[c-nsp] ios roulette blues (6500/7600 SXF)
Jon Lewis
jlewis at lewis.org
Mon Mar 19 23:36:29 EST 2007

We've been trying to upgrade a pair of 6509/Sup7203bxl swouters to the
latest code in the name of IOS security. It hasn't gone well. They've
been running 12.2(18)SXD7 for the past year without any issues. We
upgraded one to 12.2(18)SXF7
(s72033-advipservicesk9_wan-mz.122-18.SXF7.bin) and soon found that the
upgraded switch would not forward certain traffic. It's similar to what
we used to occasionally see with 12.2S on the 7500 platform (dcef bugs [I
assume] where traffic between select src/dst IP pairs would not forward).
On the 7500, the solution that usually cleared it for us was ip cef (long
pause) ip cef dist. On the 6509s, we don't have dcef. We're seeing this
happen both for certain src/dst IPs inside of MPLS VPNs and in main table
IP routing. In both the cases we've encountered, other src/dst pairs
traversing the exact same path through the network work. Also the same
src/dst pairs are affected across reboots.

s72033-advipservicesk9_wan-mz.122-18.SXF8.bin apparently has the same
issue. Rolling back to 122-18.SXD7 with no other config changes, we don't
see this issue.

We've also had some issues getting the sup720's to boot SXF code.
Unfortunately, I haven't been on-site, and I don't have good intel on
exactly what happened, but with confreg set to 0x2102 and several valid
boot system flash disk0:... statements followed by a fallback boot system
flash sup-bootflash:... statement, the unit ended up refusing to boot
(stuck at rommon) until someone consoled in and told it to try again. In
going from SXD to SXF, the IOS size has jumped from ~40mb to ~80mb. Are
there issues with booting directly into these larger IOS's without an
intermediate boot bootldr first? I don't see that there even is boot code
for the sup720. Can an old IP version (say 12.2.17d-SXB10) be used as
bootldr code?
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________