CISCO-SA-N3KN9K_ACI_LLDP_DOS-NDGRRRA3

Vulnerable Products:

This vulnerability affects the following Cisco products if they are running a vulnerable software release and have the LLDP feature enabled globally and on at least one interface:

Nexus 3000 Series Switches (CSCwi75282) ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi75282"] Nexus 9000 Series Fabric Switches in ACI mode (CSCwq33193) ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwq33193"] Nexus 9000 Series Switches in standalone NX-OS mode (CSCwi75282) ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi75282"] UCS X-Series Direct Fabric Interconnects 9108 100G (CSCwq60777 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwq60777"])

For information about which Cisco software releases are vulnerable, see the Fixed Software ["#fs"] section of this advisory.

Determine the Status of LLDP on Cisco NX-OS Software in Standalone Mode

The LLDP feature is disabled by default on Cisco Nexus Switches that are running Cisco NX-OS Software in standalone mode. To determine if the LLDP feature has been enabled, use the show feature | include lldp command at the device CLI. The following example shows that the LLDP feature is enabled:

switch# show feature | include lldp lldp 1 enabled

If the LLDP feature has been enabled, LLDP is also enabled on all interfaces by default. The processing of incoming LLDP packets can be selectively disabled on a specific interface by using the no lldp receive interface-level configuration command.

To determine the status of LLDP on a specific interface, use the show lldp interface ethernet module/interface command at the device CLI. If the enable (rx) status is set to Y, the interface accepts incoming LLDP packets, as shown in the following example:

switch# show lldp interface ethernet 1/1 Interface Information: Enable (tx/rx/dcbx): Y/Y/Y Port Mac address: 00:a6:ca:b6:84:5a

Determine the Status of LLDP on Cisco Nexus 9000 Series Fabric Switches in ACI...