[nsp] 2950's vulnerable

Volodymyr Yakovenko vovik at dumpty.org
Sat Jul 19 20:03:14 EDT 2003


On Fri, Jul 18, 2003 at 03:21:14PM -0700, Siva Valliappan wrote:
>the Catalyst 2950 is a layer 2 device that runs IOS.  so your transit
>traffic will not be affected even if the device is dos-ed.  however your
>management interface to the box can be DOSed.  so you will need to
>take steps to protect the "Management VLAN" interface.

And the easiest solution could be applying an inbound access list on the
management VLAN interface, like:

int vlanX
 ip access-group PROTECT-FROM-DOS in
ip access-list extended PROTECT-FROM-DOS
 deny 53 any any
 deny 55 any any
 deny 77 any any
 deny 103 any any
 permit ip any any 

>cheers
>.siva
>
>On Fri, 18 Jul 2003, Matt Stockdale wrote:
>
>> Any idea if Catalyst 2950's are vulnerable to the latest exploit, since
>> they don't actually route anything? I'm not looking forward to upgrading
>> 40+ of these.. I didn't see anything on the advisory about them..
>>
>> --
>> ------------------------------------------
>> Matt Stockdale              Logicworks
>> Sr. Network Engineer    www.logicworks.net
>> mstockda at logicworks.net  (212) 625-5307
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> http://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>

-- 
Regards,
Volodymyr.
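
Added example, not part of the original message: a small Python audit that reads a saved IOS configuration and reports, for each VLAN interface, which of the four protocol numbers denied above would still get through its inbound ACL. The function names, the sample configuration and the MGMT-OLD ACL are constructed for illustration, and ACL entries are matched on protocol only.

```python
import re

BLOCKED = ("53", "55", "77", "103")  # protocol numbers denied in the post above
NAMES = {"pim": "103"}               # IOS also accepts protocol 103 as "pim"

def parse(config):
    """Return ({vlan interface: inbound ACL or None}, {ACL: [(action, proto)]})."""
    bound, acls, iface, acl = {}, {}, None, None
    for raw in filter(str.strip, config.splitlines()):
        line = raw.strip()
        if not raw[0].isspace():             # top-level command resets context
            iface = acl = None
            if m := re.match(r"int\S*\s+(vlan\s*\S+)$", line, re.I):
                iface = m.group(1).replace(" ", "").lower()
                bound.setdefault(iface, None)
            elif m := re.match(r"ip access-list extended (\S+)$", line, re.I):
                acl = m.group(1)
                acls.setdefault(acl, [])
        elif iface and (m := re.match(r"ip access-group (\S+) in$", line, re.I)):
            bound[iface] = m.group(1)
        elif acl and (m := re.match(r"(?:\d+\s+)?(permit|deny)\s+(\S+)", line, re.I)):
            action, proto = m.group(1).lower(), m.group(2).lower()
            acls[acl].append((action, NAMES.get(proto, proto)))
    return bound, acls

def unprotected(config):
    """Map each VLAN interface to the BLOCKED protocols its inbound ACL lets in."""
    bound, acls = parse(config)
    # Assumption: entries are "any any". First match wins, no match = implicit deny.
    # A missing or empty ACL filters nothing, so every protocol is reported.
    return {iface: [p for p in BLOCKED if not acls.get(name) or next(
                (a for a, q in acls[name] if q in (p, "ip")), "deny") != "deny"]
            for iface, name in bound.items()}

# Constructed sample: Vlan1 carries the ACL from the post, Vlan20 a weaker one.
SAMPLE = """\
interface Vlan1
 ip access-group PROTECT-FROM-DOS in
interface Vlan20
 ip access-group MGMT-OLD in
ip access-list extended PROTECT-FROM-DOS
 deny 53 any any
 deny 55 any any
 deny 77 any any
 deny 103 any any
 permit ip any any
ip access-list extended MGMT-OLD
 deny 53 any any
 deny pim any any
 permit ip any any
"""
```

Calling unprotected(SAMPLE) returns an empty list for vlan1 and the protocols 55 and 77 for vlan20; a VLAN interface with no inbound ACL at all is reported with all four.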


