Cisco Switch Security Best Practices

This is a summary and command reference for Cisco Switch Security Best Practices from the Cisco CCNP material.

1. Configure secure passwords

  1. Use the enable secret command to set the enable password
  2. Use external AAA servers for administrative access
  3. Use the service password-encryption command to prevent casual observers from seeing passwords

2. Use the system banner

Use the banner motd command to warn unauthorized users that their actions could be grounds for prosecution.  Also do not display any information regarding the network/switch, as this could be used by a malicious user.

3. Use HTTPS for the web interface and restrict access

Switch(config)# ip http secure-server
Switch(config)# access-list 10 permit 10.0.99.0 0.0.0.255
Switch(config)# ip http access-class 10

4. Even if you have restricted physical access, use authentication on the console port

Switch(config-line)# login authentication default

OR if you are not using aaa new-model:

Switch(config-line)# login local

5. Restrict access to the VTY lines

Switch(config)# access-list 10 permit 10.0.99.0 0.0.0.255
Switch(config)# line vty 0 15
Switch(config-line)# access-class 10 in

6. Always manually set the port mode (access port)

Switch(config-if)# switchport access vlan (vlan-id)
Switch(config-if)# switchport mode access

7. Use SSH instead of telnet for remote access

Switch(config)# ip domain-name example.com
Switch(config)# crypto key generate rsa
Switch(config)# ip ssh version 2
Switch(config)# line vty 0 15
Switch(config-line)# transport input ssh

8. Do not use SNMP Read/Write (RW) Strings
If you are going to use SNMP, use only RO strings and limit access with an ACL.

9. Secure unused switchports
Shut down unused switchports and place them in a "parking lot" VLAN. You can also use the switchport host command macro to set several parameters at once.

Switch(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
Switch(config-if)# switchport access vlan 888
Switch(config-if)# shutdown

10. Secure STP operation
Enable BPDU guard on access ports

Switch(config-if)# spanning-tree bpduguard enable

11. Secure CDP usage
CDP provides unnecessary information on access ports (unless you are using Cisco IP phones, in which case do not disable it)

Switch(config-if)# no cdp enable

12. Prevent VLAN Hopping

OPTION 1: Change the native VLAN and then prune the native VLAN (CDP, PAgP and DTP will still function)

Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 800
Switch(config-if)# switchport trunk allowed vlan remove 800
Switch(config-if)# switchport mode trunk

OPTION 2: Force the switch to tag the native VLAN (global command, must be done on both switches)

Switch(config)# vlan dot1q tag native
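
An added example, not part of the original reference: a small Python audit that checks a saved running-config against items 4, 5, 6, 7, 10 and 12 above. The sample config is constructed, and the script assumes every non-trunk interface is an access port.

```python
# Constructed sample running-config for illustration (not from a real device).
SAMPLE = """\
interface FastEthernet0/1
 switchport mode access
 spanning-tree bpduguard enable
interface FastEthernet0/2
 switchport access vlan 10
interface GigabitEthernet0/1
 switchport mode trunk
line con 0
 login local
line vty 0 15
 transport input telnet ssh
"""

def parse(config):
    """Group indented sub-commands under their 'interface' or 'line' header."""
    blocks, cur = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and cur:
            blocks[cur].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            blocks[(cur := line.strip())] = []
        else:
            cur = None  # "!" separators and global commands close the block
    return blocks

def audit(config):
    """Return findings, each prefixed with the checklist item number it maps to."""
    has = lambda cmds, prefix: any(c.startswith(prefix) for c in cmds)
    tag_native = "vlan dot1q tag native" in config.splitlines()  # item 12, option 2
    out = []
    for hdr, cmds in parse(config).items():
        if hdr.startswith("line con") and not has(cmds, "login "):
            out.append(f"4: {hdr}: no login authentication/local")
        elif hdr.startswith("line vty"):
            if not has(cmds, "access-class "):
                out.append(f"5: {hdr}: no access-class")
            if "transport input ssh" not in cmds:
                out.append(f"7: {hdr}: transport input is not ssh-only")
        elif hdr.startswith("interface") and "switchport mode trunk" in cmds:
            if not tag_native and not has(cmds, "switchport trunk native vlan "):
                out.append(f"12: {hdr}: trunk keeps the default native VLAN")
        elif hdr.startswith("interface"):
            if "switchport mode access" not in cmds:
                out.append(f"6: {hdr}: port mode not set manually")
            if "spanning-tree bpduguard enable" not in cmds:
                out.append(f"10: {hdr}: BPDU guard not enabled")
    return out
```

Calling audit(SAMPLE) flags FastEthernet0/2, the trunk and the VTY lines, and reports nothing for FastEthernet0/1 or the console.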

Cisco SPAN (Port-Mirror) Configuration

Example: On my Cisco switch I want to mirror port 10 to port 20 so I can plug in my laptop (into port 20) with Wireshark and do packet captures.

Switch(config)# monitor session 1 source interface fastethernet0/10
Switch(config)# monitor session 1 destination interface fastethernet0/20

Then verify the configuration:

Switch# show monitor session 1