Cisco Switch Security Best Practices

This is a summary and command reference for Cisco Switch Security Best Practices from the Cisco CCNP material.

1. Configure secure passwords

  1. Use the enable secret command to set the enable password
  2. Use external AAA servers for administrative access
  3. Use the service password-encryption command to prevent casual observers from seeing password

2. Use the system banner

Use the banner motd command to warn unauthorized users that their actions could be grounds for prosecution.  Also do not display any information regarding the network/switch, as this could be used by a malicious user.

3. Use HTTPS for the web interface and restrict access

Switch(config)# ip http secure server
Switch(config)# access-list 10 permit
Switch(config)# ip http access-class 10

4. Even if you have restricted physical access, use authentication on the console port

Switch(config-line)# login authentication default

OR if you are not using aaa new-model:

Switch(config-line)# login local

5. Restrict access to the VTY lines

Switch(config)# access-list 10 permit
Switch(config)# line vty 0 15
Switch(config-line)# access-class 10 in

6. Always manually set the port mode (access port)

Switch(config-if)# switchport access vlan (vlan-id)
Switch(config-if)# switchport mode access

7. Use SSH instead of telnet for remote access

Switch(config)# ip domain-name
Switch(config)# crypto key generate rsa
Switch(config)# ip ssh version 2
Switch(config)# line vty 0 15
Switch(config-line)# transport input ssh

8. Do not use SNMP Read/Write (RW) Strings
If you are going to use SNMP, only use RO strings and limit access with an ACL

9. Secure unused switchports
Shutdown unused switchports and place them in a “parking lot” VLAN.  You can also use the switchport host command macro to set several parameters

Switch(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
Switch(config-if)#switchport access vlan 888

10. Secure STP operation
Enable BPDU guard on access ports

Switch(config-if)# spanning-tree bpduguard enable

11. Secure CDP usage
CDP provide unecessary information on access ports (unless you are using Cisco IP phones, then do not disable)

Switch(config-if)#no cdp enable

12. Prevent VLAN Hopping

OPTION 1: Change the Native VLAN and then Prune the Native VLAN (CDP, PAgp and DTP will still function)

Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 800
Switch(config-if)# switchport trunk allowed vlan remove 800
Switch(config-if)# switchport mode trunk

OPTION 2: Force the switch to tag the native VLAN (global cmd, must be done on both switches)

Switch(config)# vlan dot1q tag native

Cisco SPAN (Port-Mirror) Configuration

Example: On my Cisco switch I want to mirror port 10 to port 20 so I can plug in my laptop (into port 20) with wireshark and do packet captures

switch (config) #monitor session 1 source interface fastethernet0/10
switch (config) #monitor session 1 destination interface fastethernet0/20

and then verify the configuration

switch #show monitor session 1