high-availability switchover, an 802.1X port security-enabled port will shut down due to asecurity violation. This problem occurs if the supplicant that is connected to a port through an IP pwas previously in a guest VLAN when the port was authenticated. The problem seems to occur onlywith externally powered IP phones. This problem is resolved in software release 7.6(6).(CSCdz60394)

• HTTP authentication bypasses the IP permit list. If you have the IP permit list configured with the Hserver enabled on the switch, a user can cause a denial of service attack by repeatedly attemptingan HTTP session to the switch.

Workaround: Configure access control lists (ACLs) on the supervisor engines that support thOn the switches that do not support ACLs, use an external device for access controlling HTTP tto the switch or disable the HTTP server on the switch. This problem is resolved in softwarerelease 7.6(6). (CSCdw46637)

• When sending TCP or UDP traffic with a Supervisor Engine 2, the output for theshow mls entrycommand might be empty when the MLS flow is set to full. When the flow is set to destination ordestination-source, the entries are correct.

Workaround: Use theshow mls entry ip protocol tcpor show mls entry ip protocol udpcommandsto show the details of the TCP or UDP traffic.This problem is resolved in software release 7.6(6).(CSCin59452)

• Under rare conditions, the following switching modules might reset when a port is rapidly goingand down: WS-6248-RJ45, WS-6248-TEL, WS-6348-RJ45, WS-6348-RJ21, WS-6148-RJ45WS-6148-RJ21, and WS-6348-100FX. The port must go from down to up to down within 300This problem affects all releases of Catalyst software and Cisco IOS software.

Workaround: Disable the port that is going up and down or fix the root cause of the problem. Tproblem is resolved in software release 7.6(6). (CSCed17719)

• The MMLS shortcuts between the supervisor engine and the MSFC might not be consistent.problem is resolved in software release 7.6(6). (CSCec65498)

• After lowering the number of MAC addresses that can be configured using theset port securitymod/portmaximum num_of_maccommand, entering theclear port security all command might notclear all the secured addresses from the configuration. This problem might be seen in softwarerelease 6.4(8) or earlier releases, software release 7.6(5) or earlier releases, and software releasor earlier releases.

Workaround: Set the maximum number of MAC addresses allowed to a higher value and then enteclear port security all command.This problem is resolved in software release 7.6(6). (CSCin66276)

• When the MSFC is reloaded, some VLANs between the MSFC and the supervisor engine migpruned. This problem is seen with the MSFC VLAN interfaces in the “up/up” state but the MSdoes not respond to the supervisor engine or clients.

Workarounds: Enter theshutdown command followed by theno shutdown command on theVLAN interfaces. This problem is resolved in software release 7.6(6). (CSCec43550)


OL-1982-25


ules)

s

h

the

ping

his

bled

Nthanin

in

this

o are

as the.6(6).

erin

red,

• At bootup, some non-Ethernet modules (such as the MSFC, WAN modules, and service modmay fail to come online. This problem is seen especially in fully loaded chassis.

Workaround: Manually reset each module that fails to come online at bootup. This problem iresolved in software release 7.6(6). (CSCed24552)

• The WS-X6608-T1 and WS-X6608-E1 voice modules might not get configured correctly if the switcis in text configuration mode; some commands could be missing from the running configuration.

Workaround: Manually configure the voice modules after the switch comes online.This problem isresolved in software release 7.6(6). (CSCec00993)

• When you have a VMPS database downloading to the switch (initiated by entering thedownload vmpscommand), the switch might crash during the “VMPSDownload” process. This problem is due to vmps-port-group field not being specified in the VMPS configuration file.This problem is resolved insoftware release 7.6(6). (CSCed43310)

• You can now disable and enable the IGMP rate-limit feature and set the rate limit for IGMP snoopackets by using theset igmp ratelimit command as follows:

set igmp ratelimit {enable | disable}set igmp ratelimit {dvmrp | general-query | mospf1 | mospf2 | pimv2} rate

IGMP rate limiting is disabled by default. The default value for each rate-limit counter is 100. Tproblem is resolved in software release 7.6(6). (CSCin53701)

• Under rare conditions with SPAN disabled, traffic may not be sent outbound on a port in a fabric-enasystem due to a misprogramming of the ports FPOE (fabric port of exit) on the ingress module.

Workarounds: 1) Enable SPAN for the egress port (the port should be the source of the SPAsession). 2) Soft reset the egress module. 3) Configure the SPAN destination port to be less port 33 in the range of ports, the port should be between 1 and 32. This problem is resolved software release 7.6(6). (CSCed56130)

• When you start a Telnet session to the Catalyst switch using certain Telnet clients, theCatalyst switch prompt is not displayed until you press theEnter (return) key.

Workaround: Press theEnter key to get to the Catalyst switch prompt. This problem is resolvedsoftware release 7.6(6). (CSCed45576)

• After performing a software upgrade, the switch might experience an exception and reset. If problem occurs, theshow log command displays the following error message:

Error Msg: mfree 2: m=0x8c994080 PID = 0 Kernel an


• When logging into a switch with TACACS authentication configured, if the TACACS server isunavailable, the user is still prompted for a username. This condition is confusing to users whnot aware that the TACACS server is unavailable and they might keep trying to enter a validusername/password combination.

Workaround: Enter any value as a username. As long as the switch enable password is usedpassword, the authentication will be successful. This problem is resolved in software release 7(CSCdz16477)

• In software releases 7.6(4), 7.6(5), and 8.2(1), after you successfully enable RMON from eithSNMP or the CLI, theshow snmpcommand shows RMON as disabled. This problem is resolvedsoftware release 7.6(6) and software release 8.2(2) and later releases. (CSCed77175)

• After accessing the switch through a Telnet session and entering theclear vlan command to clear a largenumber of VLANs, if the Telnet session automatically logs you out before all the VLANs are cleathe VLAN database might be left in an inconsistent state.


OL-1982-25


ghs

s by

, thes in thedomsolved

validitch

iority

ch

g forVTPtware

the

is

-TX

(6).

Workarounds: 1) Reset the switch. 2) If you need to clear a large number of VLANs, then do it throuthe switch console rather than a Telnet session. 3) If you choose to clear a large number of VLANthrough a Telnet session, use theset logout 0command, then clear the VLANs.This problem is resolvedin software release 7.6(6). (CSCec19091)

• A TACACS+ server might not record accounting information if you input two consecutive commandcopying and pasting in the commands.This problem is resolved in software release 7.6(6).(CSCec63892)

• If your switch has multipath BGP with recursive lookup configured with per-prefix statistics disabledhardware counters show an inaccurate number of packets/bytes transmitted through all adjacencieTCAM. When the traffic is sent through the adjacency, the counters keep showing inaccurate/rannumbers. Once the traffic stops, the counters return to the initial inaccurate state. This problem is rein software release 7.6(6). (CSCea13680)

• The switch might crash with RADIUS authentication enabled after you do the following:

– Configure RADIUS authentication with theall option.

– Set the enable password for console.

– Enable the local login authentication.

– Log in to the switch and enter a valid RADIUS username and password at the prompt.

After you do the preceding steps, the switch might respond that the account is disabled for bothand invalid passwords after you try to enter the enable mode. After repeated attempts, the swmight go into an idle state and then reset.This problem is resolved in software release 7.6(6).(CSCed76069)

• When using Rapid STP/MST, a spanning tree loop might occur when you change the bridge prat the root bridge. This problem is resolved in software release 7.6(6). (CSCed33849)

• The Network Analysis Module (WS-X6380-NAM) management VLAN does not match the switsc0 interface VLAN. These VLANs should match.

Workaround: Leave the sc0 interface in VLAN 1. This problem is resolved in softwarerelease 7.6(6). (CSCed47510)

• You might receive traps indicating configuration revision errors, and theshow vtp statisticscommandmight show the number of configuration revision errors increasing and the revision number matchinall the switches in the VTP domain. To correct the problem, you must upgrade all the switches in thedomain to software release 6.4(9) and then add and delete a VLAN. This problem is resolved in sofrelease 7.6(6). (CSCdy11099)

• When you attempt to upgrade the EPLDs on a module with a voice daughter card attached, system cannot read the SPROM of the module.

Workaround: Remove the daughter card, and then run the upgrade on the module. This problemresolved in software release 7.6(6). (CSCed84492)

• A switch equipped with a Supervisor Engine 720 may stop forwarding traffic over a WS-X6548-GEmodule. If this occurs, theshow port command displays the port as connected, and theshow maccommand does not show any transmitted traffic. This problem is resolved in software release 7.6(CSCed68821)

• Depending on the location of thecapture lines in a VACL, the capture function might not work. Thisproblem does not impact VACL filtering. This problem is resolved in software release 7.6(6).(CSCec57893)


OL-1982-25


M onuring

is

is

):

tatee is

1s the

lity

hone

thee port orno

ress

TTPto open

em.raffic

• When using either Supervisor Engine 1 or Supervisor Engine 2 in a redundant system with DRthe MSFC and high availability enabled on the supervisor engine, packets may be dropped dan MSFC/supervisor engine switchover until the nondesignated MSFC is up. This problem isresolved in software release 7.6(6). (CSCed91504)

• In DRM, an MSFC trunk may not be added to spanning tree after a switchover. This problemresolved in software release 7.6(6). (CSCed92082)

• The auxiliary VLANs and VTP pruning might not work together in all instances. This problemresolved in software release 7.6(6). (CSCed05516)





• With 802.1X authentication, the authenticated 802.1X-enabled port goes to the connecting safter a high-availability switchover if the nonsupplicant in the guest VLAN behind an IP phonreplaced with a supplicant before the switchover. (CSCdz60484)



• After a high-availability switchover, an 802.1X port security-enabled port will shut down due to asecurity violation. This problem occurs if the supplicant that is connected to a port through an IP pwas previously in a guest VLAN when the port was authenticated. The problem seems to occur onlywith externally powered IP phones. (CSCdz60394)

• With 802.1X authentication, if a high-availability switchover occurs during an authentication, afterswitchover completes, single authentication and port security are in the authenticated state but thmight not get added to spanning tree. If this situation occurs, then the port would not receive CBLLTLs. Theshow port securitycommand shows that the port MAC address is secured but there isMAC address in the CAM table. (CSCin20244)



Workaround: Configure access control lists (ACLs) on the supervisor engines that support thOn the switches that do not support ACLs, use an external device for access controlling HTTP tto the switch or disable the HTTP server on the switch. (CSCdw46637)


OL-1982-25


to

e, thestill

e

LD,

42.e is tos. Thea new

ode.rationtion

ports

sage: or

y

ure,5).

5).

5582)




• With the ip verify unicast reverse-pathcommand configured on an MSFC interface, the interfacfails to drop packets when there is a default route without a more specific route.

Workaround: Configure the MSFC interface using theip verify unicast source reachable-via rxcommand. This problem is resolved in software release 7.6(5). (CSCec50151)

• You might experience high CPU utilization after entering theshow acl indexcommand. If you enterthis command and CPU utilization increases, you may start losing control packets, such as UDBPDU, MLS, and MMLS.

Workaround: Do not use this command. This problem is resolved in software release 7.6(5).(CSCec73483)

• VLAN assignment issue: Solution testing for the upcoming Microsoft release of KB article 8269Microsoft has developed code to allow VLAN assignment and DHCP interoperability. The codwritten with the following logic (assuming proper VLAN assignment): Send three ICMP echosthe current default gateway. If echos are not answered, broadcast renew for the DHCP addresresult is that the pings are actually answered, therefore the tested end point does not requestIP address. This problem is resolved in software release 7.6(5). (CSCec70893)

• The standby supervisor engine uplink ports are not configured correctly in text configuration mThe standby supervisor engine uplink ports are not configured correctly because the configuis applied when the ports are not up. To correct this problem, the execution of the text configurafile was delayed for the standby supervisor engine until the standby supervisor engine uplinkare up. This problem is resolved in software release 7.6(5). (CSCeb15672)

• In rare circumstances, upgrading a supervisor engine or module EPLD may fail with the mes“Error: Programming EPLD. Error code = 16.” This problem may leave the supervisor enginemodule inoperable. This problem is resolved in software release 7.6(5). (CSCec77150)

• When you enter theset igmp flooding enable command, flooding is enabled. But if you enter another character afterset igmp flooding, such asset igmp flooding en, flooding is disabled insteadof being enabled. When you enter theset igmp flooding disablecommand, IGMP snooping is notdisabled, and instead it returns the command help screen.

Workaround: Theset igmp flooding enable command is used for enabling or disabling IGMPflooding for source-only groups. The default status is enabled. If you want to disable the featenter theset igmp flooding disablecommand. This problem is resolved in software release 7.6((CSCed11725)

• MLS IP fast aging might not work correctly. This problem is resolved in software release 7.6((CSCec70012)

• When you enter thesqueeze slot0: command, the supervisor engine CPU might spike above95 percent for about 30 seconds. This problem is resolved in software release 7.6(5). (CSCec2


OL-1982-25


whatword.6(5).

nat

reeingore

This

ning

esults

ext

idthissues1-8,

in

n the. Theof theportsng to

theolved

• When doing SSH to the switch using external authentication, if you press theEnter key at theusername prompt (effectively putting a blank username in), the session locks up regardless ofpassword is entered. Also, if you enter an incorrect username, you will be prompted for the passthree times and then the session disconnects. This problem is resolved in software release 7(CSCea89170)

• The Supervisor Engine 1 port ifIndex may become 0 after a high-availability switchover. Thisproblem is resolved in software release 7.6(5). (CSCec44842)

• The MST commandset spantree mst config namedoes not have a carriage return (\n) if the revisionumber is set to zero in theshow configcommand output. This action causes the next command thyou enter to merge with this command. This problem is resolved in software release 7.6(5).(CSCed05362)

• When two trunks are enabled one by one with a small delay in between, and with spanning tdisabled for the VLANs, there could be a race condition between the first port going to forwardstate in a particular VLAN and the second trunk port join the spanning tree. Therefore, when mthan one port is established as a trunk in a short time period, several VLANs are not allowed.problem is resolved in software release 7.6(5). (CSCed12056)

• Supervisor Engine 1A might reset when entering thecopy config flashcommand. This problem isresolved in software release 7.6(5). (CSCdy21260)

• A Switch Fabric Module switchover might take 8 seconds when the chassis is populated withfabric-enabled modules. This problem is resolved in software release 7.6(5). (CSCed08827)

• When a FlexWAN interface (such as ATM, HSSI, or any port adapter) is created in a system runsingle router mode (SRM), and the designated MSFC is reloaded (either using thereload commandfrom the MSFC or using thereset command from the switch CLI), some of theinterface/sub-interface IP addresses of the FlexWAN interface are no longer pingable. This rin the MLS receive entry on the switch side missing for the IP address.

Workaround: Do a shut/no-shut on the interface/sub-interface. This fixes the problem until the nSRM switchover. This problem is resolved in software release 7.6(5). (CSCed30949)

• When a WS-X6548-GE-TX port is configured as a SPAN destination and the aggregate bandwof the spanned traffic exceeds the SPAN destination port's capacity, you can see performanceon other ports within the same group. A group of ports is defined as a group of 8-ports (such as9-16, and 17-24).

Workaround: Disable destination SPAN to ports on the WS-X6548-GE-TX module or put theSPAN destination port in a group where there is nothing connected. This problem is resolvedsoftware release 7.6(5). (CSCed25278)

• When enabling and disabling QoS on the switch, some channeling ports may leave and rejoichannel. This problem occurs only when using LACP channels. PAgP channels are not affectedproblem may occur when some ports are associated to the same administrative key but not allports belong to the same channel. For example, the problem might occur when you have fourwith the same administrative key and two are channeling while the others are disabled or beloanother channel because of an incompatibility on the partner link.

Workarounds: There are two workarounds:

1. Enable and configure QoS before forming any LACP channels.

2. When assigning the administrative key to a set of ports, make sure that the ports belong tosame channel and that no other ports are assigned that administrative key. This problem is resin software release 7.6(5). (CSCdv68689)


OL-1982-25


a),

me

ithing: If

):

tatee is

1s the

ility

hone

• The following problems have been seen when running software releases 7.6(1), 7.6(2), 7.6(27.6(3), 7.6(3a), and 7.6(4):

– Unable to reach the switch through Telnet or ping.

– Unable to access the switch through SNMP or other management applications.

– Able to reach the MSFC through Telnet or ping.

– When connected through the console, nothing is output or garbled characters are output(repeating characters are seen such as “R” or “.” or other characters).

– System status LED is normal (green) and backplane utilization LED is at 0 percent. In socases, the traffic meter LED may be at 100 percent.

– System has been up for approximately 7 months.

Workarounds: With a single supervisor engine, schedule a maintenance window to reset thesupervisor engine when the uptime is close to 150 days. To view the system uptime enter theshowsystem or show version commands.

With dual supervisor engines, the redundant supervisor engine should automatically takeover w10 minutes. However, if required, a maintenance window can be scheduled to do the followinhigh availability is not enabled, enable high availability by entering theset system highavailabilityenablecommand. Wait for high availability to synchronize. Enter theshow system highavailabilitycommand and verify that the high availability operational-status is “ON.”

With dual supervisor engines, a second workaround is to manually switch to the redundantsupervisor engine by entering theswitch supervisor command.

This problem is resolved in software release 7.6(5). (CSCeb37694, CSCed38989)








• After a high-availability switchover, an 802.1X port security-enabled port will shut down due to asecurity violation. This problem occurs if the supplicant that is connected to a port through an IP pwas previously in a guest VLAN when the port was authenticated. Theproblem seems to happen onlywith externally powered IP phones. (CSCdz60394)


OL-1982-25


thee port orno

ress

TTPto open

em.raffic


the

to

e, thestill

f thelved

mainm is

ordlved








2. When assigning the administrative key to a set of ports, make sure that the ports belong tosame channel and that no other ports are assigned that administrative key. (CSCdv68689)




• In a redundant system with WS-X6516 modules configured for channel mode, a reset of one omodules might cause traffic forwarded through the channel to be dropped. This problem is resoin software release 7.6(4). (CSCec18911)

• Disabling and enabling ports that belong to two channels may cause ports in one channel to rein spanning tree blocking state and traffic going through the channel to be dropped. This probleresolved in software release 7.6(4). (CSCec63559)

• In a system running Cisco IOS on the MSFC and Catalyst operating system on the SupervisEngine, the boot loader on the MSFC does not work if the MSFC run-time image is on locatesup-slot0 and the Catalyst software is configured using text config mode. This problem is resoin software release 7.6(4). (CSCeb36759)


OL-1982-25


to thesing

are

lem

are

eare

d in

ouf the10

ndort

ntraffic

eeded

dwareion.

mayrvice

eay

ease

• ARP requests or responses with a length of 60 bytes that are received by the switch and sentCPU of the switch for ARP inspection are padded by the switch with an additional 8 bytes, cau68-byte ARPs. This problem is resolved in software release 7.6(4). (CSCec65991)

• The NVRAM monitor needs to be enabled by default at bootup. This problem is resolved in softwrelease 7.6(4). (CSCec62324)

• LTL for multicast and broadcast traffic cannot be set after an MST topology change. This probis resolved in software release 7.6(4). (CSCec23939)

• Port Security cannot be configured on 802.1q tunnel ports. This problem is resolved in softwrelease 7.6(4). (CSCec31643)

• In a system running software release 6.4(4a) on a Supervisor Engine 2 and Cisco IOS releas12.1(13)E19 on the MSFC2, MLS entries in the Supervisor Engine forwarding information basenot updated after a server failover although the ARP entry is correct. This problem is resolvesoftware release 7.6(4). (CSCec27027)

• When you attempt to establish a console connection and are prompted for the username, if yinadvertently cut and paste a large file (over 100 KB) into the CLI username prompt instead ocorrect username, you will see many “%MGMT-5-LOGIN_FAIL:User log” messages. Then afterto 14 minutes, the switch will reset. This problem is resolved in software release 7.6(4).(CSCea72986)

• When configuring an EtherChannel with ports on separate modules with the jumbo frames a802.1Q tunneling features configured, the channel configuration may get lost on a member pwhen using text configuration mode.

Workaround: Use “desirable” mode or binary configuration mode. This problem is resolved insoftware release 7.6(4). (CSCec06429)

• The system may require a long time to clear and reestablish secure MAC addresses when aage-enabled port has a few hundred secure MAC addresses with large amounts of continuousgoing through the port. This problem is resolved in software release 7.6(4). (CSCeb22295)

• If the system configuration mode is set to text and test diagnostics level to complete, theconfiguration process may begin before some modules come online due to the longer time nto run diagnostics. If this occurs, a port channel admin-group may not get set and a defaultadmin-group number may be assigned. This problem is resolved in software release 7.6(4).(CSCea63643)

• On a Catalyst 6500 series switch or Cisco 7600 series router, packets that are forwarded in harmight have an incorrect source MAC or might be forwarded to an incorrect next-hop destinatThis problem is resolved in software release 7.6(4). (CSCdy87433)

• On a Catalyst 6500 series switch or Cisco 7600 series router, an SSH authentication failure result in 32 bytes of memory leakage. A repeated exploitation of this may cause denial of sesymptoms on the switch.

Workaround : Permit SSH access only to authorized hosts. An example may look like this:

set ip permit <authorized host #1> sshset ip permit <authorized host #2> sshset ip permit enable

This problem is resolved in software release 7.6(4). (CSCeb49724)

• Entering theshutdown, no shutdown, andreset commands on ports configured as VACL capturports on a WS-X6548-GE-TX module or forcing a switchover of a WS-X6548-GE-TX module mcause the VACL capture ports not to function correctly. This problem is resolved in software rel7.6(4). (CSCeb88190)


OL-1982-25

Open and Resolved Caveats in Software Release 7.6(3a)

ftware

mesblem

USE

d in

st

mayent

e a

s

a):

e, thestill

• A system with a Supervisor Engine 2 may reload after displaying the following system errormessage:

%ACL-3-TCAMFULL:Acl engine TCAM table is full

These messages are seen during updates of large IOS ACLs. This problem is resolved in sorelease 7.6(4). (CSCec04515)

• If you connect a PC to a port on a WS-X6548-RJ-45 module using a straight cable, the port coonline, but if you change the cable to a crossover cable, the port does not come online. This prois resolved in software release 7.6(4). (CSCec17508)

• When an end station sends PAUSE frames to a switchport that has flow control disabled, the PAframes are sent to supervisor engine, causing a high load on the CPU.

Workaround : Enable receive flow control on the port receiving the PAUSE frames.

This problem is resolved in software release 7.6(4). (CSCec00232)

• If two ports on a WS-X6248-TEL module are connected but only one port has been manuallyenabled, the module may display a “connected” status for both ports. This problem is resolvesoftware release 7.6(4). (CSCea19802)

• Entering theset port qos trust trust-cos command on WS-X6502-10GE ports may cause unicapackets to be dropped. This problem is resolved in software release 7.6(4). (CSCeb30334)

• A system with a Supervisor Engine 2 running software release 7.4(3) might reload with a PIDSptTimer error. This problem is resolved in software release 7.6(4). (CSCdu43267)

• If a port is configured for Rapid-PVST+ mode and has loop guard enabled, the CAM aging timestay at 15 seconds for the VLAN to which that port belongs if the port enters a loop-inconsiststate. This problem is resolved in software release 7.6(4). (CSCeb45116)

• While the system displays the output for theshow spantree mst config andshow spantree mst[ instance] commands, BPDUs will not be sent from designated ports. This will eventually causloop condition to occur. This problem is resolved in software release 7.6(4). (CSCec16775)

• The maximum number of 128 permanent CAM entries needs to be increased. This problem iresolved in software release 7.6(4). (CSCdz35901)

Open and Resolved Caveats in Software Release 7.6(3a)These sections describe open and resolved caveats in supervisor engine software release 7.6(3

• Open Caveats in Software Release 7.6(3a), page 116

• Resolved Caveats in Software Release 7.6(3a), page 117

Open Caveats in Software Release 7.6(3a)This section describes open caveats in supervisor engine software release 7.6(3a):



OL-1982-25


tatee is

1s the

ility

hone

thee port

L orno

ress

TTPto open

em.raffic


o the

to

abled,





• With 802.1X authentication, if a high-availability switchover occurs during an authentication, afterswitchover completes, single authentication and port security are in the authenticated state but thmight not get added to spanning tree. If this situation occurs, then the port would not receive CBLTLs. Theshow port securitycommand shows that the port MAC address is secured but there isMAC address in the CAM table. (CSCin20244)







2. When assigning the administrative key to a set of ports, make sure that the ports belong tsame channel and that no other ports are assigned that administrative key. (CSCdv68689)


Resolved Caveats in Software Release 7.6(3a)This section describes resolved caveats in supervisor engine software release 7.6(3a):

• With MISTP and EtherChannel between switches, when channel ports are disabled and then ensome VLANs of the MISTP instance may still show a CBL disable status.This problem is resolved insoftware release 7.6(3a). (CSCec19186)


OL-1982-25


Any beainst

efer

):

tatee is

1s the

lity

hone

thee port orno

ress

TTPto open

em.raffic

• New vulnerabilities in the OpenSSH implementation for SSH servers have been announced. affected network device, running an SSH server based on the OpenSSH implementation, mavulnerable to a Denial of Service (DoS) attack when an exploit script is repeatedly executed agthe same device.

Workaround: There are workarounds available to mitigate the effects of these vulnerabilities. Rto the advisory at this URL:

http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml

This problem is resolved in software release 7.6(3a). (CSCec33092)














OL-1982-25

http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml



o the

to

e, thestill

nuous802.3

n 4-bytebytes.ket)

CBLeennnel

nnel

lved

urst








• A WS-X6348 module port that is connected to a PC with a 60-meter cable may experience contilink state changes. These changes occur when a PC has a NIC that does not conform to the IEEEpulse shape mask for MLT3. This problem is resolved in software release 7.6(3). (CSCdz46928)

• Packets to be sent out the WS-X6548-GE-TX or WS-X6148-GE-TX modules that are less tha64 bytes are dropped. This occurs when a device forwards a packet that is 60 bytes and thedot1q tag is added to create a valid 64 byte packet. When the tag is removed, the packet is 60If the destination is out a port on the WS-X6548-GE-TX or WS-X6148-GE-TX modules, the pacis dropped by the module. This problem is resolved in software release 7.6(3). (CSCeb67650

• With the spanning tree mode set to MISTP-PVST+, when a port leaves or joins a channel, thefor that port might not be set, resulting in no traffic going through that port. This problem was swith an 8-port channel with the channel mode set to “on” and occurred when the ports in the chawere disabled and then enabled or when the module was reset.

Workaround: Disable and then reenable the port (this does not always work), or change the chamode to “desirable.” This problem is resolved in software release 7.6(3). (CSCea48516)

• It is not possible to configure port security on a dot1q tunnel access port. This problem is resoin software release 7.6(3). (CSCeb54461)

• The maximum burst value that could be configured for a policer was 32,000 kb. The maximum brate should have been 256,000 kb. This problem is resolved in software release 7.6(3).(CSCeb22622)


OL-1982-25


he

expect

DN:

ce

re

of

ved

p

ang

allyual

ftware

t istartup

sed

• The switch fails to return the complete Fully Qualified Domain Name (FQDN) when polled for tfollowing:

sysName

.1.3.6.1.2.1.1.5

The switch returns the host name only. This situation is not compliant with the definition ofsysName stated in RFC 1907. This problem has a tendency to break NMS applications that the switch to respond back with the correct sysName.

Workaround: Specify the complete FQDN on the switch so sysName returns the complete FQ

Enter the following on the switch:

nms-6506a> (enable) set system name nms-6506a.sys.etcSystem name set.nms-6506a> (enable) exitConnection closed by foreign host.

Enter the following on the NMS:

nms-server2> snmpwalk -c public nms-6506a sysNameSNMPv2-MIB::sysName.0 = STRING: nms-6506a.sys.etc


• Setting the SNMP trace level to 7 or higher could cause the system to print out inaccurate tramessages followed by a system lockup. This problem is resolved in software release 7.6(3).(CSCeb53928)

• The switch might crash in the getPermTypeValue function. This problem is resolved in softwarelease 7.6(3). (CSCea11480)

• With a WS-X6381-IDS module installed, you might experience a memory leak over a period weeks.

Workaround: Reload the switch every few weeks to regain lost memory. This problem is resolin software release 7.6(3). (CSCeb59206)

• When you specify the destination device as slot0:, slot1:, disk0:, or disk1: for the syslog dumfeature using theset system syslog-filedevice:[filename] command, the system will hang during thesystem failure and will not reload. You must power-cycle the system. Note that the system will honly if there is a system failure.

Workaround: Write the file to bootflash. This problem is resolved in software release 7.6(3).(CSCeb51638)

• With a switch configured as a VMPS client and server, there might be problems with dynamicassigning ports to VLANs. Ports stay in the “inactive” state for more than 5 minutes or until manintervention is used to correct the problem. This problem has been seen after upgrades to sorelease 7.6(1). This problem is resolved in software release 7.6(3). (CSCeb36856)

• After a reset in text configuration mode, you might lose part of a port channel configuration thaformed between modules even though the port channel configuration appears correctly in the sconfiguration.

Workaround: Use binary configuration mode or use “desirable” for the channel mode (as oppoto “on”). This problem is resolved in software release 7.6(3). (CSCeb56573)


OL-1982-25


link,his

on

n

.0.9ckets

to

d.nalystraffic

cene.e

n

terblem

with

a):

• When a port is configured for a host connection using theset port hostmod/port command, its CBLshould remain in forwarding state when the port is disconnected. This assures that when thecomes up, traffic is switched immediately. The problem is that when the port is disconnectedspanning tree sends the correct CBL state but dot1x authorization sets the CBL to disable. Tproblem is resolved in software release 7.6(3). (CSCeb52364)

• With MISTP configured, when a nonroot switch attempts to be the root switch, a TLB exceptimight occur. This problem is resolved in software release 7.6(3). (CSCeb60477)

• Using theshow snmp ifalias command might cause a memory leak. This problem is resolved isoftware release 7.6(3). (CSCeb86760)

• Theset port disable andset port enable commands might not work correctly if a port list isspecified. This problem is resolved in software release 7.6(3). (CSCdw73671)

• In IGMP fallback mode, the switch might only forward UDP packets destined to address 224.0to a multicast router port. This behavior could break the exchange of RIP version 2 update pabetween RIP version 2 routers in the VLAN when the IGMP mode goes to fallback.

Workaround: Configure a static multicast MAC entry for 01-00-5e-00-00-09 on ports connectedRIP version 2 routers. This problem is resolved in software release 7.6(3). (CSCeb53428)

• A switch with either a WS-X6K-SUP1A-2GE or WS-X6K-S2U-2GE supervisor engine and aWS-F6K-MSFC2 running boot loader image version 12.1(19)E with the main image on thePCMCIA Flash card in slot0: may not pass traffic to or from the MSFC on VLAN 1 after a reloaThis situation affects only traffic that is routed to or from VLAN 1. Traffic being switched withiVLAN 1 is not affected by this issue. This issue may be seen when running any version of Catsoftware on the supervisor engine and a boot loader IOS version 12.1(19)E on the MSFC2. Twill still pass to and from the MSFC2 for all other VLANs.

• Workarounds: There are two workarounds: 1) Shut and then no shut the VLAN 1 virtual interfaon the MSFC2. This will fix the problem until the next reload of the MSFC2 or supervisor engi2) If MSFC2 redundancy is not being provided by single router mode (SRM), this issue can bavoided by downgrading only the boot loader image to 12.1(13)E. This problem is resolved isoftware release 7.6(3). (CSCeb02380)

• The WS-X6348-RJ-45 module might excessively reset. When this particular reset occurs, thelogging buffer contains a message indicating that the module is online, butdoes not contain apreceding message showing the module resetting. This problem is resolved in softwarerelease 7.6(3). (CSCeb35612)

• Different VLANs on a switch might have the same VlanIfIndex. This problem usually occurs afa high availability switchover caused by an exception on the active supervisor engine. This prois resolved in software release 7.6(3). (CSCeb61525)

• With a Firewall Services Module (FWSM), LTLs might not be set properly if VTP pruning isenabled. This problem is resolved in software release 7.6(3). (CSCea04936)

• If you use the maximum character length for a VACL name (31 characters), the switch might reseta TLB exception after entering theshow config command.This problem is resolved in softwarerelease 7.6(3). (CSCeb37804)





OL-1982-25


tatee is

1s the

lity

hone

thee port or

o

ved

TTPto open

em.raffic


the

to

e, thestill






• With 802.1X authentication, if a high-availability switchover occurs during an authentication, afterswitchover completes, single authentication and port security are in the authenticated state but thmight not get added to spanning tree. If this situation occurs, then the port would not receive CBLLTLs. Theshow port security command shows the port MAC address is secured but there is nMAC address in the CAM table. (CSCin20244)

• With 802.1X authentication, when a configured supplicant logs off, their MAC address is remofrom the configured list. (CSCin25663)










OL-1982-25


onger a

):

tatee is

1s the

ility

hone

thee port

L oro

ved

TTPto open

em.raffic


• With MISTP configured, when a nonroot switch attempts to be the root switch, a TLB exceptimight occur. These TLB exceptions can occur each time there is a root change, which can trigMISTP_VM update on all the nonroot switches for the new root. This problem is resolved insoftware release 7.6(2a). (CSCeb60477)









• With 802.1X authentication, if a high-availability switchover occurs during an authentication, afterswitchover completes, single authentication and port security are in the authenticated state but thmight not get added to spanning tree. If this situation occurs, then the port would not receive CBLTLs. Theshow port security command shows the port MAC address is secured but there is nMAC address in the CAM table. (CSCin20244)





OL-1982-25



the

to

e, thestill

ce.

engineured

ion

ing








• Theclear config all command does not clear the text configuration mode auto-save relatedconfigurations.This problem is resolved in software release 7.6(2).(CSCin41958)

• In rare circumstances, IPX traffic may be interrupted when the IP-input access list is applied.

Workaround: Create an IPX access list permitting everything and apply it on the input interfaThis problem is resolved in software release 7.6(2). (CSCdx17914)

• A Catalyst 6500 series switch running dual supervisor engines might display the followingmessages:

2001 Nov 06 13:23:59 met +01:00 %SYS-2-MOD_NOINBANDRESPONSE:Module 2 not respondingover inband2001 Nov 06 13:24:09 met +01:00 %SYS-2-MOD_INBANDOK:Module 2 inband ok

These messages indicate that the active supervisor engine is polling the redundant supervisorbut cannot get a timely response. This situation occurs when a feature on the switch is not configcorrectly (for example, an incorrect NDE server or SNMP community string) and the destinathost replies with excessive ICMP messages. These ICMP messages may interfere with thesupervisor engine inband ping process.

Workaround: Reconfigure the feature correctly. This problem is resolved in softwarerelease 7.6(2). (CSCdx03048)

• With a WS-X6348 module, a port might be errdisabled by a late collision and display the followerror messages:

2002 Oct 03 11:09:22 JST +09:00 %PAGP-5-PORTFROMSTP:Port 3/1 left bridge port 3/1 2002Oct 03 11:09:24 JST +09:00 %PAGP-5-PORTTOSTP:Port 3/1 joined bridge port 3/1 2002 Oct03 11:10:45 JST +09:00 %SYS-3-PORT_COLL:Port 3/1 late collision (100) detected 2002Oct 03 11:10:45 JST +09:00 %SYS-3-PORT_COLLDIS:Port 3/1 disabled due to collision 2002Oct 03 11:10:45 JST +09:00 %PAGP-5-PORTFROMSTP:Port 3/1 left bridge port 3/1



OL-1982-25


)

acency

cy noe

se

ssibled ping8736)

ted”

s atse all

up.

re

lows.re

not

blem

tly.

is

• After a VLAN is cleared from a channeled port by entering theclear trunk command, channeledports disappear from the list of ports when you enter theshow spantree mistp-instancecommand.This problem is resolved in software release 7.6(2). (CSCeb13778)

• Powering on the Content Switching Module in hybrid mode causes the switch to hang forapproximately 8 seconds. This problem is resolved in software release 7.6(2). (CSCea88971

• If you enter the set mls cef per-prefix-stats disable command and multiple routes are pointing tothe same next-hop adjacency, wrong CEF adjacencies in hardware may result because the adjentries hash to the same memory location in hardware.

Workaround: Change the IP address of one of the next-hop adjacencies so that the adjacenlonger hashes to the same memory location in hardware. This problem is resolved in softwarrelease 7.6(2). (CSCea93959)

• Entering theshow rgmp groupmight crash the switch. This problem is resolved in software relea7.6(2). (CSCea84886)

• The system message “Check possible fault in standby supervisor” is misleading because the pocauses might not be related to the standby supervisor engine. This message is part of the inbanfailure message and NVLOGs. This problem is resolved in software release 7.6(2). (CSCeb1

• The TDR test gives the wrong result and shows that a shorted cable has a status of “terminainstead of “shorted.” This problem is resolved in software release 7.6(2). (CSCea90053)

• A WS-X6148-GE-TX or WS-X6548-GE-TX module may experience a very low (.005 percent)frame loss when transmitting at 100 Mbps. Additionally, when the module is transmitting frame10 Mbps with auto-mdix enabled, a rare condition might cause the transmission to hang and lothe frames to be transmitted.

Workarounds: There are three workarounds:

1. Disable/enable the affected port.

2. Unplug and plug in the cable for the affected port.

3. Perform any action on the link partner that results in the link going down and coming back

4. Disable auto-mdix to prevent the 10 Mbps and auto-mdix condition.


• NDE is not exporting statistics for software-installed flows. This problem is resolved in softwarelease 7.6(2). (CSCdz70415)

• IP address entries are not updated in the MLS table which hinders hardware switching for new fNDE is not exporting statistics for software-installed flows. This problem is resolved in softwarelease 7.6(2). (CSCea19439)

• When traffic ingresses from a WAN interface, the Layer 2 entry that is installed by MMLS doeshave the router (MSFC) port included.

Workaround: Disable multicast MLS globally on the MSFC with theno mls ip multicast globalcommand and then reenable it with themls ip multicast global command. Be careful whenperforming this workaround because it can cause a high CPU condition on the MSFC. This prois resolved in software release 7.6(2). (CSCea07101)

• Supervisor Engine 1 may stop hardware switching multicast flows if the xtag is not set correc

Workaround: Reset the xtag using theclear ip mroute group-addresscommand. This problem isresolved in software release 7.6(2). (CSCea58832)

• With RMON enabled, a user may see a crash in the mediaIndependentTable when a moduleremoved and reinserted. This problem is resolved in software release 7.6(2). (CSCea70981)


OL-1982-25


able5)

ighte fixes

his

This

PU

proper

d in

are

ese

s to

• The single-character tag behaves incorrectly when being configured in the snmpCommunityTand snmpTargetAddrTable. This problem is resolved in software release 7.6(2). (CSCea8190

• The switch might crash with the crashing function name: polarisGetPktByteCount. This crash mhappen when recovering from sequence errors. In some cases, reseating the supervisor enginthe problem. This problem is resolved in software release 7.6(2). (CSCdy83905)

• A switch with Supervisor Engine 1 installed might crash in the getPermTypeValue function. Tproblem is resolved in software release 7.6(2). (CSCdy11480)

• The system message SYS-3-EOBC_CHANNELREINIT is assigned a severity that is too high.problem is resolved in software release 7.6(2). (CSCea42533)

• When IGMP snooping is configured on a switch, the PIMv2 Hello packets are not sent to the Cand the multicast traffic reduction feature does not work. This problem is resolved in softwarerelease 7.6(2). (CSCea63674)

• The NVRAM log may not completely clear itself after registering an exception (and logging aswitching bus timeout). Subsequent exceptions may have truncated stack pointers due to imclearing of the NVRAM log.

Workaround: Manually clear the NVRAM log using theclear log command. This problem isresolved in software release 7.6(2). (CSCeb28192)

• Running the TDR test on a 1-Gbps link gives the wrong cable length. This problem is resolvesoftware release 7.6(2). (CSCeb25429)

• The dot1dBasePortTable of the bridge MIB does not contain all of the ports where VLAN 1 isdeclared. This problem is resolved in software release 7.6(2). (CSCeb08072)

• SNMP polling for memory pool utilization is performed too frequently. This problem is resolved insoftware release 7.6(2). (CSCeb38474)

• In text configuration mode, you might see the following message when booting the switch:

%SYS-3-PORT_DEVICENOLINK:Device on port <mod>/<port> powered but no link up

The ports recover and continue to function normally when you are running the following softwreleases:

– 6.3(7) and earlier

– 7.1(x) and 7.2(x)

In addition to the above behavior, some ports might be powered down randomly followed by thmessages after a reload:

%SYS-3-PORT_DEVICENOLINK:Device on port <mod>/<port> powered but no link up%SYS-3-PORT_BADPORT:Bad port <mod>/<port> detected, inline power is turned off

The messages might display when you are running the following software releases:

– Software release 6.3(8-10) and later

– Software release 7.3(2) and 7.4(2-3)

Workaround: The workaround is as follows:

– Run the configuration in binary mode (the default)

– When it is not possible to run in binary mode (such as when you have a fully loadedCatalyst 6513 switch or heavily configured Catalyst 6509 switch), set the inline power statuautomatic after every reload.



OL-1982-25


):

tatee is

1s the

ility

hone

thee port

L oro

ved

TTPto open

em.raffic


o the





• Theclear config all command does not clear the text configuration mode auto-save relatedconfigurations. (CSCin41958)





• With 802.1X authentication, if a high-availability switchover occurs during an authentication, afterswitchover completes, single authentication and port security are in the authenticated state but thmight not get added to spanning tree. If this situation occurs, then the port would not receive CBLTLs. Theshow port security command shows the port MAC address is secured but there is nMAC address in the CAM table. (CSCin20244)









OL-1982-25


to

e, thestill

re

. Thisppingping

f youS

521)

y for




• All VLANs come up in the “down” state after a Supervisor Engine 1 or Supervisor Engine 2 isreset/upgraded. This problem is seen when the following conditions are present:

– The MSFC/MSFC2 is loaded from slot0: or disk0:

– Single router mode (SRM) redundancy is enabled

– Switches are running software release 7.5(1) or 7.6(1)

Workarounds: The three workarounds are as follows:

– Load the MSFC/MSFC2 images from the MSFC/MSFC2 bootflash:

– Once both MSFCs/MSFC2s come online, reset the active MSFC/MSFC2. The standbyMSFC/MSFC2 will come up with the correct VLAN status.

– Do a shut/no shut on each VLAN interface on the active MSFC/MSFC2.

(CSCdy51093,CSCea72554)

Note The problems documented in caveats CSCdy51093 and CSCea72554 require softwarelease 7.6(1)and one of the following bootloader images on the MSFC/MSFC2:

MSFC2 boot loader: c6msfc2-boot-mz.121-13.E10MSFC boot loader: c6msfc-boot-mz.121-13.E10

• The automatic QoS feature shipped with the signaling CoS-to-DSCP mapping of CoS 3 to DSCP 24value is QoS-baseline compliant. However, other automatic QoS implementations today use a maof CoS 3 to DSCP 26. All releases after software release 7.5(1) will ship with CoS 3 to DSCP 26 mapto have interoperability with other automatic QoS implementations. This issue is only a problem iare deploying automatic QoS at the edge of your network with uplinks or connections to Cisco IOrouters that use DSCP markings to implement their Per-Hop Behavior (PHB).

Workaround: After executing theset qos autoqoscommand, execute theset qos cos-dscp-map 010 18 26 34 46 48 56command. This problem is resolved in software release 7.6(1). (CSCea11

• The ARP entry learned by the supervisor engine for the MSFC is incorrect. If your default gatewathe sc0 management interface is the MSFC, you will not be able to use the sc0 interface.

Workaround: ping the sc0 interface from the MSFC. This problem is resolved in softwarerelease 7.6(1). (CSCdz68358)


OL-1982-25


se, doon

h

at you engine

and the

ated

ort,t. The

m is

abledups

are

• If an ATA Flash PC card (disk0:) gets full, the file system driver may get into a state where no filecan be modified on the disk. To fix the file system driver problem, you should either reload thsupervisor engine or reformat the ATA Flash PC card. To prevent this problem from occurringnot let the ATA Flash PC card get full and do not delete, copy, or modify a large number of filesthe ATA Flash PC card without reformatting it.

Workaround: Use a linear Flash PC card (slot0:). This problem is resolved in softwarerelease 7.6(1). (CSCdz60967,CSCdy50029,CSCdz31304)

• If you copy a file to the ATA Flash PC card (disk0:), the file might be corrupted on subsequent switcresets. If this situation happens, delete the corrupted file, run thefsck utility on disk0:, and attempt tocopy the file again. If disk0: is used to store the supervisor engine boot image, we recommend thstore a supervisor engine boot image on bootflash so you can recover if the bootable supervisorimage on disk0: gets corrupted.

Workaround: Use a linear Flash PC card (slot0:). This problem is resolved in softwarerelease 7.6(1). (CSCdz60967, CSCdy50029, CSCdz31304)

• When configuring the “local user” authentication feature, you configure user A with password Bwith Telnet, the feature works using user A and password B. However with SSH, if you enterusername as A and password B, it fails. You must use the password set through theset password..command. This problem is resolved in software release 7.6(1). (CSCea21326)

• In a redundant system with Supervisor Engine 1A/MSFC and high availability and configurationsynchronization enabled, the system might experience a “PID=SyncTask” exception if the designMSFC is continuously reloaded.This problem is resolved in software release 7.6(1).(CSCdw13647)

• With SPAN configured and a permanent multicast CAM entry configured on the SPAN source ppackets destined to the multicast address might not be forwarded on the SPAN destination porpackets are forwarded on the source port.

Workarounds: There are three workarounds:

1. Configure the SPAN session before configuring the multicast address on the source port.

2. Clear the multicast address and reapply it with the SPAN session configured.

3. Use a static multicast CAM entry instead of a permanent entry.

This problem is resolved in software release 7.6(1). (CSCdw30315)

• In very rare circumstances, NetFlow collector data might have incorrect end times. This probleresolved in software release 7.6(1). (CSCdy04889)

• On a switch running software release 7.5(1), all members of a PAgP port channel may not be ento forward traffic for some multicast groups when appropriate. As a result, traffic for these gromay be intermittently received, or not received at all.

Workaround: Disable and then enable IGMP snooping. This problem is resolved in softwarerelease 7.6(1). (CSCdz07412)

• In text configuration mode, you might see the following message when booting the switch:

%SYS-3-PORT_DEVICENOLINK:Device on port <mod>/<port> powered but no link up

The ports recover and continue to function normally when you are running the following softwreleases:

– 6.3(7) and earlier

– 7.1(x) and 7.2(x)


OL-1982-25


ese

s to

p inht

the7291)

ablene to

utes

ports

.

eare

In addition to the above behavior, some ports might be powered down randomly followed by thmessages after a reload:

%SYS-3-PORT_DEVICENOLINK:Device on port <mod>/<port> powered but no link up%SYS-3-PORT_BADPORT:Bad port <mod>/<port> detected, inline power is turned off

The messages might display when you are running the following software releases:

– Software release 6.3(8-10) and later

– Software release 7.3(2) and 7.4(2-3)


– Run the configuration in binary mode (the default)

– When it is not possible to run in binary mode (such as when you have a fully loadedCatalyst 6513 switch or heavily configured Catalyst 6509 switch), set the inline power statuautomatic after every reload.


• The switch might crash with a QoS-related issue and display the following information:

Last software reset by user: 10/18/2002,13:13:27 Last Exception occurred on Nov 18 2002 01:27:11 ... Software version = 7.4(2) Error Msg: PID = 26 ProtocolT EPC: 804EF45C

This problem has no impact on traffic or performance.

Workaround: Disabletrust-device on all ports in the switch (enter theset port qos trust-devicenone command). You do not have to disable QoS. This problem is resolved in softwarerelease 7.6(1). (CSCdz35748)

• When trying to enable flow control with software releases 7.x or later, the feature might come uthe “disagree” state even though it is set correctly on both sides of the link. This problem migoccur when a Gigabit Ethernet NIC connects to a WS-X6516-GBIC module. This problem isresolved in software release 7.6(1). (CSCdz46595, CSCdz29818)

• In a redundant configuration, a functional Supervisor Engine 2 may incorrectly switch over tosecondary Supervisor Engine 2. This problem is resolved in software release 7.6(1). (CSCdz5

• A Supervisor Engine 2 might experience a TLB exception caused by a fatal system controller “tmanager npp parity error.” This type of error should not be fatal and cause the supervisor engicrash. This problem is resolved in software release 7.6(1). (CSCdz61561)

• Under certain conditions, a switch may overwhelm the console with log messages for 4 to 5 minwhen BPDU guard and port security are enabled.

Workaround: Disable console logging using theset logging console disable command. Thisproblem is resolved in software release 7.6(1). (CSCdz70110)

• In software release 7.5(1), memory leaks might occur when setting and clearing extra SNMPcommunity strings. This problem is resolved in software release 7.6(1). (CSCdz84693)

• In a redundant Catalyst 6500 series switch configuration with core dump enabled, the uplinkremain connected after a supervisor engine reset. This behavior causes spanning tree andconnectivity problems. These problems continue for the duration of the core dump operation

Workaround: Disable the core dump feature on each supervisor engine, or make sure that thuplink ports are not in use when the core dump is enabled. This problem is resolved in softwrelease 7.6(1). (CSCea03215)


OL-1982-25


s anis

S

ght6(1).

timed

in

6348

es.

etsThis

are

ofen theies to

engineh isICMPved in

utput

.

• Under certain conditions, the IGMP group table might not be deleted when the MSFC receiveIGMP version 2 leave. This problem results in the MMLS entry not being deleted. This problemresolved in software release 7.6(1). (CSCea03345)

• WAN multicast traffic might not function correctly if software release 7.5(1) is used with Cisco IORelease 12.1E-based WAN images.

Workaround: Downgrade the Catalyst image to software release 6.3 or 6.4. This problem isresolved in software release 7.6(1). (CSCea06676)

• If the SCP communication channel is not functioning on the supervisor engine, the switch mireset without producing a core file (crashdump). This problem is resolved in software release 7.(CSCea16448)

• Certain QoS ACL names are not read correctly, and the system fails to commit the ACLs to runand to clear them. For example, configuring and committing a QoS ACL named “ipphone” ananother ACL named “ipphone17-18” does not work. As a consequence, the ACL named“ipphone17-18” is not committed to runtime and will not be cleared. This problem is resolvedsoftware release 7.6(1). (CSCea18569)

• On a Catalyst 6500 series switch running software release 6.4(1), the WS-X6148 and WS-Xmodules respond differently to theset feature agg-link-partner enable globalcommand. Thisproblem is resolved in software release 7.6(1). (CSCea19099)

• The ciscoMemoryPoolUsed MIB and ciscoMemoryPoolFree MIB report incorrect NVRAM valuSNMP reports more NVRAM used. This problem is resolved in software release 7.6(1).(CSCea46369)

• A TTL of 32 is too low for some implementations. A TTL of 32 may decrement before the packget out of a MPLS network. This situation can cause problems with any IP-based application.problem is resolved in software release 7.6(1). (CSCea48092)

• The system does not synchronize local time through Network Time Protocol (NTP) whensummertime is configured or changed. This problem is resolved in software release 7.6(1).(CSCdx42695)

• Startup diagnostics may fail when a module fails to boot up. This problem is resolved in softwrelease 7.6(1). (CSCdy03002)

• IGMP snooping in the fallback mode freezes the state of host ports that can lead to the loss multicast router ports and associated multicast MLS shortcuts on the supervisor engine. Whrouter port age out timer kicks in, Layer 2 entries get cleared which also causes Layer 3 entrbe cleared. This problem is resolved in software release 7.6(1). (CSCdz89562)

• In a redundant configuration, you might see the following messages:

2001 Nov 06 13:23:59 met +01:00 %SYS-2-MOD_NOINBANDRESPONSE:Module 2 not respondingover inband2001 Nov 06 13:24:09 met +01:00%SYS-2-MOD_INBANDOK:Module 2 inband ok

These messages indicate that the active supervisor engine is polling the redundant supervisorbut is not able to get a timely response. This problem may occur when a feature on the switcincorrectly configured, and the destination host replies with excessive ICMP messages. Thesemessages may interfere with the supervisor engine inband ping process. This problem is resolsoftware release 7.6(1). (CSCdx03048)

• With a WS-X6148 module, the runtime trust-dscp and trust-ipprec values are reversed in the oof theshow port qosmod/port command for that module. This problem is resolved in softwarerelease 7.6(1). (CSCdz88155)

• Theset module power downmod command might not work when a faulty module is in the slotThis problem is resolved in software release 7.6(1). (CSCea57097)


OL-1982-25


):

. Thisppingping

f yous that

y for

tatee is

1s the

lity

a IPms to





• All VLANs come up in the “down” state after a Supervisor Engine 1 or Supervisor Engine 2 isreset/upgraded. This problem is seen when the following conditions are present:

– MSFC/MSFC2 is loaded from slot0: or disk0:

– Single router mode (SRM) redundancy is enabled

– Switches are running software release 7.5(1) or 7.6(1)

Workarounds: The three workarounds are as follows:

– Load the MSFC/MSFC2 images from the MSFC/MSFC2 bootflash:

– Once both MSFCs/MSFC2s come online, reset the active MSFC/MSFC2. The standbyMSFC/MSFC2 will come up with the correct VLAN status.

– Do a shut/no shut on each VLAN interface on the active MSFC/MSFC2.

(CSCdy51093,CSCea72554)

• The automatic QoS feature shipped with the signaling CoS-to-DSCP mapping of CoS 3 to DSCP 24value is QoS-baseline compliant. However, other automatic QoS implementations today use a maof CoS 3 to DSCP 26. All releases after software release 7.5(1) will ship with CoS 3 to DSCP 26 mapto have interoperability with other automatic QoS implementations. This issue is only a problem iare deploying automatic QoS at the edge of your network with uplinks or connections to IOS routeruse DSCP markings to implement their Per-Hop Behavior (PHB).

Workaround: After executing theset qos autoqoscommand, execute:set qos cos-dscp-map 0 1018 26 34 46 48 56. (CSCea11521)

• The ARP entry learned by the supervisor engine for the MSFC is incorrect. If your default gatewathe sc0 management interface is the MSFC, you will not be able to use the sc0 interface.

Workaround: ping the sc0 interface from the MSFC. (CSCdz68358)




• After a high-availability switchover, an 802.1X port security enabled-port will shutdown due tosecurity violation. This problem happens if the supplicant is connected to the port through anphone and the port was authenticated and was previously in a guest VLAN. The problem seehappen only with externally powered IP phones. (CSCdz60394)


OL-1982-25


intes,dded

ress

se, doTA

h

aage on

ine 1n and

253)

TTPto open

em.raffic


o the

to

• With 802.1X authentication, if a high-availability switchover occurs while an authentication isprogress, after the high-availability switchover on the newly active supervisor engine complesingle-authentication and port security are in the authenticated state but the port might not get ato spanning tree, in which case it would not receive CBL or LTLs. Theshow port securitycommandshows the port MAC address is secured but there is no MAC address in the CAM table.(CSCin20244)


• If an ATA Flash PC card (disk0:) gets full, the file system driver may get into a state where no filecan be modified on the disk. To fix the file system driver problem, you should either reload thsupervisor engine or reformat the ATA Flash PC card. To prevent this problem from occurringnot let the ATA Flash PC card get full and do not delete, copy, or modify a lot of files on the AFlash PC card without reformatting it.

Workaround: Use a linear Flash PC card (slot0:). (CSCdz60967)

• If you copy a file to the ATA Flash PC card (disk0:), the file might be corrupted on subsequent switcresets. If this happens, delete the corrupted file, run thefsck utility on disk0:, and attempt to copy the fileagain. If disk0: is used to store the supervisor engine boot image, we recommend that you storesupervisor engine boot image on bootflash so you can recover if the bootable supervisor engine imdisk0: gets corrupted.

Workaround: Use a linear Flash PC card (slot0:).

• The software release 7.5(1) CiscoView images are over 16 MB and do not fit into a Supervisor Engbootflash. An MSFC/MSFC2 image also does not fit into the MSFC/MSFC2 bootflash because aMSFC/MSFC2 image plus bootloader is over 16 MB. The solution is to put both the MSFC imagethe supervisor engine image onto a 64-MB linear Flash PCcardstarting with the 7.5(1) CiscoView imagerelease. If the Supervisor Engine 1 does not have an MSFC/MSFC2, a 24-MB linear Flash PCcardcouldbe used to load the 7.5(1) CiscoView image. Non-CiscoView images are not affected. (CSCdz31









OL-1982-25


e, thestill

ld 4queue.

ited.

g”

therenges

d in

MPiggeronse3)

with

engine.5(1).

hesults6899)

not

re



• When you configure standard QoS receive-queue tail-drop thresholds, do not set the threshovalue less than 75 percent because packets might get dropped on ports associated with the This problem is resolved in software release 7.5(1). (CSCdu75029)

• The packets that are sent to the MSFC as a result of a bridge action from an ACL are not rate limOnly those packets that are sent to the MSFC from a FIB hit are rate limited. This problem isresolved in software release 7.5(1). For details on the “Rate Limiting for Cisco IOS ACL Logginfeature, refer to the “Configuring Access Control” chapter of theCatalyst 6500 Series SwitchSoftware Configuration Guide, Release 7.5 publication. (CSCdr99239)

• In rare circumstances, when a Gigabit Ethernet GBIC port is in autonegotiation enable mode,is a small time window when configuration changes may occur. If the remote side of the link chaflow-control parameters within this window, the port on this end of the link may miss theconfiguration changes and fail to enter the correct flow-control mode. This problem is resolvesoftware release 7.5(1). (CSCdu02663)

• After either enabling IGMP after a disable or after a reset or a high-availability switchover, the IGsnooping floods in each of the active VLANs an IGMP Leave for 0.0.0.0. This action is done to tran IGMP-General Query or an IGMP-GS Query for each of the active Groups in that network in respto the IGMP Leave for 0.0.0.0.This problem is resolved in software release 7.5(1). (CSCdz4314

• As an aid to debugging, we now distinguish an IGMP version 3 router from a non-version 3 routera “$” symbol next to it.This problem is resolved in software release 7.5(1). (CSCdw20426)

• In a redundant configuration, the following messages might display:

%SYS-2-MOD_NOINBANDRESPONSE:Module 2 not responding over inband%SYS-2-MOD_INBANDOK:Module 2 inband ok

These messages indicate that the active supervisor engine is polling the redundant supervisorbut is unsuccessful in getting a timely response. This problem is resolved in software release 7(CSCdx93107)

• The ifindex field is zero for the corresponding source or destination IP address of the flow if tdefault route is the forwarding entry for the specific IP address. Using a more specific route rein the correct ifindex numbers. This problem is resolved in software release 7.5(1). (CSCdz0

• After a supervisor engine switchover, the MSFC on the new standby supervisor engine may come online.

Workaround: Reload the MSFC. This problem is resolved in software release 7.5(1).(CSCdz16855)

• After a supervisor engine switchover with high availability enabled, the moduleIPAddress MIBvariable of the NAM might not list the IP address of the NAM. This problem is resolved in softwarelease 7.5(1). (CSCdx48332)


OL-1982-25


p

d or88)

due to

on,urrent

1).

e andwith

edandessing,Perversingrver.

ware

eew in

xed in

• Entering theset crypto rsa key 2048command might cause high CPU utilization for a period of uto 18 minutes.

Workaround: There is no workaround other than generating the key at a nonpeak traffic periousing a lower bit crypto key. This problem is resolved in software release 7.5(1). (CSCdx766

• In rare circumstances, the switch might experience a red status light on the supervisor enginean NVRAM checksum error. Under this condition, you will observe the following:

– Theshow version command shows a checksum failure of some type.

– Theshow test 1 command show an NVRAM failure (NVRAM: F).

This problem does not have any impact on switch operation as long as you do not make anyconfiguration changes while the switch is in this condition. If you reset the switch in this conditisome configuration data may be lost. Before you reset the switch, make sure that you have a ccopy of your configuration stored on another device.

Workaround: Reset the supervisor engine. This problem is resolved in software release 7.5((CSCdx87646)

• With IGMP snooping enabled, a switch running software release 6.3(7) on the supervisor enginCisco IOS Release 12.1(8b)E9 on the MSFC might not establish a PIM neighbor relationshipa directly connected router running PIM v1.


– 1) Use PIM v2 on the directly connected router.

– 2) Disable IGMP snooping using theset igmp disable command.

This problem is resolved in software release 7.5(1). (CSCdy17806)

• If you enable an HTTP server on a switch running an affected CiscoView image, the embeddHTTP server can receive a very long HTTP query. This situation can result in a buffer overflowa software reset of the switch. Once the switch has recovered and has resumed normal procit is vulnerable again. It remains vulnerable until you disable the HTTP server, block the HTTqueries to the switch management port, or upgrade the switch to a fixed version. The HTTP sis disabled by default. It is typically enabled to allow web-based management of the switch uCiscoView. Only a small subset of Catalyst software images contain the embedded HTTP se

Workaround: Disable the HTTP server on the switch (using theset ip http server disablecommand). The default setting for the HTTP server is disabled. This problem is resolved in softrelease 7.5(1). (CSCdy26428)

• With a NAM module installed, after a supervisor engine switchover, the new supervisor enginmight not try to reconnect with the NAM over EOBC. As a result, the NAM does not have the nIP address of the supervisor engine and SNMP functionality is lost. This problem is resolvedsoftware release 7.5(1). (CSCdy26871)

• If you have two EtherChannels on a switch, after an upgrade, you might see the same ifIndeassigned in the ifTable for the interfaces that represent both channels. This problem is resolvsoftware release 7.5(1). (CSCdy52937)


OL-1982-25


not

terr localor

. Thevisor

This

sent,cable

withed in

oesfrom a

his

Arvisor

is

is

d

0.

ugheen

• With dual MSFC redundancy using Supervisor Engine 1 with the MSFC or MSFC2, you mightbe able to boot from sup-slot0:. With Catalyst software release 6.3(6) or later and Cisco IOSRelease 12.1(12c)E1 or later bootloader image, fixes were incorporated to allow booting fromsup-slot0. However, there may be a delay in booting the second MSFC/MSFC2, until the firstMSFC/MSFC2 finishes booting from sup-slot0:. With Catalyst software releases 7.5(1) and laand Cisco IOS Release 12.1E, the delay has been eliminated and the MSFCs boot from theisupervisor engine sup-slot0: (you must have the MSFC images in sup-slot0: of both supervisengines). (CSCdy55525)

• The inband IBC interface may be declared up even though the inband port is not synchronizedfix involves running a ping test between the SP and RP on both the active and standby superengines. If the IBC interface is broken, the ping test fails and appropriate actions are taken. problem is resolved in software release 7.5(1). (CSCdx95456)

• “Group Specific” report statistics might not display using theshow igmp statisticscommand. WhenIGMP packets with group address 01-00-5e-00-00-xx (where xx= 01, 02, 04, 05, 06, 0d) are the group-specific reports field display is empty. Even though report packets are sent, the applifields are not incremented in the statistical display. This problem is not seen with other groupaddresses. This problem is resolved in software release 7.5(1). (CSCdy64989)

• An IGMP querier packet that is sent by a switch running software release 7.3(2) and configuredtheset igmp querier enablecommand, is corrupted (ip-protocol-error=94). With this problem, thmulticast client does not respond and the multicast stream times out. This problem is resolvesoftware release 7.5(1). (CSCdy66299)

• On a WS-C6513 switch with an 8-port T1 PSTN interface module (WS-X6608-T1), the switch dnot generate an SNMP trap reflecting the state of the port connection when you unplug a cablethe WS-X6608-T1 module. Also, there is no local entry in the logging buffer when you unplugcable. This problem is resolved in software release 7.5(1). (CSCdy68593)

• After entering theset msfcautostate enable command, OSPF adjacencies for FlexWAN moduleinterfaces are lost.

Workaround: Do a shut/no shut on the FlexWAN module interfaces to bring traffic back up. Tproblem is resolved in software release 7.5(1). (CSCdy74216)

• Under rare conditions, a WS-X6348 module installed in a system with a Supervisor Engine 1might stop forwarding packets due to a synchronization error between the module and the supeengine. This problem is resolved in software release 7.5(1). (CSCdz10526)

• The switch might crash with “mgd_timer_initialized” when RMON is enabled and an alarmEntrybeing set through SNMP. This problem is resolved in software release 7.5(1). (CSCdz36469)

• Under rare conditions, the Rx port buffers on a WS-X6548 module can lock up. This problemresolved in software release 7.5(1). (CSCdz39293)

• A problem occurs with a Supervisor Engine 2 and a configuration similar to the following:

– The switch has one trunk and one access port.

– The trunk has VLAN 999 as the native VLAN, and all VLANs except VLAN 999 are clearefrom the trunk.

– The access port is in VLAN 777.

– The spanning-tree mode is MST; VLAN 999 is in instance 1, and VLAN 777 is in instance

If a frame is received on the trunk tagged with ID 777, it is forwarded to the access port, even thothat VLAN is not allowed. If VLAN 777 is mapped to any other instance, this problem is not s(VLAN 999 and VLAN 777 are used as examples only).


OL-1982-25


T

sk

g

):

TTPto open

em.raffic


o the

ldqueue.

ited.

to

Workaround: Map VLAN 777 to any other MST instance, or to map all of the VLANs to the IS(instance 0). This problem is resolved in software release 7.5(1). (CSCdz50980)

• On a Supervisor Engine 2, theshow mls command output is missing information about the totalactive MLS entries in the NetFlow table. Theshow mls statistics protocol command can only beused with full-flow masks. There is no other way to get this information with different flow masettings. This problem is resolved in software release 7.5(1). (CSCdz51038)

• The integrated CiscoView image sends the wrong user ID to the RADIUS server duringauthentication. This problem is resolved in software release 7.5(1). (CSCdz18313)

• Under certain circumstances, the switch might crash due to “fill_mbuf_ids_que” when runninsoftware release 6.3(8). This problem is resolved in software release 7.5(1). (CSCdy80039)











• When you configure standard QoS receive-queue tail-drop thresholds, do not set the thresho4 value less than 75 percent because packets might get dropped on ports associated with the(CSCdu75029)

• The packets that are sent to the MSFC as a result of a bridge action from an ACL are not rate limOnly those packets that are sent to the MSFC from a FIB hit are rate limited. (CSCdr99239)



OL-1982-25


therenges

, thet was.4(3).

ight

bility.ed in

s are3).

te to

e

witchhis

ed

op

• In rare circumstances, when a Gigabit Ethernet GBIC port is in autonegotiation enable mode,is a small time window when configuration changes may occur. If the remote side of the link chaflow-control parameters within this window, the port on this end of the link may miss theconfiguration changes and fail to enter the correct flow-control mode. (CSCdu02663)


• With a Supervisor Engine 1 and a 10000BASE-GX Ethernet module (WS-X6502-10G) installedswitch might crash when the span test is run on the 10000BASE-GX Ethernet module. This tesdesigned to run only on a Supervisor Engine 2. This problem is resolved in software release 7(CSCdy24428)

• Theset port flowcontrol mod/portsend desiredcommand causes a DTP “link down” on thespecified port and the port is not added to spanning tree.

Workaround: Disable and then reenable the port. This problem is resolved in softwarerelease 7.4(3). (CSCdu43064)

• With high availability enabled, removing and then reinserting the standby supervisor engine mcause it to reset with a TLB exception. This problem is resolved in software release 7.4(3).(CSCdx38593)

• The switch might accept a BPDU with the contents zeroed out and process it as BID0000.0000.0000, priority 0, and msg age expiry 0. Processing the BPDU causes switch instaThe switch should discard BPDUs if any parameters are out of range. This problem is resolvsoftware release 7.4(3). (CSCdy46624)

• Topology change traps were not generated for MST topology changes. Topology change trapnow generated for MST topology changes. This problem is resolved in software release 7.4((CSCdy71614)

• With high availability enabled, MAC address reduction might be changed from the enabled stathe disabled state after a switchover. This problem is resolved in software release 7.4(3).(CSCdy83789)

• When using theset spantree rootcommand with a network diameter of 2 and a hello time of 1, thresulting calculation for “max age” is changed to 5 which is unacceptable to other switches.

Workaround: Set the max age to a minimum value of 6 (use theset spantree maxage agingtimecommand). This problem is resolved in software release 7.4(3). (CSCdy85719)

• In rare conditions, PVST+ systems may advertise an incorrect bridge priority. This problem isresolved in software release 7.4(3). (CSCdy88023)

• If larger than normal Spanning Tree Protocol (STP) packets are received on a dot1q trunk, the smight experience memory corruption. The memory corruption could lead to a system reset. Tproblem is resolved in software release 7.4(3). (CSCdz02959)

• Theshow vlan counterscommand might not show the real counter values. This problem is resolvin software release 7.4(3). (CSCdz04194)

• In rare circumstances, heavy IP/MAC address and IP multicast traffic might cause MSFC2s to stswitching packets. This problem would only occur with software releases 7.3.(2) and 7.4(2). Thesoftware release of the Cisco IOS image is not a factor. This problem is resolved in softwarerelease 7.4(3). (CSCdy52827)


OL-1982-25


ameasested

ds in628)

d yet.dule

s has

thebands

howcurd in

cessort is

later

ageed in

• Prior to software release 7.4(3), an IGMP version 3 packet with more than one group in the spacket was discarded. This problem has been fixed in software release 7.4(3). Software rele7.4(x) run IGMP version 2 and there is no support for version 3. An IGMP version 3 report is treaas a set of IGMP version 2 reports for each of the multicast groups that form the group recorIGMP version 3 reports regardless of the filter mode of the IGMP version 3 report. (CSCdw61

• When you enter theshutdown command on a WS-SVC-NAM-1 or WS-SVC-NAM-2 module, themodule LED changes immediately to orange even though the shutdown may not have completeThis problem occurs regardless of whether the shutdown was issued from the switch CLI, moCLI, or by pushing the shutdown button on the front of the module.

Workaround: Enter the CLIshow module command and wait for the WS-SVC-NAM-1 orWS-SVC-NAM-2 module status to change to “shutdown” to ensure that the shutdown procescompleted. This problem is resolved in software release 7.4(3). (CSCdx52211)

• Troubleshooting inband issues is somewhat difficult due to a lack of information. To facilitatedebugging of inband failures, additional data regarding CPU usage, backplane traffic, and inreceive and transmit rates have been added to the NVRAM logs and syslogs. This problem iresolved in software release 7.4(3). (CSCdy62612)

• A Catalyst 6500 series switch with dual MSFCs running Cisco IOS 12.1(8a)E3 and PIM might shigher than normal CPU utilization on the NDR MSFC. An increase in input drops might also ocon the VLAN interface connected downstream of the multicast traffic. This problem is resolvesoftware release 7.4(3). (CSCdx78283)

• You might experience a problem with disabling IEEE 802.1Q tunneling on a WS-X6248 orWS-X6348 module port. When you disable 802.1Q tunneling on the port, the port is now an acport but the port still accepts tagged traffic for VLANs other than its native VLAN. An access pshould only accept untagged traffic or traffic tagged with the port's native VLAN. This problemresolved in software release 7.4(3). (CSCdy11767)

• The NAM application image release 1.1(1a) is not supported with software releases 6.3(2) anddue to an SCP incompatibility.

Workaround: Upgrade the NAM application image to release 1.2(1). The NAM maintenance imalso needs to be upgraded from release 1.1(1a)m to release 1.2(1)m. This problem is resolvsoftware release 7.4(3). (CSCdv81351)


OL-1982-25


):

d yet.dule

s has

TTPto open

em.raffic


to the9)

ldqueue.

ited.

to






Workaround: Enter the CLIshow module command and wait for the WS-SVC-NAM-1 orWS-SVC-NAM-2 module status to change to “shutdown” to ensure that the shutdown procescompleted. (CSCdx52211)





– Enable and configure QoS before forming any LACP channels.

– When assigning the administrative key to a set of ports, make sure that the ports belongsame channel and that no other ports are assigned that administrative key. (CSCdv6868


Workaround: Disable and then reenable the port. (CSCdu43064)





OL-1982-25


therenges

dbyonline,ThisrtsN 1

stop

to theenmoteak the and

nd

the This

cs

e

resshuts

tware



• The text configuration file for module 2 (standby supervisor engine) might run before the stansupervisor engine ports are actually up. For example, the standby supervisor engine comes the text configuration file starts first, and then the standby supervisor engine ports come online.problem causes some of the configuration in the text configuration file to not be applied to po2/1–2. This problem results in the standby supervisor engine uplink ports being put into VLAand the ports are disabled (default port status disable). This problem ismore noticeable if the systemis not fully populated.This problem is resolved in software release 7.4(2). (CSCdv87897)

• A switch with redundant supervisor engines might display the following error messages and functioning correctly:

SYS-3-SUP_ASENDFAIL:gentcp_act unable to send data to standbySYS-3-SUP_ACONNFAIL:gentcp_act unable to connect with standby

This problem might occur when a command that requires remote execution (such asdir 2/ , squeeze2/slot0) is entered on the switch. When you enter these type of commands, a message is sentstandby supervisor engine. If the time that is taken to execute this command is significant, thduring this time you could enter the commands on the active supervisor engine that require reexecution. Entering a second remote-execution command before the first one finishes can breremote execution connection between the supervisor engines. With software releases 7.4(2)later, entering a second command causes the following error to be displayed:

File system in use (3). Try again later.

Workaround: Do not enter a second remote-execution command before the previous commafinishes. This problem is resolved in software release 7.4(2). (CSCdv20161)

• Multicast traffic coming from a WAN interface might not be switched.

Workaround: Disable multicast MLS. This problem is resolved in software release 7.4(2).(CSCdv65393)

• In extremely rare conditions, a switch with a PFC (not PFC2) running Multicast MultilayerSwitching (MMLS) may stop forwarding traffic for a (S,G) flow. This problem occurs becauseentry, although installed in the NetFlow, may not be marked in the correct state (used state).problem is resolved in software release 7.4(2). (CSCdw93241)

• When executing theshow top bytes command, the command does not display the traffic statistifor any IDSM modules. This problem is resolved in software release 7.4(2). (CSCdx42128)

• Parity errors might cause the supervisor engine to reset. This problem is resolved in softwarrelease 7.4(2). (CSCdx86436)

• A Layer 2 protocol tunnel port, with drop and shut-down thresholds enabled, receives high ingtraffic and shuts down correctly by going into the error disabled state. However, after the port sdown correctly and you stop the traffic and reenable the port, the port might go into the errordisabled state again even though there is no incoming traffic. This problem is resolved in sofrelease 7.4(2). (CSCdx95234)


OL-1982-25


rror

in

T+

ht

f the

ot4)

ap.

s

ur.

s, the

thatt to

lnet.4(2).

erlyrrectly

lved

e stops. Yous

• The switch might reset when the Layer 2 protocol tunnel process tries to put a port into the edisabled state after the port’s threshold is exceeded. This problem is resolved in softwarerelease 7.4(2). (CSCdx95958)

• Creating an RSPAN VLAN through SNMP might change the VTP mode to “client” mode. Thisproblem is not seen when using the CLI to create an RSPAN VLAN. This problem is resolvedsoftware release 7.4(2). (CSCdy01216)

• BPDUs might pass through on a port that is configured for spanning tree BPDU filtering. Thisproblem might happen when the port is in a MST environment and is connected to a PVST+environment.

Workaround: Disable and then reenable the link between the MST environment and the PVSenvironment. This problem is resolved in software release 7.4(2). (CSCdy08291)

• If a WS-X6516 module has a faulty GBIC, SCP communication to the WS-X6516 module migfail. This problem might lead to spanning tree loops. This problem is resolved in softwarerelease 7.4(2). (CSCdy09795)

• In extremely rare conditions, when a VLAN mapping change occurs in the root switch, some ononroot switches might not get updated with the new mapping.

Workaround: Modify the VLAN mapping on the root switch or disable and then reenable the roport on the nonroot switch. This problem is resolved in software release 7.4(2). (CSCdy1616

• With a WS-X6K-SUP1A-2GE supervisor engine, the switch might not send an NVRAM failure trThis problem is resolved in software release 7.4(2). (CSCdy18916)

• An SNMP MIBwalk over CISCO-PAGP-MIB might cause the switch to reset. This problem waobserved after an LACP channel was configured with the distribution set as “set port channel alldistribution session both.” If the channel distribution is set to its default, the reset does not occThis problem is resolved in software release 7.4(2). (CSCdy20189)

• With a Supervisor Engine 2 running software release 7.3(1) and with more than 240,000 routeswitch might reset and after entering theshow log command would display the following error:

Last Exception occurred on Aug 01 2002 12:10:37 ...Software version = 7.3(1)Error Msg: Stack in process "Fib" whose ID is 28 is overflownPID = 27 Fib

This problem is resolved in software release 7.4(2). (CSCdy26060)

• When you use Secure Shell (SSH) encryption with a RADIUS server for authentication, and server is configured to allow you to go directly to the enable mode, you might only be able to gethe user mode. To get to the enable mode, you might have to authenticate one more time byproviding the enable password again (you must configure the $enab15$ username). With Tesessions, you can go directly to the enable mode. This problem is resolved in software release 7(CSCdy26331)

• Packets smaller than 64 bytes that are transmitted by the supervisor engine might be improppadded with an excess 4 bytes due to improper length settings. The excess 4 bytes were incoadded for CRC. This problem is resolved in software release 7.4(2). (CSCdy43680)

• An SNMP trap might only be sent to the last entry of the SNMP manager. This problem is resoin software release 7.4(2). (CSCdy44665)

• A switch might hang when you enter theping command (from enable mode) through a Telnetsession and then terminate the Telnet session. When this problem occurs, the supervisor enginprocessing all protocols but continues to switch traffic that could create a spanning tree loopshould use aggressive UDLD and loop guard to prevent a spanning tree loop. This problem iresolved in software release 7.4(2). (CSCdy00355)


OL-1982-25


k of

n in.4(2).

youd onlved

theorktable.

ingftware

et thein the.

):

d yet.dule

s has

TTPto open

em.raffic

• On a network of Catalyst 6500 series switches, when BackboneFast is enabled, there is a riscreating a loop of RLQ BPDUs (backbone fast BPDUs) if (and only if) there is a device in thenetwork that is transparently bridging BPDUs between at least three VLANs (such as aLocalDirector attached in three VLANs or a hub). This problem can cause high CPU utilizatiothe StpBPDUrx process on the problem switch. This problem is resolved in software release 7(CSCdy53023)

• When 802.1X authentication is enabled globally and also enabled on some individual ports, might not be able to enable high availability. However, when 802.1X authentication is disablethe port level but enabled globally, you are able to enable high availability. This problem is resoin software release 7.4(2). (CSCdx20757)

• In very rare circumstances, IGMP packets destined to address 224.0.0 [1,4,5,6,d] can reachsupervisor engine at an excessive rate causing high CPU utilization. Depending on the netwtopology and the network condition, this problem may cause other processes to become unsThis problem is resolved in software release 7.4(2). (CSCdx09717)

• Reserved address 01-00-5e-00-00-xx traffic is flooded throughout the VLAN with IGMP snoopenabled even when you enter the set cam permanent command. This problem is resolved in sorelease 7.4(2). (CSCdx86394)

• With the release 6.3(8), 6.3(9), and 7.3(1) software images, the software might erroneously resout-of-band management channel causing subsequent FIB updates to be improperly installedhardware that affects Layer 3 forwarding. This problem is resolved in software release 7.4(2)(CSCdy75968)






Workaround: Enter the CLIshow module command and wait for the WS-SVC-NAM-1 orWS-SVC-NAM-2 module status to change to “shutdown” to ensure that the shutdown procescompleted. (CSCdx52211)




OL-1982-25



to the9)

ationsplayhis

eset

.3(1)

ldqueue.

ited.

to

therenges





• With a Switch Fabric Module installed and the switch in flow-through mode, resetting afabric-enabled module during high traffic periods might cause other modules to reset. This situcan cause temporary traffic loss until the reset module comes back online. The system might dia “Send message to mod_num failed” message for the module that you are trying to reset. Tproblem is only seen when the diagnostics are set tominimal or complete (set test diaglevelcommand).


Note This problem has not been seen in later releases.

• In extremely rare conditions, the following configuration might cause the supervisor engine to rwhen the MSFC2 is reloaded:

– Supervisor Engine 2 (with MSFC2) running supervisor engine software release 6.2(2) or 6

– FlexWAN module with ATM port adapter

– Unicast RPF enabled on VLAN interfaces

Workaround: Disable Unicast RPF on the VLAN interfaces. (CSCdv20407)









OL-1982-25


dbyonline,Thisrts

the

IPem

eiveeingers,irs,

LAN), thet of the

2This

thefigurednnelby

fwn.

the

• The text configuration file for module 2 (standby supervisor engine) might run before the stansupervisor engine ports are actually up. For example, the standby supervisor engine comes the text configuration file starts first, and then the standby supervisor engine ports come online.problem causes some of the configuration in the text configuration file to not be applied to po2/1–2. This results in the standby supervisor engine uplink ports being put into VLAN 1 and ports are disabled (default port status disable). This problem is more noticeable if the system is notfully populated.(CSCdv87897)


• A Cisco IP Phone 7940 connected to a Catalyst 6500 series switch might initially receive an address from the data VLAN rather than the auxiliary VLAN configured on the port. This problis resolved in software release 7.3(2). (CSCdx66655)

• Testing has shown that for small frames (64 bytes to 86 bytes), the sum of the VLAN Layer 3 rec(Rx) rates is much lower than the configured policer rate. This problem of small packets not bpoliced at the full rate configured for the aggregate policer is also seen with VLAN and port policnative VLAN and trunk links, various policer and transmit (Tx) rates, single SA/DA address paand a range of source/destination IP address pairs (512 pairs).

For all frame sizes above 86 bytes (various frame size, policer rate, Tx rate), the sum of the VLayer 3 Rx rates was equal to the policer. The smaller the packet size (starting with 64 byteslower the Rx rate. When packets are 86 bytes and larger, the Rx rate possible is 100 percenconfigured rate. This problem is resolved in software release 7.3(2). (CSCdx92093)

• When the backup supervisor engine takes over in a system configured for Supervisor Engineredundancy, the trunking information tables are not built correctly on the Gigabit Ethernet port.problem is also evidenced by the absence of the “TrunkFramesTx” counter in the output of theshowtrunk detail command. The problem occurs when a switchover takes place from the active toredundant supervisor engine and ports 1/1 and 2/1 on the supervisor engines have been confor channeling. A port on the formerly active supervisor engine is not participating in the chaeven though it is in trunking mode. The only way to recover and rebuild the trunking table is entering theshutdowncommand followed by theno shutdowncommand on the affected port. Thisproblem is resolved in software release 7.3(2). (CSCdy12940)

• With a Network Analysis Module (WS-SVC-NAM-1) installed, a high-availability switchover oSupervisor Engine 2 might cause the standby Switch Fabric Module (SFM) to be powered doThis problem is resolved in software release 7.3(2). (CSCdy04624)

• In rare circumstances, with a Supervisor Engine 2 installed in a Catalyst 6500 series switch,following messages might be seen in the log after the Supervisor Engine 2 resets:

09. 6/12/2002,15:11:22: send_scp:MCP/EOBC not responding10. 6/12/2002,15:12:27: ProcessStatusPing:Module 1 local SCP errordetected... resetting module11. 6/12/2002,15:12:27: ProcessStatusPing:Module 1 SLCP not responding...resettingmodule

This problem is resolved in software release 7.3(2). (CSCdx88297)


OL-1982-25


):

d yet.dule

s

TTPto open

em.raffic

n thed. Ine keyyouthers

to the9)

eming to






Workaround: Enter the CLIshow module command and wait for the WS-SVC-NAM-1 orWS-SVC-NAM-2 module status to change to “shutdown” to ensure the shutdown process hacompleted. (CSCdx52211)



• When enabling and disabling QoS on the switch, some channeling ports may leave and rejoichannel. This problem occurs only when using LACP channels. PAgP channels are not affecteparticular, the problem may occur when some ports are associated to the same administrativbut not all of them belong to the same channel. For example, the problem might occur when have four ports with the same administrative key and two of them are channeling while the oare disabled or belong to another channel because of an incompatibility on the partner link.




• With a Switch Fabric Module installed and the switch in flow-through mode, resetting afabric-enabled module during periods of high traffic might cause other modules to reset. Thissituation can cause temporary traffic loss until the reset module comes back online. The systmight display a “Send message to mod_num failed” message for the module that you are tryreset. This problem is only seen when the diagnostics are set tominimal or complete (set testdiaglevel command).



OL-1982-25


eset

.3(1)

ldqueue.

ited.

to

small

dbyonline,This

This

ound..1(2).

s nots

not IOSine











• In rare circumstances, when a GBIC Gigabit port is in autonegotiation enable mode, there is atime window when configuration changes may occur. If the remote side of the link changesflow-control parameters within this window, the port on this end of the link may miss theconfiguration changes and fail to enter the correct flow-control mode. (CSCdu02663)

• The text configuration file for module 2 (standby supervisor engine) might run before the stansupervisor engine ports are actually up. For example, the standby supervisor engine comes the text configuration file starts first, and then the standby supervisor engine ports come online.causes some of the configuration in the text configuration file to not be applied to ports 2/1–2.results in the standby supervisor engine uplink ports being put into VLAN 1 and the ports aredisabled (default port status disable). This problem is more noticeable if the system is not fullypopulated.(CSCdv87897)


• The WS-X6624-FXS analog voice module fails to come online and register with theCisco CallManager when using supervisor engine software release 7.2(2). There is no workarIf you have this module, we recommend that you stay with an earlier software release such as 7This problem is resolved in software release 7.3(1). (CSCdx30559)

• Layer 2 protocol tunneling on uplink ports with channels between two supervisor engines doework after a high-availability switchover until the standby supervisor engine ports are up. Thiproblem is resolved in software release 7.3(1). (CSCdx37411)

• After a supervisor engine switchover, the MSFC on the new standby supervisor engine may come online. The workaround is to reload the MSFC. This problem only happens if the Ciscosoftware 12.1(11b)E image is loaded on the MSFC and is independent of the supervisor engsoftware version used. This problem is resolved in software release 7.3(1). (CSCdw79129)


OL-1982-25


ed byt innds

not

is

rrs

efaultgest to thetion.

onies ind for

nossiont still

h forrcent

e isis

hes:

the

AGP

• If a host sends an IGMPv1 report during the max-query-response-interval (the default is10 seconds) after another host sends an IGMPv2 report, the IGMPv1 report will be suppressthe supervisor engine and connected routers will not see this report. This situation can resulconnected routers not falling back to IGMPv1 compatibility mode. Later, if an IGMPv2 host sean IGMP Leave, the routers will send IMGPv2 GS queries in response (which IGMPv1 hosts dounderstand). If there are no other IGMPv2 hosts for this group on the VLAN, then the routerremoves this VLAN from its outgoing interface list. This problem is resolved in softwarerelease 7.3(1). (CSCdu83776)

• On the 24-port FXS analog interface module (WS-X6624-FXS), theshow spantree commanddisplays the port status as “not-connected.” This error does not affect operation. This problemresolved in software release 7.3(1). (CSCds00575)

• The total number of all received error packets (as represented in the CLI by theshow maccommandand its InLost counter) is not available through SNMP because the dot3StatsInternalMacRxEMIB is incorrect. This problem is resolved in software release 7.3(1). (CSCdw86025)

• When a reachable host and an unreachable host are configured as “syslog server” without a dgateway, only the first syslog message appears on the syslog server. No other syslog messaappear on the server. After clearing the unreachable host, messages that were not sent are senreachable host all at once. The workaround is to clear the unreachable host from the configuraThis problem is resolved in software release 7.3(1). (CSCdx52404)

• Switches with a redundant Supervisor Engine 2/MSFC2 might experience high CPU utilizationthe MSFC2 that is the PIM nondesignated router. This situation is caused by missing (s,g) entrthe mroute table on the nondesignated router, which results in no MMLS entries being createthose flows. This problem is resolved in software release 7.3(1). (CSCdv04376)

• LACP behavior for half-duplex links has changed in software release 7.3(1), LACP ports are longer suspended if they become half duplex. Instead of suspending a port, LACP PDU transmi(if any) is suppressed. If the port is part of a channel, the port is detached from the channel bufunctions as a nonchannel port. This problem is resolved in software release 7.3(1). (CSCdv58977)

• On a switch with a large number of FIB entries (around 50,000), and with more than one pateach of those entries, the supervisor engine CPU utilization might reach and remain at 90 pefor a considerable period of time. This problem is resolved in software release 7.3(1).(CSCdw89942)

• When the dot3adAggPortAttachedAggID SNMP MIB object value is queried, the returned valuwrong. As a result, applications that rely on the value returned from this object might fail. Thproblem impacts CiscoView. In CiscoView, the following fields show “N/A” when a port isconfigured for the LACP protocol on the Catalyst 6500 series and Catalyst 4000 family switc

– [a] “Dot1Q Tunnel” field in Port -> Config -> Physical dialog

– [b] All fields in Port -> Config -> VTP Pruning dialog

– [c] When device is in MST Spanning tree mode “Preferred MST Instances” field in Port ->Config -> Spanning Tree -> MST Port Status dialog does not work.


• With IGMP snooping enabled, the switch might flood multicast traffic for a few seconds whenlast receiver leaves the multicast group. This problem is resolved in software release 7.3(1).(CSCdx08613)

• For WAN interfaces, in Netflow Data Export, the Ifindex and next-hop information might bereported as 0. This problem is resolved in software release 7.3(1). (CSCdx13885)

• With spanning tree in MST mode, the stpxLongStpPortPathCost object cannot be set on any Por LACP channels. This problem is resolved in software release 7.3(1). (CSCdx23200)


OL-1982-25


ot

up

)

ed byisplay3(1).

in

blem

n

. The

rootte, it

n is

abled in

rvalyou

tednd

• In MST mode, “set” and “get” actions on a channel port’s dot1dStpPortPriority object might nwork properly. This problem is resolved in software release 7.3(1). (CSCdx23217)

• With high availability enabled, the active supervisor engine might intermittently reset, bringingthe standby supervisor engine. The active supervisor engine might do this when there is noidentifiable fault condition. This problem is resolved in software release 7.3(1). (CSCdx25470

• CAM entries are installed when sending a query to a VMPS server but the entries are not clearthe client when there is an invalid response. This problem causes the CAM entry output to dthe wrong VLAN-to-MAC address mappings. This problem is resolved in software release 7.(CSCdx45232)

• You might experience a memory leak in the ciscoFlashCopyTable object when you do a “set”operation. This problem is resolved in software release 7.3(1). (CSCdx55656)

• You might experience a memory leak when hot swapping a module. This problem is resolvedsoftware release 7.3(1). (CSCdx58476)

• You might experience a memory leak when RMON is enabled and a module is reset. This prois resolved in software release 7.3(1). (CSCdx61519)

• An SNMP MIBwalk with a community string in the format <community string>@<vlan> returns aincorrect value. This problem is resolved in software release 7.3(1). (CSCdx66883)

• When using RADIUS authentication, you might not be able to reach enable mode. IfAttribute 18 (replymessage) is put before the service-type=6 attribute, the system fails to put you in enable modefollowing server configuration can cause the problem:

– Username = swi

– Reply message = PASSCODe Accepted

– Service-Type = Administrative

If you put the “Service-Type” before the “Reply message,” then the configuration works. The cause is that while the supervisor engine software is processing the “Reply message” attribucorrupts the attribute following it. This problem is resolved in software release 7.3(1).(CSCdx70904)

• In supervisor engine software release 7.2(2), when a Layer 2-protocol tunneling configuratioremoved from a channel port (and it is the last Layer-2 protocol tunnel in the switch), the “llcregistration” entries corresponding to the configured protocols are not removed from the llc tand the EARL register with the encapsulation address is not cleared. This problem is resolvesoftware release 7.3(1). (CSCdw87449)

• If you enable the IGMP querier on a VLAN, the query interval (qi) and/or the other query inte(oqi) values are set, and then IGMP querier is disabled on the VLAN, the qi and oqi values thatconfigured are lost. This problem is resolved in software release 7.3(1). (CSCdv71090)

• When “dot1q-isl” and “res-nonres” mappings exist, the vlanTrunkMappingToVlan is not populafor dot1q-isl when the dot1q VLAN is less than the lowest reserved VLAN. This problem is fouin software release 7.2(2). This problem is resolved in software release 7.3(1).(CSCdx83204)

• The switch might crash if a Layer 2 protocol tunnel port receives a CDP BPDU with the wrongSSAP/DSAP. This problem is resolved in software release 7.3(1). (CSCdx83886)


OL-1982-25


ory

bled

):

ound..1(2).

s not

TTPto open

em.raffic


• With a Supervisor Engine 1A/2 running software release 6.3(3), you might experience a memleak/depleted memory that results in the switch crashing. The problem causes the followingmessages to display:

2002 Mar 01 14:25:28 %SYS-3-SYS_MEMLOW:Malloc usage exceeded 90%2002 Mar 01 14:25:28 %SYS-3-SYS_MEMLOW:Malloc usage exceeded 90%2002 Mar 01 14:25:28 %SYS-3-SYS_MEMLOW:Malloc usage exceeded 90%2002 Mar 01 14:25:28 %SYS-3-SYS_MEMLOW:Malloc usage exceeded 90%

This problem is resolved in software release 7.3(1). (CSCdx19098)

• In some circumstances, the switch might experience a TLB exception if IGMP snooping is disawhile RGMP packets are being received by the switch.

Workaround: Disable RGMP before disabling IGMP snooping. This problem is resolved insoftware release 7.3(1). (CSCdx60209)





• The WS-X6624-FXS analog voice module fails to come online and register with theCisco CallManager when using supervisor engine software release 7.2(2). There is no workarIf you have this module, we recommend that you stay with an earlier software release such as 7(CSCdx30559)

• Layer 2 protocol tunneling on uplink ports with channels between two supervisor engines doework after a high-availability switchover until the standby supervisor engine ports are up.(CSCdx37411)







OL-1982-25


to the9)

teming to

not

b)Eused.

ed byt innds

not

eset

.3(1)

oSset

ldqueue.

ited.

75)

to




• With a Switch Fabric Module installed and the switch in flow-through mode, resetting afabric-enabled module during periods of high traffic might cause other modules to reset. Thissituation can cause temporary traffic loss until the reset module comes back online. The sysmight display a “Send message to mod_num failed” message for the module that you are tryreset. This problem is only seen when the diagnostics are set tominimal or complete (set testdiaglevel command).


• After a supervisor engine switchover, the MSFC on the new standby supervisor engine may come online.

Workaround: Reload the MSFC. This problem only happens if the Cisco IOS software 12.1(11image is loaded on the MSFC and is independent of the supervisor engine software version (CSCdw79129)

• If a host sends an IGMPv1 report during the max-query-response-interval (the default is10 seconds) after another host sends an IGMPv2 report, the IGMPv1 report will be suppressthe supervisor engine and connected routers will not see this report. This situation can resulconnected routers not falling back to IGMPv1 compatibility mode. Later, if an IGMPv2 host sean IGMP Leave, the routers will send IMGPv2 GS queries in response (which IGMPv1 hosts dounderstand). If there are no other IGMPv2 hosts for this group on the VLAN, then the routerremoves this VLAN from its outgoing interface list. (CSCdu83776)











• On the 24-port FXS analog interface module (WS-X6624-FXS), theshow spantree commanddisplays the port status as “not-connected.” This error does not affect operation. (CSCds005



OL-1982-25


small

as thethe

er

dbyonline,This

This

and

rviceware

m

s

el are.2(2).

, whenht

nd”

Data

ate2(2).

is



• The text configuration file for module 2 (standby supervisor engine) might run before the stansupervisor engine ports are actually up. For example, the standby supervisor engine comes the text configuration file starts first, and then the standby supervisor engine ports come online.causes some of the configuration in the text configuration file to not be applied to ports 2/1–2.results in the standby supervisor engine uplink ports being put into VLAN 1 and the ports aredisabled (default port status disable). This problem is more noticeable if the system is not fullypopulated. (CSCdv87897)


• If a RACL fails to get mapped to an interface in a system with either a Supervisor Engine 1 or 2high availability configured, an incorrect TCAM look up might result after one of the MSFCsreloads. This problem is resolved in software release 7.2(2). (CSCdx14864)

• In systems running software release 7.1(1) or 7.1(2) with MST configured, connections to a seprovider over redundant channels may become err-disabled. This problem is resolved in softrelease 7.2(2). (CSCdw30552)

• Traffic flows exiting through a FlexWAN are exported with a next-hop value of zero. This probleis resolved in software release 7.2(2). (CSCdx18492)

• Polling the vlanTrunkPortTable MIB object from the CISCO-VTP-MIB causes high CPUutilization. This problem is resolved in software release 7.2(2). (CSCdx07214)

• Protocol information is not reported in NDE if a full VLAN flow mask is specified. This problem iresolved in software release 7.2(2). (CSCdx01951)

• In a system with a Supervisor Engine 2 and an MSFC2, packets forwarded over a GRE tunndropped or forwarded over a non-GRE interface. This problem is resolved in software release 7(CSCdx06944)

• In rare circumstances, in systems with redundant supervisor engines and high availability enableda POS Optical Services Moduleinterface is going from down to up, the standby supervisor engine migcrash. This problem is not seen with other interface types.This problem is resolved in softwarerelease 7.2(2).(CSCdw64846)

• When you try to delete snmpVacmAccessEntry, the system might respond with an “Entry not foumessage. This problem is resolved in software release 7.2(2). (CSCdw36075)

• On Supervisor Engine 2, source and destination indices might be reported as 0 in the NetFlowExport (NDE) record. To fix the problem, the source and destination ifindices and next hopinformation is now filled in by looking up the FIB table. Note that this may not always yield accurresults, especially in times of route changes. This problem is resolved in software release 7.(CSCdt21216)

• All active ports are missing from the dot1dBridge MIB on switches running in MST mode. Thproblem is resolved in software release 7.2(2) (CSCdv31077)


OL-1982-25


me is

dSFC,ll sendn),

alystbase

m is8)

e This

t09)

heThis

tion This

nter2).

h

lved

roing

• In extremely rare conditions, some VTP operations may be dropped when the VTP domain nabeing modified. This problem is resolved in software release 7.2(2) (CSCdv75656)

• If you have switches running Cisco IOS software on the supervisor engine and the MSFC answitches running Catalyst software on the supervisor engine with Cisco IOS software on the Mand these switches are in the same VTP domain, some older releases of Cisco IOS software wiout VTP updates containing the Token Ring-translated VLAN configuration (default configuratiowhich is not properly handled by Catalyst software prior to software release 6.3(3). With Catsoftware release 6.3(3), a temporary mechanism was introduced to protect the local VLAN databy changing the VTP mode to transparent. With Catalyst software release 7.2(2), this probleresolved and the Catalyst software works properly with the Cisco IOS software. (CSCdv7744

• With a 2-port LACP channel misconfiguration (one side set to on, the other side set to off), thSpanning Tree Protocol might not detect a loop and fail to put the ports into errdisable state.problem is resolved in software release 7.2(2). (CSCdv83868)

• If you pressCtrl-C from an SSH window while performing a TFTP download, the switch mighreset with a TLB exception. This problem is resolved in software release 7.2(2). (CSCdw049

• When running Multicast Multilayer Switching (MMLS) on a Supervisor Engine 1, on reloading tMSFC, the “mroute entry” may not be created when the RPF interface is Packet over SONET.problem is resolved in software release 7.2(2). (CSCdw30626)

• Under some circumstances, the configuration for EtherChannels might fail when the configurais taken from a TFTP server or Flash memory if the ports that belong to that channel are up.problem is resolved in software release 7.2(2). (CSCdw30990)

• When a module transitions from the “OK” state to the “Other” state, there is no log messagespecifically indicating that such a change has occurred. This problem is resolved in softwarerelease 7.2(2). (CSCdw35101)

• With a Supervisor Engine 1 and ATM and/or WAN modules, the switch might crash when you etheshow mls entry ip protocol udpcommand. This problem is resolved in software release 7.2((CSCdw42749)

• On a Supervisor Engine 1 with large ACLs configured and high availability enabled, the switcmight crash with a watchdog timeout after entering theclear config all command. This problem isresolved in software release 7.2(2). (CSCdw31430)

• The exported NDE records might contain a zero value in the dstIndex field. This problem is resoin software release 7.2(2). (CSCdw57664)

• When setting the MIB object caqIpAceProtocolType in the CISCO-CATOS-ACL-QOS-MIB to ze(0) to create a QoS ACL matching all IP traffic, the created ACL only matches IP traffic carry“0” in the protocol field of the IP header. This problem is resolved in software release 7.2(2).(CSCdw59270)


OL-1982-25


E

ace

lved

p inn

tion.

is

tiveNhe

re

blem

dule

d) and).

in

toe

• You might not be able to configure an access port in an 802.1Q tunnel on the WS-X6502-10Gmodule. The following message is displayed:

Console> (enable) set port dot1qtunnel 9/1 access 2002 Jan 25 01:29:58 %SYS-2-DTP_SCPFAIL:SCP Failure: cfg porttrunk-hw failed 9/1 Failed to set the dot1q tunnel feature to access mode on port(s) 9/1.Console> (enable)


• A switch running IGMP snooping may stop adding multicast router ports to the outgoing interflist of all multicast groups.

Workaround: Disable and then reenable IGMP snooping on the switch. This problem is resoin software release 7.2(2). (CSCdw59483)

• When you set the IGMP mode to “igmp-cgmp” and reset the switch, the switch might come uthe “igmp-only” mode when it should be in the “igmp-cgmp” mode. This problem is resolved isoftware release 7.2(2). (CSCdw60417)

• When a link goes up and down repeatedly, the autostate mechanism might fail and the VLANinterface state on the MSFC and the VLAN state on the supervisor engine go out of synchroniza

Workaround: Enable spanning tree for the VLAN and enable PortFast on the port. This problemresolved in software release 7.2(2). (CSCdw75382)

• On a switch configured with MISTP-PVST+ and 802.1Q tunneling, an attempt to change the naVLAN for the 802.1Q trunk port results in BPDUs continuing to be sent with the 1q-tag as VLAID=1 which was originally configured as the default. While this problem is occurring, adding tnative VLAN to the trunk port’s “allowed” list causes the root bridge to stop sending BPDUs.

Workaround: Put the native VLAN into the MISTP instance. This problem is resolved in softwarelease 7.2(2). (CSCdw77209)

• After a high-availability switchover, NetFlow version 7 might not export flows. This problem isresolved in software release 7.2(2). (CSCdw80772)

• PortFast might not work on access ports. After you enter theset spantree portfastmod_num/port_numenable trunk command on an access port, theshow port spantree commandindicates that PortFast is enabled but the port is still listening and learning STP states. This prois resolved in software release 7.2(2). (CSCdw85694)

• The syslog message SYS-5-MOD_DCPWRMISMATCH should be changed toSYS-1-MOD_DCPWRMISMATCH because the message indicates a severe problem (faulty moneeds to be replaced). This problem is resolved in software release 7.2(2). (CSCdw75441)

• PortFast is mistakenly considered enabled when per-port PortFast is set to the default (disableglobal PortFast is disabled in MST mode. This problem is resolved in software release 7.2(2(CSCdw61567)

• The switch does not respond correctly to community strings containing a forward slash (/).

Workaround: Remove the forward slash from the community string. This problem is resolvedsoftware release 7.2(2). (CSCdx03088)

• On a switch with high availability enabled, a switchover might cause UDLD in a neighbor switchput its connecting link port (that was connected to the active supervisor engine undergoing thswitchover) into an errdisable state. This situation occurs when the banner (set banner motdtext)is really long on the switch experiencing the switchover. This problem is resolved in softwarerelease 7.2(2). (CSCdw71357)


OL-1982-25


oinghest.

is

ts are

EF

ledsful.

aulth

nds.

PP

s ortion

ST

• You might see a loss of unicast forwarding across a 4-port Gigabit EtherChannel between twCatalyst 6500 series switches if RSPAN is configured on a VLAN and you have IGMP joins comon a port that is part of the EtherChannel. If RSPAN is not configured, there is no problem. Tproblem appears shortly after enabling multiple “Symantec Ghost” sessions using IP multicaBroadcast, multicast, and unknown unicast traffic are not affected.

Workaround: Disable and then reenable channel ports on one side of the link. This problem resolved in software release 7.2(2). (CSCdw70357)

• Runts may increment on Gigabit Ethernet ports that are in a not-connected state if those porconfigured with theset port negotiationmod/portdisable command. This problem is resolved insoftware release 7.2(2). (CSCdw52996)

• Unicast RPF traffic might not be dropped properly when configured on an MSFC doing MLS Cswitching. This problem is resolved in software release 7.2(2). (CSCdw84636)

• Using the SNMP to download a configuration file to a Catalyst 6509 switch with TACACS enabfails without producing an error message. If TACACS is not enabled, the operation is succesThis problem is resolved in software release 7.2(2). (CSCdw85913)

• Learned dynamic CAM entries are no longer aged out if the CAM aging time is set to the def(300 seconds). This situation results in the stale CAM entries pointing to incorrect ports whiccauses dropped traffic. This problem exists in 7.1(1), 7.1(2), and 7.2(1).

Workaround: Set the default CAM aging time to any value less than or greater than 300 secoAnother workaround is to change the STP mode to PVST+ and then to MST. This problem isresolved in software release 7.2(2). (CSCdx23694,CSCdx29395)

• IGMP snooping enhancement with IGMP fast leave is disabled. This enhancement adds aconfiguration option to cause the switch to send a straight IGMP general query(DMAC=0100.5e00.0001, DIP=224.0.0.1, IGMP GDA=0.0.0.0), rather than a MAC-based IGMgeneral query (DMAC=group MAC, DIP=224.0.0.1, IGMP GDA=0.0.0.0) upon receipt of an IGMleave from a host. This configuration option allows you to interoperate with third party switcheother devices that drop IGMP packets where the DMAC does not match the DIP. The configurais as follows:set igmp leave-query-type [mac-gen-query | general-query]. The default ismac-gen-query. To display the current setting, use the show igmp leave-query-type command.(CSCdu58314)

• IGMP snooping may stop when you change the default VLAN for an access port if you are running Mwith supervisor engine software releases 7.1(1), 7.1(2), or 7.2(1).

Workaround: Disable and then reenable IGMP snooping.This problem is resolved in softwarerelease 7.2(2). (CSCdx38455)


OL-1982-25


):

, whenht

TTPto open

em.raffic

SFMdules

t case,39)


to the9)

eming to





• In rare circumstances, in systems with redundant supervisor engines and high availability enableda POS Optical Services Moduleinterface is going from down to up, the standby supervisor engine migcrash. This problem is not seen with other interface types. (CSCdw64846)



• In systems with redundant supervisor engines and Switch Fabric Modules (SFMs), when the activeis powered down, fails, or is removed or reset, the supervisor engines and other fabric-enabled motry to synchronize to the newly-active SFM if the system is not in flow-through mode. During thisprocess, sometimes the fabric-enabled modules (or the standby supervisor engine) that cannotsynchronize with the SFM are reset and the system recovers after the module is online. In the worsthe newly active SFM is powered down and brings the system to flow-through mode. (CSCdw097








• With a Switch Fabric Module installed and the switch in flow-through mode, resetting afabric-enabled module during periods of high traffic might cause other modules to reset. Thissituation can cause temporary traffic loss until the reset module comes back online. The systmight display a “Send message to mod_num failed” message for the module that you are tryreset. This problem is only seen when the diagnostics are set tominimal or complete (set testdiaglevel command).


OL-1982-25


ed byt innds

not

eset

.3(1)

oSset

ldqueue.

ited.

75)

to

small

as thethe

er

ems

,

ort is.2(x)

















• The 7.1(1) and 7.1(2) CiscoView + SSH images may fail to boot on Supervisor Engine 1 systwith 64-MB DRAM. This problem applies to all models of Supervisor Engine 1(WS-X6K-SUP1-2GE, WS-X6K-SUP1A-2GE, WS-X6K-SUP1A-PFC, WS-X6K-SUP1A-MSFCWS-X6K-S1A-MSFC2). Due to this problem, the cat6000-supcvk9.7-1-1.bin andcat6000-supcvk9.7-1-2.bin CCO images have been deferred. As an alternative, thecat6000-supcvk8.7-1-1.bin or the cat6000-supcvk8.7-1-2.bin images may be used if SSH suppnot required. If both CiscoView and SSH support is required, the 6.3(x) supcvk9 images or the 7and later supcvk9 images should be used. (CSCdw70549)


OL-1982-25


the

mre

tion.

psHSRPheedRP

ntirerom

andce or

visorer the

rver.1(2).

DMDM


• MST problem—Designated (DESG) ports might get stuck in the listening state after changingmaximum hop count using theset spantree mstmaxhops command. In general, if the maximumhops is “n,” then the “nth” switch will exhibit this problem. For example, if you set the maximuhops to 20, there will be a problem in the twentieth switch. This problem is resolved in softwarelease 7.1(2). (CSCdw03133)

• When accessing the switch through an HTTP interface, the switch might reset with a TLB excepThis problem is resolved in software release 7.1(2). (CSCdw02887)

• HSRP switchover is not always reliable on VLAN interfaces configured with multiple HSRP grouas well as secondary IP addresses. The MSFC software shows that the switch is active for angroup, but the supervisor engine hardware might not be properly programmed to recognize tHSRP MAC as a router MAC. Traffic destined to the HSRP MAC of the problem group is switchin software, causing high interrupt-driven CPU utilization. In some cases, initiating another HSswitchover for the problem group resolves the problem. In some cases, you must reset the eswitch to force correct MAC address programming (resetting the MSFC only does not recover fthe problem). This problem is resolved in software release 7.1(2). (CSCdw32821)

• In rare circumstances, a designated port might get stuck in the spanning tree “listening” statestill transmit BPDUs. This situation does not introduce problems with spanning tree convergencause loops. This problem is resolved in software release 7.1(2) (CSCdv89566)

• If you have two switches with redundant supervisor engines that are connected through anEtherChannel configured on port 1/1 and 2/1 on both chassis, if you remove the active superengine in one chassis and then power cycle the second chassis, you might lose connectivity ovchannel. This problem only occurs if the channel mode is set toon on both chassis.

Workaround: Set the channel mode todesirable. This problem is resolved in softwarerelease 7.1(2). (CSCdv01221)

• The switch might reset with a TLB exception after entering theset tacacs server host command.This problem is resolved in software release 7.1(2). (CSCdv37751)

• A supervisor engine configured as an NTP client might lose synchronization with the NTP seeven though NTP updates are being received. This problem is resolved in software release 7(CSCdv39229)

• When you connect a Catalyst 6500 series switch Gigabit Ethernet port to a partner through DWequipment, the switch might experience autonegotiation timing issues dependent on the DWconfiguration.Under these conditions, autonegotiation will fail and the link will not come up.

Workaround: Remove autonegotiation from both ends of the link or change the DWDMconfiguration. This problem is resolved in software release 7.1(2).

To address the timing issues, two new CLI commands are introduced in softwarerelease 7.1(2):

set port sync-restart-delaymod/port delay

show port sync-restart-delaymod/port

Refer to theCatalyst 6500 Series Switch Command Reference, Release 7.1 for command usageinformation. (CSCdv58675)


OL-1982-25


alentil the into

oet with

notis

P

e.

(1).

FIB

eis

tedlved

thesuchn theitch.curs3)

value

or

rtup

stillult).

is

• When the switch is running out of Layer 4 operators, it attempts to expand an ACE into an equivset of multiple ACEs. In certain cases, the expansion logic is not optimal enough and may faoperation. This situation could result in a syslog message that reports a failure to fit the ACLthe TCAM. This problem is resolved in software release 7.1(2). (CSCdv79139)

• Due to the Secure Shell (SSH) CRC-32 integrity check vulnerability, unauthorized attempts taccess a number of networked Catalyst 6500 series switches might cause the switches to reswatchdog timeouts. This problem is resolved in software release 7.1(2). (CSCdv85279)

• Changing the CISCO-STP-EXTENSIONS-MIB object “stpxUplinkFastEnabled” to enable doeschange the required bridge parameters as the equivalent CLI command does. This problem resolved in software release 7.1(2). (CSCdw07008)

• The vlanPortIslOperStatus MIB returns incorrect trunking status. This problem is resolved insoftware release 7.1(2). (CSCdw24363)

• When IGMP snooping is enabled, multicast control-plane traffic, such as PIM Hellos and IGMjoin/leaves, are not correctly handled by the switch when arriving over a WS-X6101 (LANEmodule). This situation disrupts multicast traffic to receivers that are connected to this modul

Workaround: Disable IGMP snooping. This problem was in software releases 6.3(2) and 7.1This problem is resolved in software releases 6.3(4) and 7.1(2). (CSCdw24562)

• When an interface IP address is updated or removed using theip addressA.B.C.Dor no ip addresscommands, the received FIB entry for the old IP address is not removed. This results in staleentries on the supervisor engine. This problem is resolved in software release 7.1(2).(CSCdw12196)

• Theshow modulecommand display fields “Mod Sub-Type” and “Sub-Model” are inaccurate for thWS-X6502-10GE module and the WS-G6488 Optical Interface Module (OIM). This problem resolved in software release 7.1(2). (CSCdw31739)

• If a high-availability switchover occurs after deleting 500 or more VLANs, some already-deleextended VLANs might reappear on the newly active supervisor engine. This problem is resoin software release 7.1(2). (CSCdv85719)

• On a Supervisor Engine 1 with MSFC or MSFC2, multicast traffic is not being routed across switch for mroute entries that are partial shortcuts when the input interface is a WAN interface (as FlexWAN or OSM). The problem is caused by the misprogramming of a hardware index osupervisor engine. The problem is triggered if the MSFC is rebooted without rebooting the swOnce the problem manifests, the indexes will remain in the incorrect state. This problem only ocin software release 7.1(1). This problem is resolved in software release 7.1(2). (CSCdw0892

• Supervisor engine software release 7.1(1) introduced theset mls agingtime long-durationcommand. On Supervisor Engine 2, you cannot verify the long-duration value. You can see theon Supervisor Engine 1 using theshow mlscommand. With software release 7.1(2), theshow mlscommand now displays the long-duration value on Supervisor Engine 2.

Caveat CSCdw28551 fixes one other problem that affects Supervisor Engine 1 and SupervisEngine 2: If you set the configuration mode to “text” (either NVRAM or Flash), even if thelong-duration aging timer value had been set, it does not show up in either the running or staconfigurations and is not retained after a reset. This problem does not affect binary modeconfiguration. With software release 7.1(2), the granularity for theset mls agingtime long-durationcommand has been reduced to 8 seconds. (CSCdw28551)

• If you start a Telnet session to the switch and you get the login prompt but do not log in, youmight be able to view the logging on the switch if session logging is enabled (this is the defa

Workaround: Disable Telnet logging or use an IP permit list to restrict access. This problem resolved in software release 7.1(2). (CSCdw39634)


OL-1982-25


witchsh.

ACaffic

,

s are

6500on 3eachrently,

n

n

only

• In a redundant system with Secure Shell (SSH) encryption, you might get disconnected from the swhen entering thedir orshow flashcommands on the standby supervisor engine bootflash or slot0 FlaThis problem is resolved in software release 7.1(2). (CSCdw29826)

• When a port at the boundary of the MST region changes to an alternate port role, only the Mentries for the port in VLANs that are mapped to Internal Spanning Tree (IST) are flushed. Trin other VLANs may be affected until the entries are aged out.

Workaround: Configure all the VLANs going out of the region to IST. To prevent the problemavoid partitioning the bridged network into multiple MST regions. This problem is resolved insoftware release 7.1(2). (CSCdw49581)

• In a redundant system, ToS bytes might not be marked for multicast packets; unicast packetmarked correctly.

Workaround: Set the default action for IP totrust-dscp as follows:set qos acl default-action iptrust-dscp. This problem is resolved in software release 7.1(2). (CSCdv67672)

• Improper handling of IGMP version 3 packets might cause the switch to crash. The Catalyst series switches currently do not officially support IGMP version 3 but can handle IGMP versipackets. IGMP version 3 provides support for multiple groups to be included in a message andgroup can be associated with a number of IP addresses that can result in large packets. Curthe switch cannot parse multiple groups.

Workaround: Downgrade IGMP version 3 hosts to send only IGMP version 2 joins and whensending version 3 joins, have only one group in the join message. This problem is resolved isoftware release 7.1(2). (CSCdu80305) (CSCdv45868) (CSCdw46716).

• A new CLI command has been added to include Layer 4 ports in a load-balancing hash. Whemultiple paths are available to reach a destination (seeFigure 1), the new hash is applied to pick thepath to be used for forwarding. Prior to this enhancement, the CEF load balancing on PFC2 used a source IP/destination IP based-hash.

Figure 1 Network Example

For the above network topology, we recommend the following configuration:

– Use the defaults for load balancing in routers R01, R21, R22, R23, and R24

– Include Layer 4 ports for load balancing in routers R11 and R12

Use the following command to include or exclude Layer 4 ports in the hash:

set mls cef load-balance { full | source-destination-ip }

This problem is resolved in software release 7.1(2). CSCdv64614

R21

R24

R01

R22R11

R22

R12

R31


OL-1982-25


ityandS)

ted

ed

a):

SFModules

t case,39)

• Some Cisco Catalyst switches, running certain Catalyst software releases, have a vulnerabilwhere a buffer overflow in the Telnet option handling can cause the Telnet daemon to crash result in a switch reload. This vulnerability can be exploited to initiate a denial of service (Doattack.

This vulnerability is documented as Cisco bug ID CSCdw19195.

Workaround: There are workarounds available to mitigate the vulnerability. An advisory is posat this URL:

http://www.cisco.com/warp/public/707/catos-telrcv-vuln-pub.shtml

The following workarounds can be implemented.

– If SSH is available in the code base, use SSH instead of Telnet and disable Telnet.

For instructions on how to do this, refer to this URL:

http://www.cisco.com/warp/public/707/ssh_cat_switches.html.

– Apply access control lists (ACLs) on routers/switches/firewalls in front of the vulnerableswitches so that traffic destined for Telnet port 23 on the vulnerable switches is only allowfrom the network management subnets.

(CSCdw19195)

• An error can occur with management protocol processing. Use the following URL for furtherinformation:http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdw67458






• In systems with redundant supervisor engines and Switch Fabric Modules (SFMs), when the activeis powered down, fails, or is removed or reset, the supervisor engines and other fabric-enabled mtry to synchronize to the newly-active SFM if the system is not in flow-through mode. During thisprocess, sometimes the fabric-enabled modules (or the standby supervisor engine) that cannotsynchronize with the SFM are reset and the system recovers after the module is online. In the worsthe newly active SFM is powered down and brings the system to flow-through mode. (CSCdw097




OL-1982-25

http://www.cisco.com/warp/public/707/catos-telrcv-vuln-pub.shtml

http://www.cisco.com/warp/public/707/ssh_cat_switches.html

http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdw67458



to the9)

the

mre

ingend

em is

aore

hileevenly

tting

ed byt innds

not






• With a Switch Fabric Module installed and the switch in flow-through mode, resetting afabric-enabled module during periods of high traffic might cause other modules to reset caustemporary traffic loss until the reset module comes back online. The system might display a “Smessage to mod_num failed” message for the module that you are trying to reset. This problonly seen when the diagnostics are set tominimal or complete (set test diaglevel command).


• In a 3-slot chassis with Supervisor Engine 1 installed in slot 1 or slot 2 (no MSFC/MSFC2),removing one power supply while traffic is running might cause switching modules to go into “power deny” state and reset even if there is ample power for the modules. A “System drawing mpower than the power supply rating” error message might erroneously display.

Workaround: Do not remove any power supplies in a 3-slot chassis during periods of traffic.(CSCdw07328)

Note CSCdw07328 has not been seen in other releases.

• In a 3-slot chassis with Supervisor Engine 1 (no MSFC/MSFC2), removing one power supply wthere is traffic running might cause switching modules to go into a “power deny” state and resetif there is ample power for the modules. A “System drawing more power than the power supprating” error message might also erroneously display. This might be followed by the switch resewith a Bus Timeout NMI.





OL-1982-25


eset

.3(1)

oSset

ld 4ociated

ited.

75)

to

small

ems

,

ort is.2(x)







• Theset port flowcontrol mod/portsend desiredcommand causes a DTP “link down” on thespecified port and the port is not added to the spanning tree.


• When you configure standard QoS receive-queue tail-drop thresholds, do not set the threshovalue less than 75 percent. Failure to do so might cause packets to be dropped on ports asswith the queue. (CSCdu75029)







OL-1982-25


):

SFMdules

t case,39)


to the9)

the

mre


• An error can occur with management protocol processing. Use the following URL for furtherinformation:http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdw67458

This problem is resolved in software release 7.1(1a). (CSCdw67458)





• In systems with redundant supervisor engines and Switch Fabric Modules (SFMs), when the activeis powered down, fails, or is removed or reset, the supervisor engines and other fabric-enabled motry to synchronize to the newly-active SFM if the system is not in flow-through mode. During thisprocess, sometimes the fabric-enabled modules (or the standby supervisor engine) that cannotsynchronize with the SFM are reset and the system recovers after the module is online. In the worsthe newly active SFM is powered down and brings the system to flow-through mode. (CSCdw097









OL-1982-25

http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdw67458


ingend

em is

aore

hileevenly

tting

ed byt innds

not

eset

.3(1)

oSset

• With a Switch Fabric Module installed and the switch in flow-through mode, resetting afabric-enabled module during periods of high traffic might cause other modules to reset caustemporary traffic loss until the reset module comes back online. The system might display a “Smessage to mod_num failed” message for the module that you are trying to reset. This problonly seen when the diagnostics are set tominimal or complete (set test diaglevel command).


• In a 3-slot chassis with Supervisor Engine 1 installed in slot 1 or slot 2 (no MSFC/MSFC2),removing one power supply while traffic is running might cause switching modules to go into“power deny” state and reset even if there is ample power for the modules. A “System drawing mpower than the power supply rating” error message might erroneously display.



• In a 3-slot chassis with Supervisor Engine 1 (no MSFC/MSFC2), removing one power supply wthere is traffic running might cause switching modules to go into a “power deny” state and resetif there is ample power for the modules. A “System drawing more power than the power supprating” error message might also erroneously display. This might be followed by the switch resewith a Bus Timeout NMI.










• Theset port flowcontrol mod/portsend desiredcommand causes a DTP “link down” on thespecified port and the port is not added to the spanning tree.



OL-1982-25


ld 4ociated

ited.

75)

to

small

ems

,

ort is.2(x)

one

on highse, ife do.1(1).

reed

ol

rvisorware

• When you configure standard QoS receive-queue tail-drop thresholds, do not set the threshovalue less than 75 percent. Failure to do so might cause packets to be dropped on ports asswith the queue. (CSCdu75029)







• On the Intrusion Detection System Module (IDSM), WS-X6381-IDS, the standard-time time zname that is entered using theset timezonezone_name command is missing when the IDSMrequests a time update from the supervisor engine. This problem is resolved in softwarerelease 7.1(1). (CSCdv32362)

• Prior to enabling Single Router Mode (SRM) on the MSFC, you must enable high availabilitythe supervisor engine. Currently, no syslog message is generated when SRM is enabled andavailability is disabled on the supervisor engine. In the next supervisor engine software releayou enable SRM and high availability is disabled on the supervisor engine, a syslog messagdisplays indicating that high availability must be enabled prior to enabling SRM and failure toso could result in unexpected system behavior. This problem is resolved in software release 7(CSCdu78927)

• After an MSFC reload, you might not see any packets being switched to the interfaces that areplicated by the MSFC when the incoming interface is a WAN interface for a partially switchflow. This problem is resolved in software release 7.1(1). (CSCdv54808)

• The 8-port T1 PSTN interface module (WS-X6608-T1) ports do not come online when protocfiltering is enabled.

Workaround: Reset the module. This problem is resolved in software release 7.1(1).(CSCdu43330)

• When the MAC address is changed on the MSFC, the change might not show up in the supeengine’s FIB table. This problem could cause inconsistencies. This problem is resolved in softrelease 7.1(1). (CSCdu55854)


OL-1982-25


al

ingre

tate.

n-RJ-4549)

llmal

6)

3(4),

hee 21(1).

s not

P is

• Theset port broadcastcommand “rounds off” any fractional value to the lowest numeric value.For example, if you enterset port broadcastmod/port 0.99%, it would round the threshold valueto 0 percent (you would not have a threshold value). Another example is if you enterset portbroadcastmod/port 1.99%, it would set the threshold to 1 percent (the lowest numeric nonfractionvalue). This problem is resolved in software release 7.1(1). (CSCdv32874)

• In certain instances, disabling IGMP snooping may cause a Catalyst 6500 series switch runnsoftware release 6.3(2) to crash with a watchdog timeout. This problem is resolved in softwarelease 7.1(1). (CSCdv73706)

• When using text configuration mode, the standby MSFC port may come up in an errdisabled s

Workaround: Reset the standby MSFC. This problem is resolved in software release 7.1(1).(CSCdv34269)

• The 48-port 10/100BASE-TX Ethernet module (WS-X6548-RJ-45) might drop frames smaller tha68 bytes. The problem was observed when a non-Catalyst device was connected to a WS-X6548module through an 802.1Q trunk.This problem is resolved in software release 7.1(1). (CSCdv861

• When sending a large amount of CDP neighbor announcements, it is possible to consume aavailable router memory. This problem could cause the switch to reset or exhibit other abnorbehavior.

Workaround: Disable CDP. This problem is resolved in software release 7.1(1). (CSCdv5757

• In a Catalyst 6500 series switch with a Supervisor Engine 2 running software prior to release 6.multicast packet loss might be seen in either of the following circumstances:

– When an output interface (OIF) is deleted from the MMLS shortcut entry

– When IGMP Fast Leave is enabled

This problem is resolved in software release 7.1(1). (CSCdv67153)

• When you query for SNMP object “portOperStatus” from the CISCO-STACK MIB, the ports on t8-port T1 PSTN interface module (WS-X6608-T1) might report the wrong value such as valu(OK) even if the port is down or not connected. This problem is resolved in software release 7.(CSCdv53207)

• On a Supervisor Engine 1 with MSFC, the inband FX1000 port might receive packets but doetransmit them. When the port is in this state, you might see the following symptoms:

– The switch generates the following message every minute on every connected port if CDenabled:

2001 Aug 21 15:25:46 EDT -04:00 %CDP-3-SENDFAIL:Transmit failure on port 3/2

– The switch is not able to ping its default gateway

– No devices are able to ping the sc0 interface

– Traffic through the switch is being forwarded

Workaround: Reboot the switch. This problem is resolved in software release 7.1(1).(CSCdv15176)


OL-1982-25

Catalyst Software Image Upgrade Procedure

re

ioning

both

ftware) to

ctiveocess.g the

n the

er orr, thelon to

ndbyocol

one to

visor

ionthe

The

tusigh

Catalyst Software Image Upgrade ProcedureThe high-availability image versioning feature allows you to perform a software upgrade with theminimal downtime associated with the high-availability feature. Compatibility between the softwaimages is determined during the procedure inStep 12.

Note Enable high-availability versioning only when upgrading Catalyst software. Implement imagesynchronization (high-availability versioning is disabled) for normal operating conditions.

Image versioning is supported in supervisor engine software releases 5.4(1) and later. Image versis not supported with images prior to release 5.4(1). Therefore, when you enable high-availabilityversioning, you can have active and standby supervisor engines run different images as long as images are release 5.4(1)or later.

The high-availability versioning feature and Catalyst software upgrade should only be used whenapplying a maintenance release of Catalyst software. A maintenance release is a new version of sowith incremental feature upgrades and bug fixes such as upgrading from software version 5.5.(15.5.(2). Major releases might not be high-availability compatible.

Versioning is feature dependent requiring that the high-availability feature is enabled in a dualsupervisor engine configuration. Versioning allows different but compatible images to run on the aand standby supervisor engines, disabling the default supervisor engine image synchronization prVersioning allows you to upgrade the supervisor engine software while the system is running usinstateful supervisor engine switchover of the high-availability feature.

You also have the ability to maintain a previously used and tested version of Catalyst software ostandby supervisor engine as a fallback if anything goes wrong with the software upgrade.

There are no restrictions as to which supervisor engine (active or standby) can be running a newolder image version allowing you to upgrade or downgrade the Catalyst software images. Howevetwo versions of Catalyst software must be high-availability compatible to make possible a statefusoftware upgrade. The active and standby supervisor engines exchange image version informatidetermine if the two software images are compatible.

Image versions are defined to be one of three options: compatible, incompatible, or upgradable:

• Compatible versions support stateful protocol redundancy between the different images. Allconfiguration settings made to the NVRAM on the active supervisor engine are sent to the stasupervisor engine. Two Catalyst software versions are incompatible if synchronizing the protstate databases between the two versions is not possible.

• Incompatible software versions impact system operation because they require greater than athree second switchover time of a high-availability switchover and no NVRAM configurationchanges are synchronized between supervisor engines in the software upgrade process.

• The upgradable option is a special case of incompatible versions. The high-availability superengine switchover is not available, but configuration changes to the NVRAM on the activesupervisor engine can be synchronized to the standby supervisor engine. Therefore, the optallows two different software versions to be run with synchronized configurations but without ability for a high-availability failover.

If the Catalyst software images are not compatible, the high-availability switchover is not possible.operation status output from the commandshow system highavailability should be monitored todetermine the high-availability compatibility of two Catalyst software images. The operational stacan either beON or OFF (with some system specific status messages). The following shows that havailability is enabled and that the Catalyst software versions are high-availability compatible(Operational status: ON).


OL-1982-25


llow

ervisor

e

e

Console-A> (enable) show system highavailabilityHighavailability: enabledHighavailability versioning: enabledHighavailability Operational-status: ON

Refer to Chapter 22, “Configuring Redundancy,” in theCatalyst 6500 Series Switch SoftwareConfiguration Guide.

Caution You must follow these steps in this section exactly to successfully upgrade your system. Failure to fothese instructions exactly might result in an unusable system.

Perform these steps with the supervisor engine in slot 1 as the active supervisor engine and the supengine in slot 2 in the standby mode:

Note You must have a console connection available for both supervisor engines in this procedure.

Step 1 Disable the high-availability feature on the active supervisor engine:

Console_A> (enable) set system highavailability disableSystem high availability disabled.Console _A> (enable)

Note The high-availability feature is disabled by default.

Step 2 Load the new Catalyst software image into the bootflash (via slot0, disk0, TFTP, etc.) of the activsupervisor engine only.

Note In the following steps, the software versions are shown as a variable (x). When performing theseprocedures, use the image numbers you are using for your system. For available softwarversions, see the“Orderable Software Images” section on page 16 of these release notes.

Console_A> (enable) copy slot0:cat6000-sup2.6-1-X.bin bootflash:cat6000-sup2.6-1-X.bin

5786532 bytes available on device bootflash, proceed (y/n) [n]? y

... display text truncatedConsole_A> (enable)

Step 3 Verify that the new image is now located in the bootflash of the active supervisor engine.

Console_A> (enable) dir bootflash:

Step 4 Set the boot variable to boot the new image.

Console_A> (enable) set boot system flash bootflash:cat6000-sup2.6-1-X.bin prepend

Step 5 Synchronize the configuration files automatically to the standby supervisor engine.

Console_A> (enable) set boot sync now


OL-1982-25


perly

en of

ifer an

hould

rvisorrvisor

e new

ctive

Step 6 Verify that the new image is located on the standby supervisor engine and the boot variable is proset.

Console_A> (enable) dir 2/bootflash:Console_A> (enable) show boot 2

The new Catalyst software image is on both supervisor engines.

Step 7 Enable high-availability versioning on the active supervisor engine.

Console_A> (enable) set system highavailability versioning enable

Before the standby supervisor engine becomes active running the new software, you must enablhigh-availability versioning to allow the standby supervisor engine to reboot under the new versioCatalyst software while remaining the standby supervisor engine.

Note These upgrade procedures allow for a fallback plan using the old Catalyst software imageproblems occur. The now-active supervisor engine must maintain that older image (even aftaccidental reboot).

Step 8 Enable high-availability on the active supervisor engine.

Console_A> (enable) set system highavailability enable

Step 9 Change the boot variable on the active supervisor engine back to its original setting (this setting sstill be stored in the bootflash):

Console_A> (enable) set boot system flash bootflash:cat6000-sup2.old.bin prepend

Note Because high-availability versioning is enabled, setting the boot variable on the activesupervisor engine does not cause an image synchronization.

Step 10 Reset the standby supervisor engine.

Console_A> (enable) reset 2This command will reset the system.Do you want to continue (y/n) [n]? y

... display text truncatedConsole_A> (enable)

The standby supervisor engine reboots with the new Catalyst software image. The standby supeengine remains the standby supervisor engine and does not affect the operation of the active supeengine.

Step 11 After the standby supervisor engine reboots, verify that the standby supervisor engine is running thCatalyst software image.

Console_A> (enable) show module

The standby supervisor engine should show that the new software version is different from the asupervisor engine’s software version.

Step 12 Verify that the two different Catalyst software images are high-availability compatible.

Console_A> (enable) show system highavailability


OL-1982-25

Troubleshooting

litywill

lot 2

are).The

enow

can be

byctive

n and

IOSre.

For the high-availability switchover to occur, it is critical that the operational status of high-availabiis ON. If not, the system will be upgraded with a fast switchover (non-stateful) and the protocols need to be restarted. This is the “Go, No-Go” decision point for continuing the upgrade.

If the Catalyst software images are not high-availability compatible, you cannot proceed with theupgrade. Individual modules might be compatible or incompatible and get reset (even during anotherwise high-availability switchover).

Step 13 Reset the active supervisor engine. Change the console connection to the supervisor engine in s(Sup-B) to maintain command line operation.

Console_A> (enable) reset 1

The standby supervisor engine takes over as the active supervisor engine (running the new softwThe previously active supervisor engine is now rebooted as the new standby supervisor engine. switchover should take under 3 seconds.

Step 14 Verify that the system is performing as expected. The supervisor engine in slot 2 is now the activsupervisor engine running the new version of Catalyst software. The supervisor engine in slot 1 isthe standby supervisor engine running the old software version. The standby supervisor engine used as a fallback to revert to the old version of Catalyst software.

Step 15 If the system is operating as expected, then you must update the boot configuration on the standsupervisor engine (now, supervisor engine B) by disabling high-availability versioning on the new asupervisor engine, which automatically enables the image synchronization feature.

Console_B> (enable) set system highavailability versioning disable

Wait for the sync to occur before you reset.

Console_B> (enable) reset 1

This completes the Catalyst software upgrade procedure.

TroubleshootingThis section describes troubleshooting guidelines for the Catalyst 6500 series switch configuratiois divided into the following subsections:

• System Troubleshooting, page 172

• Module Troubleshooting, page 172

• VLAN Troubleshooting, page 173

• STP Troubleshooting, page 174

Note Refer to theRelease Notes for Catalyst 6500 Series Switch Multilayer Switch Feature Card—CiscoRelease 12.0(3)XEpublication for information about how caveat CSCdm83559 affects the MLS featuCSCdm83559 is resolved in Release 12.1(2)E.


OL-1982-25

Troubleshooting

ine,ert

ableether

re thermal

a, you

at the

upply,

t isthe

duleany

akingfere

use

ule,.

System TroubleshootingThis section contains troubleshooting guidelines for system-level problems:

• When the system is booting and running power-on diagnostics, do not reset the switch.

• After you initiate a switchover from the active supervisor engine to the standby supervisor engor when you insert a redundant supervisor engine in an operating switch, always wait until thsupervisor engines have synchronized and all modules are online before you remove or insemodules or supervisor engines or perform another switchover.

• After you download a new Flash image, the next reboot might take longer than normal if ErasProgrammable Logic Devices (EPLDs) on the supervisor engine need to be reprogrammed. Whthis happens depends on which software version was running on the supervisor engine befodownload and which software version is downloaded. This can add up to 15 minutes to the noreboot time.

• If you have a port whose port speed is set toauto connected to another port whose speed is set tofixed value, configure the port whose speed is set to a fixed value for half duplex. Alternatelycan configure both ports to a fixed-value port speed and full duplex.

Module TroubleshootingThis section contains troubleshooting guidelines for module problems:

• When you hot insert a module, be sure to use the ejector levers on the front of the module to sebackplane pins properly. Inserting a module without using the ejector levers might cause thesupervisor engine to display incorrect messages about the module. For module installationinstructions, refer to theCatalyst 6500 Series Module Installation Guide.

• The Catalyst 6000 chassis has an EMI gasket on top of the frame member above the power sand each module has an EMI gasket on the top of its faceplate. (Blank slot covers also have EMIgaskets.)These EMI gaskets must contact the adjacent module to be effective. The EMI gaskemade from a flat spring material, folded and cut so that it looks like many parallel strips acrosstop of the faceplate.

When you insert a module, it must compress its own EMI gasket and the EMI gasket on the mobelow it. Some force is required to compress each EMI gasket. When a majority of the slots inchassis are filled, the pressure from the EMI gaskets forces the modules toward empty slots, minsertion of the last module difficult. This effect can also cause the top of the faceplate to interslightly with the module above.

When assembling a system, use Solution 1. When replacing a module on an active system, Solution 2.

Note In all cases, use proper ESD protection.

– Solution 1, when assembling a system:

Start from the top of the chassis and work toward the bottom. When inserting the last modpress the faceplate down approximately 1 mm (~.040”) when interference is encounteredTighten all the thumb screws after the last card is inserted.


OL-1982-25

Troubleshooting

assis

ulesf the

nseat

orceages

andating

kingvicen

unkedrtu can

tocol

gitch

sed,

– Solution 2, when replacing or troubleshooting a module on an active switch:

1. First, before removing any module, make sure the thumbscrews on all modules in the chare tight. This action will assure that the space for the module that is removed will bemaintained. If the thumbscrews are not tightened, the EMI gaskets on the remaining modwill push them toward the open space created by removing the module, reducing the size ospace needed for the replacement module.

2. Next, loosen the thumbscrews on the module to be removed and use the extractors to uthe connectors. Remove the module and put it in an antistatic bag.

3. Finally, open the extractors and insert the replacement module with a slight downward fagainst the top edge of the faceplate, deflecting it approximately 1 mm (~.040”) when it engthe adjacent module. Once the extractors begin to close, use them to fully engage theconnectors.

4. Tighten the thumbscrews.

• If the switch detects a port-duplex misconfiguration, the misconfigured switch port is disabledplaced in the “errdisable” state. The following syslog message is reported to the console indicthat the misconfigured port has been disabled due to a late collision error:

SYS-3-PORT_COLL:Port 8/24 late collision (0) detected%SYS-3-PORT_COLLDIS:Port 8/24 disabled due to collision%PAGP-5-PORTFROMSTP:Port 8/24 left bridge port 8/24

Reconfigure the port-duplex setting and use theset port enable command to reenable the port.

• Whenever you connect a port that is set to autonegotiate to an end station or another networdevice, make sure that the other device is configured for autonegotiation as well. If the other deis not set to autonegotiate, the autonegotiating port will remain in half-duplex mode, which cacause a duplex mismatch resulting in packet loss, late collisions, and line errors on the link.

VLAN TroubleshootingThis section contains troubleshooting guidelines for VLAN problems.

Note Catalyst 6500 series switches do not support ISL-encapsulated Token Ring frames. To support trToken Ring traffic in your network, make trunk connections directly between switches that suppoISL-encapsulated Token Ring frames. When a Catalyst switch is configured as a VTP server, yoconfigure Token Ring VLANs from the switch.

Catalyst 6500 series switches ship with ports in a nontrunking state and the Dynamic Trunking Pro(DTP) feature in theauto mode. In this mode, if a port sees a DTPon or DTPdesired frame, ittransitions into the trunking state. Although DTP is a point-to-point protocol, some internetworkindevices might forward DTP frames. To avoid connectivity problems that might be caused by a swacting on these forwarded DTP frames, do the following:

• For ports connected to non-Catalyst family devices in which trunking is not currently being uconfigure Catalyst ports tooff by entering theset trunk mod_num/port_numoff command.

• When manually enabling trunking on a link to a Cisco router, use theset trunk mod_num/port_numnonegotiate command. Thenonegotiate keyword transitions a link into trunking mode withoutsending DTP frames.


OL-1982-25

Troubleshooting

s)

to the

ockedithin

rosshe

rtsor

rossthe

ortsr

icalh or

het

e 1ceM

m.

r

r

STP TroubleshootingThis section contains troubleshooting guidelines for spanning tree problems:

The Spanning Tree Protocol (STP) blocks certain ports to prevent physical loops in a redundanttopology. On a blocked port, the switch receives spanning tree bridge protocol data units (BPDUperiodically from its neighboring device. You can configure the frequency with which BPDUs arereceived by entering theset spantree hello command (the default frequency is set to 2 seconds). If aswitch does not receive a BPDU in the time period defined by theset spantree maxage command(20 seconds by default), the blocked port transitions to the listening state, the learning state, andforwarding state. As it transitions, the switch waits for the time period specified by theset spantreefwddelay command (15 seconds by default) in each of these intermediate states. Therefore, a blspanning tree port moves into the forwarding state if it does not receive BPDUs from its neighbor wapproximately 50 seconds.

Use the following guidelines to debug STP problems:

Note For a given topology, MST converges faster than PVST+ and MISTP.

• On a Catalyst 6500 series switch with default STP parameters:

– With Supervisor Engine 2 configured for MST only, ensure that the sum of the logical ports acall instances of spanning tree for different VLANs does not exceed 127,000 (with or without thigh-availability feature enabled).

– With Supervisor Engine 2 configured for MISTP only, ensure that the sum of the logical poacross all instances of spanning tree for different VLANs does not exceed 127,000 (with without the high-availability feature enabled).

– With Supervisor Engine 2 configured for PVST+, ensure that the sum of the logical ports acall instances of spanning tree for different VLANs does not exceed 14,000 (with or withouthigh-availability feature enabled).

– With Supervisor Engine 2 configured for Rapid PVST+, ensure that the sum of the logical pacross all instances of spanning tree for different VLANs does not exceed 14,000 (with owithout the high-availability feature enabled).

– With Supervisor Engine 2 configured for PVST+ and MISTP, ensure that the sum of the logports across all instances of spanning tree for different VLANs does not exceed 8,000 (witwithout the high-availability feature enabled).

– With Supervisor Engine 1 configured for Rapid PVST+ with 128-MB DRAM, ensure that tsum of the logical ports across all instances of spanning tree for different VLANs does noexceed 4,000 (with or without the high-availability feature enabled). If a Supervisor Enginhas 64-MB DRAM, it might run out of clusters and crash during Rapid PVST+ convergenwith a high number of VLAN ports (STP instances). The workaround is to upgrade the DRAto 128 MB to support a higher number of logical ports (1000 and above) when running inRapid-PVST+ mode. Reducing the number of VLAN ports could also eliminate the proble

– With Supervisor Engine 1 configured for MISTP only and with the high-availability featureenabled, ensure that the sum of the logical ports across all instances of spanning tree fodifferent VLANs does not exceed 35,000 (28,000 without high availability).

– With Supervisor Engine 1 configured for MST only and with the high-availability featureenabled, ensure that the sum of the logical ports across all instances of spanning tree fodifferent VLANs does not exceed 35,000 (28,000 without high availability).


OL-1982-25

Additional Documentation

of4000

ctive

. When

these

ndby

cked

ypeDUs.

tsing

is set

k.

y

the

– With Supervisor Engine 1 configured for PVST+ or PVST+ and MISTP, ensure that the sumthe logical ports across all instances of spanning tree for different VLANs does not exceed(with or without the high-availability feature enabled).

The sum of all logical ports equals the number of trunks on the switch times the number of aVLANs on the trunks, plus the number of nontrunking ports on the switch.

Caution Lowering the values of any STP timers reduces the number of STP instances that can be supportednumerous protocol features (such as VTP pruning, Fast EtherChannel, and RMON) are enabledconcurrently, the number of supported logical spanning tree ports are reduced. Also, to achieve numbers, we recommend that you keep switched traffic off the management VLAN.

• After a switchover from the active to the standby supervisor engine, the uplink ports on the stasupervisor engine take longer to come up than other switch ports.

• Keep track of all blocked spanning tree ports in each switch in your network. For each of the blospanning tree ports, keep track of the output of the following commands:

– show port—Check to see if the port has registered a lot of alignment, FCS, or any other tof line errors. If these errors are incrementing continuously, the port might drop input BP

– show mac—If the Inlost counter is incrementing continuously, the port is losing input packebecause of a lack of receive buffers. This problem can also cause the port to drop incomBPDUs.

• On a blocked spanning tree port, check the duplex configuration to ensure that the port duplexto the same type as the port of its neighboring device.

• On trunk ports, make sure that the trunk configuration is set properly on both sides of the lin

• On trunk ports, make sure that the duplex is set to full on both sides of the link to prevent ancollisions under heavy traffic conditions.

Additional DocumentationThe following documents are available for the Catalyst 6500 series switches:

• Catalyst 6500 Series Switch Quick Software Configuration

• Catalyst 6500 Series Switch Installation Guide

• Catalyst 6500 Series Switch Module Installation Guide

• Catalyst 6500 Series Switch Software Configuration Guide

• Catalyst 6500 Series Switch Command Reference

• System Message Guide—Catalyst 6500 Series, Catalyst 4500 Series, Catalyst 2948G, andCatalyst 2980G Switches

• ATM Configuration Guide and Command Reference

Obtaining DocumentationCisco documentation and additional literature are available on Cisco.com. This section explains product documentation resources that Cisco offers.


OL-1982-25

Documentation Feedback

ium.e and

byber

r Cisco

y

Cisco.comYou can access the most current Cisco documentation at this URL:

http://www.cisco.com/techsupport

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVDThe Product Documentation DVD is a library of technical product documentation on a portable medThe DVD enables you to access installation, configuration, and command guides for Cisco hardwarsoftware products. With the DVD, you have access to the HTML documentation and some of thePDF files found on the Cisco website at this URL:

http://www.cisco.com/univercd/home/home.htm

The Product Documentation DVD is created and released regularly. DVDs are available singly orsubscription. Registered Cisco.com users can order a Product Documentation DVD (product numDOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at the Product DocumentationStore at this URL:

http://www.cisco.com/go/marketplace/docstore

Ordering DocumentationYou must be a registered Cisco.com user to access Cisco Marketplace. Registered users may ordedocumentation at the Product Documentation Store at this URL:


If you do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

Documentation FeedbackYou can provide feedback about Cisco technical documentation on the Cisco Support site area bentering your comments in the feedback form available in every online document.

Cisco Product Security OverviewCisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you will find information about how to do the following:

• Report security vulnerabilities in Cisco products


OL-1982-25

http://www.cisco.com/techsupport

http://www.cisco.com

http://www.cisco.com/public/countries_languages.shtml

http://www.cisco.com/univercd/home/home.htm





Product Alerts and Field Notices

s

e, youRSS)

them,lity

hichered

G) tobeen

your

nding

Fields tooltion.

• Obtain assistance with security incidents that involve Cisco products

• Register to receive security information from Cisco

A current list of security advisories, security notices, and security responses for Cisco products iavailable at this URL:

http://www.cisco.com/go/psirt

To see security advisories, security notices, and security responses as they are updated in real timcan subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRTfeed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco ProductsCisco is committed to delivering secure products. We test our products internally before we releaseand we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerabiin a Cisco product, contact PSIRT:

• For emergencies only—[email protected]

An emergency is either a condition in which a system is under active attack or a condition for wa severe and urgent security vulnerability should be reported. All other conditions are considnonemergencies.

• For nonemergencies—[email protected]

In an emergency, you can also reach PSIRT by telephone:

• 1 877 228-7302

• 1 408 525-6532

Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPencrypt any sensitive information that you send to Cisco. PSIRT can work with information that hasencrypted with PGP versions 2.x through 9.x.

Never use a revoked encryption key or an expired encryption key. The correct public key to use incorrespondence with PSIRT is the one linked in the Contact Summary section of the SecurityVulnerability Policy page at this URL:


The link on this page has the current PGP key ID in use.

If you do not have or use PGP, contact PSIRT to find other means of encrypting the data before seany sensitive material.

Product Alerts and Field NoticesModifications to or updates about Cisco products are announced in Cisco Product Alerts and CiscoNotices. You can receive these announcements by using the Product Alert Tool on Cisco.com. Thienables you to create a profile and choose those products for which you want to receive informa


OL-1982-25

http://www.cisco.com/go/psirt

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

mailto:[email protected]

mailto:[email protected]


Obtaining Technical Assistance

access

you

gt

have

l

b page

To access the Product Alert Tool, you must be a registered Cisco.com user. Registered users canthe tool at this URL:

http://tools.cisco.com/Support/PAT/do/ViewMyProfiles.do?local=en

To register as a Cisco.com user, go to this URL:


Obtaining Technical AssistanceCisco Technical Support provides 24-hour-a-day award-winning technical assistance. TheCisco Support website on Cisco.com features extensive online support resources. In addition, if have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers providetelephone support. If you do not have a valid Cisco service contract, contact your reseller.

Cisco Support WebsiteThe Cisco Support website provides online documents and tools for troubleshooting and resolvintechnical issues with Cisco products and technologies. The website is available 24 hours a day athis URL:

http://www.cisco.com/en/US/support/index.html

Access to all tools on the Cisco Support website requires a Cisco.com user ID and password. If youa valid service contract but do not have a user ID or password, you can register at this URL:


Note Before you submit a request for service online or by phone, use theCisco Product Identification Toolto locate your product serial number. You can access this tool from the Cisco Support websiteby clicking theGet Tools & Resources link, clicking theAll Tools (A-Z) tab, and then choosingCisco Product Identification Tool from the alphabetical list. This tool offers three search options:by product ID or model name; by tree view; or, for certain products, by copying and pastingshowcommand output. Search results show an illustration of your product with the serial number labelocation highlighted. Locate the serial number label on your product and record the informationbefore placing a service call.

Tip Displaying and Searching on Cisco.com

If you suspect that the browser is not refreshing a web page, force the browser to update the weby holding down the Ctrl key while pressingF5.

To find technical information, narrow your search to look in technical documentation, not theentire Cisco.com website. After using the Search box on the Cisco.com home page, click theAdvanced Search link next to the Search box on the resulting page and then click theTechnical Support & Documentation radio button.

To provide feedback about the Cisco.com website or a particular technical document, clickContacts & Feedback at the top of any Cisco.com web page.


OL-1982-25

http://tools.cisco.com/Support/PAT/do/ViewMyProfiles.do?local=en


http://www.cisco.com/en/US/support/index.html


Obtaining Additional Publications and Information

3 andire

rvice

hone.ded.)ness

erity

ns.

yourCisco

tionsrvice

, or

nline

iscos that

Submitting a Service RequestUsing the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (SS4 service requests are those in which your network is minimally impaired or for which you requproduct information.) After you describe your situation, the TAC Service Request Tool providesrecommended solutions. If your issue is not resolved using the recommended resources, your serequest is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telep(S1 or S2 service requests are those in which your production network is down or severely degraCisco engineers are assigned immediately to S1 and S2 service requests to help keep your busioperations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411Australia: 1 800 805 227EMEA: +32 2 704 55 55USA: 1 800 553 2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request SeverityTo ensure that all service requests are reported in a standard format, Cisco has established sevdefinitions.

Severity 1 (S1)—An existing network is “down” or there is a critical impact to your business operatioYou and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects ofbusiness operations are negatively affected by inadequate performance of Cisco products. You andwill commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of the network is impaired while most business operaremain functional. You and Cisco will commit resources during normal business hours to restore seto satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installationconfiguration. There is little or no effect on your business operations.

Obtaining Additional Publications and InformationInformation about Cisco products, technologies, and network solutions is available from various oand printed sources.

• The Cisco Online Subscription Center is the website where you can sign up for a variety of Ce-mail newsletters and other communications. Create a profile and then select the subscriptionyou would like to receive. To visit the Cisco Online Subscription Center, go to this URL:

http://www.cisco.com/offer/subscribe


OL-1982-25

http://www.cisco.com/techsupport/servicerequest

http://www.cisco.com/techsupport/contacts


Obtaining Additional Publications and Information

ns forludes

logo

newother

lscan

d at

lsith

the

ou

e

• TheCisco Product Quick Reference Guide is a handy, compact reference tool that includes briefproduct overviews, key features, sample part numbers, and abbreviated technical specificatiomany Cisco products that are sold through channel partners. It is updated twice a year and incthe latest Cisco channel product offerings. To order and find out more about theCisco Product QuickReference Guide, go to this URL:

http://www.cisco.com/go/guide

• Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

• Cisco Press publishes a wide range of general networking, training, and certification titles. Bothand experienced users will benefit from these publications. For current Cisco Press titles andinformation, go to Cisco Press at this URL:

http://www.ciscopress.com

• Internet Protocol Journalis s a quarterly journal published by Cisco for engineering professionainvolved in designing, developing, and operating public and private internets and intranets. Youaccess theInternet Protocol Journal at this URL:

http://www.cisco.com/ipj

• Networking products offered by Cisco, as well as customer support services, can be obtainethis URL:

http://www.cisco.com/en/US/products/index.html

• Networking Professionals Connection is an interactive website where networking professionashare questions, suggestions, and information about networking products and technologies wCisco experts and other networking professionals. Join a discussion at this URL:

http://www.cisco.com/discuss/networking

• “What’s New in Cisco Documentation” is an online publication that provides information aboutlatest documentation releases for Cisco products. Updated monthly, this online publication isorganized by product category to direct you quickly to the documentation for your products. Ycan view the latest release of “What’s New in Cisco Documentation” at this URL:

http://www.cisco.com/univercd/cc/td/doc/abtunicd/136957.htm

• World-class networking training is available from Cisco. You can view current offerings atthis URL:

http://www.cisco.com/en/US/learning/index.html

This document is to be used in conjunction with the documents listed in the“Additional Documentation” section on page 175.

CCVP, the Cisco Logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a servicemark of CiscoSystems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS,Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow MeBrowsing, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study,LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar,Packet, PIX, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StackWise, ThFastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationshipbetween Cisco and any other company. (0612R)

Copyright © 2001–2007, Cisco Systems, Inc.All rights reserved. Printed in USA.


OL-1982-25


http://www.cisco.com/go/guide

http://www.cisco.com/go/marketplace/

http://www.ciscopress.com

http://www.cisco.com/ipj

http://www.cisco.com/en/US/products/index.html

http://www.cisco.com/discuss/networking

http://www.cisco.com/univercd/cc/td/doc/abtunicd/136957.htm

http://www.cisco.com/en/US/learning/index.html

WS-X6816-GBIC

Documents

Transcript of WS-X6816-GBIC