Cisco Switch System Availability
Today I will discuss Cisco switch system availability. Many attacks exist, and more are being created, that cause a partial or complete denial of service (DoS) to systems or networks. Switches are just as susceptible to these attacks, which focus on exhausting a resource (e.g., the system processor, bandwidth, or connection state) so that it is unavailable to legitimate traffic.
The following countermeasures mitigate the vulnerabilities to system availability on each switch:
- To prevent fast flooding attacks from starving the system, and to guarantee that even the lowest-priority processes get some processor time, use the scheduler interval command. It sets the maximum time that can elapse without the lowest-priority process being run. The following Cisco Switch System Availability example sets that maximum to 500 milliseconds.
Switch(config)# scheduler interval 500
Another way to guarantee processor time for processes is the scheduler allocate command. It takes two values: the interrupt time (the maximum time spent handling interrupts, e.g., fast-switching packets) and the process time (the time then guaranteed to process-level tasks).
The following Cisco Switch System Availability example reserves about 10 percent of the processor for process tasks (400 of every 4400 microseconds), with an interrupt time of 4000 microseconds and a process time of 400 microseconds.
Switch(config)# scheduler allocate 4000 400
- Use the following command on each interface to turn flow control off, so that a neighbour sending IEEE 802.3x pause frames cannot stall the port.
Switch(config-if)# flowcontrol receive off
- UDLD (Unidirectional Link Detection) should be disabled globally and on every interface where it is not required; it is normally only needed on fibre or other point-to-point links where a unidirectional failure is possible. To disable UDLD globally use the following command.
Switch(config)# no udld enable
To disable UDLD on each interface use one of the following commands, depending on the switch model and IOS version.
Switch(config-if)# no udld port
or
Switch(config-if)# udld disabled
- To help limit the effect of a SYN flood, the administrator can set the amount of time the switch will wait while attempting to establish a TCP connection before giving up. This bounds how long a half-open connection attempt holds state on the switch; it does not filter or rate-limit inbound SYN packets. The following command sets the wait time to 10 seconds (the default is 30).
Switch(config)# ip tcp synwait-time 10
- In order for voice traffic to have priority through a network it must be easy to determine which packets are voice, even when the voice signalling and data are encrypted. However, anyone with a network analyser can then just as easily pick out the voice traffic. This additional risk must be weighed when deciding whether Quality of Service (QoS) parameters will be configured for voice traffic.
The following command will turn on QoS features:
Switch(config)# mls qos
The following commands force best-effort priority (CoS 0) for every frame arriving on an untrusted system's port, regardless of the priority the attached device asks for.
Switch(config-if)# mls qos cos 0
Switch(config-if)# mls qos cos override
The following command accepts the priority (DSCP) assigned by a trusted system (e.g., a voice gateway). Use it only on ports where the attached device really is trusted, since anything plugged into such a port can mark its own traffic as high priority.
Switch(config-if)# mls qos trust dscp
The following commands accept the priority assigned by a Cisco IP Phone (the trust is applied only while CDP detects a phone on the port) but force best-effort priority for any computer attached behind the phone.
Switch(config-if)# mls qos trust dscp
Switch(config-if)# mls qos trust device cisco-phone
Switch(config-if)# switchport priority extend cos 0
Isolate voice traffic in separate subnets using VLANs, and control the interactions between the voice and data subnets (for example with access lists) so that a compromised workstation cannot flood the voice network.
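As an added example (not part of the original article, and not Cisco's own tooling), the following Python script audits the text of a Cisco IOS running-config for the availability settings discussed above: the scheduler and synwait-time globals, QoS being enabled, UDLD left on, flow control accepted on a port, and ports that trust DSCP/CoS unconditionally or trust a phone without forcing the PC behind it to CoS 0. The configuration embedded in it is constructed for illustration. One caveat the script is built around: settings that are the platform default, such as flowcontrol receive off or a globally disabled UDLD, are not displayed by show running-config, so it looks for the enabling forms and treats their absence as compliant.

```python
"""Audit a Cisco IOS running-config for the switch availability settings above.

Added example, not from the original article. SAMPLE_CONFIG is a constructed
configuration; call audit() on captured 'show running-config' text instead.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: globals follow the article except UDLD is left on and
# synwait-time is unset; Fa0/3 trusts DSCP unconditionally; Gi0/1 is unhardened.
SAMPLE_CONFIG = """\
scheduler interval 500
scheduler allocate 4000 400
udld aggressive
mls qos
!
interface FastEthernet0/1
 mls qos cos 0
 mls qos cos override
!
interface FastEthernet0/2
 switchport voice vlan 100
 mls qos trust dscp
 mls qos trust device cisco-phone
 switchport priority extend cos 0
!
interface FastEthernet0/3
 mls qos trust dscp
!
interface GigabitEthernet0/1
 flowcontrol receive on
 udld port
 mls qos trust cos
!
"""

# Global commands that must be present, and the finding to report if absent.
GLOBAL_CHECKS = {
    "scheduler interval": "no 'scheduler interval': low-priority processes may starve during a flood",
    "scheduler allocate": "no 'scheduler allocate': process time is not guaranteed against interrupt load",
    "ip tcp synwait-time": "no 'ip tcp synwait-time': half-open attempts use the 30 s default",
    "mls qos": "'mls qos' not enabled: per-port trust and override settings have no effect",
}


def split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface line lists."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # a '!' separator ends the current interface block
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" "):
            if current is not None:  # indented lines belong to the open interface
                interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def _has(lines: List[str], pattern: str) -> bool:
    return any(re.match(pattern, line) for line in lines)


def audit_global(global_lines: List[str]) -> List[str]:
    findings = [msg for prefix, msg in GLOBAL_CHECKS.items()
                if not any(line.startswith(prefix) for line in global_lines)]
    # Disabled UDLD is the default and is not shown, so look for the enabling forms.
    if _has(global_lines, r"udld (enable|aggressive)\b"):
        findings.append("UDLD enabled globally: enable it per interface only where required")
    for line in global_lines:
        m = re.match(r"ip tcp synwait-time (\d+)", line)
        if m and int(m.group(1)) > 10:
            findings.append(f"ip tcp synwait-time {m.group(1)} s exceeds the recommended 10 s")
    return findings


def audit_interface(lines: List[str]) -> List[str]:
    findings: List[str] = []
    if _has(lines, r"flowcontrol receive (on|desired)\b"):
        findings.append("flow control accepted: pause frames from the neighbour can stall this port")
    if _has(lines, r"udld (port|enable)\b"):
        findings.append("UDLD enabled on this port: confirm the link actually needs it")
    trusts = _has(lines, r"mls qos trust (dscp|cos)\b")
    phone_only = _has(lines, r"mls qos trust device cisco-phone\b")
    forced = _has(lines, r"mls qos cos override\b")
    if trusts and not phone_only and not forced:
        findings.append("unconditional trust: acceptable only for trusted infrastructure such as a voice gateway")
    if phone_only and not _has(lines, r"switchport priority extend cos 0\b"):
        findings.append("phone trusted but the PC behind it can still set its own CoS")
    return findings


def audit(config: str) -> Dict[str, List[str]]:
    """Return {'global': [...], '<interface>': [...]} with one string per finding."""
    global_lines, interfaces = split_config(config)
    report = {"global": audit_global(global_lines)}
    for name, lines in interfaces.items():
        report[name] = audit_interface(lines)
    return report


if __name__ == "__main__":
    for scope, findings in audit(SAMPLE_CONFIG).items():
        print(scope, findings or "OK")
```

The unconditional-trust finding is deliberately reported for the voice-gateway uplink as well: the script cannot know which ports face trusted infrastructure, so it lists every such port for a human to confirm rather than silently accepting a description field.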