A recent publication from Cisco PSIRT went out regarding a vulnerability in the ASR9000 that was picked up by various news sites.
Since our team was directly involved with the detection of this item, I wanted to share a few more details, as I feel that the announcements and publications make it seem more severe than it really needs to be.
The issue surrounds the ability to crash the management plane through the secondary mgmt interface of the ASR9000.
The ASR9000 RSP has 2 mgmt interfaces, 0 and 1. In classic XR they are both bound to the XR control plane. In evolved XR (64-bit), port 0 is bound to the XR control plane; the second interface, "1", is bound to the admin plane.
It is very important to call out that this situation is confined to 64-bit eXR only for the ASR9000; it doesn't apply to classic 32-bit XR nor any other platform for that matter.
Also it is not very common to have the secondary mgmt ethernet configured or in use.
In addition to that, if it is configured and in use, it is not likely to be exposed to the internet.
Finally, the mgmt interfaces are not routed; that is, the fabric doesn't have access to these interfaces, nor do the mgmt interfaces have an ability to inject packets into the fabric.
I just wanted to give a bit more context to the item described and published: yes, we do acknowledge it is an issue, but realistically the exposure to it is limited based on the criteria mentioned above.
Hopefully it helps put some context around the "scare" that may have been raised!!