[c-nsp] Sup2T CoPP
Couple of questions for people running Sup2T CoPP.

First, has anyone had crash/reload when fiddling with the CoPP policy under 15.1(2)SY2? We had a box die the other day, and I'm wondering if there's a safe way to work with it. I have a TAC case open, but no response as yet.

Second, for my own curiosity I'm wondering if anyone has any deep insight into the special built-in CoPP class-maps e.g.

  class-map match-any class-copp-icmp-redirect-unreachable
  class-map match-all class-copp-glean
  class-map match-all class-copp-receive
  class-map match-all class-copp-options
  class-map match-all class-copp-mtu-fail
  class-map match-all class-copp-ttl-fail

...and so on.

Their functions are pretty obvious - although they lack match statements in the IOS config, they seem to correspond pretty closely to the type control-plane / match exception class-maps under NX-OS, and presumably offer a way to use CoPP rather than platform (nee mls) rate-limits on a type of punt traffic.

(I note sup2t comes with the glean RL enabled by default, rather than using the special glean class-map in the default CoPP - anyone know why)

What I'm specifically curious about are what those match precisely; the command

  sh platform hardware acl tcam A ip qos

shows the TCAM matches pretty clearly, but for the special stuff there appear to be mysterious non-zero ACOS/AS values which I assume are some internal fields.

Finally, in the dumped TCAM, there appears to be a fair bit of duplication, in particular for value/mask entries of 224.0.0.13/255.255.255.255 and 224.0.0.0/255.255.255.0. Anyone know why? The reason I ask is that before my crash, it looked like there had been some horrible combinatorial explosion of value/mask entries after my CoPP edits, and I'm wondering if this was my fault or IOS.

Cheers,
Phil

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software
On Wed, Apr 09, 2014 at 12:05:46PM -0400, Cisco Systems Product Security Incident Response Team wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Multiple Vulnerabilities in Cisco ASA Software
>
> Advisory ID: cisco-sa-20140409-asa
>
> Revision 1.0
>
> For Public Release 2014 April 9 16:00 UTC (GMT)

Has anyone had any luck finding the fixed 8.3(2.40) images? The latest interims I can find are 2.39. Emailed TAC, but no response yet.

--
Brandon Ewing (nicot...@warningg.com)
Re: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software
Hello.

We had to request some of the images when we upgraded all our firewalls. Got a response from TAC an hour or so later,

Bästa hälsningar / Best regards,

Gustav Uhlander
Senior Communication Infrastructure Engineer
Steria AB
Kungsbron 13
Box 169
SE-101 23 Stockholm
Sweden
Tel: +46 8 622 42 15
Fax: +46 8 622 42 23
Mobile: +46 70 962 71 03
gustav.ulan...@steria.se
www.steria.se

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Brandon Ewing
Sent: den 15 april 2014 20:14
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software

On Wed, Apr 09, 2014 at 12:05:46PM -0400, Cisco Systems Product Security Incident Response Team wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Multiple Vulnerabilities in Cisco ASA Software
>
> Advisory ID: cisco-sa-20140409-asa
>
> Revision 1.0
>
> For Public Release 2014 April 9 16:00 UTC (GMT)

Has anyone had any luck finding the fixed 8.3(2.40) images? The latest interims I can find are 2.39. Emailed TAC, but no response yet.

--
Brandon Ewing (nicot...@warningg.com)