Release Notes for the Catalyst 4500 Series Switch, Cisco IOS Release 15.2(2)Ex

Release Notes for the Catalyst 4500 Series Switch, Cisco IOS Releases 15.2(2)Ex

---

Current release

IOS 15.2(2)E10—May 31, 2019
Prior releases
IOS 15.2(2)E9—September 12, 2018, IOS 15.2(2)E8—January 31, 2018, IOS 15.2(2)E7—July 10, 2017, IOS 15.2(2)E5a—October 14, 2016, IOS 15.2(2)E5—June 07, 2016, IOS 15.2(2)E4, IOS 15.2(2)E3, IOS 15.2(2)E2, IOS 15.2(2)E1, IOS 15.2(2)E0—June 27, 2016

These release notes describe the features, modifications, and caveats for Cisco IOS Release 15.2(2)Ex on the Catalyst 4500 series switch.

Support for Cisco IOS Software Release 15.2(2)Ex follows the standard Cisco Systems® support policy, available at

http://www.cisco.com/en/US/products/products_end-of-life_policy.html

For more information on the Catalyst 4500 Series Switches, visit:

http://www.cisco.com//en/US/products/hw/switches/ps4324/index.html

---

Note Although their Release Notes are unique, the platforms Catalyst 4900M/Catalyst 4948E/Catalyst 4948E-F and Catalyst 4500 leverage the same Software Configuration Guide, Command Reference Guide, and System Message Guide.

Contents

This publication consists of these sections:

• Cisco IOS Software Packaging
• Cisco Classic IOS Release Strategy
• System Requirements
• New and Changed Information
• Upgrading the System Software
• Limitations and Restrictions
• Caveats
• Related Documentation
• Notices
• Obtaining Documentation and Submitting a Service Request

Cisco IOS Software Packaging

The Enterprise Services image supports all Cisco Catalyst 4500 Series software features based on Cisco IOS Software, including enhanced routing. Customers planning to enable BGP for Supervisor Engine IV, V, or V-10GE will no longer need to purchase a separate BGP license (FR-IRC4) because BGP is included in the Enterprise Services package. Beginning with 12.2(53)SG2, we support the Enterprise Services image on Supervisor Engine 6L-E.

The IP Base image supports Open Shortest Path First (OSPF) for Routed Access, Enhanced Interior Gateway Routing Protocol (EIGRP) "limited" Stub Routing, Nonstop Forwarding/Stateful Switchover (NSF/SSO), and RIPv1/v2. The IP Base image does not support enhanced routing features such as BGP, Intermediate System-to-Intermediate System (IS-IS), Full OSPF, Full Enhanced Interior Gateway Routing Protocol (EIGRP) & Virtual Routing Forwarding (VRF-lite).

Cisco IOS Release 12.2(46)SG1 introduced a new LAN Base software and an IP upgrade image. These complement the existing IP Base and Enterprise Services images. The LAN base image is supported on Supervisor Engine 6L-E starting with Cisco IOS Release 12.2(52)XO. LAN Base image is primarily focused on customer access and Layer 2 requirements and therefore many of the IP Base features are not required. The IP upgrade image is available if at a later date you require some of those features.

Starting with Cisco IOS Release 15.0(2)SG, on the Catalyst 4500 Series Switch, support for NEAT feature has been extended from IP Base to LAN Base and support for HSRP v2 IPV6 has been extended from Enterprise Services to IP Base.

Starting with Cisco IOS Release 15.2(1)E, OSPF Routed Access in IP Base support rose to 1000 routes.

Cisco Classic IOS Release Strategy

Customers using Supervisor Engine 6-E or 6L-E with Catalyst 4500 Series Switches who need the latest hardware and software features should migrate to Cisco IOS Release 15.2(2)E.

The Catalyst 4500 Series Switch has three extended maintenance (EM) trains: 15.2(2)Ex, 15.1(2)SGx, and 15.0(2)SGx. Cisco IOS Release 12.2(54)SG, 15.1(1)SG, and 15.2(1)E are standard maintenance releases.

Figure 1 displays the maintenance trains for the Catalyst 4500 series switch.

Figure 1 Software Release Strategy for the Catalyst 4500 Series Switch

 

System Requirements

This section describes the system requirements:

• Supported Hardware on Catalyst 4500 Series Switch
• Supported Hardware on Catalyst 4500 E-Series Switch
• Feature Support by Image Type
• MIB Support
• Features Not Supported on the Cisco Catalyst 4500 Series Switch
• Orderable Product Numbers

New and Changed Information

These sections describe the new and changed information for the Catalyst 4500 series switch running Cisco IOS software:

• New Software Features in Release 15.2(2)E3
• New Hardware Features in Release 15.2(2)E1
• New Software Features in IOS Release 15.2(2)E1
• New Software Features in Release IOS 15.2(2)E

Upgrading the System Software

In most cases, upgrading the switch to a newer release of Cisco IOS software does not require a ROMMON upgrade. However, if you are running an early release of Cisco IOS software and plan to upgrade, refer to the following tables for the minimum Cisco IOS image and the recommended ROMMON release, respectively.

---

Note You must upgrade to at least ROMMON Release 12.2(44r)SG5 to run Cisco IOS Release 15.1(2)SG on the Supervisor Engine 6-E and Supervisor Engine 6L-E. 12.2(44r)SG9 is recommended.

---

 

The following sections describe how to upgrade your switch software:

• Identifying an +E Chassis and ROMMON
• Upgrading the Cisco IOS Software

Limitations and Restrictions

These sections list the limitations and restrictions for the current release of Cisco IOS software on the Catalyst 4500 series switch.

• We recommend that you configure the access-session interface-template sticky timer timer-value command at the global or interface configuration mode, and not within the template.
• The show exception files all command lists only crashinfo files from the active supervisor engine. You must issue the dir slavecrashinfo: and dir slvecrashinfo-dc: commands to obtain lists of crashinfo files from the standby supervisor engine.
• Starting with Release IOS 15.1(1)SG, the seven RP restriction was removed.
• A Span destination of fa1 is not supported.
• The "keepalive" CLI is not supported in interface mode on the switch, although it will appear in the running configuration. This behavior has no impact on functionality.
• TDR is only supported on interfaces Gi1/1 through Gi1/48, at 1000BaseT under open or shorted cable conditions. TDR length resolution is +/- 10 m. If the cable is less than 10 m or if the cable is properly terminated, the TDR result displays "0" m. If the interface speed is not 1000BaseT, an "unsupported" result status displays. TDR results will be unreliable for cables extended with the use of jack panels or patch panels.
• The following guidelines apply to Fast UDLD:

– Fast UDLD is disabled by default.

– Configure fast UDLD only on point-to-point links between network devices that support fast UDLD.

– You can configure fast UDLD in either normal or aggressive mode.

– Do not enter the link debounce command on fast UDLD ports.

– Configure fast UDLD on at least two links between each connected network device. This reduces the likelihood of fast UDLD incorrectly error disabling a link due to false positives.

– Fast UDLD does not report a unidirectional link if the same error occurs simultaneously on more than one link to the same neighbor device.

• A XML-PI specification file entry does not return the desired CLI output.

The outputs of certain commands, such as show ip route and show access-lists, contain non-deterministic text. While the output is easily understood, the output text does not contain strings that are consistently output. A general purpose specification file entry is unable to parse all possible output.

Workaround (1):

While a general purpose specification file entry may not be possible, a specification file entry might be created that returns the desired text by searching for text that is guaranteed to be in the output. If a string is guaranteed to be in the output, it can be used for parsing.

For example, the output of the show ip access-lists SecWiz_Gi3_17_out_ip command is this:

The first line is easily parsed because access list is guaranteed to be in the output:

The remaining lines all contain the term host. As a result, the specification file may report the desired values by specifying that string. For example, this line

will produce the following for the first and second rules

and the following for the third statement

Workaround (2):

Request the output of the show running-config command using NETCONF and parse that output for the desired strings. This is useful when the desired lines contain nothing in common. For example, the rules in this access list do not contain a common string and the order (three permits, then a deny, then another permit), prevent the spec file entry from using permit as a search string, as in the following example:

The XML output of show running-config command includes the following, which can then be parsed programmatically, as desired:

• Although the Catalyst 4500 series switch still supports legacy 802.1X commands used in Cisco IOS Release 12.2(46)SG and earlier releases (that is, they are accepted on the CLI), they do not display in the CLI help menu.
• Current IOS software cannot support filenames exceeding 64 characters.
• All software releases support a maximum of 32,768 IGMP snooping group entries.
• Although you can configure subsecond PIM query intervals on Catalyst 4500 platforms, such an action represents a compromise between convergence (reaction time) and a number of other factors (number of mroutes, base line of CPU utilization, CPU speed, processing overhead per 1 m-route, etc.). You must account for those factors when configuring subsecond PIM timers. We recommend that you set the PIM query interval to a minimum of 2 seconds. By adjusting the available parameters, you can achieve flawless operation; that is, a top number of multicast routes per given convergence time on a specific setup.
• With Cisco IOS Release XE 3.2.1SG, memory configuration is enabled:

This configuration had been removed erroneously in a prior release.

• The Catalyst 4510R switch does not support Supervisor Engines 6L-E. Installing an unsupported supervisor engine causes unpredictable hardware behavior that cannot be controlled by the software. Using an unsupported supervisor engine in a redundant slot might cause a supported supervisor engine in the other slot to malfunction.
• The MAC address table is cleared while you switch between supervisor engines if either the 802.1s or 802.1w Spanning Tree Protocol is configured. To minimize address clearing and subsequent packet flooding, configure the edge ports as spanning-tree portfast and the link type as spanning-tree link-type point-to-point.
• IP classful routing is not supported; do not use the no ip classless command; it will have no effect, because only classless routing is supported. The command ip classless is not supported because classless routing is enabled by default.
• A Layer 2 LACP channel cannot be configured with the spanning tree PortFast feature.
• Netbooting using a boot loader image is not supported.
• When you deploy redundant supervisors in a Catalyst 4507R, for hardware that does not exist while the startup configuration file is being parsed, the configuration file for the hardware is not applied.

For example, if the active supervisor engine is in slot 1, and you have configured interface Gi1/1, the supervisor engine in slot 2 becomes active if you remove the active supervisor engine from the chassis. In addition, while the startup configuration file is being parsed, you will receive an error message indicating that interface Gi1/1 is no longer present. This behavior is correct. When the formerly active supervisor engine is reinserted into slot 1, there is no configuration for interface Gi1/1.

This situation will not occur when both supervisor engines are physically in the chassis.

Workaround: Copy the startup configuration file into the running configuration:

• An unsupported default CLI for mobile IP is displayed in the HSRP configuration. Although this CLI will not harm your system, you might want to remove it to avoid confusion.

Workaround: Display the configuration with the show standby command, then remove the CLI. Here is an example of show standby GigabitEthernet1/1 command output:

• For HSRP preempt delay to function consistently, you must use the standby delay minimum command. Be sure to set the delay to more than 1 hello interval, thereby ensuring that a hello is received before HSRP leaves the initiate state.

Use the standby delay reload option if the router is rebooting after reloading the image.

• When you attempt to run OSPF between a Cisco router and a third party router, the two interfaces might get stuck in the Exstart/Exchange state. This problem occurs when the maximum transmission unit (MTU) settings for neighboring router interfaces do not match. If the router with the higher MTU sends a packet larger than the MTU set on the neighboring router, the neighboring router ignores the packet.

Workaround: Ensure that the MTUs match.

• You can run only.1q-in-.1q packet pass-through with Supervisor Engine 6-E.
• For PVST and Catalyst 4500 E-Series switch VLAN, Cisco IOS Release 12.1(13)EW support a maximum of 3000 spanning tree port instances. If you want to use more instances, use MST rather than PVST.
• Because the Supervisor Engine 6-E supports the FAT filesystem, the following restrictions apply:

– The verify and squeeze commands are not supported.

– The rename command is supported in FAT file system.

For Supervisor Engine 6-E, the rename command is available for bootflash and slot0. For all other supervisor engines, the rename command is supported for nvram devices only.

– The fsck command is supported for slot0 device. It is not supported in the file systems on supervisor engines other than 6-E.

– In the FAT file system, the IOS format bootflash: command erases user files only. It does not erase system configuration.

– The FAT file system supports a maximum of 63 characters for file/directory name. The maximum for path length is 127 characters.

– The FAT file system does not support the following characters in file/directory names:{}#%^ and space characters.

– The FAT file system honors the Microsoft Windows file attribute of read-only and read-write, but it does not support the Windows file hidden attribute.

– Supervisor Engine 6-E uses the FAT file system for compact flash (slot0). If a compact flash is not formatted in FAT file system (such as compact flash on a supervisor engine other than 6-E), the switch does not recognize it.

• If an original packet is dropped because of transmit queue shaping or sharing configurations, a SPAN packet copy can still be transmitted on the SPAN port.
• All software releases support a maximum of 16,000 IGMP snooping group entries.
• To maximize performance, use the no ip unreachables command on all interfaces that are configured for ACLs.
• The threshold for the Dynamic Arp Inspection err-disable function is set to 15 ARP packets per second per interface. You should adjust this threshold depending on the network configuration. The CPU should not receive DHCP packets at a sustained rate greater than 1000 pps.
• If you first configure an IP address or IPv6 address on a Layer 3 port, then change the Layer 3 port to a Layer 2 port with the switchport command, and finally change it back to a Layer 3 port, the original IP/IPv6 address is lost.
• In a redundant system, do not remove and reinsert the standby supervisor engine while the active supervisor engine is booting. Doing so may cause the online diagnostics test to fail.

Workaround: Remove and reinsert the standby supervisor engine after the active supervisor engine boots. (CSCsa66509)

• The switchport private-vlan mapping trunk command supports a maximum of 500 unique private VLAN pairs. For example, 500 secondary VLANs could map to one primary VLAN, or 500 secondary VLANs could map to 500 primary VLANs.
• Support for PoE depends on the use of the following line cards and power supplies.

PoE switching modules:

– WS-X4148-RJ45V

– WS-X4224-RJ45V

– WS-X4248-RJ45V

– WS-X4248-RJ21V

– WS-X4524-GB-RJ45V

– WS-X4548-GB-RJ45V

– WS-X4648-RJ45V-E

– WS-X4648-RJ45V+E

– WS-X4548-GB-RJ45V+

PoE enabled power supplies:

– PWR-C45-1300ACV

– PWR-C45-1400DC

– PWR-C4K-2800AC

– PWR-C45-1300ACV

– PWR-C45-6000ACV

• If a Catalyst 4500 series switch requests information from the Cisco Secure Access Control Server (ACS) and the message exchange times out because the server does not respond, a message similar to this appears:

If this message appears, ensure network connectivity exists between the switch and the ACS. Also check that the switch has been properly configured as an AAA client on the ACS.

• For IP Port Security (IPSG) for static hosts, the following apply:

– As IPSG learns the static hosts on each interface, the switch CPU may achieve 100 percent if there are a large number of hosts to learn. The CPU usage will drop after the hosts are learned.

– IPSG violations for static hosts are printed as they occur. If multiple violations occur simultaneously on different interfaces, the CLI displays the last violation. For example, if IPSG is configured for 10 ports and violations exist on ports 3,6, and 9, the violation messages are printed only for port 9.

– Inactive host bindings will appear in the device tracking table when either a VLAN is associated with another port or a port is removed from a VLAN. So, as hosts are moved across subnets, the hosts appear in the device tracking table as inactive.

– Autostate SVI does not work on EtherChannel.

• When IPv6 is enabled on an interface with any CLI, you might see the following message:

In such a scenario, the IPv6 MTU value programmed in hardware differs from the IPv6 interface MTU value. This occurs if no room exists in the hardware MTU table to store additional values.

To create room, unconfigure some unused MTU values. Then, either disable or re-enable IPv6 on the interface, or reapply the MTU configuration.

• To stop IPSG with static hosts on an interface, use the following commands in interface configuration submode:

To enable IPSG with static hosts on a port, enter the following commands:

---

---

Note The preceding condition also applies to IPSG with static hosts on a PVLAN host port.

• uRPF supports up to four paths. If a packet arrives at one of the valid VLANs that is not programmed as one of the RPF VLAN in hardware, it is dropped. If traffic may arrive from any other interfaces without RPF configured, it can be switched.
• Input and output ACLs cannot override or filter traffic received on an uRPF interface.
• No CLI command exists to reflect uRPF drop packets during hardware switching. The sh ip traffic and show cef int commands do not reflect uRPF drops.
• IPv6 ACL is not supported on a switchport. IPv6 packets cannot be filtered on switchports using any of the known methods: PACL, VACL, or MACLs.
• Class-map match statements using match ip prec | dscp match only IPv4 packets, whereas matches performed with match prec | dscp match both IPv4 and IPv6 packets.
• IPv6 QoS hardware switching is disabled if the policy-map contains IPv6 ACL and match CoS in the same class-map with the IPv6 access-list has any mask within the range /81 and /127. This situation causes forwarding packets to software, which efficiently disables the QoS.
• When the following data-only Catalyst 4500 linecards are used in a Catalyst 4507R-E or 4510R-E chassis with Supervisor Engine 6-Es, the capacity of the power supply may be exceeded:

– WS-X4148-FX-MT Cisco Catalyst 4500 Fast Ethernet Switching Module, 48-port 100BASE-FX (MT-RJ)

– WS-X4448-GB-RJ45 Cisco Catalyst 4500 48-port 10/100/1000 Module (RJ-45)

The Catalyst 4503-E and Catalyst 4506-E have no caveats. The Catalyst 4507R-E configurations that use power supplies rated at 1400 W or above also have no caveats.

The following replacement switching modules will not exceed the power supply capacity for any Catalyst 4500-E chassis:

 

Refer to the Catalyst 4500 Series Module Installation Guide to determine the power requirements for all of the Catalyst 4500 linecards and the power capacities of the Catalyst 4500 power supplies.

• Supervisor Engine 6-E only supports Catalyst 4500 Series linecards in slots 8-10.
• If you remove a line card from a redundant switch and initiate an SSO switch-over, then reinsert the line card, all interfaces are shutdown. The remaining configuration on the original line card is preserved.

This situation only occurs if a switch reached SSO before you removed the line card.

• On Supervisor Engine 6-E, upstream ports support flow control auto negotiation in 1G mode only, and flow control is forced in 10G mode. If the interface is configured to auto-negotiate the flow control, and the interface is operating in 10G mode, the system forces flow control to ON and does not auto-negotiate.
• Supervisor Engine 6-E supports fast UDLD on a maximum of 32 ports.
• With Cisco IOS Release 12.2(53)SG3 (and 12.2(54)SG), we changed the default behavior such that your single supervisor, RPR, or fixed configuration switch does not reload automatically. To configure automatic reload, you must enter the diagnostic fpga soft-error recover aggressive command. (CSCth16953)
• Energywise WOL is not “waking up” a PC in hibernate or standby mode.

Workaround: None. CSCtr51014

• The ROMMON version number column in the output of show module command is truncated.

Workaround: Use the show version command. CSCtr30294

• IP SLA session creation fails randomly for various 4-tuples.

Workaround: Select an alternate destination or source port. CSCty05405

• The system cannot scale to greater than 512 SIP flows with MSP and metadata enabled.

Workaround: None. CSCty79236

• On the following linecards running IOS Release 15.0(2)SG3:

– 48 10/100/1000BaseT Premium POE E Series WS-X4648-RJ45V+E (JAE14310RHU)

– 6 Sup 6-E 10GE (X2), 1000BaseX (SFP) WS-X45-SUP6-E (JAE13104VVY)

the following restrictions apply:

– Sub-interfaces are not supported on 1 Gigabit and Ten-Gigabit interfaces.

– Port-channel members do not support multiple classification criteria for a QoS policy.

– CEF is disabled automatically when uRFP is enabled and TCAM is fully utilized.

• When you enter the ip http secure-server command (or if the system reads it from the startup configuration), the device searches for a persistent self-signed certificate during boot up.

– If such a certificate does not exist and the device's hostname and default_domain are set, then a persistent self-signed certificate is generated.

– If such a certificate exists, the FQDN in the certificate is compared with the current device's hostname and default_domain. If either differs from the FQDN in the certificate, the existing persistent self-signed certificate is replaced with a new one with the updated FQDN. Be aware that the existing key pair is used in the new certificate.

On a switch that supports redundancy, the generation of the self-signed certificate occurs independently on the active and the standby supervisor engines, and the certificates differ. After switchover, the HTTP client that holds the old certificate cannot connect to the HTTPS server.

Workaround: Reconnect. CSCsb11964

• When policing IEEE 802.1Q tagged non-IP traffic and calculating traffic conformance, the policer excludes the four bytes that constitute the 802.1Q tag even when you enter the
  qos account layer2 encapsulation command.

Workaround: None. CSCsg58526

• When hard-coded duplex and speed settings are deleted after an interface shuts down, an a- is added to the duplex and speed in the output from the show interface status command.

This does not affect performance.

Workaround: Enter the no shutdown command. CSCsg27395

• When a transceiver is removed rapidly from one port and placed in another on the same chassis, occasionally a duplicate seeprom message appears and the port is not able to handle traffic.

Workaround: Remove the transceiver from the new port and place it in the old port. After the SFP is recognized in the old port, remove it slowly and insert it in the new port. (CSCse34693)

• When performing an ISSU upgrade and the versions of the active and standby supervisor engines differ, you see the following message in the standby supervisor engine console:

Workaround: None. This is an informational message. CSCsi60898

• An IP unnumbered configuration is lost after a switch reloads.

Workarounds: Do one of the following:

– After a reload, copy the startup-config to the running-config.

– Use a loopback interface as the target of the ip unnumbered command.

– Change the CLI configuration so that during bootup the router port is created first.

CSCsq63051

• In SSO mode, when a port channel is created, deleted, and recreated on an active supervisor engine with the same channel number, the standby port channel state goes out of sync. After a switch over, the following message displays:

Workaround: When the port channel starts to flap, enter shut and no shut on the port channel. After the first switchover and after deleting the port channel, create a new channel. CSCsr00333

• When you remove a line card containing ports configured with IGMP snooping while booting a standby supervisor engine, the active supervisor engine does not synchronize this configuration to the standby supervisor engine as a part of a bulk synchronization. When you reinstall the line card, the configuration in the active and standby supervisor engines will differ.

Workaround: Do one of the following:

– Reload the standby switch again with the line card in place.

– Remove and reenter the commands on the active supervisor engine. The standby supervisor engine will acquire this change. CSCsv44866

• After posture validation succeeds, the following benign traceback messages may appear after you unconfigure the global RADIUS and IP device tracking commands:

This applies to classic or E-series Catalyst 4500 supervisor engines running
Cisco IOS Release 12.2(50)SG

Workaround: None. CSCsw14005

• The host's MAC address is not synchronized to the standby supervisor engine after you unconfigure 802.1X on the port and reconnect the host to a IP phone (with CDP port status TLV support) that is connected to the switch.

If the switch were to run a supervisor switchover while in this state, the host's MAC address would not be present in the new active supervisor engine’s MAC address table, causing possible connectivity interruption on the host.

Workaround: Enter the shutdown command, followed by the no shutdown command on the interface. This triggers relearning and synchronizing of the host's MAC to the standby supervisor engine. CSCsw91661

• On a wireless control system (WCS), some device information is incorrectly displayed for PCs sitting behind an lldp-med capable phone. Specifically, WCS displays the phone's serial number, model number, and software version in the PC's device information. All other information about the PC is correctly displayed on WCS.

This only happens when the switch is running network mobility service protocol (nmsp). It does not happen if the phone is CDP enabled.

Workaround: Use the VLAN ID or name to differentiate the IP phone and the PC sitting behind the phone on the WCS.

The IP phone is detected on the voice VLAN, and the displayed information of serial number, model number, and software version is correct. However, a PC sitting behind the phone is detected on a data VLAN, and the displayed device information is wrong and should be ignored.

CSCsz34522

• If time is not specified in the link debounce command, the default value depends on the supervisor engine. The default is 10 mS for a Catalyst 4900M switch, Supervisor Engine 6-E, and Supervisor Engine 6L-E. The default is 100 mS for all other supervisor engines.

Despite the different default value, you can configure any value in the time range.

Workaround: None. CSCte51948

• On a peer interface on a Catalyst 4948E Ethernet Switch, if errdisabled mode flap detection is set to a very small number (such as 2 flaps in 10 sec), a 10GE link flap may cause the peer interface to enter the errdisabled state.

Workarounds: The Cisco switch default link-flap detection value is 5 flaps in 10 seconds. Use the default value or larger numbers. CSCtg07677

• After you have enabled EPM logging and the client is authenticated via MAB or Webauth, the value of AUTHTYPE is DOT1X in EPM syslog messages irrespective of the authentication method.

Similarly, the show epm sessions command always displays the authentication method as DOT1X.

Workaround: To view the authentication method used for a client, enter the
show authentication sessions command. CSCsx42157

• With CFM enabled globally as well as on an ingress interface, CFM packets received on the interface are not policed with hardware control plane policing.

Workaround: None. CSCso93282

• When either the RADIUS-server test feature is enabled or RADIUS-server dead-criteria is configured, and either RADIUS-server deadtime is set to 0 or not configured, the RADIUS-server status is not properly relayed to AAA.

Workaround: Configure both dead-criteria and deadtime.

CSCtl06706

• Occasionally, if you use an X2 SR transceiver on a WS-X4706-10GE running
  Cisco IOS Release 12.2(40)SG, you observe CRC errors after a reload or power cycle upon inserting the card or X2.

Workaround: Reinsert the X2. CSCsk43618

• Uplinks go down when you upgrade the ROMMON of an WS-X45-SUP6-E supervisor from version 12.2(40r)SG1 to a later version.

This behavior occurs in a redundant switch when the active supervisor engine is running Cisco IOS, the standby supervisor engine is in ROMMON, and the standby supervisor engine’s ROMMON is upgraded from version 0.34 or to a later version. The upgrade process causes the uplinks on the standby supervisor engine to go down but the active supervisor engine is unaware of this.

Workarounds: To resume normal operation, do one of the following:

– Reload both supervisor engines with the redundancy reload shelf command.

– Power-cycle the standby supervisor engine by briefly pulling it from the chassis.

There is no workaround for the link flap issue. CSCsm81875

• Changing the flow control configuration with traffic and pause frames causes some traffic loss.

This problem can happen when pause frames are sent to a switch port and the flow control receive configuration is toggled on a 10-Gigabit Ethernet port.

Workaround: Change the flow control receive configuration when no traffic exists. CSCso71647

• When you configure vlan dot1q tag native globally on Supervisor Engine 6-E, MST control packets are tagged on egress on the native VLAN. This conflicts with 802.1s. The Cisco 7600 Series router drops its MST proposal agreements (because it expects the native VLAN MST control packets to be untagged), causing 30 seconds of traffic loss while spanning tree converges.

Workaround: Disable native VLAN tagging on the trunk port of the switch by entering the
no switchport trunk native vlan tag command. CSCsz12611

• If a large number of VLAN mappings are configured, a member port might fail to join a port channel and no warning is issued.

Workaround: Reduce the number of VLAN mappings. CSCtn56208

• If an interface whose IP address is being used as the router ID is deleted or shuts down, and you configure a service group with a multicast group address, packet redirection to CE stops and packets are forwarded directly to the destination.

Workaround: Unconfigure and reconfigure the service group. CSCtn88087

• Global WCCP service configuration fails to enable (WCCP global configuration is accepted but nvgen fails) on a newly deployed switch if the switch is not enabled for SVI or a Layer 3 interface.

Workaround: Enable a Layer 3 interface in the running configuration. CSCsc88636.

• If you use the quick option in the issu changeversion command, the following might occur:

– Links flap for various Layer 3 protocols.

– A traffic loss of several seconds is observed during the upgrade process.

Workaround: Do not use the quick option with the issu changeversion command. CSCto51562

• When you enter the ip pim register-rate-limit command, the following error message displays:

Workaround: None. The ip pim register-rate-limit command does not function. CSCub32679

• For packets with the same ingress and egress Layer 3 interface, ingress QoS marking policy does not work.

Workaround: Turn off ICMP redirect through the ip redirect command. CSCua71929

• While configuring an IPv6 access-list, if you specify hardware statistics as the first statement in v6 access-list mode (i.e. before issuing any other v6 ACE statement), it will not take effect. Similarly, your hardware statistics configuration will be missing from the output of the show running command.

You will not experience this behavior with IPv4 access lists.

Workaround: During IPv6 access-list configuration, configure at least one IPv6 ACE before the "hardware statistics" statement. CSCuc53234

• When an IPv6 FHS policy is applied on a VLAN and an EtherChannel port is part of that VLAN, packets received by EtherChannel (from neighbors) are not bridged across the local switch.

Workaround: Apply FHS policies on a non EtherChannel port rather than a VLAN. CSCua53148

• Memory allocation failures can occur if more than 16K IPv6 multicast snooping entries are present.

Workaround: None. CSCuc77376

• For any configuration where the source-interface keyword is used, if you provide an SVI that is associated with a secondary private VLAN, configuration involving the secondary VLAN may be lost when the switch is reloaded. In such scenarios, always use the primary private VLAN.
• The show interface capabilities command output does not show the correct linecard model.

Workaround: Observe the show module command output. CSCua79513

• When performing an ISSU between any releases prior to Cisco IOS 15.1(1)SG or 3.3.0SG to release Cisco IOS 15.1(1)SG (or 3.3.0SG) or higher, a switch performing multicast routing may persistently drop traffic after the upgrade completes. You can recover multicast traffic by reloading the chassis. Alternately, you can remove all multicast configuration prior to ISSU, and add it back when ISSU completes. CSCuj42672
• When a logging discriminator is configured and applied to a device, memory leak is seen under heavy syslog or debug output. The rate of the leak is dependent on the quantity of logs produced. In extreme cases, the device may crash. As a workaround, disable the logging discriminator on the device (CSCur45606, CSCur28336).