Release Notes

Send documentation comments to mdsfeedback-doc@cisco.com
Cisco MDS 9000 Family Release Notes for Cisco MDS NX-OS Release 5.0(1a)
OL-21012-01
Caveats
This issue affects the following products when they have SNMP configured:
Cisco MDS 9000 Series Multilayer switches
Cisco Nexus 5000 Series switches and Cisco Nexus 2000 Series, running in FC switching mode (NPV mode is not affected).
The following products are confirmed not vulnerable:
Cisco Nexus 7000 Series switches
Cisco Nexus 4000 Series switches
Workaround: The following workaround is available:
Infrastructure Access Control Lists
Caution Because the feature in this vulnerability uses UDP as a transport, it is possible to spoof the sender's IP
address, which may defeat ACLs that permit communication to these ports from trusted IP addresses.
Although it is often difficult to block traffic that transits a network, it is possible to identify traffic
that should never be allowed to target infrastructure devices and block that traffic at the border of
networks. Infrastructure Access Control Lists (iACLs) are a network security best practice and
should be considered as a long-term addition to good network security as well as a workaround for
this specific vulnerability. The iACL example below should be included as part of the deployed
infrastructure access-list which will protect all devices with IP addresses in the infrastructure IP
address range:
!---
!--- Feature: SNMP
!---
!---
!--- Permit SNMP traffic from trusted sources.
!--- Replace TRUSTED_SOURCE_ADDRESSES WILDCARD and
!--- INFRASTRUCTURE_ADDRESSES WILDCARD with the address and
!--- wildcard-mask pairs for your management stations and your
!--- infrastructure address range.
!---
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq snmp
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq snmp
!---
!--- Deny SNMP traffic from all other sources.
!---
access-list 150 deny udp any any eq snmp
access-list 150 deny tcp any any eq snmp
!---
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations. Permit all other traffic to transit the
!--- device.
!---
access-list 150 permit ip any any
!--- Apply access-list inbound on the interface facing the untrusted network
interface serial 2/0
ip access-group 150 in
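To make the behaviour of the iACL above concrete, the following is an added example (not from the release notes) that evaluates packets against the same five entries using Cisco wildcard-mask semantics. The trusted and infrastructure address ranges are constructed sample values; the last check illustrates the Caution: the ACL only sees the source address carried in the header, so a datagram forged with a trusted source is permitted exactly like a genuine one.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample values (assumptions, not from the release notes):
# management stations in 192.0.2.0/24, infrastructure devices in 10.0.0.0/24,
# expressed as Cisco "address wildcard" pairs.
TRUSTED = ("192.0.2.0", "0.0.0.255")
INFRA = ("10.0.0.0", "0.0.0.255")
SNMP = 161  # "eq snmp" in an IOS ACL

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard mask: bits set to 1 are 'don't care', 0 must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)

# (action, protocol, source pair or None for 'any', destination pair or None, dport or None)
Rule = Tuple[str, str, Optional[Tuple[str, str]], Optional[Tuple[str, str]], Optional[int]]

# The same entries as access-list 150 above, in order.
IACL_150: List[Rule] = [
    ("permit", "udp", TRUSTED, INFRA, SNMP),
    ("permit", "tcp", TRUSTED, INFRA, SNMP),
    ("deny", "udp", None, None, SNMP),
    ("deny", "tcp", None, None, SNMP),
    ("permit", "ip", None, None, None),
]

def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation, as a numbered ACL does, with the implicit deny at the end."""
    for action, rproto, rsrc, rdst, rport in acl:
        if rproto not in ("ip", proto):
            continue
        if rsrc is not None and not wildcard_match(src, *rsrc):
            continue
        if rdst is not None and not wildcard_match(dst, *rdst):
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    print(evaluate(IACL_150, "udp", "192.0.2.10", "10.0.0.1", SNMP))    # genuine NMS: permit
    print(evaluate(IACL_150, "udp", "198.51.100.7", "10.0.0.1", SNMP))  # untrusted host: deny
    # A spoofed datagram claiming the NMS source looks identical to the ACL: permit.
    print(evaluate(IACL_150, "udp", "192.0.2.10", "10.0.0.1", SNMP))
```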
For more information on IP Access Control Lists see the “Configuring IPv4 and IPv6 Access Control List” section in the Cisco MDS 9000 Family NX-OS Security Configuration Guide at the following location:
http://www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/sec/nxos/ipacl.html