There are workarounds that address some of these vulnerabilities.
CVE-2021-27853
Administrators can use a Layer 2 access control list (ACL) to drop packets whose ethertype cannot be detected or, on ports where tags are not expected, to drop tagged traffic. If a single dot1p header is received, it will still be processed correctly if the network operating system supports it.
The following are examples of Layer 2 ACLs that could be implemented on access ports where FHS has been configured:
Cisco IOS Software – Switches
!
mac access-list extended CSCwa14271
permit any any 0x86DD 0x0
permit any any 0x800 0x0
permit any any 0x806 0x0
deny any any
!
interface GigabitEthernet1/0/1
switchport access vlan 5
switchport voice vlan dot1p
ipv6 nd raguard attach-policy HOSTS
mac access-group CSCwa14271 in
!
Cisco IOS XE Software – Switches
For Cisco IOS XE Software on switches, impact to all FHS features occurs on Cisco IOS Software releases 17.6.1 and later, but earlier than the first fixed release. The issue will not be seen if the access port VLAN also has an active switched virtual interface (SVI). If there are access ports in VLAN 5, for example, this issue will be observed only if interface vlan 5 is not configured. To mitigate this issue for vulnerable releases of Cisco IOS Software, administrators can ensure that each VLAN assigned to access ports has a corresponding SVI configured.
For Cisco IOS XE Software on switches, Dynamic ARP Inspection is affected on all releases. Administrators can configure static ARP entries for the default gateways and critical servers and hosts off the segments that are being protected to protect the critical assets in the environment.
Cisco IOS XE Software – Routers
For configurations that have a service instance with encapsulation priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can either add the keyword exact after encapsulation priority-tagged or filter on the ethertype field with encapsulation priority-tagged etype ipv4, ipv6.
For environments that do not have encapsulation priority-tagged assigned to a service instance, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure a service instance that is not assigned to a bridge domain with encapsulation priority-tagged.
Cisco IOS XR Software
For configurations that have an l2transport subinterface configured with encapsulation dot1q|dot1ad priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can add the keyword exact after encapsulation dot1q|dot1ad priority-tagged.
For environments that do not have encapsulation dot1q|dot1ad priority-tagged assigned to an l2transport subinterface, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure l2transport subinterfaces that are not assigned to a bridge domain with encapsulation dot1q priority-tagged and encapsulation dot1ad priority-tagged.
Cisco NX-OS Software
!
mac access-list drop_three_tags
deny any any 0x8100
deny any any 0x88a8
permit any any
!
interface ethernet 1/4
mac port access-group drop_three_tags
!
Cisco Small Business Switches
To ensure that FHS works correctly on access ports, install a MAC ACL that denies only tagged frames (because they are not expected on an access port) or that permits only ARP, IPv4, and IPv6 on all access ports. The following is an example from the Cisco Sx250, 350, and 550 Series Smart Switches and the Cisco Business 250 and 350 Series Smart Switches:
mac access-list extended arp-ip-ip6
permit any any 806 0000 ace-priority 1
permit any any 800 0000 ace-priority 2
permit any any 86dd 0000 ace-priority 3
CVE-2021-27861
The principle for mitigating CVE-2021-27861 is to drop any packets that cannot have their Layer 3 protocol detected using a Layer 2 ACL.
The following are examples of Layer 2 ACLs that could be implemented on access ports where FHS has been configured:
Cisco IOS Software – Switches
No mitigations or workarounds.
Cisco IOS XR Software
No mitigations or workarounds.
Cisco NX-OS Software
!
interface Ethernet1/3
switchport
switchport access vlan 5
mac port access-group drop_non
ipv6 nd raguard attach-policy HOSTS
!
interface Ethernet1/4
switchport
switchport access vlan 5
mac port access-group drop_non
ipv6 nd raguard attach-policy CSCvw92154
!
mac access-list drop_non
10 permit any any 0x86dd
20 permit any any ip
30 permit any any 0x806
35 permit any 0100.0ccc.cccc 0000.0000.0000
40 deny any any
!
Cisco Small Business Switches
No mitigations or workarounds.
While these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.