Release Notes

Send documentation comments to mdsfeedback-doc@cisco.com
Cisco MDS 9000 Family Release Notes for Cisco MDS NX-OS Release 5.0(1a)
OL-21012-01
Caveats
For more information on IP Access Control Lists see the “Configuring ACLs” section in the Cisco
Nexus 5000 Series NX-OS Software Configuration Guide at the following location:
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/sec_ipacls.html
CSCte93754
Symptom: An IOA flow can take a few seconds to become active in certain events such as host or
target port flaps. PLOGIs from the hosts are buffered until the IOA flow becomes active. Once the
IOA flow becomes active, a RSCN is sent, which forces the host to perform a PLOGI again. Certain
target arrays perform a few back-to-back PLOGIs prior to the flow becoming active, which may
cause automatic path recovery to fail.
Workaround: To prevent exhausting PLOGI retries, set the wa-fcr-rule timeout to 5 seconds
through the CLI. Enter the tune wa-fcr-rule-timeout 5 command in the IOA cluster.
CSCtf16263
Symptom: Following an upgrade from Cisco MDS NX-OS Release 4.2(3a) to Release 5.0(1a) on
an MDS 9222i switch, the Encapsulating Security Protocol (ESP) configuration is not applied to
members of a PortChannel. This issue occurs only on the MDS 9222i switch.
Workaround: To work around this issue, follow these steps:
1. Enable Fibre Channel Security Protocol (FCSP) on the interface and enter
configuration-interface-esp submode.
switch(config)# interface po103
switch(config-if)# fcsp on
switch(config-if)# fcsp esp manual
2. Add the old egress Security Association (egress-sa) configuration on the switch. Egress-sa is the
other side of the active ingress-sa.
switch(config-if-esp)# egress-sa 258
3. Add a new ingress-sa on the switch. Do not use the previous SA.
switch(config-if-esp)# ingress-sa 256
4. On the other side of the PortChannel, reconfigure egress with 256.
switch(config)# interface po103
switch(config-if)# fcsp esp manual
switch(config-if-esp)# egress-sa 256
At this point, the link is fully secured on both sides.
5. Clean up the old ingress-sa by deleting it. An error message displays, but the ingress-sa does get
deleted.
switch(config-if-esp)# no ingress-sa 258
ERROR: SA 258 not in ingress list
If you fail to delete the old ingress-sa, an error message displays when you try to add it:
switch(config-if-esp)# ingress-sa 258
ERROR: SA 258 already in ingress list
6. Add the old ingress-sa.
switch(config-if-esp)# ingress-sa 258
CSCty32238