This is a modification to the product to adopt new secure coding best practices and enhance the security posture and resiliency of the product. In particular, traffic with a unicast destination IP address but a multicast or broadcast destination MAC address was permitted between endpoint groups (EPGs) in the same bridge domain (BD), even if not permitted by the defined contract and even if no contract was defined at all. Likewise, ARP messages with a multicast source MAC address or a multicast sender hardware address were permitted through in these scenarios. This behavior is documented in the "How contracts work" section of the "Cisco ACI Contract Guide": https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html#Howcontractswork
This issue affects devices running Cisco NX-OS Software in ACI mode prior to release 15.2(5c) that are configured with multiple EPGs in the same BD.
None. The only solution is to upgrade to Cisco NX-OS Software in ACI mode release 15.2(5c) or later.
With these changes implemented, switches running Cisco NX-OS Software in ACI mode will apply both of the following rules to inter-EPG traffic:
1. Drop traffic with a broadcast or multicast destination MAC address but a non-broadcast/non-multicast destination IP address, if Multi-Destination Flooding is set to "Drop" at the BD level
2. Drop ARP messages which have either a broadcast or multicast source MAC address or a broadcast or multicast sender hardware address
Customers who need to permit ARP messages with a multicast source MAC address for use cases like Microsoft's Network Load Balancing (NLB) can disable dropping of those messages at the BD level by unchecking the "Drop ARP with Multicast SMAC" option under "Networking > Bridge Domains > [BD name] > Policy > Advanced/Troubleshooting".
* BDs that were created in releases prior to 15.2(5c) will retain the "Drop ARP with Multicast SMAC" setting even after upgrade to 15.2(5c) or later for backward compatibility
* BDs that are newly created in 15.2(5c) or later will have the "Drop ARP with Multicast SMAC" setting by default
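The two rules above, together with the two BD-level knobs that gate them, can be checked offline against raw frames. The following is an added illustration written for this page, not Cisco's code or the switch's actual forwarding logic: `BridgeDomainPolicy`, `classify` and the frame builders are hypothetical names, the sample MAC and IP addresses are constructed, and "pass" only means the frame is not dropped by these two rules (contract evaluation still follows on the real switch).

```python
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Outcomes. PASS means only that rule 1 and rule 2 did not drop the frame;
# the EPG contract is still evaluated afterwards on a real fabric.
PASS = "pass"
DROP_RULE1 = "drop: rule 1 (group DMAC with unicast DIP, BD flooding set to Drop)"
DROP_RULE2 = "drop: rule 2 (ARP with group SMAC or group sender hardware address)"
DROP_MALFORMED = "drop: truncated header"


@dataclass
class BridgeDomainPolicy:
    """Hypothetical model of the two BD-level settings named in the advisory."""
    multi_destination_flooding_drop: bool = False  # "Multi-Destination Flooding" set to Drop
    drop_arp_with_multicast_smac: bool = True      # "Drop ARP with Multicast SMAC" checked


def is_group_mac(mac: bytes) -> bool:
    """Broadcast or multicast MAC: the I/G bit (LSB of the first octet) is set."""
    return bool(mac[0] & 0x01)


def is_group_ipv4(ip: bytes) -> bool:
    """224.0.0.0/4 multicast or the 255.255.255.255 limited broadcast address."""
    return (ip[0] & 0xF0) == 0xE0 or ip == b"\xff\xff\xff\xff"


def classify(frame: bytes, bd: BridgeDomainPolicy) -> str:
    """Apply rule 1 (IPv4) and rule 2 (ARP) to one Ethernet II frame."""
    if len(frame) < 14:
        return DROP_MALFORMED
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]

    if ethertype == ETHERTYPE_IPV4:
        if len(payload) < 20:
            return DROP_MALFORMED
        dst_ip = payload[16:20]  # destination address sits at IPv4 header offset 16
        # Rule 1: group-addressed frame carrying a unicast destination IP,
        # dropped only when the BD's Multi-Destination Flooding is "Drop".
        if bd.multi_destination_flooding_drop and is_group_mac(dst_mac) and not is_group_ipv4(dst_ip):
            return DROP_RULE1
        return PASS

    if ethertype == ETHERTYPE_ARP:
        if len(payload) < 28:
            return DROP_MALFORMED
        sender_hw = payload[8:14]  # sender hardware address sits at ARP offset 8
        # Rule 2: group source MAC or group sender hardware address,
        # unless "Drop ARP with Multicast SMAC" was unchecked (e.g. for NLB).
        if bd.drop_arp_with_multicast_smac and (is_group_mac(src_mac) or is_group_mac(sender_hw)):
            return DROP_RULE2
        return PASS

    return PASS


def build_ipv4_frame(dst_mac: bytes, src_mac: bytes, dst_ip: bytes) -> bytes:
    """Constructed sample: Ethernet II + minimal 20-byte IPv4 header (checksum left zero)."""
    src_ip = bytes([10, 0, 0, 1])
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, src_ip, dst_ip)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr


def build_arp_request(dst_mac: bytes, src_mac: bytes, sender_hw: bytes) -> bytes:
    """Constructed sample: Ethernet II + 28-byte ARP request for 10.0.0.5."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                      sender_hw, bytes([10, 0, 0, 1]), b"\x00" * 6, bytes([10, 0, 0, 5]))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


if __name__ == "__main__":
    # Constructed addresses: a unicast MAC, an IPv4 multicast MAC, a broadcast MAC.
    uni, mcast, bcast = bytes.fromhex("02aabbccddee"), bytes.fromhex("01005e000005"), b"\xff" * 6
    print(classify(build_ipv4_frame(mcast, uni, bytes([10, 0, 0, 5])),
                   BridgeDomainPolicy(multi_destination_flooding_drop=True)))
    print(classify(build_arp_request(bcast, mcast, mcast), BridgeDomainPolicy()))
```

Rule 1 is deliberately conditioned on the flooding knob and rule 2 on the ARP knob, mirroring the two settings the advisory names; a BD created before 15.2(5c) or one where the ARP option has been unchecked is modelled by `BridgeDomainPolicy(drop_arp_with_multicast_smac=False)`.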
Cisco would like to thank Erlend Leiknes of mnemonic for reporting this issue.
The Cisco PSIRT has evaluated this issue and determined that it does not have a security impact that requires PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html