Cisco Security

Security Vulnerability Policy - Cisco

Security Vulnerability Policy

If you are experiencing a security vulnerability emergency, see the Reporting or Obtaining Support for a Suspected Security Vulnerability section of this document.


Cisco Product Security Incident Response
Reporting or Obtaining Support for a Suspected Security Vulnerability
General Security-Related Queries
Receiving Security Vulnerability Information from Cisco
Public Relations or Press Queries Regarding Cisco Security Vulnerability Information
Commitment to Product Security and Integrity at Cisco
Cisco Product Security Incident Response Process


This policy was created for customer guidance and information in the event of a reported vulnerability in a Cisco product or service. It is essential to ensure that Cisco customers have a consistent, unambiguous resource to help them understand how Cisco responds to events of this nature.


This policy must clearly state how Cisco addresses reported security vulnerabilities in Cisco products and services, including the timeline, actions, and responsibilities that apply equally to all customers.

Cisco Product Security Incident Response

The Cisco Product Security Incident Response Team (PSIRT) is responsible for responding to Cisco product security incidents. The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Cisco products and networks. Cisco defines a security vulnerability as an unintended weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of the product. The Cisco PSIRT adheres to ISO/IEC 29147:2014.

The on-call Cisco PSIRT works 24 hours a day with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security vulnerabilities and issues with Cisco products and networks.

Reporting or Obtaining Support for a Suspected Security Vulnerability

Individuals or organizations that are experiencing a product security issue are strongly encouraged to contact the Cisco PSIRT. Cisco welcomes reports from independent researchers, industry organizations, vendors, customers, and other sources concerned with product or network security. The minimal data needed for reporting a security issue is a description of the potential vulnerability.

Please contact the Cisco PSIRT using one of the following methods.

Emergency Support
Phone +1 877 228 7302 (toll-free within North America)  
+1 408 525 6532 (International direct-dial)
Hours 24 hours a day, 7 days a week


Nonemergency Support
Hours Support requests that are received via email are typically acknowledged within 48 hours. Ongoing status on reported issues will be determined as needed.


Cisco encourages the encryption of sensitive information that is sent to Cisco in email messages. The Cisco PSIRT supports encrypted messages via PGP/GNU Privacy Guard (GPG). The Cisco PSIRT public key (key ID 0x0BE0457A) is available at the following link:

General Security-Related Queries

For general security concerns about Cisco products, the Cisco Technical Assistance Center (TAC) can provide configuration assistance and technical assistance with security matters. The TAC can also help with nonsensitive security incidents and software upgrades for security bug fixes. Use the following information to contact the Cisco TAC.

TAC Support
Phone +1 800 553 2447 (Toll-free within North America)
+1 408 526 7209 (International direct-dial)
Additional TAC numbers: Customer Service Contacts
Hours 24 hours a day, 7 days a week


Receiving Security Vulnerability Information from Cisco

There are several ways to stay connected and receive the latest security vulnerability information from Cisco. Review the following table, and subsequent summaries, to determine the appropriate option.

The Cisco Security portal on provides Cisco security vulnerability documents and Cisco security functions information, including relevant security products and services.

For direct links to specific security functions, see the Types of Security Publications section of this document.


Cisco Security Advisories that provide information about Critical and High severity security vulnerabilities are clear signed with the Cisco PSIRT PGP public key and posted to the mailing list.

Only the initial release and major revisions to Cisco Security Advisories for Critical and High severity security vulnerabilities are posted via email. If a document undergoes a minor revision, the update will be posted to without an accompanying email message. Customers who require automated alerts for minor revisions should subscribe to the Cisco Security Advisory Really Simple Syndication (RSS) feed or My Notifications. All security advisories on are displayed in chronological order, with the most recent advisories and updates appearing at the top of the page.

Cisco Security Advisories that provide information about Medium severity security vulnerabilities are posted to and appear in the Cisco Security Advisory RSS feed.

The Cisco PSIRT may also send Informational advisories to the cust-security-announce mailing list. An Informational advisory is not used as a disclosure mechanism for any Cisco vulnerability, but as a method to share information on security incidents that may impact Cisco products and which may be of interest to Cisco customers.

This mailing list is an external list that allows subscribers to receive Cisco security announcements.

To subscribe to this mailing list, send an email message to (The content of the message does not matter.) You will receive confirmation, instructions, and a list policy statement.

Please note that requests must be sent to and not to the list itself.

To unsubscribe from this mailing list, send an email message to with the word "unsubscribe" in the subject of your message. (The content of the message does not matter.) You will receive a confirmation notice, to which you need to reply. On replying to this notice you will be unsubscribed from the cust-security-announce mailing list. You will not be unsubscribed unless you reply to this confirmation email.

Please note that requests to unsubscribe must be sent to and not to the list itself.

You must send messages from the account that will be subscribed to or unsubscribed from the list. We do not accept subscribe or unsubscribe requests for one account that are sent from a second account.

You may also request access to this mailing list by sending an email message to

RSS Feeds

Cisco security vulnerability information is also available via RSS feeds from These feeds are free and do not require an active registration. For information on how to subscribe to the RSS feeds, visit the Cisco Security RSS Feeds page.

Cisco PSIRT openVuln API

The Cisco PSIRT openVuln API is a RESTful API that allows customers to obtain Cisco security vulnerability information in different machine-consumable formats. To learn about accessing and using the API, visit the PSIRT page on the Cisco DevNet website.

My Notifications

The My Notifications website allows users to subscribe and receive important Cisco product and technology information, including Cisco Security Advisories. This service provides an improved unified subscription experience allowing users to choose the timing of notifications, as well as the notification delivery method (email message or RSS feed). The level of access will be determined by the subscriber's relationship with Cisco.

Procedure for Creating a Notification

  1. Log in to the My Notifications website on by using your registered account name and password.
  2. Click the Add Notification button and follow the instructions.


Public Relations or Press Queries Regarding Cisco Security Vulnerability Information

The following table shows the Cisco press contacts for Cisco security vulnerability information.

Press Contacts
Mark Hoskins Email:
Phone: +1 919 392 2756
Additional Public Relations


Commitment to Product Security and Integrity at Cisco

Cisco product development practices specifically prohibit any intentional behaviors or product features that are designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions. These include, but are not limited to:

  • Undisclosed device access methods or "backdoors"
  • Hardcoded or undocumented account credentials
  • Covert communication channels
  • Undocumented traffic diversion

Cisco considers such product behaviors to be serious vulnerabilities. Cisco will address any issues of this nature with the highest priority and encourages all parties to report suspected vulnerabilities to the Cisco PSIRT for immediate investigation. Internal and external reports of these vulnerabilities will be managed and disclosed under the terms of the Cisco Security Vulnerability Policy.

More information can be found on Cisco's CSDL website.

Cisco Product Security Incident Response Process

The following graphic illustrates the Cisco PSIRT process at a high level and provides an overview of the vulnerability lifecycle, disclosure, and resolution process.

Figure 1. Cisco Product Security Incident Response Process

response process cycle from awareness to feedback


The following are the steps in the process illustrated in Figure 1:

  1. Awareness: PSIRT receives notification of security incident.
  2. Active Management: PSIRT prioritizes and identifies resources.
  3. Fix Determined: PSIRT coordinates fix and impact assessment.
  4. Communication Plan: PSIRT sets timeframe and notification format.
  5. Integration and Mitigation: PSIRT engages experts and executives.
  6. Notification: PSIRT notifies all customers simultaneously.
  7. Feedback: PSIRT incorporates feedback from customers and Cisco internal input.

The Cisco PSIRT investigates all reports regardless of the Cisco software code version or product lifecycle status until the product reaches the Last Day of Support (LDoS). Issues will be prioritized based on the potential severity of the vulnerability and other environmental factors. Ultimately, the resolution of a reported incident may require upgrades to products that are under active support from Cisco. As a best practice, Cisco strongly recommends that customers periodically verify that their products are under active support for access to the latest software updates and other benefits.

Throughout the investigative process, the Cisco PSIRT strives to work collaboratively with the source of the report (incident reporter) to confirm the nature of the vulnerability, gather required technical information, and ascertain appropriate remedial action. When the initial investigation is complete, results will be delivered to the incident reporter along with a plan for resolution and public disclosure. If the incident reporter disagrees with the conclusion, the Cisco PSIRT will make every effort to address those concerns.

In the case of incidents whereby an agreement cannot be reached through the normal process, incident reporters may escalate by contacting the Cisco Technical Assistance Center and requesting the director of the global Cisco PSIRT team.

During any investigation, the Cisco PSIRT manages all sensitive information on a highly confidential basis. Internal distribution is limited to those individuals who have a legitimate need to know and can actively assist in the resolution. Similarly, the Cisco PSIRT asks incident reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published by the Cisco PSIRT on the Cisco website through the appropriate coordinated disclosure.

With the agreement of the incident reporter, the Cisco PSIRT may acknowledge the reporter's contribution during the public disclosure of the vulnerability.

Cisco PSIRT works with third-party coordination centers such as CERT/CC, CERT-FI, JP-CERT, or CPNI to manage a coordinated industry disclosure for vulnerabilities reported to Cisco that may impact multiple vendors (for example, a generic protocol issue). In those situations, the Cisco PSIRT either will assist the incident reporter in contacting the coordination center, or may do so on that individual's behalf.

If a reported vulnerability involves a vendor product, the Cisco PSIRT will notify the vendor directly, coordinate with the incident reporter, or engage a third-party coordination center.

The Cisco PSIRT will coordinate with the incident reporter to determine the frequency of status updates of the incident and documentation updates.

In the event Cisco becomes aware of a vulnerability that does not affect a Cisco product, but does involve another vendor's product, our policy for reporting vulnerabilities to vendors is followed.

Disclosure of Security Vulnerabilities Discovered as Part of Cisco Services Delivery

If a new or previously undisclosed security vulnerability is found during a Cisco Services engagement with a customer, Cisco will follow the Cisco Product Security Incident Response Process. Vulnerabilities found in Cisco products will be handled by the Cisco PSIRT according to Ciscoís Security Vulnerability Policy. If the vulnerability is in another vendorís product, Cisco will follow the Cisco Vendor Vulnerability Reporting and Disclosure Policy unless the affected customer wishes to report the vulnerability to the vendor directly; in that case, Cisco will facilitate contact between the customer and the vendor, and will notify CERT/CC (or its national equivalent).

Cisco will protect customer-specific data at all times throughout this process. Specifically, Cisco will not share any customer-specific data unless directed to do so by the affected customer, or as required by a legal investigation.

Assessing Security Risk — Common Vulnerability Scoring System and the Security Impact Rating

Cisco uses version 3.1 of the Common Vulnerability Scoring System (CVSS) as part of its standard process of evaluating reported potential vulnerabilities in Cisco products. The CVSS model uses three distinct measurements or scores that include Base, Temporal, and Environmental calculations. Cisco will provide an evaluation of the Base vulnerability score, and in some instances, will provide a Temporal vulnerability score. End users are encouraged to compute the Environmental score based on their network parameters. The combination of all three scores should be considered the final score, which represents a moment in time and is tailored to a specific environment. Organizations are advised to use this final score to prioritize responses in their own environments.

Note: Cisco began transitioning to CVSS Version 3.1 (CVSSv3.1) in May 2020.

In addition to CVSS scores, Cisco uses the Security Impact Rating (SIR) as a way to categorize vulnerability severity in a simpler manner. The SIR is based on the CVSS Qualitative Severity Rating Scale of the base score, may be adjusted by PSIRT to account for Cisco-specific variables, and is included in every Cisco Security Advisory. Cisco uses the following guidelines to determine the Cisco Security Advisory type. Security Advisories for Critical and High SIRs include fixed software information.

Publication Type CVSS CVE Fix Information Machine-Readable Format
Cisco Security Advisory Critical 9.0–10.0 Yes Fix information in the Security Advisory and bug.

Detailed fix information for Cisco IOS and IOS XE Software obtained via Cisco IOS Software Checker.
High 7.0–8.9 Yes Fix information in the Security Advisory and bug.

Detailed fix information for Cisco IOS and IOS XE Software obtained via Cisco IOS Software Checker.
Medium 4.0–6.9 Yes Fix information in bug. RSS, CVRF
Informational N/A No Fix information in bug (if applicable). RSS


Issues with a Low SIR are typically published as a bug Release Note Enclosure (RNE) and not as part of a Security Advisory.

Cisco reserves the right to deviate from these guidelines in specific cases if additional factors are not properly captured in the CVSS score.

If there is a security issue with a third-party software component that is used in a Cisco product, Cisco typically uses the CVSS score provided by the third party. In some cases, Cisco may adjust the CVSS score to reflect the impact to the Cisco product.

Note: Cisco does not assign CVE identifiers for reported vulnerabilities until such vulnerabilities have been confirmed by Cisco.

For more information about CVSS, visit

Cisco Hosted Cloud Solutions

Cisco offers multiple hosted cloud solutions that are used by customers but are maintained, patched, and monitored by Cisco.

The Cisco PSIRT responds to vulnerabilities in Cisco hosted cloud solutions and works closely with the teams that own them. These teams ensure security vulnerabilities are fixed and patches are deployed to all customer instances in a timely manner.

Cisco addresses and discloses vulnerabilities through security advisories for Cisco hosted cloud solutions using the same documented disclosure process that is used for on-premises products.

In most cases, no user action is required because Cisco regularly patches hosted cloud solutions.

Service teams may communicate service-related security events to customers through direct notification or through the service dashboard or portal.

Third-Party Software Vulnerabilities

If there is a vulnerability in a third-party software component that is used in a Cisco product, Cisco typically uses the CVSS score provided by the component creator. Cisco may adjust the CVSS score to reflect the impact to Cisco products.

Cisco will consider a third-party vulnerability “high profile” if it meets the following criteria:

  • The vulnerability exists in a third-party component.
  • Multiple Cisco products are affected.
  • The CVSS score is 5.0 or above.
  • The vulnerability has gathered significant public attention.
  • The vulnerability is likely to have exploits available and is expected to be, or is being, actively exploited.

For high profile, third-party vulnerabilities, Cisco will begin assessing all potentially impacted products that have not reached End-of-Support (with priority given to those products that have not reached End-of-Software-Maintenance) and publish a Security Advisory within 24 hours after Cisco classifies the vulnerability as high profile. All known affected Cisco products will be detailed in an update to the initial Security Advisory, which will be published within 7 days of Cisco's initial disclosure. A Cisco bug will be created for each vulnerable product so that registered customers can view them via the Cisco Bug Search Toolkit. Third-party vulnerabilities that are not classified as high profile will be disclosed in a Release Note Enclosure.

Types of Security Publications

In all security publications, Cisco discloses the minimum amount of information required for an end user to assess the impact of a vulnerability and any potential steps needed to protect their environment. Cisco does not provide vulnerability details that could enable someone to craft an exploit.

Cisco provides the following types of security-related publications via the Cisco Security portal on

Cisco Security Advisories

Cisco Security Advisories provide detailed information about security issues that directly involve Cisco products and require an upgrade, fix, or other customer action. Security Advisories are used to disclose vulnerabilities with a Critical, High, or Medium Security Impact Rating.

All Cisco Security Advisories that disclose vulnerabilities with a Critical, High, or Medium Security Impact Rating include an option to download Common Vulnerability Reporting Framework (CVRF) content. CVRF is an industry standard designed to depict vulnerability information in machine-readable format (XML files). This machine-readable content can be used with other tools to automate the process of interpreting data contained in a Security Advisory. CVRF content can be downloaded directly from each Security Advisory. For more information about CVRF, see the preceding link.

The Informational type of Cisco Security Advisories addresses issues that require a response to information discussed in a public forum, such as a blog or discussion list. Informational advisories are normally published if a third party makes a public statement about a Cisco product vulnerability. Informational advisories may also be used to proactively notify customers about a security-related issue that is not a vulnerability.

Cisco Event Responses

Cisco Event Responses provide information about security events that have the potential for widespread impact on customer networks, applications, and devices. Cisco Event Responses contain summary information, threat analysis, and mitigation techniques that feature Cisco products. They are normally published under the following circumstances:

  • If a significant security vulnerability exists in a vendor's product that could affect a Cisco product due to interoperation with the vendor's product or use of the network as a vector for exploitation
  • In response to the release of Cisco IOS and IOS XE Software bundled publications


Release Note Enclosures

Release Note Enclosures are used to disclose issues with a Low Security Impact Rating. All Cisco bug IDs that are disclosed by Cisco are available for registered customers to view in the Cisco Bug Search Tool.

If a Cisco Security Advisory references a bug, the bug entry in the Cisco Bug Search Tool will link to the relevant Cisco Security Advisory.

Any Cisco bug that has been evaluated by the Cisco PSIRT will include a "PSIRT Evaluation" section in its Release Note Enclosure. This new section will include, where Cisco deems appropriate and relevant, base and temporal CVSS scores and a CVE ID. Customers are invited to use this additional information at their discretion and correlate Cisco bugs with industry events. This information is not intended to supplement any standard Cisco warranties applicable to the software as stated in the Cisco End User License Agreement.

Free software updates will not be provided for issues that are disclosed through a Release Note Enclosure. Customers who wish to upgrade to a software version that includes fixes for those issues should contact their normal support channels. Any exception to this policy will be determined solely at the discretion of Cisco.

The following table summarizes the methods used to notify customers about the aforementioned security publications. Exceptions may be made on a case-by-case basis to increase communication for a given document.

Publication Email Security Portal RSS CNS openVuln API Bug Search Tool
Cisco Security Advisory - Critical and High Severity
Cisco Security Advisory - Medium Severity
Cisco Security Advisory - Informational
Cisco Event Response
Release Note Enclosure


Communications Plan

If one or more of the following conditions exist, Cisco will publicly disclose Cisco Security Advisories:

  • The Cisco PSIRT has completed the incident response process and determined that enough software patches or workarounds exist to address the vulnerability, or subsequent public disclosure of code fixes is planned to address high-severity vulnerabilities.

  • The Cisco PSIRT has observed active exploitation of a vulnerability that could lead to increased risk for Cisco customers. For this condition, Cisco will accelerate the publication of a security announcement describing the vulnerability that may or may not include a complete set of patches or workarounds.

  • There is the potential for increased public awareness of a vulnerability affecting Cisco products that could lead to increased risk for Cisco customers. For this condition, Cisco will accelerate the publication of a security announcement describing the vulnerability that may or may not include a complete set of patches or workarounds.

All Cisco security publications are disclosed to customers and the public simultaneously.

When coordinating disclosure with third parties, the Cisco PSIRT will attempt to provide notification of any changes to the Cisco PSIRT public disclosure schedule.

As documented in the Receiving Security Vulnerability Information from Cisco section of this document, Cisco delivers technical security information about software fixes in Cisco products and distributes product updates through several channels. Cisco reserves the right to deviate from this policy on an exception basis to ensure access to for software patch availability.

Disclosure Schedule

Cisco IOS and IOS XE Software

In direct response to customer feedback, Cisco releases bundles of Cisco IOS and IOS XE Software Security Advisories at 1600 GMT on the fourth Wednesday in March and September each year. This schedule applies to the disclosure of Cisco IOS and IOS XE Software vulnerabilities and does not apply to the disclosure of vulnerabilities in other Cisco products.

All Other Products

Cisco generally discloses Cisco Security Advisories at 1600 GMT on any given Wednesday.


Cisco reserves the right to publish an individual Security Advisory for Cisco IOS Software, Cisco IOS XE Software, or other products outside the published schedule. Conditions under which an out-of-cycle publication may occur include, but are not limited to, the following:

  • Cisco detects heightened public awareness of a serious vulnerability
  • Cisco learns of active exploitation of a vulnerability
  • Cisco works with a third-party coordination center to publicly disclose a vulnerability

Incident Response Eligibility

All customers, regardless of contract status, are eligible to receive support from the Cisco TAC for a known or reasonably suspected security vulnerability in Cisco product and services. Refer here for more information about how to contact the TAC. Customers who contact the TAC should reference the URL of the Cisco security publication to assist in connecting with the proper support team.

Customers with paid service contracts for incident response and forensic assistance should request assistance through the contact methods specified in their contract.

Cisco, at its sole discretion, may offer customers additional security services free of charge. Cisco reserves the right to determine the type and degree of free assistance it may offer in connection with any incident and to withdraw from such an incident at any time.

Security Software Updates

PSIRT will investigate and disclose vulnerabilities in Cisco products and services from the date of First Commercial Shipment (FCS) to the Last Day of Support (LDoS). Cisco customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels, generally from the Cisco website for the relevant product. Cisco recommends contacting the TAC only with specific and imminent problems or questions.

As a special customer service, and to improve the overall security of the Internet, Cisco may offer customers free software updates to address high-severity security problems. The decision to provide free software updates is made on a case-by-case basis. Refer to the Cisco security publication for details. Free software updates will typically be limited to Critical and High severity Cisco Security Advisories.

If Cisco has offered a free software update to address a specific issue, noncontract customers who are eligible for the update may obtain it by contacting the Cisco TAC using any of the means described in the General Security-Related Queries section of this document.

Note: To verify their entitlement, individuals who contact the TAC should have available the URL of the Cisco document that is offering the update.

Customers may only download, install, and expect support for software versions and feature sets for which they have purchased a valid license that is current and active. By installing, downloading, accessing, or otherwise using such software updates, customers agree to follow the terms of the Cisco software license. In most cases the software update will be a maintenance release to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

After End of Sale (EoS), the availability of security fixes for vulnerabilities is defined in the product’s EoS bulletin. (See the End-of-Life Policy for details.) The EoS bulletin may define one or both of the following milestones:

  • The End of SW Maintenance milestone identifies the last date Cisco may release a software maintenance release that could include security fixes.
  • The End of Security Fixes milestone identifies the last date that Cisco may provide security fixes for vulnerabilities.

Note: If the End of Security Fixes milestone is not defined, then the End of SW Maintenance milestone date will determine the last date Cisco will provide security fixes for vulnerabilities. If the End of SW Maintenance milestone is not defined, then Cisco will provide security fixes for vulnerabilities up to 1 year past EoS.

Cisco does not investigate or confirm reports of a potential security vulnerability in products that have already passed the EoS milestones detailed above.

Security Advisory Terms and Conventions

Fixed Release Availability: If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. If no version or date is listed for an affected component (indicated by a blank field and/or an advisory designation of Interim), Cisco is continuing to evaluate the fix and will update the advisory as additional information becomes available. After the advisory is marked Final, customers should refer to the associated Cisco bug(s) for further details.

Interim: The Cisco investigation is ongoing. Cisco will issue revisions to the advisory when additional information, including fixed software release data, becomes available.

Final: Cisco has completed its evaluation of the vulnerability described in the advisory. There will be no further updates unless there is a material change in the nature of the vulnerability.

All aspects of this process are subject to change without notice and on a case-by-case basis. No particular level of response is guaranteed for any specific issue or class of issues.


For purposes of this policy, the following definitions apply:

Term Definition
API application programming interface
CERT/CC Computer Emergency Response Team Coordination Center
CERT-FI Computer Emergency Response Team of Finland
CPNI Centre for the Protection of National Infrastructure
CSDL Cisco Secure Development Lifecycle
CVE Common Vulnerabilities and Exposures
GMT Greenwich Mean Time
GPG GNU Privacy Guard encryption software
ISO/IEC 29147:2014 Guidelines for disclosure of potential vulnerabilities established by the International Organization for Standardization
JP-CERT Japan Computer Emergency Response Team
LDoS Last Day of Support
PGP Pretty Good Privacy encryption software
REST representational state transfer, a software architectural style
RESTful API an API that conforms to the REST architectural style


Back to Top


Last Updated: 2020 July 30

This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.

Internal Reference Policy: Security Vulnerability Policy, EDCS-19443599

Owning Function: Cisco PSIRT

© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.