Datasheet

ManualsBrandsCisco Manualschassis componentsFAN-MOD-6HS=

171

172

173

174

175

176

177

178

179

180

174

Release Notes for Cisco IOS Release 12.1E on the Catalyst 6500 and Cisco 7600 Supervisor Engine and MSFC

OL-2310-11

Caveats

Resolved General Caveats in Release 12.1(22)E6

• A document that describes how the Internet Control Message Protocol (ICMP) could be used to

perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol

(TCP) has been made publicly available. This document has been published through the Internet

Engineering Task Force (IETF) Internet Draft process, and is entitled “ICMP Attacks Against TCP”

(draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of

three types:

1. Attacks that use ICMP “hard” error messages.

2. Attacks that use ICMP “fragmentation needed and Don’t Fragment (DF) bit set” messages, also

known as Path Maximum Transmission Unit Discovery (PMTUD) attacks.

3. Attacks that use ICMP “source quench” messages.

Successful attacks may cause connection resets or reduction of throughput in existing connections,

depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are

workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security

Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple

vendors whose products are potentially affected. Its posting can be found at:

http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.

This problem is resolved in Release 12.1(22)E6. (CSCef44225, CSCef44699, CSCef60659,

CSCsa59600)

Resolved General Caveats in Release 12.1(22)E5

• For QoS filtering, extended ACLs that are configured to match DSCP parse 7 bits of the ToS byte

instead of 6 bits. This problem is resolved in Release 12.1(22)E5. (CSCec86976)

Resolved General Caveats in Release 12.1(22)E4

• With a Supervisor Engine 1 and an MSFC2, when the TCAM mask utilization reaches

approximately 50 percent, you might see these TCAM mask exception messages:

00:11:17: %QM-4-TCAM_ENTRY: Hardware TCAM entry capacity exceeded

00:11:17: %QM-SP-4-WARNING: TCAM request replace [lkup=2] status:1

00:11:17: SP: TCAM ASSERT FAILURE: label_alloc_tbl[label].num_if_using[lookup_type]

!= 0: ../const/native-sp/tcam_label.c: 1379

00:11:17: SP: -Traceback= 603C1090 603ACAE0 603AA018 603B7F38 603B8994 6039CE5C

603A53B8 6039D110 6039D254 6039D360 6039D6B4 6039D8E0 600FA6CC 600FA6B8

This problem is resolved in Release 12.1(22)E4. (CSCef73019)

• In IP packets with the IP options field populated, the IP type-of-service (ToS) byte might be

truncated to a 3-bit long field. This problem deletes 3 bits of the 6-bit DSCP value and causes

incorrect QoS operation. This problem is resolved in Release 12.1(22)E4. (CSCed93264)

• A reload might occur if the order-dependent ACL merge (ODM) algorithm fails. This problem is

resolved in Release 12.1(22)E4. (CSCin83455)