Cisco MDS 9000 Family Release Notes for Cisco MDS NX-OS Release 5.0(4d) (OL-21012-06 B0, May 2011)
Send documentation comments to mdsfeedback-doc@cisco.com
Caveats
Resolved Caveats
• CSCto68011
Symptom: The fcdomain service on both supervisor modules fails, which results in a reload of the
device. An error message similar to the following is displayed:
%SYSMGR-2-SERVICE_CRASHED: Service "fcdomain" (PID 4688) hasn't caught signal 11 (core will be saved)
This issue affects the following products when they have SNMP configured:
– Cisco MDS 9000 Series Multilayer switches
– Cisco Nexus 5000 Series switches and Cisco Nexus 2000 Series, running in FC switching mode (NPV mode is not affected).
The following products are confirmed not vulnerable:
– Cisco Nexus 7000 Series switches
– Cisco Nexus 4000 Series switches
Workaround: This issue is resolved. The following workaround is available:
Infrastructure Access Control Lists
Caution: Because the feature in this vulnerability uses UDP as a transport, it is possible to spoof the sender's IP
address, which may defeat ACLs that permit communication to these ports from trusted IP addresses.
Although it is often difficult to block traffic that transits a network, it is possible to identify traffic
that should never be allowed to target infrastructure devices and block that traffic at the border of
networks. Infrastructure Access Control Lists (iACLs) are a network security best practice and
should be considered as a long-term addition to good network security as well as a workaround for
this specific vulnerability. The iACL example below should be included as part of the deployed
infrastructure access list, which protects all devices with IP addresses in the infrastructure IP
address range:
!---
!--- Feature: SNMP
!---
!---
!--- Permit SNMP traffic from trusted sources.
!---
ip access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq port snmp
ip access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq port snmp
!---
!--- Deny SNMP traffic from all other sources.
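
The following is an added example, not part of the Cisco release notes: a small Python model of first-match ACL evaluation with wildcard masks, showing how the permit/deny structure above treats SNMP traffic and why the Caution about UDP source addresses applies. The addresses (RFC 5737 documentation ranges), the explicit deny entries, and the names `Rule`, `wc_match`, `evaluate` and `demo` are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

SNMP_PORT = 161  # SNMP agent port

class Rule(NamedTuple):
    action: str   # "permit" or "deny"
    proto: str    # "udp" or "tcp"
    src: str      # source address
    src_wc: str   # source wildcard mask (1 bits are ignored)
    dst: str      # destination address
    dst_wc: str   # destination wildcard mask
    dport: int    # destination port

def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: only bits that are 0 in the wildcard must match."""
    ip = lambda a: int(ipaddress.IPv4Address(a))
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def evaluate(acl, proto, src, dst, dport) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for r in acl:
        if (r.proto == proto and r.dport == dport
                and wc_match(src, r.src, r.src_wc)
                and wc_match(dst, r.dst, r.dst_wc)):
            return r.action
    return "deny"

# Constructed values standing in for the placeholders in the template above.
TRUSTED = ("192.0.2.0", "0.0.0.255")      # TRUSTED_SOURCE_ADDRESSES WILDCARD
INFRA = ("198.51.100.0", "0.0.0.255")     # INFRASTRUCTURE_ADDRESSES WILDCARD
ANY = ("0.0.0.0", "255.255.255.255")

ACL = [
    Rule("permit", "udp", *TRUSTED, *INFRA, SNMP_PORT),
    Rule("permit", "tcp", *TRUSTED, *INFRA, SNMP_PORT),
    Rule("deny", "udp", *ANY, *INFRA, SNMP_PORT),
    Rule("deny", "tcp", *ANY, *INFRA, SNMP_PORT),
]

def demo() -> dict:
    switch = "198.51.100.10"  # constructed infrastructure address
    return {
        "nms": evaluate(ACL, "udp", "192.0.2.25", switch, SNMP_PORT),
        "untrusted": evaluate(ACL, "udp", "203.0.113.7", switch, SNMP_PORT),
        # The ACL sees only the source field of the header, so a UDP datagram
        # that merely claims a trusted source gets the same verdict as a real one.
        "claimed_trusted_source": evaluate(ACL, "udp", "192.0.2.99", switch, SNMP_PORT),
    }
```

Calling `demo()` returns the verdict for each case; the third case is the reason the Caution says ACLs keyed on trusted source addresses may be defeated for UDP.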

Table 16 Open Caveats and Resolved Caveats Reference (continued)

DDTS Number     NX-OS Software Release (Open or Resolved)
                5.0(4c)     5.0(4d)
Severity 4
CSCtn68418      O           O