Cisco Catalyst 6500 and 6800 Series Switches running Cisco IOS Software, and Cisco Nexus 7000 and Nexus 7700 Series Switches with an M1 Series Gigabit Ethernet Module running Cisco NX-OS Software are vulnerable when LISP is configured. LISP is not enabled by default on either platform.
For information about which Cisco IOS and NX-OS Software versions are vulnerable, see the "Fixed Software" section of this advisory.
Cisco Catalyst 6500 and 6800 Series Switches
LISP support was first introduced in release 15.1(1)SY1. To determine if LISP is configured on the device, use the show running-config | include lisp command to see if router lisp is configured, as shown in the following example:
iosRouter# show running-config | include lisp
Determining the Cisco IOS Software Release
To determine which Cisco IOS Software release is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by the Cisco IOS Software release number and release name.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.2(1)SY1 with an installed image name of c6880x-ADVENTERPRISEK9-M:
iosRouter# show version
Cisco IOS Software, c6880x Software (c6880x-ADVENTERPRISEK9-M), Version 15.2(1)SY1, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 11-May-15 00:26 by prod_rel_team
Additional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS and NX-OS Software Reference Guide.
Nexus 7000 and 7700 Series Switches
The Nexus 7000 and 7700 Series Switches added LISP support in software release 5.2(1). The Nexus 7000 and 7700 Series Switches with LISP configured are vulnerable only if the LISP packet is input on an M1 Series Gigabit Ethernet Module. Use the show module | include M1 command to check whether an M1 module is installed in the Nexus 7000 chassis, as shown in the following example:
nxosRouter# show module | include M1
3 48 10/100/1000 Mbps Ethernet XL Module N7K-M148GT-11L powered-up
If there is an M1 Series Gigabit Ethernet Module installed, it will be vulnerable only if LISP packets are input to interfaces configured on this module. To check whether the LISP feature is enabled, use the show feature | include lisp command, as in the following example:
nxosRouter# show feature | include lisp
lisp 1 enabled
The show ip lisp command can be used to determine the LISP configuration for the M1 interfaces:
nxosRouter# show ip lisp
LISP IP Configuration Information for VRF "default" (iid 1)
Ingress Tunnel Router (ITR):enabled
Egress Tunnel Router (ETR):disabled
Proxy-ITR Router (PTR):disabled
Proxy-ETR Router (PETR):disabled
Map Resolver (MR):disabled
Map Server (MS):disabled
For more information on the Nexus 7000 and 7700 Series Switches LISP Configuration, see Configuring Locator/ID Separation Protocol.
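The checks described above can be run over saved command output from many devices at once. The following is an added example, not part of the Cisco advisory or any Cisco tool; the function names are hypothetical, the sample captures are constructed from the output shown on this page, and it assumes M1 model names begin with N7K-M1 as in that sample.

```python
import re

# Constructed sample captures, modelled on the command output shown in the advisory.
IOS_RUNCFG = "router lisp\n"
NXOS_MODULE = "3 48 10/100/1000 Mbps Ethernet XL Module N7K-M148GT-11L powered-up\n"
NXOS_FEATURE = "lisp 1 enabled\n"
NXOS_IP_LISP = ('LISP IP Configuration Information for VRF "default" (iid 1)\n'
                "Ingress Tunnel Router (ITR):enabled\n"
                "Egress Tunnel Router (ETR):disabled\n")

def ios_lisp_configured(run_cfg):
    """'show running-config | include lisp': is 'router lisp' present?"""
    return any(l.strip().startswith("router lisp") for l in run_cfg.splitlines())

def nxos_m1_modules(show_module):
    """'show module | include M1': (slot, model) per M1 card.
    Assumption: M1 model names begin with N7K-M1, as in the advisory's sample."""
    hits = (re.match(r"\s*(\d+)\s.*?\b(N7K-M1\S+)", l) for l in show_module.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in hits if m]

def nxos_lisp_feature_enabled(show_feature):
    """'show feature | include lisp': any lisp instance in state 'enabled'?"""
    rows = (l.split() for l in show_feature.splitlines())
    return any(r and r[0] == "lisp" and r[-1] == "enabled" for r in rows)

def nxos_lisp_roles(show_ip_lisp):
    """'show ip lisp': role abbreviation (ITR, ETR, ...) -> enabled?"""
    pairs = re.findall(r"\((\w+)\):\s*(enabled|disabled)", show_ip_lisp)
    return {role: state == "enabled" for role, state in pairs}

def nxos_triage(show_module, show_feature, show_ip_lisp):
    """Combine the three checks. The captures cannot show whether LISP packets
    actually arrive on an M1 interface, so the result is a review flag only."""
    modules = nxos_m1_modules(show_module)
    enabled = nxos_lisp_feature_enabled(show_feature)
    active = [r for r, on in nxos_lisp_roles(show_ip_lisp).items() if on]
    return {"m1_modules": modules, "lisp_enabled": enabled,
            "active_roles": active, "needs_review": bool(modules) and enabled}

if __name__ == "__main__":
    print("IOS LISP configured:", ios_lisp_configured(IOS_RUNCFG))
    print("NX-OS triage:", nxos_triage(NXOS_MODULE, NXOS_FEATURE, NXOS_IP_LISP))
```

A device flagged needs_review still has to be compared against the "Fixed Software" section of the advisory using its show version output.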
Determine the Cisco NX-OS Software Release
To determine the Cisco NX-OS Software release that is running on a Cisco Nexus 7000 Series switch, administrators can log in to the device and issue the show version command. The following example identifies the 6.2(14) release:
nxosRouter# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2015, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
BIOS: version 2.12.0
kickstart: version 6.2(14)
system: version 6.2(14)
Note: The following Cisco M1 Series Gigabit Ethernet Module Series modules are no longer supported as of Cisco NX-OS Release 7.3(0)D1(1):
No other Cisco products are currently known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco IOS-XR and Cisco IOS-XE.
Cisco 7600 Series Routers are not affected by this vulnerability.