Cisco MDS 9000 NX-OS Software Release 5.0
Send documentation comments to mds-feedback-doc@cisco.com
Cisco MDS 9000 Family Release Notes for Cisco MDS NX-OS Release 5.0(4)
OL-21012-02
Caveats
Caution
Because the feature in this vulnerability uses UDP as a transport, it is possible to spoof the sender's IP
address, which may defeat ACLs that permit communication to these ports from trusted IP addresses.
Although it is often difficult to block traffic that transits a network, it is possible to identify traffic
that should never be allowed to target infrastructure devices and block that traffic at the border of
networks. Infrastructure Access Control Lists (iACLs) are a network security best practice and
should be considered as a long-term addition to good network security as well as a workaround for
this specific vulnerability. The iACL example below should be included as part of the deployed
infrastructure access-list which will protect all devices with IP addresses in the infrastructure IP
address range:
!---
!--- Feature: SNMP
!---
!---
!--- Permit SNMP traffic from trusted sources.
!---
ip access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq port snmp
ip access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq port snmp
!---
!--- Deny SNMP traffic from all other sources.
!---
ip access-list 150 deny udp any any eq port snmp
ip access-list 150 deny tcp any any eq port snmp
!---
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations. Permit all other traffic to transit the
!--- device.
!---
ip access-list 150 permit ip any any
!--- Apply the access-list inbound on the management interface
interface serial 2/0
ip access-group 150 in
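To see what the iACL above does and does not decide, here is an added example (not code from the release notes or from Cisco): a small Python model that parses the MDS-style entries, with the TRUSTED_SOURCE_ADDRESSES and INFRASTRUCTURE_ADDRESSES placeholders filled with constructed RFC 5737 ranges, and returns the verdict for sample SNMP packets. It shows which traffic the list blocks and why the Caution holds: the list can only judge the source address the packet claims.

```python
import ipaddress
# Constructed model (not Cisco code) of the MDS-style IP ACL lines shown above:
#   ip access-list <n> permit|deny <proto> <src> <wc> <dst> <wc> [eq port <p>]
PORTS = {"snmp": 161}
def _match(ip, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "do not care" for that bit.
    i, b, w = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    return (i | w) == (b | w)

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        # 'any' is shorthand for address 0.0.0.0 with an all-ones wildcard.
        tok = line.replace(" any", " 0.0.0.0 255.255.255.255").split()
        if tok[:2] != ["ip", "access-list"]:
            continue  # skip '!---' comments, interface lines and blanks
        port = (PORTS.get(tok[11]) or int(tok[11])) if tok[9:11] == ["eq", "port"] else None
        # (action, protocol, (src, wildcard), (dst, wildcard), destination port)
        rules.append((tok[3], tok[4], tuple(tok[5:7]), tuple(tok[7:9]), port))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    # First matching entry wins; nothing matched means the implicit deny.
    for action, rproto, rsrc, rdst, rport in rules:
        if (rproto in ("ip", proto) and _match(src_ip, *rsrc)
                and _match(dst_ip, *rdst) and rport in (None, dst_port)):
            return action
    return "deny"

# Constructed sample with the placeholders filled from RFC 5737 documentation
# ranges: trusted sources 192.0.2.0/24, infrastructure 198.51.100.0/24.
ACL_150 = """\
ip access-list 150 permit udp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq port snmp
ip access-list 150 permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq port snmp
ip access-list 150 deny udp any any eq port snmp
ip access-list 150 deny tcp any any eq port snmp
ip access-list 150 permit ip any any
"""

def verdicts():
    # SNMP (plus one non-SNMP flow) toward infrastructure address 198.51.100.1.
    # The ACL only sees the claimed source: a UDP datagram with a forged
    # 192.0.2.x source gets the same verdict as "trusted_udp" (the Caution above).
    rules = parse_acl(ACL_150)
    return {
        "trusted_udp": evaluate(rules, "udp", "192.0.2.10", "198.51.100.1", 161),
        "untrusted_udp": evaluate(rules, "udp", "203.0.113.5", "198.51.100.1", 161),
        "untrusted_tcp": evaluate(rules, "tcp", "203.0.113.5", "198.51.100.1", 161),
        "untrusted_ssh": evaluate(rules, "tcp", "203.0.113.5", "198.51.100.1", 22),
    }
```

The last entry passes only because of the final permit ip any any, which is why the comments in the list tell you to fit the remaining entries to your existing policy.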
For more information on IP Access Control Lists see the “Configuring IPv4 and IPv6 Access
Control List” section in the Cisco MDS 9000 Family NX-OS Security Configuration Guide at the
following location:
For more information on IP Access Control Lists see the “Configuring ACLs” section in the Cisco
Nexus 5000 Series NX-OS Software Configuration Guide at the following location:
• CSCtf16263
Symptom: Following an upgrade from Cisco MDS NX-OS Release 4.2(3a) to Release 5.0(1a) on
an MDS 9222i switch, the Encapsulating Security Protocol (ESP) configuration is not applied to
members of a PortChannel. This issue occurs only on the MDS 9222i switch.
Workaround: To work around this issue, follow these steps:
1. Enable Fibre Channel Security Protocol (FCSP) on the interface and enter configuration-interface-esp submode.