Cisco IOS Software Release 12.4(23) Release Notes

Caveats for Cisco IOS Release 12.4
OL-7656-15 Rev. J0
  Resolved Caveats—Cisco IOS Release 12.4(8d)
IP Routing Protocols
CSCec12299
Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol 
Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite 
(VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider 
Edge (PE) devices may permit information to propagate between VPNs.
Workarounds are available to help mitigate this vulnerability. 
This issue is triggered by a logic error when processing extended communities on the PE device. 
This issue cannot be deterministically exploited by an attacker. 
Cisco has released free software updates that address these vulnerabilities. Workarounds that 
mitigate these vulnerabilities are available.
This advisory is posted at 
CSCek47667
Symptoms: A router may not clear BGP routes when you enter the clear bgp ipv6 unicast * 
command.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2SXF but 
is not release-specific.
Workaround: There is no workaround. 
CSCsf20947
Symptoms: A default route that is defined by the neighbor default-originate command may be 
ignored by the BGP neighbor.
Conditions: This symptom is observed on a Cisco router after a route flap in the network causes the 
default route to be relearned.
Workaround: Manually clear the BGP neighbor to enable the router to correctly relearn the default 
route. 
CSCsg00860
Symptoms: Enabling NAT outside on the public interface terminates the VPN connection as 
GRE over IPsec. Inbound ACL applied on the public interface starts to drop decrypted GRE traffic.
Conditions: This symptom has been observed with the use of IP NAT outside on the public VPN 
interface.
Workaround: There are 2 workarounds:
1. Configure NAT translations for all traffic, to force NAT processing on the packet even if no 
   address will actually be translated. Example:
       ip nat inside source static 172.16.68.5 172.16.68.5
   It is not a scalable workaround but may work for some deployments.
2. Configure an additional ACL entry in the inbound access-list to permit the incoming GRE 
   traffic.
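A sketch of workaround 2 for CSCsg00860, added here as an illustration and not taken from the Cisco release notes. The interface, the ACL name PUBLIC-IN and the addresses (192.0.2.1 as the local tunnel endpoint, 198.51.100.1 as the remote peer) are constructed assumptions.

```cisco
! Constructed example: interface, ACL name and addresses are hypothetical.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
 ip access-group PUBLIC-IN in
!
ip access-list extended PUBLIC-IN
 ! Encrypted transport from the VPN peer (IKE and ESP).
 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
 permit esp host 198.51.100.1 host 192.0.2.1
 ! Workaround 2: additional entry for the decrypted GRE packet, which the
 ! inbound ACL drops once "ip nat outside" is enabled. Scoped to the two
 ! tunnel endpoints rather than "permit gre any any".
 permit gre host 198.51.100.1 host 192.0.2.1
 ! Log everything else so unexpected drops are visible.
 deny   ip any any log
!
! Verify with "show access-lists PUBLIC-IN": the gre entry should count
! matches while the tunnel carries traffic.
```

The GRE entry matches on protocol and addresses only, so it also admits cleartext GRE arriving on the public interface with those addresses; keeping it host-scoped to the tunnel endpoints limits that exposure.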
CSCsh02161
Symptoms: A Route Reflector (RR) does not withdraw a prefix that redistributes itself even if this 
prefix is removed from the BGP table.