HP Cisco MDS 8/24c: Cisco MDS 9000 Family Release Notes for Cisco MDS NX-OS Release 5.0(4d), Page 36





Send documentation comments to [email protected]
Cisco MDS 9000 Family Release Notes for Cisco MDS NX-OS Release 5.0(4d)
OL-21012-06
Page 36
Caveats
Resolved Caveats
• CSCto68011
Symptom: The fcdomain service on both supervisor modules fails, which results in a reload of the device. An error message similar to the following is displayed:
%SYSMGR-2-SERVICE_CRASHED: Service "fcdomain" (PID 4688) hasn't caught signal 11 (core will be saved)
Signal 11 is SIGSEGV: the fcdomain process faulted on a memory access. The crash is triggered through SNMP, which is why the workaround below restricts which sources can reach the SNMP port.
This issue affects the following products when they have SNMP configured:
- Cisco MDS 9000 Series Multilayer switches
- Cisco Nexus 5000 Series switches and Cisco Nexus 2000 Series, running in FC switching mode (NPV mode is not affected).
The following products are confirmed not vulnerable:
- Cisco Nexus 7000 Series switches
- Cisco Nexus 4000 Series switches
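The symptom above is visible in the switch syslog, so an operator can alert on it before the supervisors reload. The following detector is an added example, not part of the Cisco release notes: it parses NX-OS style SYSMGR-2-SERVICE_CRASHED lines, keeps only fcdomain crashes on signal 11 (the signature quoted in the caveat), and counts them per host. The sample log lines, the hostnames, PIDs and timestamps, and the rule that two such crashes on one host indicate an imminent reload are all constructed for illustration.

```python
"""Detect fcdomain SIGSEGV crashes (the CSCto68011 symptom) in NX-OS syslog.

Added example; the message format is the one quoted in the caveat, the
sample lines and the "two crashes = both supervisors" heuristic are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample syslog in NX-OS layout: "YYYY Mon DD HH:MM:SS host %FACILITY-SEV-MNEMONIC: text".
SAMPLE_LOGS = """\
2011 Jun 14 10:21:07 mds-core-1 %SYSMGR-2-SERVICE_CRASHED: Service "fcdomain" (PID 4688) hasn't caught signal 11 (core will be saved)
2011 Jun 14 10:21:09 mds-core-1 %SYSMGR-2-SERVICE_CRASHED: Service "fcdomain" (PID 4690) hasn't caught signal 11 (core will be saved)
2011 Jun 14 10:21:30 mds-core-1 %SYSMGR-2-SERVICE_CRASHED: Service "snmpd" (PID 3122) hasn't caught signal 6 (core will be saved)
2011 Jun 14 10:22:00 mds-core-1 %PORT-5-IF_UP: Interface fc1/1 is up
2011 Jun 14 10:25:41 mds-edge-2 %SYSMGR-2-SERVICE_CRASHED: Service "fcdomain" (PID 5120) hasn't caught signal 11 (core will be saved)
"""

# Matches the SYSMGR crash message and captures the fields an analyst needs.
CRASH_RE = re.compile(r"""
    ^(?P<ts>\d{4}\s\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s
    (?P<host>\S+)\s
    %SYSMGR-2-SERVICE_CRASHED:\sService\s"(?P<service>[^"]+)"\s
    \(PID\s(?P<pid>\d+)\)\shasn't\scaught\ssignal\s(?P<signal>\d+)
""", re.VERBOSE)

SIGSEGV = 11  # signal 11: memory access fault, as in the quoted message


@dataclass(frozen=True)
class ServiceCrash:
    timestamp: str
    host: str
    service: str
    pid: int
    signal: int


def parse_crash(line: str) -> Optional[ServiceCrash]:
    """Return the crash record for a SERVICE_CRASHED line, or None for any other line."""
    m = CRASH_RE.match(line)
    if not m:
        return None
    return ServiceCrash(m["ts"], m["host"], m["service"], int(m["pid"]), int(m["signal"]))


def is_cscto68011_signature(crash: ServiceCrash) -> bool:
    """The caveat's signature: the fcdomain service dying on SIGSEGV."""
    return crash.service == "fcdomain" and crash.signal == SIGSEGV


def scan(text: str) -> List[ServiceCrash]:
    """All fcdomain SIGSEGV crashes found in a block of syslog text."""
    return [c for c in map(parse_crash, text.splitlines()) if c and is_cscto68011_signature(c)]


def hosts_at_risk_of_reload(text: str, min_crashes: int = 2) -> Dict[str, int]:
    """Hosts with at least min_crashes fcdomain SIGSEGVs (constructed heuristic for
    'both supervisor modules failed', which the caveat says precedes a reload)."""
    counts = Counter(c.host for c in scan(text))
    return {host: n for host, n in counts.items() if n >= min_crashes}


if __name__ == "__main__":
    for crash in scan(SAMPLE_LOGS):
        print(f"{crash.timestamp} {crash.host}: fcdomain PID {crash.pid} SIGSEGV")
    print("hosts likely to reload:", hosts_at_risk_of_reload(SAMPLE_LOGS))
```

Feed the detector from a syslog collector rather than the switch itself: once both supervisors have lost fcdomain the device reloads and its local log buffer goes with it.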
Workaround: This issue is resolved in this release. For devices that cannot yet be upgraded, the following workaround is available:
Infrastructure Access Control Lists
Caution: Because the feature in this vulnerability uses UDP as a transport, it is possible to spoof the sender's IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses.
Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of networks. Infrastructure Access Control Lists (iACLs) are a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The iACL example below should be included as part of the deployed infrastructure access list, which protects all devices with IP addresses in the infrastructure IP address range:
!---
!--- Feature: SNMP
!---
!---
!--- Permit SNMP traffic from trusted sources.
!---
ip access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq port snmp
ip access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq port snmp
!---
!--- Deny SNMP traffic from all other sources.
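The TRUSTED_SOURCE_ADDRESSES / WILDCARD / INFRASTRUCTURE_ADDRESSES placeholders have to be filled in with real prefixes and IOS-style wildcard masks (the bitwise inverse of the subnet mask), which is where hand-written iACLs usually go wrong. The generator below is an added example, not Cisco's code and not part of the release notes: it takes trusted-manager and infrastructure CIDRs, computes the wildcards with the standard library, emits the permit entries followed by the "deny from all other sources" entries the workaround calls for, and can prepend anti-spoofing entries that drop packets arriving with an infrastructure source address, which is the usual answer to the Caution about UDP source spoofing on a border interface. The ACL number 150 and the entry layout follow the workaround text (the port match is written in the IOS keyword form `eq snmp`); the prefixes, the `anti_spoof` option and the overlap check are assumptions of this example.

```python
"""Render the SNMP section of an iACL from CIDR prefixes (added example).

Entry syntax mirrors the workaround text; 'eq snmp' is the IOS keyword for port 161.
The anti-spoof entries assume the ACL is applied inbound on a border interface
where no legitimate packet can carry an infrastructure source address.
"""
import ipaddress
from typing import Iterable, List

ACL_NUMBER = 150                  # ACL number used in the workaround text
SNMP_PROTOCOLS = ("udp", "tcp")   # the workaround permits both; the attack transport is UDP


def wildcard(prefix: str) -> str:
    """Render a CIDR prefix as 'NETWORK WILDCARD', e.g. 10.0.0.0/8 -> '10.0.0.0 0.255.255.255'."""
    net = ipaddress.ip_network(prefix, strict=True)   # rejects a prefix with host bits set
    return f"{net.network_address} {net.hostmask}"


def _comment(text: str) -> List[str]:
    return ["!---", f"!--- {text}", "!---"]


def snmp_iacl(trusted_sources: Iterable[str], infrastructure: Iterable[str],
              acl: int = ACL_NUMBER, anti_spoof: bool = False) -> List[str]:
    """Build the SNMP-related iACL entries: optional anti-spoof denies, permits from
    trusted sources to the infrastructure range, then denies from everywhere else."""
    trusted = [ipaddress.ip_network(p, strict=True) for p in trusted_sources]
    infra = [ipaddress.ip_network(p, strict=True) for p in infrastructure]
    if not trusted or not infra:
        raise ValueError("need at least one trusted source and one infrastructure prefix")

    lines: List[str] = []
    if anti_spoof:
        # A manager inside the infrastructure range would be blocked by its own
        # anti-spoof entry, so refuse that combination instead of emitting a broken ACL.
        for src in trusted:
            for dst in infra:
                if src.overlaps(dst):
                    raise ValueError(f"trusted source {src} lies inside infrastructure prefix {dst}; "
                                     "anti-spoof entries would block it")
        lines += _comment("Anti-spoofing: drop packets that claim an infrastructure source address.")
        for dst in infra:
            lines.append(f"ip access-list {acl} deny ip {wildcard(str(dst))} any")

    lines += _comment("Feature: SNMP")
    lines += _comment("Permit SNMP traffic from trusted sources.")
    for src in trusted:
        for dst in infra:
            for proto in SNMP_PROTOCOLS:
                lines.append(f"ip access-list {acl} permit {proto} "
                             f"{wildcard(str(src))} {wildcard(str(dst))} eq snmp")

    lines += _comment("Deny SNMP traffic from all other sources.")
    for dst in infra:
        for proto in SNMP_PROTOCOLS:
            lines.append(f"ip access-list {acl} deny {proto} any {wildcard(str(dst))} eq snmp")
    return lines


if __name__ == "__main__":
    # Constructed RFC 1918 / documentation prefixes: one management subnet, one switch range.
    print("\n".join(snmp_iacl(["10.10.0.0/24"], ["192.0.2.0/28"], anti_spoof=True)))
```

The output is only the SNMP section; the rest of the infrastructure ACL (other management protocols and the final entries for transit traffic) still has to be appended according to the existing policy. Note that the permits are keyed on source address, so the Caution still applies wherever a spoofed packet can reach the interface without crossing an anti-spoof filter.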
Table 16 Open Caveats and Resolved Caveats Reference (continued)

DDTS Number   Severity   NX-OS Software Release (Open or Resolved)
                         5.0(4c)     5.0(4d)
CSCtn68418    4          O           O