• In Cisco IOS XE Release 3.11.3aE and later releases, SSH is enabled by default to connect to networks, and Telnet is disabled by default.

• TACACS legacy command: Do not configure the legacy tacacs-server host command; this command is deprecated. If the software version running on your device is Cisco IOS XE 3.11.3aE or a later release, using the legacy command can cause authentication failures. Use the tacacs server command in global configuration mode.

• RADIUS Server legacy command: In Cisco IOS XE Release 3.8.7E, the legacy radius-server host command is deprecated. Use the radius server host command if the software running on your device is Cisco IOS XE Release 3.8.7E or later.

• During an ISSU downgrade from IOS XE 3.11.1E to IOS XE 03.08.09 version, the standby is loaded with the main image. This is due to failure of configuration synchronization on device tracking and ACL.

  Workaround:

  • Before an ISSU downgrade, revert the device-tracking CLI to legacy CLI:

    Device# configure terminal
    Device(config)# device-tracking upgrade-cli revert

  • Before an ISSU downgrade, delete the numbered ACLs from the primary and reapply them after the downgrade process.

• ISSU or Fast Software Upgrade (FSU) limitations:

  • When upgrading to Cisco IOS XE Release 3.11.0E, or Cisco IOS XE Release 3.8.7E, or Cisco IOS XE Release 3.10.2E with ISSU or FSU, if you are using a multi-Gigabit Ethernet linecard, reload the linecard after the upgrade to avoid interface issues.

  • When downgrading from Cisco IOS XE Release 3.11.0E and later, or Cisco IOS XE Release 3.8.7E and later, or Cisco IOS XE Release 3.10.2E and later with ISSU or FSU, if you are using a multi-Gigabit Ethernet linecard, reload the linecard after upgrade to avoid interface issues.

• Starting with Cisco IOS XE Release 3.9.0E, Secure Shell (SSH) Version 1 is deprecated. Use SSH Version 2 instead.

• The maximum MTE supported on Catalyst 4500 switches is 8000, per direction.

• Although the show memory command is supported on Catalyst 4500 series switches, the CLI output for the command shows the value 0 for config total, on Catalyst 4500 series switches using a daughter card on Supervisor Engine 7-E. This issue is, however, not seen on switches with Supervisor Engine 7-E baseboard. (CSCup28930)

• The system allows you to delete policy maps related to these Auto QoS profiles:

  • Auto QoS enterprise

  • Auto QoS guest

  • blank.gif Auto QoS voice

  The problem is seen on a Catalyst 4500 series switch running Cisco IOS-XE release 3.7.0E, when you configure QoS using Auto Qos and you try to delete an Auto QoS profile related policy map.

  Workaround : To recover the deleted policy-map, remove all the policies related to that profile, remove Auto QoS configuration from the WLAN, and then reconfigure Auto QoS.

• Dot1x PEAP based authentication for wireless clients on Supervisor Engine 8-E is 3 auths/sec.

• Indirectly connected access points are not supported. Only access points directly connected to a trunk or access port is supported. On connecting more than one AP the following error message will be seen:

  3. Dec 5 03:57:24.121: %CAPWAP-3-ONE_AP_PER_PORT: AP (mac:6c20.56a6.4fc4) is not allowed on port:Po2. Only one AP per port is allowed.

• RPR mode cannot be configured when Supervisor Engine 8-E is booted in wireless mode.

• Flow Sampling is not supported on Supervisor Engine 8-E.

• Supported QoS features on wireless targets: The detailed QoS policy is the same as mentioned here, except that the port policy cannot be changed because it is a DC-interconnect port.

• VSS: Do not use SVLAN for routing in SP network on ingress switch (where the mapping is present). This is not an valid scenario.

• VSS is not supported in Wireless mode, on Supervisor Engine 8-E.

• Wired guest access does not work on Supervisor Engine 8-E, in multi-host or multi-authentication mode.

• The show exception files all command lists only crashinfo files from the active supervisor engine. You must issue the dir slavecrashinfo: and dir slvecrashinfo-dc: commands to obtain lists of crashinfo files from the standby supervisor engine.

• Performing an ISSU from a prior release to IOS XE 3.6.0E is not supported.

• The WS-X4712-SFP+E module is not supported in the WS-C4507R-E or WS-C4510R-E chassis and does not boot. This module is supported in the WS-C4503-E, WS-C4506-E, WS-C4507R+E, and WS-C4510R+E chassis.

• More than 16K QoS policies can be configured in software. Only the first 16K are installed in hardware.

• Adjacency learning (through ARP response frames) is restricted to roughly 1000 new adjacencies per second, depending on CPU utilization. This should only impact large networks on the first bootup. After adjacencies are learned, they are installed in hardware.

• Multicast fastdrop entries are not created when RPF failure occurs with IPv6 multicast traffic. In a topology where reverse path check failure occurs with IPv6 multicast, this may cause high CPU utilization on the switch.

• The SNMP ceImageFeature object returns a similar feature list for all the three license levels (LAN Base, IP Base, and EntServices). Although the activated feature set for a universal image varies based on the installed feature license, the value displayed by this object is fixed and is not based on the feature license level.

• Standard TFTP implementation limits the maximum size of a file that can be transferred to 32 MB. If ROMMON is used to boot an IOS image that is larger than 32 MB, the TFTP transfer fails at the 65,xxx datagram.

  TFTP numbers its datagrams with a 16 bit field, resulting in a maximum of 65,536 datagrams. Because each TFTP datagram is 512 bytes long, the maximum transferable file is 65536 x 512 = 32 MB. If both the TFTP client (ROMMON) and the TFTP server support block number wraparound, no size limitation exists.

  Cisco has modified the TFTP client to support block number wraparound. So, if you encounter a transfer failure, use a TFTP server that supports TFTP block number wraparound. Because most implementations of TFTP support block number wraparound, updating the TFTP daemon should fix the issue.

• An XML-PI specification file entry does not return the desired CLI output.

  The outputs of certain commands, such as show ip route and show access-lists, contain non-deterministic text. While the output is easily understood, the output text does not contain strings that are consistently output. A general purpose specification file entry is unable to parse all possible output.

  Workaround (1):

  While a general purpose specification file entry may not be possible, a specification file entry might be created that returns the desired text by searching for text that is guaranteed to be in the output. If a string is guaranteed to be in the output, it can be used for parsing.

  For example, the output of the show ip access-lists SecWiz_Gi3_17_out_ip command is this:

  Extended IP access list SecWiz_Gi3_17_out_ip
  10 deny ip 76.0.0.0 0.255.255.255 host 65.65.66.67
  20 deny ip 76.0.0.0 0.255.255.255 host 44.45.46.47
  30 permit ip 76.0.0.0 0.255.255.255 host 55.56.57.57 

  The first line is easily parsed because access list is guaranteed to be in the output:

  <Property name="access list" alias="Name" distance="1.0" length="-1" type="String" />

  The remaining lines all contain the term host. As a result, the specification file may report the desired values by specifying that string. For example, this line

  <Property name="host" alias="rule" distance="s.1" length="1" type="String" />

  produces the following for the first and second rules

  <rule>
  deny
  </rule> 

  and the following for the third statement

  <rule>
  permit
  <rule> 

  Workaround (2):

  Request the output of the show running-config command using NETCONF and parse that output for the desired strings. This is useful when the desired lines contain nothing in common. For example, the rules in this access list do not contain a common string and the order (three permits, then a deny, then another permit), prevent the spec file entry from using permit as a search string, as in the following example:

  Extended MAC access list MACCOY
  permit 0000.0000.ffef ffff.ffff.0000 0000.00af.bcef ffff.ff00.0000 appletalk
  permit any host 65de.edfe.fefe xns-idp
  permit any any protocol-family rarp-non-ipv4
  deny host 005e.1e5d.9f7d host 3399.e3e1.ff2c dec-spanning
  permit any any 

  The XML output of show running-config command includes the following, which can then be parsed programmatically, as desired:

  <mac><access-list><extended><ACLName>MACCOY</ACLName></extended></access-list></mac>
  <X-Interface> permit 0000.0000.ffef ffff.ffff.0000 0000.00af.bcef ffff.ff00.0000 appletalk</X-Interface>
  <X-Interface> permit any host 65de.edfe.fefe xns-idp</X-Interface>
  <X-Interface> permit any any protocol-family rarp-non-ipv4</X-Interface>
  <X-Interface> deny host 005e.1e5d.9f7d host 3399.e3e1.ff2c
  dec-spanning</X-Interface>
  <X-Interface> permit any any</X-Interface> 

  CSCtg93278

• When attaching a existing policy-map (that is already applied to a control-port) to another front-panel port, the following message displays:

  The policymap <policy-map name> is already attached to control-plane and cannot be shared with other targets.

  Workaround: Define a policy-map with a different name and then reattach. CSCti26172

• If the number of unique FNF monitors attached to target exceeds 2048 (one per target), a switch responds slowly:

  Workarounds:

  – Decrease the number of monitors.

  – Attach the same monitor to multiple targets. CSCti43798

• ciscoFlashPartitionFileCount object returns an incorrect file count for bootflash:, usb0:, slot0:, slaveslot0:, slavebootflash:, and slaveusb0:.

  Workaround: Use the dir device command (for example, dir bootflash:) to obtain the correct file count. CSCti74130

• If multicast is configured and you make changes to the configuration, Traceback and CPUHOG messages are displayed if the following conditions exist:

  – At least 10K groups and roughly 20K mroutes exist.

  – IGMP joins with source traffic transit to all the multicast groups.

  This is caused by the large number of updates generating SPI messages that must be processed by the CPU to ensure that the platform is updated with the changes in all the entries.

  Workaround: None. CSCti20312

• With traffic running, entering clear ip mroute * with larger number of mroutes and over 6 OIFs causes Malloc Fail messages to display.

  You cannot clear a large number of mroutes at one time when traffic is still running.

  Workaround: Do not clear all mroutes at once.

  CSCtn06753

• Although you can configure subsecond PIM query intervals on Catalyst 4500 platforms, such an action represents a compromise between convergence (reaction time) and a number of other factors (number of mroutes, base line of CPU utilization, CPU speed, processing overhead per 1 m-route, etc.). You must account for those factors when configuring subsecond PIM timers. We recommend that you set the PIM query interval to a minimum of 2 seconds. By adjusting the available parameters, you can achieve flawless operation; that is, a top number of multicast routes per given convergence time on a specific setup.

• Energywise WOL is not “waking up” a PC in hibernate or standby mode.

  Workaround: None. CSCtr51014

• The ROMMON version number column in the output of show module command is truncated.

  Workaround: Use the show version command. CSCtr30294

• IP SLA session creation fails randomly for various 4-tuples.

  Workaround: Select an alternate destination or source port. CSCty05405

• The system cannot scale to greater than 512 SIP flows with MSP and metadata enabled.

  Workaround: None. CSCty79236

• On the following linecards running IOS XE Release 3.2.3:

  – 10/100/1000BaseT Premium POE E Series WS-X4648-RJ45V+E (JAE1348OY52)

  – 4 Sup 7-E 10GE (SFP+), 1000BaseX (SFP) WS-X45-SUP7-E (CAT1434L0G4)

  the following restrictions apply:

  – Sub-interfaces are not supported on 1 Gigabit and Ten-Gigabit interfaces.

  – Port-channel members do not support multiple classification criteria for a QoS policy.

  – CEF is disabled automatically when uRFP is enabled and TCAM is fully utilized.

• When either the RADIUS-server test feature is enabled or RADIUS-server dead-criteria is configured, and either RADIUS-server deadtime is set to 0 or not configured, the RADIUS-server status is not properly relayed to AAA.

  Workaround: Configure both dead-criteria and deadtime.

  radius-server dead-criteria
  radius-server deadtime 

  CSCtl06706

• If you use the quick option in the issu changeversion command, the following might occur:

  – Links flap for various Layer 3 protocols.

  – A traffic loss of several seconds is observed during the upgrade process.

  Workaround: Do not use the quick option with the issu changeversion command. CSCto51562

• While configuring an IPv6 access-list, if you specify hardware statistics as the first statement in v6 access-list mode (i.e. before issuing any other v6 ACE statement), it will not take effect. Similarly, your hardware statistics configuration will be missing from the output of the show running command.

  You will not experience this behavior with IPv4 access lists.

  Workaround: During IPv6 access-list configuration, configure at least one IPv6 ACE before the "hardware statistics" statement. CSCuc53234

• Routed packets that are fragmented are not policed if the egress interface is on the VSS Standby switch. However, if the egress interface is on the VSS Active switch, these packets are policed.

  This applies to QoS policing only. QoS marking, shaping and sharing behave as expected.

  Workaround: None. CSCub14402

• When an IPv6 FHS policy is applied on a VLAN and an EtherChannel port is part of that VLAN, packets received by EtherChannel (from neighbors) are not bridged across the local switch.

  Workaround: Apply FHS policies on a non EtherChannel port rather than a VLAN. CSCua53148

• During VSS conversion, the switch intended as the Standby device may require up to 9 minutes to reach an SSO state. The boot up time depends on the configuration and on the number of line cards in the system.

  Workaround: None. CSCua87538

• Dual connectors (like, an SFP+ transceiver inserted into a CVR-X2-SFP10G module) on the WS-X4606-X2-E line card are not supported as a VSL.

  Workaround: Use any X2-pluggable module on its own in the WS-X4606-X2-E line card. CSCuc70321

• Memory allocation failures can occur if more than 16K IPv6 multicast snooping entries are present.

  Workaround: None. CSCuc77376

• The show interface capabilities command output does not show the correct linecard model.

  Workaround: Observe the show module command output. CSCua79513

• Beginning with IOS Release XE 3.5.0E, error messages that occur when a QoS policy is applied will no longer appear directly on the console when no logging console is configured. They will appear only when a logging method is active (e.g., logging buffered, logging console, …).

  Workaround: None. CSCuf86375

• Setting a cos value based on QoS group triggers the following error message in a VSS system

  set action fail = 9

  Workaround: None. QoS groups are not supported in VSS. CSCuc84739

• Auto negotiation cannot be disabled on the Fa1 port. It must be set to auto/auto, or fixed speed with duplex auto.

• The following messages are seen during boot up after POST check.

  Rommon reg: 0x00004F80
  Reset2Reg: 0x00000F00
   
  Image load status: 0x00000000
  #####
  Snowtrooper 220 controller 0x0430006E..0x044E161D Size:0x0057B4C5 Program Done!
  #########################
  [ 6642.974087] pci 0000:00:00.0: ignoring class b20 (doesn't match header type 01)
  Starting System Services
  Calculating module dependencies...
  Loading rtc-ds1307
  RTNETLINK answers: Invalid argument
  No Mountpoints DefinedJan 17 09:48:14 %IOSXE-3-PLATFORM: process sshd[5241]: error:
  Bind to port
   
  22 on :: failed: Address already in use
  Starting IOS Services
  Loading virtuclock as vuclock
  Loading gsbu64atomic as gdb64atomic
  /dev/fd/12: line 267: /sys/devices/system/edac/mc/edac_mc_log_ce: No such file or
  directory
  Aug 8 20:30:29 %IOSXE-3-PLATFORM: process kernel: mmc0: Got command interrupt
  0x00030000 even though no command operation was in progress.
   
  Aug 8 20:30:29 %IOSXE-3-PLATFORM: process kernel: PME2: fsl_pme2_db_init: not on
  ctrl-plane 

  These messages are cosmetic only, and no ssh services are available unless configured within IOS.

  Workaround: None CSCue15724

• When a logging discriminator is configured and applied to a device, memory leak is seen under heavy syslog or debug output. The rate of the leak is dependent on the quantity of logs produced. In extreme cases, the device may crash. As a workaround, disable the logging discriminator on the device (CSCur45606, CSCur28336).

Refer to the Cisco Catalyst 4500-X Series Switches Documentation Home for information:

https://www.cisco.com/c/en/us/support/switches/catalyst-4500-x-series-switches/tsd-products-support-series-home.html

Hardware Documents

Installation guides and notes including specifications and relevant safety information are available at the following URLs:

• Regulatory Compliance and Safety Information for the Catalyst 4500 Series Switches

  http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/hardware/regulatory/compliance/78_13233.html

• Installation notes for specific supervisor engines or for accessory hardware are available at:

  http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_installation_guides_list.html

• Catalyst 4500-X hardware installation information is available at:

  http://www.cisco.com/en/US/products/ps12332/prod_installation_guides_list.html

Software Documentation

Software release notes, configuration guides, command references, and system message guides are available at the following URLs:

• Release Notes—Cisco IOS Release Notes for the Catalyst 4500-X Series Switches are available at:

  http://www.cisco.com/en/US/products/ps12332/prod_release_notes_list.html

• Guides—The Catalyst 4500-X Series Switches, and the Catalyst 4500-E Series Switches, leverage the same software configuration guide and command reference guide:

  – Software Configuration Guides:

  http://www.cisco.com/en/US/products/hw/switches/ps4324/products_installation_and_configuration_guides_list.html

  – Command Reference Guides: http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_command_reference_list.html

Cisco IOS Documentation

Platform- independent Cisco IOS documentation is available at the following URLs:

• Cisco IOS configuration guides, Cisco IOS XE Release 3E: http://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-xe-3e/products-installation-and-configuration-guides-list.html

• Cisco IOS Master Command List. All Releases: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mcl/allreleasemcl/all-book.html