[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software
Multiple Vulnerabilities in Cisco ASA Software

Advisory ID: cisco-sa-20150408-asa
Revision 1.0
For Public Release 2015 April 8 16:00 UTC (GMT)

Summary

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

- Cisco ASA Failover Command Injection Vulnerability
- Cisco ASA DNS Memory Exhaustion Vulnerability
- Cisco ASA VPN XML Parser Denial of Service Vulnerability

Successful exploitation of the Cisco ASA Failover Command Injection Vulnerability would allow an attacker to submit failover commands to the failover units, which may result in an attacker taking full control of the systems.

Successful exploitation of the Cisco ASA DNS Memory Exhaustion Vulnerability may result in system instability and dropped traffic.

Successful exploitation of the Cisco ASA VPN XML Parser Denial of Service Vulnerability may result in a crash of the WebVPN process, which may lead to the reset of all SSL VPN connections, system instability, and a reload of the affected system.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for the Cisco ASA Failover Command Injection Vulnerability and Cisco ASA DNS Memory Exhaustion Vulnerability.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Cisco Security Advisory: Cisco ASA FirePOWER Services and Cisco ASA CX Services Crafted Packets Denial of Service Vulnerability
Cisco ASA FirePOWER Services and Cisco ASA CX Services Crafted Packets Denial of Service Vulnerability

Advisory ID: cisco-sa-20150408-cxfp
Revision 1.0
For Public Release 2015 April 8 16:00 UTC (GMT)

Summary

A vulnerability in the virtualization layer of the Cisco ASA FirePOWER Services and Cisco ASA Context Aware (CX) Services could allow an unauthenticated, remote attacker to cause a reload of the affected system.

Cisco has released free software updates that address this vulnerability. The resolution includes upgrading the Cisco ASA FirePOWER Services Software or the Cisco ASA CX Services Software and the Cisco ASA Software. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp

Note: Cisco ASA Software is affected by several other vulnerabilities described in the Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software, cisco-sa-20150408-asa. Cisco ASA customers should review cisco-sa-20150408-asa before determining an upgrade release for Cisco ASA Software.
Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa
[c-nsp] Trigger for IP FRR
Hi,

I have a question about the trigger for IP FRR: apart from link/protocol adjacency down, can IP FRR be triggered by link-down LSA/LSP updates?

I am using the topology below:

          RTR-C
           / \
          /   \
         /     \
    RTR-A ---SW--- RTR-B

A and B are connected via a switch. A and C, and B and C, are connected directly. A and B are running BFD with higher BFD timers; detection is approx. equal to 1 sec.

What I noticed is that when we fail the link between RTR-A and SW, RTR-A switches to the alternate path as the port connected to SW is down. However, B also converges to C before the BFD timer expires, and traffic loss is approx. 200 msecs (B---A).

I did some packet captures and noticed the link-down LSA on B is arriving earlier than the BFD control timer expiration. Is it possible for IP FRR to trigger based on link-down LSA/LSP updates?

Thanks
Amit Dhamija
Re: [c-nsp] VPLS : Loop avoidance
I think split horizon loop avoidance is a default behavior for PWs under a VFI context. So with that in mind, you should have no forwarding of frames between the (2) neighbor PW statements under the 6880's l2 vfi.

I believe that is treated like an E-Tree service, where the root of the tree is the interfaces bound to VLAN 582 and the leafs of the E-Tree are the PWs under the VFI.

- Root talks to leafs
- Leafs talk to root
- Roots talk to roots (roots being other non-VFI interfaces/PWs on this box, such as an H-VPLS PW); you may need to consider loop avoidance mechanisms there
- Leafs don't talk to leafs (default SHG behavior, as I understand it)

So interestingly, each VPLS member I think is its own E-Tree.

About this second interface you speak of, I might need to see that config in order to feel better about commenting on it.

Aaron
[c-nsp] VPLS : Loop avoidance
Hello,

We are going to interconnect two of our datacenters. In one datacenter we have a 6880-X configured with VSS and on the other hand, we have a pair of ASR 1001-X. We would like to configure the VPLS and I have some questions about the redundancy and loop avoidance. You can find a diagram attached to my email.

6880 VSS:

    l2 vfi VPLS-VLAN-582 manual
     vpn id 582
     neighbor ASR-2 24 encapsulation mpls
     neighbor ASR-1 23 encapsulation mpls
    !
    interface Vlan582
     mtu 9180
     no ip address
     xconnect vfi VPLS-VLAN-582

ASR 1:

    interface GigabitEthernet0/0/5
     service instance 100 ethernet
      description VLAN582
      encapsulation dot1q 582 exact
      rewrite ingress tag pop 1 symmetric
      bridge-domain 582
    !
    l2 vfi VPLS-VLAN-582 manual
     vpn id 582
     bridge-domain 582
     mtu 9180
     neighbor VSS-6880 23 encapsulation mpls
    !

ASR 2:

    interface GigabitEthernet0/0/5
     service instance 100 ethernet
      description VLAN582
      encapsulation dot1q 582 exact
      rewrite ingress tag pop 1 symmetric
      bridge-domain 582
    !
    l2 vfi VPLS-VLAN-582 manual
     vpn id 582
     bridge-domain 582
     mtu 9180
     neighbor VSS-6880 24 encapsulation mpls
    !

At the moment, I've enabled one interface on the ASR-1 (g0/0/5); the g0/0/5 on ASR-2 is still shut. VPLS is working like a charm between the 6880 and ASR-1, but now I would like to activate the second interface on ASR-2 :-)

I have some doubts about a loop in this case... I guess there should be no loop because the 6880 is configured with split-horizon, but I just wanted to be sure that I will not break my network if I activate the second port.

Can you please help me?

Thank you.

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# - - Nicolas KARP
# - - Network and Security Engineer
# - - Email : li...@karp.fr nico...@karp.fr
# - - Linkedin : http://www.linkedin.com/in/nicolaskarp
# - - Viadeo : http://www.viadeo.com/fr/profile/nicolas.karp
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Re: [c-nsp] VPLS : Loop avoidance
Hi Aaron,

Both interface configurations on the two ASRs were provided in my first email. It's just an interface with some service instances configured with some VFIs.

In fact, in my case the leafs are connected together via a layer 2 network (switches) and the two leafs are connected to the root via a VFI.

Thanks for your advice.

Nick
Re: [c-nsp] VPLS : Loop avoidance
Hello Nicolas,

Right, the split horizon is there so packets coming from a PW will not be forwarded to another PW in the same VFI, so that takes care of loops in MPLS. However, you need to take care of the loops created via the LAN/DC side, so you need to have a dedicated forwarder for the BUM traffic on one of the ASRs, or break the loop.

adam
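A toy flooding model of the topology in this thread, added here as an illustration of Aaron's split-horizon rules and adam's LAN-side loop point (it is not code from the thread or from Cisco): VFI split horizon stops a frame from cycling between the two PWs, but with both ASR attachment circuits forwarding, one DC1 broadcast reaches the DC2 LAN twice and comes back into DC1 twice, while a single BUM forwarder removes the duplicates. Node and port names are constructed.

```python
from collections import deque

class Node:
    """One VPLS node: pseudowire ports in a single VFI plus attachment circuits (ACs)."""
    def __init__(self, name, pws, acs, split_horizon=True, bum_acs=None):
        self.name, self.split_horizon = name, split_horizon
        self.pws, self.acs = set(pws), set(acs)
        # ACs allowed to carry BUM traffic; by default every AC is a BUM forwarder
        self.bum_acs = self.acs if bum_acs is None else set(bum_acs)

    def flood_ports(self, ingress):
        """Ports a BUM frame arriving on `ingress` is replicated to."""
        if ingress in self.acs and ingress not in self.bum_acs:
            return []  # a non-forwarder AC drops BUM traffic in both directions
        out = []
        for p in self.pws | self.acs:
            if p == ingress:
                continue
            if self.split_horizon and ingress in self.pws and p in self.pws:
                continue  # VFI split horizon: a PW never forwards to another PW
            if p in self.acs and p not in self.bum_acs:
                continue
            out.append(p)
        return sorted(out)

def flood(nodes, links, origin, max_hops=30):
    """Flood one BUM frame from origin=(node, ingress port) over the links.
    Returns per-(node, egress) delivery counts, or None if the frame keeps cycling."""
    counts, queue = {}, deque([(origin, 0)])
    while queue:
        (node, port), hops = queue.popleft()
        if hops > max_hops:
            return None  # still circulating after max_hops: a forwarding loop
        for egress in nodes[node].flood_ports(port):
            counts[(node, egress)] = counts.get((node, egress), 0) + 1
            for peer in links.get((node, egress), []):
                queue.append((peer, hops + 1))
    return counts

def simulate(split_horizon=True, single_bum_forwarder=False):
    """A DC1 host broadcast enters the 6880 VSS on Vlan582 (constructed topology)."""
    nodes = {
        "VSS": Node("VSS", ["pw23", "pw24"], ["Vlan582"], split_horizon=split_horizon),
        "ASR1": Node("ASR1", ["pw"], ["g0/0/5"]),
        # with a dedicated BUM forwarder (ASR1), ASR2's AC carries no BUM traffic
        "ASR2": Node("ASR2", ["pw"], ["g0/0/5"], bum_acs=[] if single_bum_forwarder else None),
    }
    links = {  # the DC2 switch relays frames between the two ASR ACs
        ("VSS", "pw23"): [("ASR1", "pw")], ("ASR1", "pw"): [("VSS", "pw23")],
        ("VSS", "pw24"): [("ASR2", "pw")], ("ASR2", "pw"): [("VSS", "pw24")],
        ("ASR1", "g0/0/5"): [("ASR2", "g0/0/5")], ("ASR2", "g0/0/5"): [("ASR1", "g0/0/5")],
    }
    counts = flood(nodes, links, ("VSS", "Vlan582"))
    if counts is None:
        return None
    return {"copies_into_dc2": counts.get(("ASR1", "g0/0/5"), 0) + counts.get(("ASR2", "g0/0/5"), 0),
            "copies_back_into_dc1": counts.get(("VSS", "Vlan582"), 0)}
```

Calling simulate() with both ACs forwarding returns two copies into DC2 and two back into DC1 (the MAC-flapping case), simulate(single_bum_forwarder=True) returns one and zero, and simulate(split_horizon=False) returns None because the frame never stops circulating.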
[c-nsp] Nightmare for load balancing of L2VPN traffic on CRS (traffic from ME3600)
Hi Guys,

We are a fixed line operator with the majority of L2VPN xconnect traffic on our network. Our equipment is:

- CRS-8: core P router
- ME3600: access PE router

Most L2VPN xconnect traffic starts and ends at ME3600. We are beginning to see our CRS-8 not being able to load balance among the bundle LACP links due to the hashing algorithm of the CRS-8 box. The Cisco CRS-8 team suggested FAT-PW config at the ME3600 xconnect, but the ME3600 team claims there's no roadmap for FAT-PW.

Anyone facing similar issues mind sharing some of the options available?

Thanks !

Rgds
Darren