FroDo Comware Upgrade
We would like to announce a staged upgrade of the version of Comware running on our HPE 5510 FroDos. This blog entry aims to answer the majority of questions that this work will raise. Please, however, feel free to contact the Networks team with any further questions at networks@it.ox.ac.uk
Why?
As part of ongoing maintenance it is essential that we keep our FroDo software up to date. The new version of software being deployed addresses a number of vulnerabilities and bugs, as well as introducing some useful new features.
In Service Software Upgrade (ISSU)
This feature aims to reduce the downtime required for software upgrades. For Option 2 customers who have a pair of FroDos this means that, for future software upgrades, service will usually remain up while each member of the pair is upgraded and reloaded.
The ISSU feature also supports so-called hot patches which can be implemented without rebooting a device. This is of benefit to both Option 1 and Option 2 customers. There may be a small service interruption for these patches but it will be significantly less than a full reboot.
Bug Fixes
Symptom: On an MPLS L2VPN or VPLS network, PIM packets and IGMP packets cannot be
transparently forwarded between PEs.
Condition: This symptom might occur if IP multicast routing is configured on the MPLS L2VPN
or VPLS network.
Symptom: When a large number of MAC address entries are deleted from member ports of an
aggregation group, memory leak occurs at both the local end and the remote end of the
aggregate link.
Condition: This symptom might occur if a large number of MAC address entries are deleted
from member ports of an aggregation group.
Addressed Vulnerabilities
This release addresses the following CVE
CVE2016-[5195,7431,7428,7427]
CVE2017-[3731,3732]
Information about the detail of these vulnerabilities can be found at https://cve.mitre.org/cve/cve.html
Impact
The expected impact is ~5-10 minutes during which time the FroDo will reload and external services will not be available.
We will be carrying out the upgrades between 07:30 and 09:00 to minimise impact.
I am an Option 2 customer – will I be affected?
For this upgrade yes you will. This is the first software release we have been happy with that also offers In Service Software Upgrades (ISSU). The good news is that future upgrades will be able to leverage ISSU so that your service is not likely not be affected by compatible firmware upgrades moving forward.
Timescale
We plan to upgrade approximately 30 Frodo’s every Tuesday, Wednesday and Thursday over the firs three weeks of August until all of the HPE 5510 devices in service are up to date.
Schedule
We have attempted where possible to group devices around main sites and annexes so that those sites will only see one period of disruption. Detailed schedules listing devices and dates can be found at https://docs.ntg.ox.ac.uk/pub/reference/odin-frodo-software-upgrade-august-2017