Cat6500 MSFC vulnerable?

cverheij
Level 1

We have a 6509 with MSFC running on hybrid software.

So CatOS for the switch and IOS for the MSFC modules.

As recently announced, there is a vulnerability for routers running IOS, see http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.

My question is whether the MSFC is vulnerable: it runs IOS, but it has no physical interfaces and the switch itself runs CatOS.

Accepted Solutions

Prashanth Krishnappa
Cisco Employee

Yes. Virtual VLAN interfaces on the MSFC are vulnerable. CatOS is not vulnerable to this issue.

Thanks for your fast response.

According to Cisco Security Advisory document 44020 page 6, it is recommended to upgrade IOS to version 12.1(19)E. The problem is that the size of the Enterprise IOS (filename: c6msfc2-jsv-mz.121-10.E1.bin) is 14.56 MB and the size of the boot image (filename: c6msfc2-boot-mz.121-10.E1.bin) is 1.82 MB. In other words, they need a total of 16.38 MB of bootflash. However, there is only 16.0 MB of bootflash on board and it is not expandable.

In the middle of copying the new file, I got an error, and I erased the new one and put back the old one.

Any idea how to proceed?

You have 3 options:

1) If you have a PCMCIA card, load the image onto the PCMCIA card and boot from sup-slot0:. This is not recommended though. Best practice is to boot from bootflash.

2) Since you have an MSFC2, you do not need a boot image. You can delete the boot image and fit the regular IOS image. If you have an MSFC(1), the boot image is a mandatory requirement.

3) Get the 32MB bootflash upgrade kit from Cisco. I believe this is a free upgrade.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/78_14703.htm

Thanks for the quick reply. However, I believe that even if we have an MSFC2, the boot image (c6msfc2-boot-mz.121-10.E1.bin) is still required for the machine to boot up PROPERLY. Otherwise, why would Cisco make such a file available to download?

I am really hesitant to delete the boot image and reload the box. If the switch really did not boot up, it will be a self-inflicted DOS. Can you please double-check whether the boot image is really not required if we have an MSFC2?

How do we check whether we have MSFC1 or MSFC2?

Thank you.

MSFC2 does *NOT* necessarily need a boot image. It is useful if your regular IOS gets deleted/corrupted.

sh mod 15 or sh mod 16 should tell you what MSFC you have

Console> (enable) sh mod 15
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok

Thanks for your advice. I deleted the boot image and successfully upgraded the MSFC2 module. It appears to be working fine so far.

I will contact the sales guy to get the upgrade. Hopefully, it is free - just what you mentioned. Thanks again.
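
Added example, not part of the original thread and not Cisco tooling: a Python pre-check that reads the `sh mod` output shown above and applies the three options from the reply to the image sizes quoted in the thread, so the fix for the advisory can be planned before anything is deleted from bootflash. Function names and action labels are hypothetical, and the MSFC(1) model string `WS-F6K-MSFC` is an assumption; only `WS-F6K-MSFC2` appears on the page.

```python
import re

# Constructed sample: CatOS "sh mod 15" output as posted in the thread.
SAMPLE_SH_MOD = """\
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
"""

def msfc_model(sh_mod_output):
    """Return the MSFC model string from 'sh mod' output, or None."""
    m = re.search(r"\b(WS-F6K-MSFC\d*)\b", sh_mod_output)
    return m.group(1) if m else None

def plan_upgrade(sh_mod_output, ios_mb, boot_mb, bootflash_mb):
    """Pick one of the thread's options for fitting the fixed IOS image.

    Sizes are in MB. bootflash_mb should be the usable space reported by
    the device (e.g. from 'dir bootflash:'), not just the nominal size.
    """
    model = msfc_model(sh_mod_output)
    if model is None:
        raise ValueError("no MSFC model found in 'sh mod' output")
    # Per the thread: MSFC2 can run without a boot image, MSFC(1) cannot.
    # Any model other than MSFC2 is treated conservatively as needing one.
    boot_required = model != "WS-F6K-MSFC2"
    both = round(ios_mb + boot_mb, 2)
    if both <= bootflash_mb:
        action = "keep-both"                    # everything fits as-is
    elif not boot_required and ios_mb <= bootflash_mb:
        action = "drop-boot-image"              # option 2 in the thread
    else:
        action = "external-storage-or-upgrade"  # options 1 and 3
    return {"model": model, "boot_required": boot_required,
            "total_mb": both, "action": action}

if __name__ == "__main__":
    # Figures quoted in the thread: 14.56 MB IOS, 1.82 MB boot, 16.0 MB flash.
    print(plan_upgrade(SAMPLE_SH_MOD, 14.56, 1.82, 16.0))
```

Even when the plan is to drop the boot image, the reply's caveat still applies: without it there is no fallback if the main IOS image is deleted or corrupted.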