Cisco Switch Security Best Practices

This is a summary and command reference for Cisco Switch Security Best Practices from the Cisco CCNP material.

1. Configure secure passwords

1. Use the enable secret command to set the enable password
2. Use external AAA servers for administrative access
3. Use the service password-encryption command to prevent casual observers from seeing password

2. Use the system banner

Use the banner motd command to warn unauthorized users that their actions could be grounds for prosecution.  Also do not display any information regarding the network/switch, as this could be used by a malicious user.

3. Use HTTPS for the web interface and restrict access

Switch(config)# ip http secure server
Switch(config)# access-list 10 permit 10.0.99.0 0.0.0.255
Switch(config)# ip http access-class 10

4. Even if you have restricted physical access, use authentication on the console port

Switch(config-line)# login authentication default

OR if you are not using aaa new-model:

Switch(config-line)# login local

5. Restrict access to the VTY lines

Switch(config)# access-list 10 permit 10.0.99.0 0.0.0.255
Switch(config)# line vty 0 15
Switch(config-line)# access-class 10 in

6. Always manually set the port mode (access port)

Switch(config-if)# switchport access vlan (vlan-id)
Switch(config-if)# switchport mode access

7. Use SSH instead of telnet for remote access

Switch(config)# ip domain-name example.com
Switch(config)# crypto key generate rsa
Switch(config)# ip ssh version 2
Switch(config)# line vty 0 15
Switch(config-line)# transport input ssh

8. Do not use SNMP Read/Write (RW) Strings
If you are going to use SNMP, only use RO strings and limit access with an ACL

9. Secure unused switchports
Shutdown unused switchports and place them in a “parking lot” VLAN.  You can also use the switchport host command macro to set several parameters

Switch(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
Switch(config-if)#switchport access vlan 888
Switch(config-if)#shutdown

10. Secure STP operation
Enable BPDU guard on access ports

Switch(config-if)# spanning-tree bpduguard enable

11. Secure CDP usage
CDP provide unecessary information on access ports (unless you are using Cisco IP phones, then do not disable)

Switch(config-if)#no cdp enable

12. Prevent VLAN Hopping

OPTION 1: Change the Native VLAN and then Prune the Native VLAN (CDP, PAgp and DTP will still function)

Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 800
Switch(config-if)# switchport trunk allowed vlan remove 800
Switch(config-if)# switchport mode trunk

OPTION 2: Force the switch to tag the native VLAN (global cmd, must be done on both switches)

Switch(config)# vlan dot1q tag native

OSPF Neighbor Relationships

5 Requirements for OSPF to form a relationship with a neighbor:

1. Hello and Dead timers must match

2. Network mask must match

3. Area ID must match

4. Authentication password must match (if you are using OSPF authentication)

5. Stub Area Flag must match

Also found a great wiki on OSPF best practices: http://wiki.nil.com/OSPF_area_configuration_best_practices

IPv6 OSPF on a Cisco router

The big difference between IPv4 and IPv6 OSPF configuration on a Cisco router is that the initial configuration has moved to the interface level, instead of using the “network” statements to determine which interfaces will be part of the OSPF process. To get IPv6 OSPF up-and-running, here are the 4 basic commands:

1. Enable ipv6 routing between non-local subnets
router(config)# ipv6 unicast-routing

2. Go into the interface config and enable the OSPF process and area
router(config-if)# ipv6 ospf 100 area 0

3. Go into the ipv6 OSPF global configuration
router(config)# ipv6 router ospf 100

4. Set the ipv6 OSPF router id
router(config-rtr)# router-id X.X.X.X