Cisco Cisco IOS Software Release 12.0 S Release Notes
Cross-Platform Release Notes for Cisco IOS Release 12.0S
OL-1617-14 Rev. Q0
Resolved Caveats—Cisco IOS Release 12.0(23)S3
• CSCea28131
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a
Denial of Service (DoS) attack from a malformed BGP packet. The BGP protocol is not enabled by
default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the
malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject
a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, see the advisory
at
.
• CSCea32226
Symptoms: A router may reload when the show ip bgp neighbors EXEC command is entered.
Conditions: This symptom is observed if the show ip bgp neighbors EXEC command is entered
while the neighbor soft-reconfiguration router configuration command is enabled, or when Border
Gateway Protocol (BGP) paths are dampened.
Workaround: Disable the neighbor soft-reconfiguration router configuration command or avoid
dampening the BGP paths.
• CSCea42500
Symptoms: If the default-information originate router configuration command is entered on the
Virtual Private Network (VPN) routing/forwarding (VRF) instance of a Cisco 12000 series that has
the address-family ipv4 vrf vrf-name router configuration command configured using the Border
Gateway Protocol (BGP), the default route is learned correctly but the default route is entered
incorrectly in the BGP routing table. This may result in unexpected behavior on the other
router if the other router does not have a correct default route.
The default static route of the VRF is not advertised by BGP after the default static route is
configured under the VRF, and BGP may advertise the incorrect default route that is in the BGP
routing table.
Conditions: This symptom is observed on a Cisco 12000 series that is running BGP.
Workaround: Perform either of the following steps:
– Enter a static default route under the VRF configuration.
– Configure an access control list (ACL).
• CSCea64725
Symptoms: If a peer group is slow to establish and comes up while other members of the peer group
are converging, the recently established member may not advertise the routes that were sent to the
other members.
Conditions: This symptom occurs only if the new peer group member comes up while the other
members of a peer group are converging. This symptom does not occur if the new peer group
member comes up after the other members of the peer group have finished converging.
Workaround: The routes can be readvertised by entering the clear ip bgp peer-group-name soft out
privileged EXEC command for any peer that has missing routes.
• CSCeb00172
Symptoms: When the neighbor {ip-address | peer-group-name} default-originate router
configuration command is used with a peer group, peers that belong to that peer group come up at
a different time from when the Border Gateway Protocol (BGP) is formatting updates. Because of
this behavior, the router may not advertise all routes to members of the peer group.
Conditions: This symptom is observed with IP version 4 (IPv4) unicast and Virtual Private Network
(VPN) routing/forwarding (VRF) address family (AF) packets.