
I need advice about upgrading IOS

Dear Mister

I need to do an upgrade on a SUP720 with MSFC3, in a 7606 router.

Well, this router has two cards, apart from the Supervisors. These cards permit the following software: 12.2(18)SXF17; 12.2(33)SRB7; 12.2(33)SRC5 and 12.2(33)SRD3.

I read the Release Notes, and this version has some bugs that do not affect my platform.

But, searching all versions, all these images have catastrophic bugs. And these bugs affect some features configured in my equipment.

Also, this version has Security Advisories, with TCP and BGP.

What can I do in this case? I need to do the upgrade, because the current software is really old and has a lot of bugs, but it is still functioning; or do the upgrade, with the risk associated with the new catastrophic bugs.

Best Regards

5 Replies

Hi Rodrigo,

If there's a bug in the feature you are planning to use, that doesn't mean you are going to hit that bug; most bugs need to meet very specific criteria to be triggered.

If you have a feature (i.e. BGP), this feature can be hitting a catastrophic bug, but probably only if you have peer groups.

So not all the bugs will apply to the exact configuration you have.

If the bug really affects you, you can call the TAC and explain that a critical bug is affecting your network, and they can try to give you the best IOS option for you or probably an internal one, until the public one is released.

So at this time, I suggest going to the latest release, putting it under some tests, and if one of these bugs matches your exact circumstances, checking with the TAC for any further options.

regards

Yesua.

In addition to Yesua's comment, you are not going to find an IOS version without any bugs. So, make sure you install it in the lab first before taking it to production.

Also, regarding this comment:


This is true, BUT it also depends on how much money you spent buying 6700 right Yesua!!!!

Reza

yes, totally agree,

all of them will have bugs, and some are high severity, so you should always test.

If that were the case, and you need an internal release, some internal versions are already there, and probably one of them with a fix for you.

Now if it's not, and it's a critical issue that can affect lots of customers, a fix will be created soon. You already paid for your contract (or your device with guarantee), so there's no extra cost for that.

Dear Mister

I appreciate your answers. But I have another doubt.

In the case of bug CSCek37177, there is a document on this page:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

This page, for instance, shows that version 12.2.SRB is not affected by this bug.

But when I go into the bug description, in the section "Known Affected Version", the following IOS versions are shown:

12.2(33)SRB, 12.2(33)SRB1, 12.2(33)SRB2, 12.2(33)SRB3, 12.2(33)SRB4, 12.2(33)SRB5, 12.2(33)SRB5a, 12.2(33)SRB6, 12.2(33)SRB7

What is the reason for this contradiction?

Which link should I obey?

Thank you.

Best Regards

Well, the bug affects this version; however, BGP TTL Security Hack/Generalized TTL Security Mechanism is implemented on SRB. This feature stops the DoS attack, and that's why it's protected.

So yes, it's affected by the bug, but it has a TCP filtering protection, so it's not affected by the FN.

- Allows you to filter based on the TTL of the packets.
- CSCee73956 introduces TCP filtering support for BTSH/GTSM. Integrated releases include: 012.004(007.010) 12.0(32.01)S11 12.2(31.04.03)SX11 12.2(32.08.35)SRB 12.2(35.01)S 12.4(04.09)T 12.4(05.03)PI03a.
- Images prior to CSCee73956 cannot protect against this leak because the packets are processed at the TCP layer.

regards.

Armando
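
The TTL filter mentioned in the reply above, modelled as an added example (not part of the thread and not Cisco code): it shows why a sender farther away than the configured hop count cannot pass the check whatever initial TTL it picks. The function names, the sample packets and the threshold of 255 minus the configured hop count are assumptions of this sketch.

```python
# Added illustration of a GTSM-style receive check; not Cisco code.
MAX_TTL = 255  # largest value the 8-bit IP TTL field can hold


def min_accepted_ttl(hops: int) -> int:
    """Lowest TTL accepted from a peer configured as at most `hops` hops away
    (assumed threshold: 255 minus the configured hop count)."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return MAX_TTL - hops


def arrival_ttl(initial_ttl: int, routers_crossed: int) -> int:
    """TTL left after every forwarding router decrements it (0 = died in transit)."""
    return max(initial_ttl - routers_crossed, 0)


def gtsm_accepts(ttl: int, hops: int) -> bool:
    """Receive-side decision: keep the packet only if its TTL is high enough."""
    return ttl >= min_accepted_ttl(hops)


def best_spoof_accepted(routers_crossed: int, hops: int) -> bool:
    """True if ANY initial TTL chosen by a sender that far away passes the check."""
    return any(gtsm_accepts(arrival_ttl(t, routers_crossed), hops)
               for t in range(1, MAX_TTL + 1))


# Constructed sample packets, all claiming the address of a peer configured
# with hops = 1: (description, initial TTL, routers crossed on the way)
SAMPLES = [
    ("configured peer, sends TTL 255, on-link", 255, 0),
    ("on-link host using a default TTL of 64", 64, 0),
    ("remote sender forging the peer address, TTL 255", 255, 3),
]


def classify(samples, hops=1):
    """Return (description, TTL on arrival, accepted?) for each sample."""
    out = []
    for desc, initial, crossed in samples:
        ttl = arrival_ttl(initial, crossed)
        out.append((desc, ttl, gtsm_accepts(ttl, hops)))
    return out


if __name__ == "__main__":
    for desc, ttl, ok in classify(SAMPLES):
        print(f"{'ACCEPT' if ok else 'DROP  '} ttl={ttl:3d}  {desc}")
```

The check only bounds distance: a sender within the configured hop count still passes, so the hop count should be as small as the topology allows.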
