May 3, 1999
These release notes describe new features for the Cisco 7200 series routers that support Cisco IOS Release 11.3 AA, up to and including Cisco IOS Release 11.3(9)AA. Cisco IOS Release 11.3(9)AA is based on Cisco IOS Releases 11.3 and 11.3T. These release notes are updated with each maintenance release of the Cisco IOS software, which is typically every six weeks.
For a list of software caveats that apply to Release 11.3 AA, refer to the Caveats for Cisco IOS Release 11.3 T document and the "Important Notes and Caveats" section of the Cross-Platform Release Notes for Cisco IOS Release 11.3. The caveats document is updated for every maintenance release and is located on Cisco Connection Online (CCO) and the Documentation CD-ROM. For more information, refer to the "Caveats" section.
Use these release notes with the cross-platform Release Notes for Cisco IOS Release 11.3 and the Release Notes for the Cisco 7000 Family for Cisco IOS Release 11.3 T located on Cisco Connection Online (CCO) and the Documentation CD-ROM.
This document includes the following sections:
Cisco IOS Release 11.3(2)AA was the first release of these platform-specific release notes. For more information on the release policy for Cisco IOS Release 11.3 AA, see the Cisco IOS Software Release 11.3AA product bulletin #738 on CCO.
Cisco Systems provides several software releases based on a single version of Cisco IOS software. Maintenance releases provide solutions to software caveats. For more information about the Cisco IOS software release process, see the Types of Cisco IOS Software Releases product bulletin #537 located on CCO and the Documentation CD-ROM.
For information on new features and Cisco IOS commands supported by Cisco IOS Release 11.3 AA, see the "New and Changed Information" section and the "Related Documentation" section.
This section describes the system requirements for Release 11.3(9)AA and includes the following sections:
Table 1 describes the memory requirements for Cisco 7200 series routers supported by Cisco IOS Release 11.3 AA.
Cisco 7200 series routers are shipped with a 16- or 20-MB Flash memory card.
| Feature Sets | Image Name | Software Image | Required Flash Memory | Required DRAM Memory | Release 11.3 AA Runs From |
|---|---|---|---|---|---|
| Enterprise Standard Feature Sets | Enterprise | c7200-js-mz | 16 MB Flash | 32 MB DRAM | RAM |
| Enterprise Standard Feature Sets | Enterprise/IPSec 56 | c7200-js56i-mz | 16 MB Flash | 32 MB DRAM | RAM |
Cisco IOS Release 11.3 AA supports the Cisco 7200 series:
For detailed descriptions of the new hardware features, see the "New and Changed Information" section.
To determine the version of Cisco IOS software currently running on your Cisco 7200 series router, log in to the Cisco 7200 series router and enter the show version EXEC command. The following sample output from the show version command indicates the version number on the second output line:
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-JS-MZ), Version 11.3(9)AA, RELEASE SOFTWARE
Additional command output lines include more information, such as processor revision numbers, memory amounts, hardware IDs, and partition information.
For information about upgrading to a new software release, refer to the Cisco IOS Software Release 11.3 Upgrade Paths and Packaging Simplification product bulletin located on CCO.
From CCO, click on this path:
Service & Support: Product Bulletins: Software
Under Cisco IOS 11.3, click on Cisco IOS Software Release 11.3 Upgrade Paths (#703: 12/97).
Cisco IOS software is available in different feature sets depending on the hardware platform. Cisco 7200 series routers support only the Enterprise feature set in Cisco IOS Release 11.3 AA. Table 2 lists the features supported by the Enterprise feature set for Cisco 7200 series routers.
| Feature | Enterprise Feature Set | IPSec |
|---|---|---|
| IBM Support | | |
| APPN High-Performance Routing | No | No |
| APPN MIB Enhancements | No | No |
| APPN over Ethernet LAN Emulation | No | No |
| APPN Scalability Enhancements | No | No |
| Bisync Enhancements, includes: | Yes | Yes |
| Cisco MultiPath Channel (CMPC) | No | No |
| Database Connection Feature | No | No |
| DLSw+ Enhancements, includes: | Yes | Yes |
| FRAS Enhancements, includes: | Yes | Yes |
| TN3270 LU Nailing | No | No |
| TN3270 Server Enhancements | No | No |
| Token Ring LANE | No | No |
| Tunneling of Asynchronous Security Protocols | Yes | Yes |
| Internet | | |
| DRP Server Agent | Yes | Yes |
| DRP Server Agent Enhancements | Yes | Yes |
| IP Routing | | |
| Easy IP (Phase 1) | Yes | Yes |
| Hot Standby Router Protocol (HSRP) over ISL in Virtual LAN Configurations | Yes | Yes |
| IP Enhanced IGRP Route Authentication | Yes | Yes |
| TCP Enhancements, includes: | Yes | Yes |
| LAN Support | | |
| AppleTalk Access List Enhancements | Yes | No |
| DECnet Accounting | Yes | No |
| IPX Named Access Lists | Yes | No |
| IPX SAP-after-RIP | Yes | No |
| NLSP Enhancements | Yes | No |
| NLSP Multicast Support | Yes | No |
| Management | | |
| Cisco Call History MIB Command Line Interface | No | No |
| Cisco IOS Internationalization | Yes | Yes |
| Entity MIB, Phase 1 | Yes | Yes |
| SNMP Inform Requests/SNMP Manager | Yes | No |
| SNMPv2C | Yes | Yes |
| Virtual Profiles | Yes | Yes |
| Multimedia | | |
| IP Multicast Load Splitting Across Equal-Cost Paths | Yes | Yes |
| IP Multicast over ATM Point-to-Multipoint Virtual Circuits | Yes | Yes |
| IP Multicast over Token Ring LANs | Yes | Yes |
| PIM Version 2 | Yes | Yes |
| Stub IP Multicast Routing | Yes | Yes |
| Quality of Service | | |
| RTP Header Compression | Yes | Yes |
| Security | | |
| Double Authentication | Yes | Yes |
| Encrypted Kerberized Telnet | No | No |
| HTTP Security | Yes | Yes |
| Per-User Configuration | Yes | Yes |
| Reflexive Access Lists | Yes | Yes |
| TCP Intercept | Yes | No |
| Vendor-Proprietary RADIUS Attributes | Yes | Yes |
| Switching | | |
| AppleTalk Routing over ISL and IEEE 802.10 in Virtual LANs | Yes | No |
| CLNS and DECnet Fast Switching over PPP | Yes | No |
| DECnet/VINES/XNS over ISL, includes: | Yes | No |
| Fast-Switched Policy Routing | Yes | Yes |
| IPX Routing over ISL Virtual LANs | Yes | No |
| VIP Distributed Switching Support for IP Encapsulated in ISL | No | No |
| Terminal Services | | |
| Virtual Templates for Protocol Translation | Yes | No |
| WAN Optimization | | |
| ATM MIB Enhancements | No | No |
| Enhanced ATM VC Configuration and Management | Yes | Yes |
| PAD Enhancements | Yes | No |
| PAD Subaddressing | Yes | No |
| WAN Services | | |
| Bandwidth Allocation Control Protocol | Yes | Yes |
| Dialer Watch | Yes | Yes |
| Enhanced Local Management Interface (ELMI) | Yes | Yes |
| Frame Relay Enhancements | Yes | Yes |
| Frame Relay MIB Extensions | Yes | Yes |
| Frame Relay Router ForeSight | Yes | Yes |
| ISDN Advice of Charge | No | No |
| ISDN Caller ID Callback | No | No |
| ISDN NFAS | Yes | No |
| Layer 2 Forwarding---Fast Switching | Yes | No |
| Leased Line ISDN at 128 kbps | No | No |
| MS Callback | Yes | Yes |
| PPP over ATM | Yes | No |
| Telnet Extensions for Dialout | No | No |
| X.25 Enhancements | Yes | Yes |
| X.25 on ISDN | No | No |
| X.25 Switching between PVCs and SVCs | Yes | Yes |
| X.28 Emulation | Yes | No |
Caution: Cisco IOS images with strong encryption (including, but not limited to, 56-bit data encryption feature sets) are subject to U.S. government export controls and have a limited distribution. Images to be installed outside the U.S. require an export license. Customer orders may be denied or subject to delay due to U.S. government regulations. Contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.
The following sections list the new features supported by Cisco 7200 series routers in Cisco IOS Release 11.3 AA. For Release 11.3 AA features on other Cisco products, refer to the specific product's release notes.
The following new feature is supported by Cisco 7200 series routers in Release 11.3(9)AA. For easy online access, the feature modules are linked to the applicable Cisco IOS feature module if one exists. Click on the link to open the feature module.
The VPDN Per User Config feature sends the entire structured username to the AAA server the first time. This enables the Cisco IOS software to customize tunnel attributes for individual users using a common domain name or DNIS.
Previously, Cisco IOS sent only the domain name or DNIS to determine VPDN tunnel attribute information. Then, if no VPDN tunnel attributes were returned, Cisco IOS sent the entire username string. Because of this behavior, there was no way to define specific tunnel attributes for a particular user within a domain. It also limited the types of connections that were possible in a RADIUS Proxy VPDN roaming environment: all VPDN users were forwarded to the tunnel endpoint, even if they needed only generic Internet access.
The following new features are supported by Cisco 7200 series routers in Release 11.3(8)AA. For easy online access, the feature descriptions are linked to the applicable Cisco IOS feature module if one exists. Click on the link to open the feature module.
L2TP Optimal Fastswitching Support is a user-transparent performance enhancement that gives L2TP the same switching functionality as L2F (Layer 2 Forwarding Protocol). This capability was added to L2F as part of the optimal fastswitching support for VPDN in Cisco IOS Release 11.3. This L2TP fastswitching support for LES (LAN emulation server) platforms, even on the LNS (L2TP Network Server), allows L2TP to scale to the large numbers of interfaces that L2F can support (1000+ sessions).
In this implementation, the two route cache lookups formerly used to forward a packet, one to switch to the virtual access interface and the other to switch from the virtual access interface to the output physical interface, have been reduced to one. This is accomplished by caching the complete IP/UDP/L2TP/PPP header that is prepended to the packet to be tunneled, so that when a packet is received on the input physical interface, the route cache lookup returns the output physical interface directly, bypassing the virtual access interface. The cached header is then prepended to the packet and the appropriate reformatting is performed before the packet is switched as normal.
This feature is implemented in this way only for Cisco IOS Release 11.3 AA. In other releases, the scalability is provided by the FIB.
This security feature, also called Per-RADIUS-server key, timeout, and retransmit, adds per-server parameters to three global commands that apply to all RADIUS servers:
radius-server timeout m
radius-server retransmit n
radius-server key xyz
The per-server parameters define the values of these "global" commands for each specified server. For example:
radius-server host 1.1.1.1 timeout n retransmit m key abc
radius-server host 2.2.2.2 timeout k retransmit l key def
If no per-server value is defined, the "global" command's value is used. Whenever the per-server options are used, they override the "global" value. If neither global nor per-server values are defined, the defaults are used: timeout (5 seconds), retransmit (3 retries), and no key, respectively.
The per-server values are specified as additional keywords on the radius-server host command, following the syntax of the three changed commands.
The Configurable SLIP/PPP timeout message feature is an enhancement to the EXEC login process whereby the string included in the timeout message can be set to a value that does not contain the login prompt, so that user scripts are not confused. When the username or password prompt times out, the prompt string is included as part of the timeout message, and some scripts mistake the prompt string in the timeout message for the login prompt itself. A new command sets the prompt string in the timeout message to a different value. The Configurable SLIP/PPP timeout message feature is related to the User-Configurable SLIP/PPP Banner with Parameter Insertion feature, which is described in the following subsection.
The User-Configurable SLIP/PPP Banner with Parameter Insertion feature is a compatibility enhancement that provides a customizable Cisco IOS SLIP command-line parser to support third-party vendor equipment that dials into a Cisco access router or server. This feature allows scripts designed to work with SLIP support on third-party vendor equipment, such as the Netcruiser negotiated-parameters syntax, to negotiate compatibly when dialing into a Cisco access router or server.
Token Ring LANE allows Token Ring LAN users to take advantage of ATM's benefits without modifying end-station hardware or software. ATM uses connection-oriented service with point-to-point signaling or multicast signaling between source and destination devices. However, Token Ring LANs use connectionless service. Messages are broadcast to all devices on the network. With Token Ring LANE, routers and switches emulate the connectionless service of a Token Ring LAN for the end stations.
By using Token Ring LANE, you can scale your networks to larger sizes while preserving your investment in LAN technology.
There are no new features in Release 11.3(7)AA.
The following new features are supported by Cisco 7200 series routers in Release 11.3(6)AA. For easy online access, the feature modules are linked to the applicable Cisco IOS feature module if one exists. Click on the link to open the feature module.
You can now authenticate users to a particular AAA server based on the session's Dialed Number Identification Service (DNIS) number. RADIUS directed-request now supports this capability.
Any phone line (a regular home phone or a commercial T1/PRI line) can be associated with several phone numbers. The DNIS number identifies the number that was called to reach you.
For example, suppose you want to share the same phone number with several customers, but you want to know which customer is calling before you pick up the phone. You can customize how you answer the phone because DNIS lets you know which customer is calling when you answer.
Cisco routers with either ISDN or internal modems (Cisco 5200/5300) can receive the DNIS number. This functionality allows users to assign different RADIUS servers to different customers (that is, different RADIUS servers have different DNIS numbers).
Channel Port Adapter (CPA) microcode xcpa26-2 has been bundled into Release 11.3(6)AA for the Cisco 7200 series routers. For more information, refer to the Channel Port Adapter Microcode Release Note and Microcode Upgrade Requirements located on CCO.
The following new features are supported by the Cisco 7200 series routers in Release 11.3(5)AA. For easy online access, the feature modules are linked to the applicable Cisco IOS feature module if one exists. Click on the link to open the feature module.
Layer Two Tunneling Protocol (L2TP) is an emerging Internet Engineering Task Force (IETF) standard that combines the best features of two existing tunneling protocols: Cisco's Layer Two Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP). L2TP is an extension to the Point-to-Point Protocol (PPP), which is an important component for access virtual private networks (VPNs). Access VPNs allow mobile users to connect to their corporate intranets or extranets, thus improving flexibility and reducing costs.
The show caller command is a network management feature that applies to dial protocols for public and private networks. It is a user interface command that displays information for incoming and outgoing connections. The show caller command supports ISDN and asynchronous modem connections and is supported for PPP, Multilink PPP, and SLIP. It also includes all NCPs running on PPP, including IP, IPX, and AppleTalk.
Microsoft Point-to-Point Protocol (PPP) clients have the ability to request either a primary or a secondary Domain Name System (DNS) server from the network access server (NAS) during IP Control Protocol (IPCP) negotiation. To support this functionality using authentication, authorization, and accounting (AAA) security services, two new TACACS+ attribute-value (AV) pairs and two new vendor-proprietary RADIUS attributes have been added.
The following new features are supported by Cisco 7200 series routers in Release 11.3(4)AA. For easy online access, the feature modules are linked to the applicable Cisco IOS feature module if one exists. Click on the link to open the feature module.
Point-to-Point Protocol (PPP) over Asynchronous Transfer Mode (ATM) is now available on an ATM-CES port adapter in a Cisco 7200 series router, thereby providing a significant increase in the number of PPP over ATM sessions per router.
In previous versions of PPP over ATM, you configured permanent virtual circuits (PVCs) for PPP over ATM on point-to-point subinterfaces. In this release, each PPP over ATM connection no longer requires two interfaces, a virtual access interface and an ATM subinterface. Instead, you can configure multiple PVCs for PPP over ATM on multipoint subinterfaces.
Also in this release, PPP over ATM is enhanced to support virtual circuit (VC) multiplexed encapsulation and complies with the Internet Engineering Task Force (IETF) draft on multiplexed encapsulation titled PPP over AAL5 Internet Draft. The previous version of PPP over ATM supported only frame forwarding data encapsulation (aal5ciscoppp).
The ATM-CES port adapters (PA-A2-4T1C-OC3SM, PA-A2-4T1C-T3ATM, PA-A2-4E1XC-OC3SM, PA-A2-4E1XC-E3ATM, PA-A2-4E1YC-OC3SM, and PA-A2-4E1YC-E3ATM) are available on Cisco 7200 series routers. The ATM-CES has four T1 (1.544 Mbps) or four E1 (2.048 Mbps) ports (75- or 120-ohm) that can support both structured (N x 64 kbps) and unstructured ATM Forum-compliant circuit emulation services (CES), and one port that supports an OC-3 (155 Mbps) single-mode intermediate reach interface or a T3 (45 Mbps) or E3 (34 Mbps) standards-based ATM interface. The target application of the ATM-CES port adapter is access to a broadband public or private ATM network where multiservice consolidation of voice, video, and data traffic over a single ATM link is a requirement.
The ATM-CES port adapter supports the following features:
The ATM-CES port adapters now support the following additional features:
In Release 11.3(2)T, the Enhanced ATM VC Configuration and Management feature set was introduced. The ATM-CES port adapters support the Enhanced ATM VC Configuration and Management feature, which includes new and enhanced capabilities that allow you to create and manage ATM PVCs and SVCs with more ease and improved integrity. This feature set includes the following features:
For additional information, refer to the PA-A2 ATM CES Port Adapter Installation and Configuration publication that accompanies the hardware.
The Cisco 7202 is the newest member of Cisco 7200 series routers, which consist of the 2-slot Cisco 7202, 4-slot Cisco 7204, and the 6-slot Cisco 7206. The Cisco 7202 supports multiprotocol, multimedia routing and bridging with a wide variety of protocols and any combination of Ethernet, Fast Ethernet, Token Ring, Fiber Distributed Data Interface (FDDI), Asynchronous Transfer Mode (ATM), Integrated Services Digital Network (ISDN), and serial media.
Network interfaces reside on port adapters that provide the connection between the router's Peripheral Component Interconnect (PCI) buses and external networks. The Cisco 7202 has two slots (slot 1 and slot 2) for the port adapters, one slot for an input/output (I/O) controller, and one slot for a network processing engine. You can install the port adapters in either of the two available port adapter slots.
There are bays for up to two AC-input or DC-input power supplies. The Cisco 7202 can operate with only one power supply. Although a second power supply is not required, it allows load sharing and increased system availability.
The Cisco 7202 provides the following features:
For additional information, refer to the Cisco 7202 Installation and Configuration Guide.
There are no new features for the Cisco 7200 series routers in Release 11.3(3)AA.
The following new features are supported by the Cisco 7200 series routers in Release 11.3(2)AA. For easy online access, the feature modules are linked to the applicable Cisco IOS feature module if one exists. Click on the link to open the feature module.
The number of physical and logical interfaces supported on Cisco 7200 series routers has been increased to 3000. This increase allows Cisco 7200 series routers to support applications like virtual private dial-up network (VPDN) and WAN aggregation, where Cisco 7200 series routers must handle a large number of interfaces. VPDN allows the forwarding of Point-to-Point Protocol (PPP) links from an Internet service provider (ISP) to a home gateway.
The Cisco IOS file system (IFS) feature provides a single interface to all file systems the router uses:
The conditionally triggered debugging feature limits debugging messages based on their related interface or subinterface. When this feature is enabled, the router generates debugging messages for packets entering or leaving the router on a specified interface. However, the router does not generate debugging output for packets entering or leaving through a different interface. This feature allows you to focus debugging output on the problematic interface or interfaces. You can specify the interfaces explicitly. For example, you may only want to see debugging messages for one interface or subinterface. You can also turn on debugging for all interfaces that meet specified conditions, such as a particular username, calling party number, or called party number. If you specify multiple conditions, the interface must meet at least one of the conditions.
The authentication, authorization, and accounting (AAA) scalability feature allows you to configure and monitor the number of background processes allocated by the PPP manager in the network access server (NAS) to deal with AAA authentication and authorization requests. In previous Cisco IOS releases, only one background process was allocated to handle all AAA requests for PPP. This meant that parallelism in AAA servers could not be fully exploited. The AAA Scalability feature lets you configure the number of processes used to handle AAA requests for PPP, thus increasing the number of users that can be simultaneously authenticated or authorized.
The OSPF LSA group pacing feature allows the router to group together Open Shortest Path First (OSPF) link state advertisements (LSAs) and pace the refreshing, checksumming, and aging functions. The group pacing results in more efficient use of the router.
OSPF has two new features related to point-to-multipoint networks. One feature applies to broadcast networks; the other feature applies to nonbroadcast networks.
Before this feature, some OSPF point-to-multipoint protocol traffic was treated as multicast traffic. Therefore, the neighbor command was not needed for point-to-multipoint interfaces because multicast took care of the traffic. Hellos, updates, and acknowledgments were sent using multicast. In particular, multicast hellos discovered all neighbors dynamically. If you were using point-to-multipoint on nonbroadcast media (such as classic IP over ATM), the routers could not dynamically discover neighbors. This feature allows the neighbor command to be used on point-to-multipoint interfaces. On any point-to-multipoint interface (broadcast or not), the Cisco IOS software assumes that the cost to each neighbor is equal. The cost is configured with the ip ospf cost command. In reality, the bandwidth to each neighbor is different, so the cost should be different. With this feature, you can configure a separate cost to each neighbor. This feature applies to point-to-multipoint interfaces only.
The following sections contain important notes about Cisco IOS Release 11.3 AA and can apply to Cisco 7200 series routers.
End of Engineering (EOE) means there are no more regularly scheduled maintenance releases. The last maintenance release scheduled on the EOE date is only available through CCO and Field Service Operations---not through manufacturing.
For the most up-to-date information on the status of EOS or EOE, refer to the Cisco IOS Software Release 11.3AA End of Sales and End of Engineering Milestones product bulletins located on CCO.
On CCO, click on this path:
Service & Support: Product Bulletins: Software
Under Cisco IOS 11.3, click on Cisco IOS Software 11.3AA End of Sales and Engineering (#820: 11/98)
Certain versions of Cisco IOS software may fail or hang when they receive invalid User Datagram Protocol (UDP) packets sent to their syslog ports (port 514). At least one commonly-used Internet scanning tool generates packets which can cause such problems. This fact has been published on public Internet mailing lists, which are widely read both by security professionals and by security crackers. This information should be considered in the public domain.
Attackers can cause Cisco IOS devices to repeatedly fail and reload, resulting in a completely disabled Cisco IOS device that will need to be reconfigured by its administrator. Some Cisco IOS devices have been observed to hang instead of failing when attacked. These devices do not recover until they are manually restarted by reset or power cycling. An administrator must personally visit an attacked, hung device to restart it, even if the attacker is no longer actively sending any traffic. Some devices have failed without providing stack traces; some devices may indicate that they were "restarted by power-on", even when that is not the case.
Customers should assume that any potential attacker is likely to know of the existence of this vulnerability and the ways to exploit it. An attacker can use tools available to the public on the Internet. An attacker does not need to write any software to exploit the vulnerability. Minimal skill is required. No special equipment is required.
Despite Cisco's specifically inviting such reports, Cisco has received no actual reports of malicious exploitation of this vulnerability.
This vulnerability notice was posted on Cisco's World Wide Web site:
http://www.cisco.com/warp/public/770/iossyslog-pub.shtml
This information was also sent to the following e-mail and Usenet news recipients:
Vulnerable devices and software versions are specified in Table 2 of Software Versions and Fixes. Affected versions include 11.3AA, 11.3DB, and all 12.0 versions (including 12.0 mainline, 12.0S, 12.0T, and any other regular released version whose number starts with 12.0), up to the repaired releases listed in Table 2. Cisco is correcting the vulnerability in certain special releases and will correct it in future maintenance and interim releases. See Software Versions and Fixes for details. Cisco intends to provide fixes for all affected IOS variants.
No particular configuration is needed to make a Cisco IOS device vulnerable. It is possible to filter out attack traffic using access lists. See "Workarounds" for techniques. However, except at Internet firewalls, the appropriate filters are not common in customer configurations. Carefully evaluate your configuration before assuming that any filtering you have already configured protects you against this attack.
The most commonly used or asked-about products are listed below. If you are unsure whether your device is running Cisco IOS software, log in to the device and issue the show version command. Cisco IOS software will identify itself simply as "IOS" or "Internetwork Operating System Software". Other Cisco devices will not have the show version command, or they will identify themselves differently in their output. The most common Cisco devices that run Cisco IOS software include the following:
Affected software versions, which are relatively new, are not necessarily available on every device listed above.
If you are not running Cisco IOS software, you are not affected by this vulnerability. The following Cisco devices are not affected:
This vulnerability has been assigned Cisco DDTS Caveat ID CSCdk77426.
Cisco offers free software updates to correct this vulnerability for all affected customers, regardless of their contract status. However, because this vulnerability information has been disseminated by third parties, Cisco has released this notice before updates are available for all software versions. Table 2 gives Cisco's projected fix dates.
Make sure your hardware has adequate RAM to support the new software before installing it. The amount of RAM is seldom a problem when you upgrade within a major release (say, from 11.2(11)P to 11.2(17)P), but it is often a factor when you upgrade between major releases (say, from 11.2 P to 11.3 T).
Because fixes will be made available for all affected releases, this vulnerability will rarely, if ever, require an upgrade to a new major release. Cisco recommends very careful planning for any upgrade between major releases. Make certain no known bugs will prevent the new software from working properly in your environment.
Further upgrade planning assistance is available on Cisco's World Wide Web site at:
http://www.cisco.com
Customers with service contracts should obtain new software through their regular update channels (generally via Cisco's World Wide Web site). They may upgrade to any software release, but they must remain within the boundaries of the feature sets they have purchased.
Customers without service contracts may upgrade to obtain only the bug fixes; they are not offered upgrades to versions newer than required to resolve the defects. In general, these customers will be restricted to upgrading within a single row of Table 2 below, except when no upgrade within the same row is available in a timely manner. Obtain updates by contacting one of the following Cisco Technical Assistance Centers (TACs):
Give the URL of this notice (http://www.cisco.com/warp/public/770/iossyslog-pub.shtml) as evidence of your entitlement to a free update. Free updates for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software updates.
You can work around this vulnerability by preventing any affected Cisco IOS device from receiving or processing UDP datagrams addressed to its port 514. This can be done either using packet filtering on surrounding devices, or by using input access list filtering on the affected IOS device itself.
If you use an input access list, that list should be applied to all interfaces to which attackers may be able to send datagrams. Interfaces include not only physical LAN and WAN interfaces, but virtual subinterfaces of those physical interfaces, as well as virtual interfaces and/or interface templates corresponding to GRE, L2TP, L2F, and other tunneling protocols.
The input access list must block traffic destined for UDP port 514 at any of the Cisco IOS device's own IP addresses, as well as at any broadcast or multicast addresses on which the Cisco IOS device may be listening. Be sure to block both old-style "all-zeros" broadcasts and new-style "all-ones" broadcasts. It is not necessary to block traffic being forwarded to other hosts; only traffic actually addressed to the Cisco IOS device is of interest.
No single input access list works in all configurations. Know the effect of your access list in your specific configuration before activating it.
The following example shows a possible access list for a three-interface router, along with the configuration commands needed to apply the list. The example assumes input filtering is not needed, other than as a workaround for this vulnerability.
```
! Deny all multicasts, and all unspecified-net broadcasts, to port 514
access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514
! Deny old-style unspecified-net broadcasts
access-list 101 deny udp any host 0.0.0.0 eq 514
! Deny network-specific broadcasts. This example assumes that all of
! the local interfaces are on the class B network 172.16.0.0, subnetted
! everywhere with mask 255.255.255.0. This will differ from network
! to network. Note that we block both new-style and old-style broadcasts.
access-list 101 deny udp any 172.16.0.255 0.0.255.0 eq 514
access-list 101 deny udp any 172.16.0.0 0.0.255.0 eq 514
! Deny packets sent to the addresses of our own network interfaces.
access-list 101 deny udp any host 172.16.1.1 eq 514
access-list 101 deny udp any host 172.16.2.1 eq 514
access-list 101 deny udp any host 172.16.3.3 eq 514
! Permit all other traffic (default would be to deny)
access-list 101 permit ip any any
! Apply the access list to the input side of each interface
interface ethernet 0
 ip address 172.16.1.1 255.255.255.0
 ip access-group 101 in
interface ethernet 2
 ip address 172.16.2.1 255.255.255.0
 ip access-group 101 in
interface ethernet 3
 ip address 172.16.3.3 255.255.255.0
 ip access-group 101 in
```
Listing all possible addresses---especially all possible broadcast addresses---to which attack packets might be sent is complicated. If you do not need to forward any legitimate syslog traffic received on an interface, you can block all syslog traffic arriving on that interface. Remember that blocking will affect traffic routed through the Cisco IOS device as well as traffic destined to the device; if the IOS device is expected to forward syslog packets, you will have to do the detailed filtering. Because input access lists impact system performance, install them with caution, especially on systems running very near their capacity.
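As an added illustration that is not part of the original release notes, the following Python builds the same kind of input access list from a list of interface addresses and then evaluates it statement by statement, so its effect on the device's own addresses, on directed broadcasts and on syslog traffic merely forwarded through the router can be checked before the list is activated. The interface addresses are constructed to match the three-interface router above; the checker understands only the statement forms the generator emits.

```python
# Added example, not from the original release notes: build the syslog input
# access list described above and evaluate it, first match wins, for a packet.
# The interface addresses are constructed to match the page's three-interface router.
from ipaddress import IPv4Address, IPv4Interface

SYSLOG_PORT = 514
ROUTER = [("ethernet 0", "172.16.1.1/24"), ("ethernet 2", "172.16.2.1/24"),
          ("ethernet 3", "172.16.3.3/24")]            # (interface, address/prefix)

def syslog_input_acl(acl, ifaces):
    """access-list statements that drop UDP/514 addressed to the router itself.
    Each subnet's exact directed broadcasts (all-ones and old-style all-zeros)
    are listed instead of the page's 0.0.255.0 wildcard, so mixed prefix
    lengths work as well."""
    d = f"access-list {acl} deny udp any"
    lines = ["! Multicast range; this also covers the limited broadcast 255.255.255.255",
             f"{d} 224.0.0.0 31.255.255.255 eq {SYSLOG_PORT}",
             "! Old-style unspecified-net broadcast",
             f"{d} host 0.0.0.0 eq {SYSLOG_PORT}"]
    seen = set()
    for _, spec in ifaces:
        i = IPv4Interface(spec)
        if i.network not in seen:                      # one pair per subnet
            seen.add(i.network)
            lines += [f"! Directed broadcasts (new- and old-style) for {i.network}",
                      f"{d} host {i.network.broadcast_address} eq {SYSLOG_PORT}",
                      f"{d} host {i.network.network_address} eq {SYSLOG_PORT}"]
        lines += ["! The router's own address on this interface",
                  f"{d} host {i.ip} eq {SYSLOG_PORT}"]
    lines += ["! Everything else, including syslog forwarded to other hosts",
              f"access-list {acl} permit ip any any"]
    return lines

def acl_action(lines, proto, dst, dport):
    """Return 'permit' or 'deny' for a packet from any source by evaluating the
    statements in order; as on IOS, a packet matching nothing is denied.
    Only the statement forms syslog_input_acl() emits are understood."""
    want = IPv4Address(dst)
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":             # skip '!' comment lines
            continue
        action, lproto, rest = t[2], t[3], t[5:]       # t[4] is the 'any' source
        if lproto not in ("ip", proto):
            continue
        if rest[0] == "any":
            hit, rest = True, rest[1:]
        elif rest[0] == "host":
            hit, rest = want == IPv4Address(rest[1]), rest[2:]
        else:                                          # address + wildcard mask
            addr, wild = int(IPv4Address(rest[0])), int(IPv4Address(rest[1]))
            hit, rest = (int(want) | wild) == (addr | wild), rest[2:]
        if hit and rest[:1] == ["eq"] and int(rest[1]) != dport:
            hit = False                                # right address, other port
        if hit:
            return action
    return "deny"
```

Running `acl_action(syslog_input_acl(101, ROUTER), "udp", "172.16.1.50", 514)` returns `permit`, confirming that syslog bound for a host behind the router still passes while the same packet to any of the router's own or broadcast addresses is dropped.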
Many Cisco software images have been or will be specially reissued to correct this vulnerability. For example, regular released version 12.0(2) is vulnerable, as are interim versions 12.0(2.1) through 12.0(2.3). The first fixed interim version of 12.0 mainline software is 12.0(2.4). However, a special release, 12.0(2a), contains only the fix for this vulnerability and does not include any other bug fixes from later 12.0 interim releases.
If you are running 12.0(2), and want to fix this problem without risking possible instability presented by installing the 12.0(2.4) interim release, you can upgrade to 12.0(2a). Release 12.0(2a) is a "code branch" from the 12.0(2) base, which will merge back into the 12.0 mainline at 12.0(2.4).
Special releases, like 12.0(2a), are one-time, spot fixes, and they will not be maintained. Thus, the upgrade path from 12.0(2a) is to 12.0(3).
Table 2 specifies information about affected and repaired software versions.
| Cisco IOS Major Release | Description | Special Fix | First Fixed Interim Release | Fixed Maintenance Release |
|---|---|---|---|---|
| Unaffected Releases | | | | |
| 11.2 and earlier---all variants | Unaffected early releases (no syslog server) | Unaffected | Unaffected | Unaffected |
| 11.3, 11.3T, 11.3DA, 11.3MA, 11.3NA, 11.3WA, 11.3(2)XA | 11.3 releases without syslog servers | Unaffected | Unaffected | Unaffected |
| Releases based on 11.3 | | | | |
| 11.3AA | 11.3 early deployment for AS58xx | 11.3(7)AA2, 8-JAN-1999 | 11.3(7.2)AA | 11.3(8)AA, 15-FEB-1999 |
| 11.3DB | 11.3 for Cisco NRP routing blade in Cisco 6400 xDSL DSLAM | | | 11.3(7)DB2, 18-JAN-1999 |
| Releases based on 12.0 | | | | |
| 12.0 | 12.0 Mainline | 12.0(2a), 8-JAN-1999 | 12.0(2.4) | 12.0(3), 1-FEB-1999 |
| 12.0T | 12.0 new technology early deployment | 12.0(2a)T1, 11-JAN-1999 | 12.0(2.4)T | 12.0(3)T, 15-FEB-1999 |
| 12.0S | ISP support; 7200, RSP, GSR | | 12.0(2.3)S, 27-DEC-1998 | 12.0(2)S5, 18-JAN-1999 |
| 12.0DB | 12.0 for Cisco 6400 universal access concentrator node switch processor (lab use) | | | 12.0(2)DB, 18-JAN-1999 |
| 12.0(1)W | 12.0 for Catalyst 8500 and LS1010 | 12.0(1)W5(5a) and 12.0(1a)W5(5b) (LS1010 platform only) | 12.0(1)W5(5.15) | 12.0(1)W5(6) (platform support for Catalyst 8540M will be in 12.0(1)W5(7)) |
| 12.0(0.6)W5 | One-time early deployment for CH-OC12 module in Catalyst 8500 series switches. | Unaffected; one-time release | Unaffected | Unaffected; general upgrade path is via 12.0(1)W5 releases. |
| 12.0(1)XA3 | Short-life release; merged to 12.0T at 12.0(2)T | Obsolete | Merged | Upgrade to 12.0(2a)T1 and/or to 12.0(3)T. |
| 12.0(1)XB | Short-life release for Cisco 800 series; merged to 12.0T at 12.0(3)T | 12.0(1)XB1 | Merged | Upgrade to 12.0(3)T. |
| 12.0(2)XC | Short-life release for new features in Cisco 2600, Cisco 3600, ubr7200, ubr900 series; merged to 12.0T at 12.0(3)T. | 12.0(2)XC1, 7-JAN-1999 | Merged | Upgrade to 12.0(3)T |
| 12.0(2)XD | Short-life release for ISDN voice features; merged to 12.0T at 12.0(3)T. | 12.0(2)XD1, 18-JAN-1999 | Merged | Upgrade to 12.0(3)T |
| 12.0(1)XE | Short-life release | 12.0(2)XE, 18-JAN-1999 | Merged | Upgrade to 12.0(3)T |
Caveats describe unexpected behavior or defects in Cisco IOS software releases. This section contains open and resolved caveats only for the current Cisco IOS maintenance release.
All caveats in Cisco IOS Release 11.3 and Cisco IOS Release 11.3 T are also in Cisco IOS Release 11.3 AA.
For information on caveats in Cisco IOS Release 11.3, refer to the "Important Notes and Caveats for Release 11.3" section in the cross-platform Release Notes for Cisco IOS Release 11.3 document which is located on CCO and the Documentation CD-ROM. These release notes list severity 1 and 2 caveats affecting all maintenance releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious.
For information on caveats in Cisco IOS Release 11.3 T, refer to the Caveats for Cisco IOS Release 11.3 T document which is located on CCO and the Documentation CD-ROM.
This section describes possibly unexpected behavior by Release 11.3(9)AA. Unless otherwise noted, these caveats apply to all 11.3 AA releases up to and including 11.3(9)AA.
This section describes possibly unexpected behavior by Release 11.3(8)AA. Unless otherwise noted, these caveats apply to all 11.3 AA releases up to and including 11.3(8)AA.
This section describes possibly unexpected behavior by Release 11.3(7)AA. Unless otherwise noted, these caveats apply to all 11.3 AA releases up to and including 11.3(7)AA.
This section describes possibly unexpected behavior by Release 11.3(6)AA. Unless otherwise noted, these caveats apply to all 11.3 AA releases up to and including 11.3(6)AA. For additional caveats applicable to Release 11.3(6)AA, see the caveats sections for newer 11.3 releases. The caveats for newer releases precede this section.
All the caveats listed in this section are resolved in Release 11.3(7)AA.
This section describes possibly unexpected behavior by Release 11.3(5)AA. Unless otherwise noted, these caveats apply to all 11.3 releases up to and including 11.3(5)AA.
All the caveats listed in this section are resolved in Release 11.3(6)AA.
```
%SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=60CE15D8, count=0
-Traceback= 601D633C 60168750 601688BC 601DCC94 60712C84 60713128 607105AC 60710BC4 60710220 601F0FB0 601F0F9C
```
This section describes possibly unexpected behavior by Release 11.3(4)AA. Unless otherwise noted, these caveats apply to all 11.3 releases up to and including 11.3(4)AA.
All the caveats listed in this section are resolved in Release 11.3(5)AA.
This section describes possibly unexpected behavior by Release 11.3(3)AA. Unless otherwise noted, these caveats apply to all 11.3 releases up to and including 11.3(3)AA. For additional caveats applicable to Release 11.3(3)AA, see the caveats sections for newer 11.3 releases. The caveats for newer releases precede this section.
All the caveats listed in this section are resolved in Release 11.3(4)AA.
Configuring a line for autoselect without also configuring autoselect during-login might cause the router to pause indefinitely or reload. If debug modem is enabled, you will see type 0 timer expiration messages appearing continuously.
This section describes possibly unexpected behavior by Release 11.3(2)AA. Unless otherwise noted, these caveats apply to all 11.3 AA releases up to and including 11.3(2)AA.
All the caveats listed in this section are resolved in 11.3(3)AA.
An unconfigured system might send an inappropriate number of bootp requests after powerup in an attempt to find a usable IP address for autoconfigure. On a system with very large numbers of interfaces (for example, ISDN PRI or channelized interface), a CPUHOG error might occur.
Packets are not classified to the correct conversation or precedence with Weighted Fair Queueing (WFQ) and Weighted Random Early Detection (WRED). This occurs only for IP netflow and optimum switching. The workaround is to disable optimum switching (in Cisco IOS feature sets identified by -p-) and enable netflow switching.
FRAS-Host Passthru does not work when dlsw local-peer is configured.
Workaround: Disable dlsw local-peer or configure fras-host dlsw-local-ack.
During session setup from an end node to a logical unit on a low-entry networking node (LEN) served by VTAM, the session setup can fail. In Release 11.3 the following message is seen on the failing node:
```
%APPN-3-logdsDS_NEWDSlfa_LOGMSG_04: DS - FSM(NNSolu): invalid input value = 8x
%APPN-3-logdsDS_NEWDSlfa_LOGMSG_05: DS - FSM(NNSolu): state error, lcb: 8x pcid: 8x8x row: 1632511552 col: -715957806 inp: 8x
```
This caveat affects Release 11.3 only.
APPN/DLUR: A router reload can occur when DLUR processes a flow on the DLUS/DLUR connect that must be responded to negatively because the physical unit (PU) has disconnected. This is a regression defect introduced by CSCdj59639.
The POSIP interface might receive and switch packets even when it is in the administrative down state. This has been called a "duplicate packet problem" when the POSIP is in the administrative down state and connected to a protected circuit. There is no workaround.
Changing the MTU size on a PA-2CE1 port adapter has no effect until the system is reloaded.
Refer to CSCdk03050 for Release 11.1 integration information. Enhanced IGRP topology entries created by redistributing connected routes on interfaces where Enhanced IGRP is already running natively might not clear when the interface goes down.
The router might reload after the no area area-id command is used. There is no workaround.
DECnet discard routes cause the cached cluster alias and real entries to be transmitted out of the wrong interface.
Only Cisco 7200 routers are affected by this caveat, which might be exhibited as follows: the router might reload unexpectedly; existing calls are terminated prematurely or are not terminated when expected (based on the settings of the dialer idle timer); the time-to-disconnect listed on calls appears to be wrong.
Cisco 7200 routers that employ optimum/flow switching on dialer interfaces are subject to these symptoms; however, the likelihood of these conditions occurring is rare.
Workaround: Do not enable optimum/flow switching on dialer interfaces when using Release 11.3 images prior to 11.3(1.2). Upgrade to a newer image when available.
The following sections describe the documentation available for Cisco 7000 series routers. Typically, these documents consist of hardware and software installation guides, Cisco IOS configuration and command references, system error messages, feature modules, and other documents.
Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online on CCO and the Documentation CD-ROM.
Use these release notes with the documents listed in the following sections:
The following documents are specific to Release 11.3. They are located on CCO and the Documentation CD-ROM.
Hardware documentation for the Cisco 7200 family is available on CCO and the Documentation CD-ROM. These documents ship with the Cisco 7200 family.
To access hardware documents on CCO, follow this path:
Service and Support: Documentation Home Page: Cisco Documentation: Core/High-End Routers
To access hardware documentation on the Documentation CD-ROM, follow this path:
Cisco Product Documentation: Core/High-End Routers
Feature modules describe new features supported by Release 11.3 AA and are an update to the Cisco IOS documentation set. Feature modules consist of a brief overview of the feature, benefits, configuration tasks, and a command reference. As updates, the feature modules are available online only. The feature module information is included in the next printing of the Cisco IOS documentation set.
To reach the feature modules from CCO, click on this path:
Service & Support: Documentation Home Page: Cisco IOS Software Configuration: Cisco IOS Release 11.3: Release Notes for Cisco IOS Release 11.3: New Features in Release 11.3
To reach the feature modules on the Documentation CD-ROM, click on this path:
Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 11.3: Release Notes for Cisco IOS Release 11.3: New Features in Cisco IOS Release 11.3
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents. These documents are shipped with your order in electronic form on the Documentation CD-ROM---unless you specifically ordered the printed versions.
Each module in the Cisco IOS documentation set consists of two books: a configuration guide and a corresponding command reference. Chapters in a configuration guide describe protocols, configuration tasks, Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference.
On CCO and the Documentation CD-ROM, two master hot-linked documents provide information for the Cisco IOS software documentation set: configuration guides and command references.
To reach these documents from CCO, click on this path:
Service & Support: Documentation Home Page: Cisco IOS Software Configuration: Cisco IOS Release 11.3: Cisco IOS Release 11.3 Configuration Guides, Command References: Configuration Guide Master Index or Command Reference Master Index
To reach these documents on the Documentation CD-ROM, click on this path:
Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 11.3: Cisco IOS Release 11.3 Configuration Guides, Command References: Configuration Guide Master Index or Command Reference Master Index
Table 4 describes the contents of the Cisco IOS Release 11.3 software documentation set. The document set is available in electronic form and also in printed form upon request.
To reach the Cisco IOS documentation set from CCO, click on this path:
Service & Support: Documentation Home Page: Cisco IOS Software Configuration: Cisco IOS Release 11.3
To reach the Cisco IOS documentation set on the Documentation CD-ROM, click on this path:
Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 11.3
| Books | Chapter Topics |
|---|---|
| | Configuration Fundamentals Overview |
| | IP Addressing |
| | AppleTalk |
| | Apollo Domain |
| | ATM |
| | AAA Security Services |
| | Interface Configurations |
| | Dial-In Port Setup |
| | Switching Paths for IP Networks |
| | Transparent Bridging |
| | Voice over IP |
| | Classification |
For service and support for a product purchased from a reseller, contact the reseller. Resellers offer a wide variety of Cisco service and support programs that are described in the "Service and Support" section of the Information Packet shipped with your product.
For service and support for a product purchased directly from Cisco, use CCO.
If you have a CCO login account, you can access the following URL, which contains links and helpful tips on configuring your Cisco products:
http://www.cisco.com/kobayashi/serv_tips.shtml
This URL is subject to change without notice. If it changes, point your Web browser to CCO and click on this path: Products & Technologies: Products: Technical Tips.
The following sections are provided from the Technical Tips page:
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can reach CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.
Posted: Fri May 21 16:38:55 PDT 1999
Copyright © 1989-1999 Cisco Systems Inc.