Unlocking cisco devices for unsupported SFPs

Cisco as well as many other vendors locks their equipment to only work with their own branded SFPs. The problem is that none of the big vendors actually manufactures the modules themselves – they use 3rd parties like avago or finisar. This extremely shameful practice is wide spread so almost everyone does this – Cisco, Juniper, Brocade or NetApp all are guilty of this. One issue is price – the aforementioned companies are willing to ask you 10 or even 100 times more for a branded sfp under the pretense of supportability. 

So how does this protection work ? Technically it is very simple. Each SFP needs to have a limited set of information on it to identify vendor and type and similar useful things so the vendors just added a small CRC to check out with the platform. These CRCs might be different between platforms of the same vendor so now you can have overpriced module that is not working in your device due to artificial block. 

Some words before try the procedure below – unlocking and using unencoded fiber SM/MM SFPs will usually work. I’ve seen only couple extra cheap Chinese no-name modules that didn’t work at all. With copper SFP that is a completely different game and I would strongly recommend to use someone who has been thoroughly tested and sells the “encoded” modules. The reason being that the copper SFP has to deal with autonegotiation and way more signaling over the wire than a fible module and there is loads of potential for incompatibility in both direction. For this purposes I’ve used in the past 1GE copepr SFPs from prolabs and solid optics with good degree of success when unlocking was not a viable option. 

Most decent vendors will have some compatibility list so you can actually check if your sfp will work or not. There is also a good chance that if your device supports “Cisco” SFP manufactured by Finisar then Finisar branded SFP will work after the unlock.

The unlock procedure

error insertin the sfp while not unlocked

%GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port 65586 has bad crc
%PM-4-ERR_DISABLE: gbic-invalid error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state

In conf t issue the following command:

service unsupported-transceiver

This will cause this to come up your screen:

Warning: When Cisco determines that a fault or defect can be traced to
the use of third-party transceivers installed by a customer or reseller,
then, at Cisco’s discretion, Cisco may withhold support under warranty or
a Cisco support program. In the course of providing support for a Cisco
networking product Cisco may require that the end user install Cisco
transceivers if Cisco determines that removing third-party parts will
assist Cisco in diagnosing the cause of a support issue.

if that did not scared you off just continue with the following:

no errdisable detect cause gbic-invalid

And you’re done.

Note this works on catalysts and ISRs this is not working on nexus platform as far as I know.

 

Leave a Reply

Your email address will not be published. Required fields are marked *