Cisco Switch System Availability

Today I will discuss the Cisco Switch System Availability issue. Many attacks exist, and more are being created, that cause denial of service (DoS), either partially or completely, to systems or networks. Switches are just as susceptible to these attacks, which focus on making resources (e.g., the system processor, bandwidth) unavailable.

The following countermeasures will mitigate the vulnerabilities to system availability on each switch:

  • To prevent fast flooding attacks and to guarantee that even the lowest-priority processes get some processor time, use the scheduler interval command. The following example sets the maximum time before running the lowest-priority process to 500 milliseconds.

Switch(config)# scheduler interval 500

Another way to guarantee processor time for processes is to use the scheduler allocate command. This command sets the interrupt time and the process time.

The following example makes 10 percent of the processor available for process tasks, with an interrupt time of 4000 microseconds and a process time of 400 microseconds.

Switch(config)# scheduler allocate 4000 400

  • Use the following command on each interface to turn flow control off.

Switch(config-if)# flowcontrol receive off

  • UDLD should be disabled globally and on every interface where it is not required. To disable UDLD globally, use the following command.

Switch(config)# no udld enable

To disable UDLD on each interface use one of the following commands, depending on the switch model and IOS version.

Switch(config-if)# no udld port
or
Switch(config-if)# udld disabled

  • To help prevent SYN flood attacks, the administrator can set the amount of time the switch will wait while attempting to establish a TCP connection. The following command sets the wait time to 10 seconds.

Switch(config)# ip tcp synwait-time 10

  • In order for voice traffic to have priority through a network, it must be easy to determine which packets are voice, even if the voice signaling and data are encrypted. However, anyone with a network analyzer can also easily pick out the voice traffic. This additional risk must be considered when deciding whether Quality of Service (QoS) parameters will be configured for voice traffic.

The following command will turn on QoS features:

Switch(config)# mls qos

The following command will force best effort priority for an untrusted system.

Switch(config-if)# mls qos cos 0
Switch(config-if)# mls qos cos override

The following command will accept the priority assigned by a trusted system (e.g., voice gateway).

Switch(config-if)# mls qos trust dscp

The following commands will accept the priority assigned by an IP Phone but will force best effort priority for any attached computer.

Switch(config-if)# mls qos trust dscp
Switch(config-if)# mls qos trust device cisco-phone
Switch(config-if)# switchport priority extend cos 0

Isolate voice traffic in separate subnets using VLANs, and control the interactions between voice and data subnets.
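To verify that these countermeasures are actually present on a switch, the following added example (my own script, not part of the original article) audits a saved running-config for the global commands listed above and for the per-interface flow control and UDLD settings. The configuration text it parses is constructed for illustration; in practice you would feed it the output of `show running-config`.

```python
import re
# Constructed sample running-config excerpt; not captured from a real device.
SAMPLE_CONFIG = """\
scheduler interval 500
scheduler allocate 4000 400
no udld enable
!
interface GigabitEthernet0/1
 flowcontrol receive off
 no udld port
!
interface GigabitEthernet0/2
 udld port
!
"""

# Global commands the article calls for, matched one per line.
GLOBAL_CHECKS = {
    "scheduler interval": re.compile(r"^scheduler interval \d+$", re.M),
    "scheduler allocate": re.compile(r"^scheduler allocate \d+ \d+$", re.M),
    "tcp synwait-time": re.compile(r"^ip tcp synwait-time \d+$", re.M),
    "udld disabled globally": re.compile(r"^no udld enable$", re.M),
}

def split_interfaces(config):
    # Return {interface name: [indented sub-commands]} from IOS-style text.
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None  # '!' or another global command ends the block
    return ifaces

def audit(config):
    # Report missing global hardening commands and per-interface gaps.
    findings = {"global_missing": [], "interfaces": {}}
    for name, pat in GLOBAL_CHECKS.items():
        if not pat.search(config):
            findings["global_missing"].append(name)
    for iface, lines in split_interfaces(config).items():
        gaps = []
        if "flowcontrol receive off" not in lines:
            gaps.append("flow control not disabled")
        if "no udld port" not in lines and "udld disabled" not in lines:
            gaps.append("UDLD not disabled")
        findings["interfaces"][iface] = gaps
    return findings
```

On the sample config this reports the missing `ip tcp synwait-time` command and flags GigabitEthernet0/2, where flow control is still on and UDLD is enabled.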

Shahed Israr

Shahed Israr is a Network Engineer specializing in GPON, FTTH, and telecom access network technologies. With hands-on experience in Huawei OLT and ONT configuration, U2000 NMS deployment, iMaster NCE-FAN Lite management systems, firmware upgrades, and advanced network troubleshooting, he helps Internet Service Providers (ISPs) and network professionals deploy, manage, and optimize fiber optic networks efficiently. Through GPON Solution, he shares practical technical guides, real-world solutions, and professional knowledge to support engineers working in modern GPON infrastructure.
