OL-11615-01
For more information about CDP in Catalyst OS, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/cmd_ref/ses_sete.htm#wp1026797
For more information about CDP in IOS, refer to the following URL:
http://www.cisco.com/en/US/partner/tech/tk962/technologies_tech_note09186a00801aa000.shtml
ICMP Redirects
By default, Cisco IOS and Catalyst OS software send ICMP redirect messages when the switch is forced
to resend a packet through the same interface on which it was received. With these redirect
messages the switch tells the host which specific router to use to reach a particular destination. The
ICMP redirect messages can also reveal information that an attacker could use to discover the
network topology. Therefore, we recommend that you disable this service on all interfaces:
On systems running Catalyst OS, use the set ip redirect disable command to globally disable IP redirects, as
shown in the following example:
Console> (enable) set ip redirect disable
On systems running Cisco IOS, IP redirects can be disabled per interface by using the no ip redirects
interface configuration command, as shown in the following example:
Router(config-if)# no ip redirects
For more information about the Catalyst OS set ip redirect command, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/cmd_ref/set_f_l.htm#wp1026328
For more information about the Cisco IOS ip redirect command, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipras_r/ip1_i2g.htm#wp1081518
ICMP Unreachables
According to Internet standards (RFC 1812), whenever a router needs to drop a packet, it should return
an ICMP unreachable message to the source. Routers typically drop incoming packets either because
they cannot find a valid route or because the packet should be routed to the Null interface. The latter is
typically the case with black hole filtering. In some cases, it is possible to overwhelm a router by sending
large numbers of packets that each require the generation of an ICMP unreachable. For this reason it is highly
recommended to control the generation of ICMP unreachables by either rate-limiting or disabling it.
ICMP unreachables are generated by default on switches running Cisco IOS and Catalyst OS. Use one
of the following best practices to protect the switches from ICMP unreachable overload:
Disable ICMP unreachable messages
Rate limit ICMP unreachable traffic
The first workaround is to prevent the switch from sending ICMP unreachables:
On systems running Catalyst OS, ICMP unreachables can be globally disabled by using the set ip
unreachable disable command, as shown in the following example:
Console> (enable) set ip unreachable disable
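The two controls above (disabling ICMP redirects and ICMP unreachables) are both per-interface settings on Cisco IOS, so an audit of the running configuration is the practical way to confirm they were applied everywhere they matter. The following Python script is an added example, not code from the Cisco document: it parses an IOS-style show running-config excerpt (the SAMPLE_CONFIG text is constructed for this example), reports every routed interface that still lacks "no ip redirects" or "no ip unreachables", treats the Null0 interface specially because black-hole routes drop traffic there, and checks whether a global "ip icmp rate-limit unreachable" line is present. The IOS commands "no ip unreachables" and "ip icmp rate-limit unreachable" are not shown on this page but are standard IOS interface and global configuration commands; the parsing rules (interface blocks start with "interface" and end at "!" or the next unindented line) are an assumption about the config format.

```python
import re
from typing import Dict, List

# Constructed IOS running-config excerpt for this example (not taken from the page).
SAMPLE_CONFIG = """\
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 no ip redirects
!
interface GigabitEthernet1/1
 description uplink
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet1/2
 switchport
 switchport mode access
!
interface Null0
 no ip unreachables
!
ip icmp rate-limit unreachable 1000
!
"""

# Per-interface hardening expected on every routed interface.
ICMP_HARDENING = ("no ip redirects", "no ip unreachables")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} from an IOS-style running config.

    Assumed format: an 'interface X' line opens a block, indented lines belong to
    it, and a '!' line or any unindented line closes it.
    """
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def is_routed(subcommands: List[str]) -> bool:
    """Only interfaces with an IP address can emit ICMP redirects/unreachables."""
    return any(cmd.startswith("ip address") for cmd in subcommands)


def audit_icmp(config: str) -> Dict[str, List[str]]:
    """Return {interface: [missing hardening commands]} for interfaces that need them.

    Null0 never sends redirects, but black-hole routes point at it, so it is
    checked for 'no ip unreachables' only.
    """
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        if name.startswith("Null"):
            required = ("no ip unreachables",)
        elif is_routed(cmds):
            required = ICMP_HARDENING
        else:
            continue  # layer-2 port: nothing to check
        missing = [h for h in required if h not in cmds]
        if missing:
            findings[name] = missing
    return findings


def has_unreachable_rate_limit(config: str) -> bool:
    """True when a global 'ip icmp rate-limit unreachable <ms>' line is configured."""
    return re.search(r"^ip icmp rate-limit unreachable \d+", config, re.M) is not None


if __name__ == "__main__":
    for iface, missing in audit_icmp(SAMPLE_CONFIG).items():
        print(f"{iface}: missing {', '.join(missing)}")
    if not has_unreachable_rate_limit(SAMPLE_CONFIG):
        print("no global ICMP unreachable rate limit configured")
```

Run against the constructed sample, the audit flags Vlan20 (unreachables still enabled) and GigabitEthernet1/1 (both services still enabled), skips the layer-2 port GigabitEthernet1/2, and accepts Null0 because unreachables are already disabled there. Feeding it real output of show running-config works the same way, since the script only depends on the interface block layout.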