-
We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.
Upgrade your IOS!
- Thread starter jlazzaro
- Start date
Pay close attention to what versions are and are not affected - if you've kept updated in the last six months or so you should be fine.
Cisco's QA sucks now, and so IOS upgrades are a lot riskier than the past - don't go upgrading to the latest and greatest unless you actually need to.
Cisco's QA sucks now, and so IOS upgrades are a lot riskier than the past - don't go upgrading to the latest and greatest unless you actually need to.
InlineFive
Diamond Member
Darnit, when did this happen? Are there no decent companies left?
InlineFive
Diamond Member
Nobody good for switches then?
m1ldslide1
Platinum Member
I saw this too - we have a pair of 3600's at the edge and are going to have to update. They were sure short of technical details about the 'crafted attack'... probably so they don't encourage people.
RebateMonger
Elite Member
Yeah, but supposedly there are criminal types who like to try to reverse-engineer security patches to see exactly how to attack the UNPATCHED devices.
It's getting really hard to ignore patches nowadays. Nobody likes to upgrade stuff just for the sake of upgrading. In fact, if I went around upgrading every single piece of firmware and software at all my clients, I'd probably be doing UPGRADES full time. Forever.
But if somebody breaks in, and it turns out that they used a known exploit, and the device manufacturer had already released a patch six months ago......
question about these version numbers...
the TCP DoS base 12.4 table claims the rebuilds (first fixed releases) are 12.4(3e) and 12.4(7b). If your current IOS is the same or later than the rebuilds your ok.
what is your running a version inbetween the 2 listed versions? ie 12.4(3f), 12.4(5a), etc...
the TCP DoS base 12.4 table claims the rebuilds (first fixed releases) are 12.4(3e) and 12.4(7b). If your current IOS is the same or later than the rebuilds your ok.
what is your running a version inbetween the 2 listed versions? ie 12.4(3f), 12.4(5a), etc...
FreshPrince
Diamond Member
damned if you do, damned if you don't....
InlineFive, there is not currently any vendor for switches that I consider to be doing QA well enough. I've been buying SMC's switches lately for L2, and they're working well for me. If I'm not getting enterprise-class reliability, I'm not going to pay an enterprise-class price for it! I'm buying Extreme "i" switches for L3, and they're okay, the software is definitely a rough ride but their hardware is good. Those boxes are getting cheaper now, finally.
jlazzaro,
"i read somewhere theres no "known" public exploit script for these vulnerabilities"
Vendors rarely write security advisories that say "the bad guys have scripts to exploit these vulnerabilities" because that makes customers quite unhappy. They also rarely write security advisories that say "we found out about this bug a year ago, and the bad guys probably knew about it months before that. We fixed it six months ago, and we told the customers who are really important to us about it then. But we're only telling YOU about it now." Because that too makes customers quite unhappy.
Just because they don't explicitly say these things doesn't mean you can't -- and shouldn't -- read between the lines.
My understanding of how to read the version chart is that you are okay if you're running a version newer than the version listed as maintenance, that is, that's the version where it got put into the tree. However, they also took an older and recommended stable version and created a one-off branch version of that with the fix applied, and that's the rebuild version. So you're okay if you get that one particular version ("rebuild"), or if you are running a version newer than the maintenance version listed. I admit that I could be wrong here, it is definitely confusing.
In practice, I always interpret these things as telling me to update my boxes to the newest version available that's stable enough, and/or that's above the maintenance version listed. I figure if I'm going to take the test/upgrade/test pain at all I might as well get current.
RebateMonger, that's why you build a network with defense in depth. Software has bugs and applying patches sometimes creates new ones as well as brings operational risk into the picture. To the best of your ability, you should build a network so that an exploitable bug doesn't make you a sitting duck, you have other layers of defense such that malicious parties can't actually do the exploit.
jlazzaro,
"i read somewhere theres no "known" public exploit script for these vulnerabilities"
Vendors rarely write security advisories that say "the bad guys have scripts to exploit these vulnerabilities" because that makes customers quite unhappy. They also rarely write security advisories that say "we found out about this bug a year ago, and the bad guys probably knew about it months before that. We fixed it six months ago, and we told the customers who are really important to us about it then. But we're only telling YOU about it now." Because that too makes customers quite unhappy.
Just because they don't explicitly say these things doesn't mean you can't -- and shouldn't -- read between the lines.
My understanding of how to read the version chart is that you are okay if you're running a version newer than the version listed as maintenance, that is, that's the version where it got put into the tree. However, they also took an older and recommended stable version and created a one-off branch version of that with the fix applied, and that's the rebuild version. So you're okay if you get that one particular version ("rebuild"), or if you are running a version newer than the maintenance version listed. I admit that I could be wrong here, it is definitely confusing.
In practice, I always interpret these things as telling me to update my boxes to the newest version available that's stable enough, and/or that's above the maintenance version listed. I figure if I'm going to take the test/upgrade/test pain at all I might as well get current.
RebateMonger, that's why you build a network with defense in depth. Software has bugs and applying patches sometimes creates new ones as well as brings operational risk into the picture. To the best of your ability, you should build a network so that an exploitable bug doesn't make you a sitting duck, you have other layers of defense such that malicious parties can't actually do the exploit.
Randomly picked up a Dell 3424 for some dumb L2 closet aggregation and was pretty surprised at the feature set - 802.1x, qos, standard vlan stuffs, dynamic vlan/mac assignment, pretty much comparable to the 2950s and 3500s out there. Oh, and it has 2xCopper gigE and 2xSFPs. Pretty tough to beat a $300 switch that gets you all the features of a ~$1k green-box.
randal, many of the features in the 34xx series are not fully, or correctly, implemented. That is to say, they did enough to let them claim to support, say, 802.1x, but they did not do enough to make it *useful*. Also, Dell's support sucks very very much. "Award winning" is truly the most polite way I can put it 😉 The worst part is that their 33xx series actually were better quality products and had some useful features that they took out in the 34xx series (though the 34xx series added some other features, they turn out not to be useful). So they basically dumbed them down.
Dell's software quality for their switches has not been anywhere close to enterprise quality in my experience, and their support is incapable of fixing it. I'm pretty sure that Dell can only really ask the real OEM to fix bugs and neither party is very inclined to do that. So if you do run into a bug, you're basically SOL, in my experience.
I have to do an expensive forklift upgrade to rip out every Dell switch across several buildings and replace them with something better, because features on the 34xx data sheet don't actually work and Dell doesn't care.
All that said, the Dell switches can sometimes be had on the very cheap (esp. if you buy a lot of computers at the same time) and you could do worse. For example, I'd rather somebody get a 34xx switch for a business than an unmanaged switch.
Dell's software quality for their switches has not been anywhere close to enterprise quality in my experience, and their support is incapable of fixing it. I'm pretty sure that Dell can only really ask the real OEM to fix bugs and neither party is very inclined to do that. So if you do run into a bug, you're basically SOL, in my experience.
I have to do an expensive forklift upgrade to rip out every Dell switch across several buildings and replace them with something better, because features on the 34xx data sheet don't actually work and Dell doesn't care.
All that said, the Dell switches can sometimes be had on the very cheap (esp. if you buy a lot of computers at the same time) and you could do worse. For example, I'd rather somebody get a 34xx switch for a business than an unmanaged switch.
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes + WCL Discussion Threads
- Started by Tigerick
- Replies: 25K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 24K
-
-
