COMMAND

    Cisco

SYSTEMS AFFECTED

    Catalyst 5000 Series 802.1x

PROBLEM

    Following is based on a Cisco Security Advisory.  When an 802.1x
    frame is received by an affected Catalyst 5000 series switch on an
    STP blocked port, it is forwarded in that VLAN instead of being
    dropped.  This causes a performance-impacting storm of 802.1x
    frames in the part of the network made up of the affected Catalyst
    5000 series switches.  The storm only subsides when the source of
    the 802.1x frames is removed or one of the workarounds in the
    workaround section is applied.  This vulnerability can be exploited
    to produce a denial of service (DoS) attack.

    This vulnerability is described in Cisco bug id CSCdt62732.

    Cisco Catalyst 5000 series switches based on any of the  following
    EARL (Encoded Address Recognition Logic) hardware revisions:

        * EARL 1
        * EARL 1+
        * EARL 1++

    and running any of the following switch software revisions:

        * 4.5 (11) or earlier
        * 5.5 (6) or earlier
        * 6.1 (2) or earlier

    are affected by this vulnerability.  This series includes the
    Catalyst models 5000, 5002, 5500, 5505, 5509, 2901, 2902 and 2926
    switches.  To determine your hardware and software revision, type
    "sh mod" at the console prompt of the switch.

    When an 802.1x (IEEE standard for port based network access
    control) frame is received by an affected Catalyst 5000 series
    switch on an STP (Spanning Tree Protocol) blocked port, it is
    forwarded in that VLAN (Virtual Local Area Network) instead of
    being dropped.  Because the blocked port should have discarded the
    frame, the frame keeps circulating around the spanning-tree loop
    and causes a performance-impacting storm of 802.1x frames in the
    part of the network made up of the affected Catalyst 5000 series
    switches.  The storm only subsides when the source of the 802.1x
    frames is removed or one of the workarounds in the workaround
    section is applied.

    When a network of affected Catalyst 5000 series switches receives
    an 802.1x frame, the result is a storm of 802.1x frames that
    degrades the performance of the network.  Slower ports on the
    affected Catalyst 5000 series switches may stop passing user data.
    The affected switches may not respond to management inquiries via
    SNMP, Telnet or HTTP.  However, management via the console port on
    the switches is still possible and can be used to apply the
    workarounds.
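    Every workaround above ends with "remove the source of the 802.1x
    frames", which means first finding which host is sending them.  The
    following Python is an added example (not part of the Cisco
    advisory) that classifies raw Ethernet frames, for instance from a
    capture taken on a mirror port, by EtherType 0x888E (EAPOL, the
    802.1x frame encapsulation) and counts them per source MAC and
    EAPOL type.  It also checks whether a destination address falls in
    the reserved range 01-80-c2-00-00-02 to 01-80-c2-00-00-0f that the
    first workaround pins to an unused port.  The MAC addresses and the
    sample frames are constructed; the frame builder exists only to
    produce that test input.

```python
# Identify 802.1x (EAPOL) frames and the hosts sending them so the source
# of the storm can be located and removed.  Added example, not Cisco's
# code; the MAC addresses and frames below are constructed.
import struct
from collections import Counter

EAPOL_ETHERTYPE = 0x888E                   # IEEE 802.1X EAPOL encapsulation
PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"    # destination used by 802.1X supplicants
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def in_reserved_stp_range(mac):
    """True for 01:80:c2:00:00:02 .. 01:80:c2:00:00:0f, the range the
    advisory's CAM workaround directs to an unused port."""
    if not mac.lower().startswith("01:80:c2:00:00:"):
        return False
    return 0x02 <= int(mac[-2:], 16) <= 0x0f


def parse_frame(frame):
    """Parse an Ethernet II header and, for EAPOL, the 4-byte EAPOL header
    (version, packet type, body length)."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
            "ethertype": ethertype, "eapol_type": None}
    if ethertype == EAPOL_ETHERTYPE and len(frame) >= 18:
        _version, ptype, _length = struct.unpack("!BBH", frame[14:18])
        info["eapol_type"] = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    return info


def eapol_sources(frames):
    """Count EAPOL frames per (source MAC, EAPOL type); the heaviest
    senders are the candidates to unplug or reconfigure."""
    counts = Counter()
    for frame in frames:
        info = parse_frame(frame)
        if info and info["ethertype"] == EAPOL_ETHERTYPE:
            counts[(info["src"], info["eapol_type"])] += 1
    return counts


def build_eapol(src, ptype, body=b""):
    """Construct an EAPOL frame to the PAE group address (test input only)."""
    dst = bytes.fromhex(PAE_GROUP_ADDRESS.replace(":", ""))
    return (dst + src + struct.pack("!H", EAPOL_ETHERTYPE)
            + struct.pack("!BBH", 1, ptype, len(body)) + body)


# Constructed capture: two EAPOL-Start frames from one host (the frame a
# supplicant sends to begin authentication), one ordinary IPv4 frame, and
# one EAP-Request/Identity.  Locally administered MACs, not real hosts.
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")
HOST_C = bytes.fromhex("020000000003")
SAMPLE_FRAMES = [
    build_eapol(HOST_A, 1),
    build_eapol(HOST_A, 1),
    bytes.fromhex("ffffffffffff") + HOST_B + b"\x08\x00" + b"\x45" + b"\x00" * 19,
    build_eapol(HOST_C, 0, bytes.fromhex("0101000501")),  # EAP Request, Identity
]

if __name__ == "__main__":
    for (src, kind), n in eapol_sources(SAMPLE_FRAMES).most_common():
        print(f"{src}  {kind:<12} {n}")
```

    Feed parse_frame() the raw bytes of each captured frame; a host
    that keeps emitting EAPOL-Start while the storm persists is the one
    to disconnect before re-enabling blocked ports or powering switches
    back up.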

SOLUTION

    Catalyst 5000 series switches based on EARL 2 or later hardware
    revisions are not affected by this vulnerability.  Catalyst 5000
    series switches, regardless of the EARL hardware revision, running
    the following switch software revisions

        * 4.5 (12) or later - expected general availability before 2001, May 1
        * 5.5 (7) or later
        * 6.1 (3) or later

    are not affected by this vulnerability.  The software upgrade can
    be performed via the console interface.

    No other Cisco product is  currently known to be affected  by this
    vulnerability.   This includes  the Catalyst  6000, 4000,  3500XL,
    2900XL and 2948G switches.

    The following workarounds prevent 802.1x frames from causing an
    802.1x frame storm in an affected Catalyst 5000 series switch
    network.  They can also be applied to a network already
    experiencing an 802.1x frame storm.

    1. Configure permanent MAC address (CAM) entries for the entire
       reserved STP range 01-80-c2-00-00-02 to 01-80-c2-00-00-0f that
       direct those addresses out an unused port, for each VLAN on
       each affected switch in the network.

       The commands to configure this are given below; <mod#>/<port#>
       is the unused port and <VLAN> is the VLAN the entries apply to.

        set cam permanent 01-80-c2-00-00-02 <mod#>/<port#> <VLAN>
        set cam permanent 01-80-c2-00-00-03 <mod#>/<port#> <VLAN>
        set cam permanent 01-80-c2-00-00-04 <mod#>/<port#> <VLAN>
        set cam permanent 01-80-c2-00-00-05 <mod#>/<port#> <VLAN>
        set cam permanent 01-80-c2-00-00-06 <mod#>/<port#> <VLAN>
        set cam permanent 01-80-c2-00-00-07 <mod#>/<port#> <VLAN>
        set cam permanent 01-80-c2-00-00-08 <mod#>/<port#> <VLAN>
        set cam permanent 01-80-c2-00-00-09 <mod#>/<port#> <VLAN>
        set cam permanent 01-80-c2-00-00-0a <mod#>/<port#> <VLAN>
        set cam permanent 01-80-c2-00-00-0b <mod#>/<port#> <VLAN>
        set cam permanent 01-80-c2-00-00-0c <mod#>/<port#> <VLAN>
        set cam permanent 01-80-c2-00-00-0d <mod#>/<port#> <VLAN>
        set cam permanent 01-80-c2-00-00-0e <mod#>/<port#> <VLAN>
        set cam permanent 01-80-c2-00-00-0f <mod#>/<port#> <VLAN>
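       Fourteen commands per VLAN per switch add up quickly, and a
       single missed address leaves that VLAN exposed.  The following
       Python is an added example, not Cisco's code, that generates the
       complete "set cam permanent" set from a VLAN-to-unused-port map
       and then checks a saved configuration for any (VLAN, MAC) pair
       still missing.  The module numbers, port numbers and the sample
       configuration lines are constructed; the regular expression
       assumes the configuration records these entries in the same
       syntax as the commands shown above.

```python
# Generator and coverage check for workaround 1 (permanent CAM entries).
# Added example, not part of Cisco's advisory.  Port numbers and the
# sample configuration below are constructed for illustration.
import re

# Reserved STP multicast range from the advisory: 01-80-c2-00-00-02 .. -0f
RESERVED_STP_RANGE = range(0x02, 0x10)


def reserved_stp_macs():
    """Return the 14 MAC addresses in the advisory's reserved range."""
    return [f"01-80-c2-00-00-{last:02x}" for last in RESERVED_STP_RANGE]


def cam_workaround_commands(unused_port_by_vlan):
    """Build the 'set cam permanent' commands for every VLAN.

    unused_port_by_vlan maps a VLAN number to the '<mod#>/<port#>' of an
    unused port in that VLAN (assumed values; choose real unused ports).
    """
    commands = []
    for vlan in sorted(unused_port_by_vlan):
        port = unused_port_by_vlan[vlan]
        for mac in reserved_stp_macs():
            commands.append(f"set cam permanent {mac} {port} {vlan}")
    return commands


# Assumed format of a permanent CAM line in a saved configuration; it
# matches the command syntax the advisory shows.
_CAM_LINE = re.compile(
    r"^\s*set cam permanent\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\S+)\s+(\d+)\s*$",
    re.IGNORECASE,
)


def missing_cam_entries(config_lines, vlans):
    """Return the (vlan, mac) pairs that have no permanent CAM entry yet."""
    present = set()
    for line in config_lines:
        m = _CAM_LINE.match(line)
        if m:
            present.add((int(m.group(3)), m.group(1).lower()))
    return sorted((vlan, mac)
                  for vlan in vlans
                  for mac in reserved_stp_macs()
                  if (vlan, mac) not in present)


# Constructed example: VLANs 1 and 10, with ports 3/24 and 3/23 unused.
PARKED_PORTS = {1: "3/24", 10: "3/23"}

# Constructed configuration snippet with one entry in VLAN 10 left out.
SAMPLE_CONFIG = [c for c in cam_workaround_commands(PARKED_PORTS)
                 if c != "set cam permanent 01-80-c2-00-00-0a 3/23 10"]

if __name__ == "__main__":
    for cmd in cam_workaround_commands(PARKED_PORTS):
        print(cmd)
    print("missing:", missing_cam_entries(SAMPLE_CONFIG, PARKED_PORTS))
```

       Run the generated commands from the console (the advisory notes
       SNMP, Telnet and HTTP may be unresponsive during a storm), then
       paste the resulting configuration into missing_cam_entries() to
       confirm that every VLAN carries all fourteen entries.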

    2. Break the STP loop by either
       a) disabling the redundant (STP blocked) ports, or
       b) disconnecting the cables from these ports.

       Remove all the sources of 802.1x frames before re-enabling  the
       ports or reconnecting the cables.

    3. Power down the Catalyst 5000 switch(es) that create the
       spanning-tree loop (any switch with STP blocked ports).  Remove
       all the sources of 802.1x frames before powering up the
       switches.

    Microsoft Windows XP attempts 802.1x authentication during its
    boot-up phase and is therefore a possible source of the 802.1x
    frames.  The following configuration steps disable this on
    Microsoft Windows XP:

    1. Click on the associated Local Area Connection under Network
       Connections
    2. Click on the Authentication Tab at the top right.
    3. Uncheck "Network Access Control using IEEE 802.1x"