through channeling is lost. In the example
illustrated in Figure , switch A is the root bridge. Due to a
unidirectional link failure on the link between switches B and
C, switch C is not receiving BPDUs from switch B. Without loop
guard, the STP blocking port on C transitions to the STP
listening state when the max age timer expires and then to the
forwarding state in two times the forward delay time, and a
loop is created. Figure demonstrates how loop guard works to
prevent loops during a unidirectional link failure. With loop
guard enabled, the blocking port on switch C transitions into
the STP loop-inconsistent state when the max age timer expires.
Because a port in the STP loop-inconsistent state does not pass
user traffic, no loop is created. The loop-inconsistent state
is effectively equal to the blocking state.
8.5 Preventing STP Forwarding Loops

8.5.3 Configuring UDLD and Loop Guard

To enable or disable UDLD and loop guard, use the commands in Figure . These commands are described in Figure .

UDLD is used when a link should be shut down because of a hardware failure that is causing unidirectional communication. In an EtherChannel bundle, UDLD shuts down only the physical link that has failed. UDLD can be enabled globally for all fiber interfaces or on a per-interface basis.

To enable UDLD on an interface, use the following command:

    Switch(config-if)#udld port

To enable UDLD globally on all fiber-optic interfaces, use the following command:

    Switch(config)#udld enable

UDLD shuts down interfaces. To reset all interfaces that have been shut down, use the following command:

    Switch#udld reset

To verify the UDLD configuration for an interface, use this command:

    Switch#show udld interface

This example shows how to display the UDLD state for a single interface:

    Switch#show udld GigabitEthernet2/2
    Interface Gi2/2
    ---
    Port enable administrative configuration setting: Follows device default
    Port enable operational state: Enabled
    Current bidirectional state: Bidirectional
    Current operational state: Advertisement
    Message interval: 60
    Time out interval: 5
    No multiple neighbors detected
    Entry 1
    ---
    Expiration time: 146
    Device ID: 1
    Current neighbor state: Bidirectional
    Device name: 0050e2826000
    Port ID: 2/1
    Neighbor echo 1 device: SAD03160954
    Neighbor echo 1 port: Gi1/1
    Message interval: 5

Loop guard is enabled on a per-port basis. When loop guard is enabled, it is automatically applied to all the active VLAN instances to which that port belongs. When you disable loop guard, it is disabled for the specified ports. Disabling loop guard moves all loop-inconsistent ports to the listening state. If loop guard is enabled on an EtherChannel interface, the entire channel is blocked for a particular VLAN, because EtherChannel is regarded as one logical port from an STP point of view. Loop guard should be enabled on the root port and the alternative ports on access switches.

To enable loop guard on a specific interface, use this command:

    Switch(config-if)#spanning-tree guard loop

To disable loop guard, use this command:

    Switch(config-if)#no spanning-tree guard loop

Enabling loop guard disables root guard if root guard is currently enabled on the ports. Loop guard can be enabled globally on a switch for all point-to-point links. A full-duplex link is considered to be a point-to-point link. You can change the status of loop guard on an interface even if the feature has been enabled globally.

To enable loop guard globally on a Catalyst 4500 or 6500 running CatOS, use this command:

    Switch(config)#spantree global-default loopguard enable

To globally disable loop guard, use this command:

    Switch(config)#spantree global-default loopguard disable

To verify the loop guard status, use this command:

    Switch#show spantree guard mod/port | vlan

For example:

    Switch#show spantree guard 3/13
    Port                     VLAN Port-State    Guard Type
    ------------------------ ---- ------------- ----------
     3/13                    2    forwarding    loop

To enable loop guard globally on a Catalyst 3560, use the following global command:

    Switch(config)#spanning-tree loopguard default
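As an added example (not part of the course text), a small Python parser for the show udld output shown above: it turns the port block and each neighbor entry into a dictionary and then lists the conditions a monitoring job should alert on. The sample output is constructed to match the format above, and the finding messages are this example's own.

```python
# Constructed sample modelled on the "show udld GigabitEthernet2/2" output above (values made up).
SAMPLE_SHOW_UDLD = """\
Interface Gi2/2
---
Port enable administrative configuration setting: Follows device default
Port enable operational state: Enabled
Current bidirectional state: Bidirectional
No multiple neighbors detected
Entry 1
---
Expiration time: 146
Device ID: 1
Current neighbor state: Bidirectional
Device name: 0050e2826000
Port ID: 2/1
"""

def parse_show_udld(text):
    """Return {"interface", "port": {field: value}, "neighbors": [{field: value}, ...]}."""
    parsed = {"interface": None, "port": {}, "neighbors": []}
    current = parsed["port"]  # fields belong to the port until the first 'Entry N'
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface "):
            parsed["interface"] = line.split()[1]
        elif line.startswith("Entry "):
            current = {}  # each 'Entry N' opens a new neighbour block
            parsed["neighbors"].append(current)
        elif ":" in line:  # 'field: value'; separator and note lines have no colon
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return parsed

def udld_findings(parsed):
    """Conditions a monitoring job should alert on: the link is verified two-way only
    when the port state and every learned neighbour's state read 'Bidirectional';
    any other value, or no neighbour entry at all, means UDLD has not confirmed it."""
    intf, port = parsed["interface"], parsed["port"]
    findings = []
    if port.get("Port enable operational state") != "Enabled":
        findings.append(f"{intf}: UDLD not operationally enabled")
    if port.get("Current bidirectional state") != "Bidirectional":
        findings.append(f"{intf}: bidirectional state is {port.get('Current bidirectional state')!r}")
    if not parsed["neighbors"]:
        findings.append(f"{intf}: no UDLD neighbor learned")
    for nbr in parsed["neighbors"]:
        if nbr.get("Current neighbor state") != "Bidirectional":
            findings.append(f"{intf}: neighbor {nbr.get('Device name')} port {nbr.get('Port ID')} is {nbr.get('Current neighbor state')!r}")
    return findings
```

Feeding the output of show udld for each uplink through udld_findings on a schedule gives an alert the moment a port stops reporting Bidirectional, before the max age timer expires and loop guard has to react.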
8.5.4 Preventing STP Failures Due to Unidirectional Links

The functions of UDLD and loop guard partially overlap in that both protect against STP failures caused by unidirectional links. These two features are different in their approach to the problem and also in the way they function. Figure identifies the key differences. Depending on various design considerations, you can choose either UDLD or loop guard.

UDLD provides no protection against STP failures caused by software that results in the designated switch not sending BPDUs. This type of failure, however, is less common than those caused by hardware failure. On an EtherChannel bundle, UDLD disables individual failed links. The channel itself remains functional if other links are available. Loop guard puts the entire channel in loop-inconsistent state if BPDUs are not received across the EtherChannel. Loop guard does not work on shared links or a link that has been unidirectional since its initial setup. Enabling both UDLD and loop guard provides the highest level of protection.
8.6 Securing Network Switches

8.6.1 Describing Vulnerabilities in CDP

Attackers with knowledge of how CDP works could find ways to take advantage of the clear-text CDP packets to gain knowledge of the network. CDP runs at Layer 2 and allows Cisco devices to identify themselves to other Cisco devices. However, the information sent through CDP is transmitted in clear text and is unauthenticated. Utilizing a packet analyzer, attackers could glean information about the network device from CDP advertisements.

CDP is necessary for management applications and cannot be disabled without impairing some network-management applications. However, CDP can be selectively disabled on interfaces where management is not being performed. The interface command no cdp enable disables CDP on an individual interface. Figure describes how CDP can be used maliciously.
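As an added example, not from the course material: the guidance of 8.5.3 and 8.5.4 (UDLD and loop guard on uplinks, ideally both) and of 8.6.1 (CDP disabled where no management is performed) expressed as an audit over a running-config excerpt in Python. The interface names, the set of uplinks passed in, and the assumption that those uplinks are fiber (so a global udld enable covers them) are all constructed for this example.

```python
# Constructed IOS running-config excerpt for this example (not taken from a real device).
SAMPLE_CONFIG = """\
spanning-tree loopguard default
!
interface GigabitEthernet1/0/1
 udld port
 spanning-tree guard loop
!
interface GigabitEthernet1/0/2
 spanning-tree guard root
!
interface GigabitEthernet1/0/10
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/11
 switchport mode access
"""

def parse_ios_config(text):
    """Return (global command lines, {interface name: [its indented sub-commands]})."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split(None, 1)[1], [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        elif raw and not raw.startswith("!"):  # non-indented, non-separator: global command
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, interfaces

def audit_switch(text, uplinks):
    """Flag uplinks lacking UDLD or loop guard, and access ports still sending CDP.
    Assumes the named uplinks are fiber, so a global 'udld enable' covers them; a global
    'spanning-tree loopguard default' covers a port only if it carries no per-interface
    'spanning-tree guard ...' line, because root guard and loop guard replace each other."""
    global_cmds, interfaces = parse_ios_config(text)
    global_loopguard = "spanning-tree loopguard default" in global_cmds
    findings = []
    for name, cmds in interfaces.items():
        if name in uplinks:
            if not ("udld enable" in global_cmds or any(c.startswith("udld port") for c in cmds)):
                findings.append(f"{name}: uplink without UDLD")
            guard = [c for c in cmds if c.startswith("spanning-tree guard ")]
            if "spanning-tree guard loop" not in guard and not (global_loopguard and not guard):
                findings.append(f"{name}: uplink without loop guard")
        elif "switchport mode access" in cmds and "no cdp enable" not in cmds:
            findings.append(f"{name}: access port still advertises CDP")
    return findings
```

On the constructed excerpt, GigabitEthernet1/0/2 is reported twice: it has no udld port and its root guard line overrides the global loop guard default, which is exactly the interaction described in 8.5.3.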
8.6.2 Telnet Protocol Vulnerabilities

Telnet has the following vulnerabilities:
- All usernames, passwords, and data sent over the public network in clear text are vulnerable.
- A user with an account on the system could gain elevated privileges.
- A remote attacker could crash the Telnet service, preventing legitimate use of that service.
- A remote attacker could find an enabled guest account that may be present anywhere within the trusted domains of the server.
8.6.3 Configuring the Secure Shell Protocol

SSH is a client and server protocol used to log in to another device over a network, execute commands in a remote machine, and move files from one machine to another. It provides strong authentication and secure communications over insecure channels. It is a replacement for rlogin, rsh, rcp, rdist, and Telnet. When using the SSH login (instead of Telnet), the entire login session, including password transmission, is encrypted; therefore, it is almost impossible for an outsider to collect passwords. Cisco's implementation of SSH requires Cisco IOS to support RSA authentication and minimum DES encryption.

Although SSH is secure, many vendors' implementations of SSH contain vulnerabilities that could allow a remote attacker to execute arbitrary code with the privileges of the SSH process or cause a denial of service. Most of the SSH vulnerabilities have been addressed in the latest Cisco IOS software and in other vendors' SSH server and client software.

CAUTION: SSH version 1 implementations are vulnerable to various security compromises. Whenever possible, use SSH version 2.

To allow only SSH on a vty interface, use the