A recent publication from Cisco PSIRT went out regarding a vulnerability in the ASR9000, and it was picked up by various news sites.
Since our team was directly involved with the detection of this item, I wanted to share a few more details, as I feel that the announcements and publications make it seem more severe than it really needs to be.
The issue surrounds the ability to crash the management plane through the secondary mgmt interface of the ASR9000.
The ASR9000 RSP has 2 mgmt interfaces, 0 and 1. In classic XR they are both bound to the XR control plane. In evolved XR (64-bit), port 0 is bound to the XR control plane, and the second interface, "1", is bound to the admin plane.
It is very important to call out that this situation is confined to 64-bit eXR only for the ASR9000; it doesn't apply to classic 32-bit XR nor any other platform for that matter.
Also it is not very common to have the secondary mgmt ethernet configured or in use.
In addition to that, if it is configured and in use, it is not likely to be exposed to the internet.
Finally, the mgmt interfaces are not routed; that is, the fabric doesn't have access to these interfaces, nor do the mgmt interfaces have an ability to inject packets into the fabric.
I just wanted to give a bit more context to the item described and published: yes, we do acknowledge it is an issue, but realistically the exposure to it is limited based on the criteria mentioned above.
Hopefully it helps put some context around the "scare" that may have been raised!