C9300 ROMMON Vuln not fixed by 17.3.7 upgrade

cisco-sa-c9300-spi-ace-yejYgnNQ states the vulnerability is fixed with ROMMON/firmware 17.3.7r, which is supposed to be bundled in IOS-XE with IOS 17.3.7. After the IOS upgrade I did get a ROMMON/firmware upgrade, but only to 17.3.2r. Yes, I could try another IOS train; however, I have found 17.6.x to be buggy in various ways, generating crashinfo entries multiple times a day and breaking Dynamic VLAN assignment. (This is across hundreds of switches.) So does anyone know if there is a separate ROMMON to be installed or another way around this?


Leo Laohoo
Hall of Fame

Catalyst 9300 ROMMON image cannot be independently updated.  

For ROMMON to get upgraded to a higher version, the firmware will need to be upgraded.  

Upgrade to 17.9.3 and post the complete output of the command "sh version".

Thanks Leo. I figured that the ROMMON was only bundled with the IOS, and yes, I thought about upgrading to a higher IOS version, but I need to bench test any new train, especially after all the problems I ran into with 17.6.x and Dynamic VLAN assignment. Also, I just prepped a few hundred switches with 17.3.7, thinking this was going to fix the vuln per cisco-sa-c9300-spi-ace-yejYgnNQ. Got a TAC case open to see if I might be able to get an "engineering" release of the next 17.3.x train (if they do that anymore). If no luck there, I will try the upgrade for the ROMMON, then downgrade to the version I know works with everything else. I agree that your suggestion is likely a solution and will check it out.


@ThomasDorsey1955 wrote:
Got a TAC case open to see if I might be able to get an "engineering" release of the next 17.3.x train (if they do that anymore).

That is a very risky and dangerous move.  

I have never recommended that anyone request an engineering special release. And I do not want to start now.
