Cisco Best Practices For Switches (and Routers)


Last updated on November 17th, 2022 at 07:41 am

Here are my notes for the basic minimum Cisco switch best practices for configuration and security. It is important to understand each command or configuration before applying it to a switch in production. Some of these can also be applied to a Cisco router.

End Device Port Security:

interface GigabitEthernet1/1
 switchport mode access
 switchport nonegotiate
 spanning-tree bpduguard enable
 spanning-tree portfast

*****************************************

Trunk Interface:

switchport mode trunk
switchport trunk allowed vlan 10,20,50,100

Native VLAN Notes:

switchport trunk native vlan 2 <—for security, use a VLAN that is not used anywhere else (an unused VLAN).

switchport trunk native vlan 2 <—if instead the native VLAN carries real traffic for a device on the other side that does not support tagging, it is no longer an unused VLAN and must also be included in the allowed list (switchport trunk allowed vlan).

Native VLAN must match on both sides of the trunk.

switchport trunk encapsulation dot1q (mostly needed on older devices). Dot1q (802.1q) is the default.

To add VLANs to an existing trunk link:

switchport trunk allowed vlan add 100

**********************************************************

Common services to disable:

no setup express <—–Not used on current switches
no ip domain-lookup
no ip finger
no service pad
no service tcp-small-servers
no service udp-small-servers
no ip http server
no ip http secure-server
no logging monitor
no logging console

*******************************************************

Best practice for timestamps and password security:

service timestamps log datetime msec localtime show-timezone
service password-encryption

****************************************************

NO VSTACK

no vstack

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-smartinstall

***********************************************************

Usernames

enable algorithm-type sha256 secret S3cr3tP@$$sw0rD!
username JohnDoe privilege 15 algorithm-type sha256 secret P@ssW0rD1234

https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2938313/nsa-publishes-best-practices-for-selecting-cisco-password-types/

************************************************************

Con 0 Security and Disable Reverse-Telnet:

aaa authentication login console local <—–For security & local access if AAA servers are not available. See line con 0 below.

line con 0
 password P@ssW0rd <—-may not be needed.
 transport output none
 exec-timeout 5
 login authentication console <—–See above aaa authentication command
exit

VTY Security:

Preferred access list method:

ip access-list extended vty-access
 permit ip host 10.10.10.100 any

OR

access-list 1 permit 10.20.10.2
access-list 1 permit 10.17.0.5
access-list 1 permit 10.10.0.10

line vty 0 4
 transport input ssh
 session-timeout 5
 exec-timeout 5
 access-class 1 in OR access-class vty-access in
 privilege level 15 <——–allow priv access after login
 logging synchronous
line vty 5 15
 no login (older versions; newer versions use "login authentication null", where null is an AAA login method list defined with the method none)
 no exec
 transport input none
exit

https://thwack.solarwinds.com/message/276903#276903

****************************************************************

SSH:

ip domain-name company.com <—-Optional
crypto key generate rsa usage-keys label sshkeys modulus 2048
ip ssh rsa keypair-name sshkeys
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh version 2

***************************************************************************

Disable IP Redirects & IP Unreachables – Per Layer 3 Interface:

no ip redirects

https://networklessons.com/ip-routing/icmp-redirect-on-cisco-ios/

no ip unreachables

http://packetlife.net/blog/2008/oct/9/disabling-unreachables-breaks-pmtud/

******************************************************************************

Login Failure Control:

login block-for 100 attempts 5 within 100
login quiet-mode access-class 1
login delay 2

*********************************************************************************

banner motd #
**********************************************************
* WARNING WARNING WARNING WARNING                        *
*                                                        *
* Unauthorized use, possession, duplication or           *
* tampering with computer, data, information,            *
* programs or services is a violation of policy and a    *
* criminal offense.                                      *
* Violators are subject to dismissal and prosecution     *
* to the full extent of the law.                         *
**********************************************************
#

**************************************************************************************

Verify Unicast Reverse-Path – Per Layer 3 Interface:

ip verify unicast reverse-path

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_urpf/configuration/xe-3s/sec-data-urpf-xe-3s-book/cfg-unicast-rpf.html

https://networklessons.com/security/unicast-reverse-path-forwarding-urpf/

*****************************************************************************************

Discard IP Source-Route:

no ip source-route

https://supportforums.cisco.com/discussion/9501351/no-ip-source-route-question

*********************************************************************************************

Enable TCP Keepalives:

service tcp-keepalives-in
service tcp-keepalives-out

http://www.cisco.com/c/en/us/support/docs/dial-access/asynchronous-connections/14957-tcpkeepalive.html

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

****************************************************************************************

Disable Proxy Arp – Per L3 Interface:

no ip proxy-arp

https://networklessons.com/network-services/proxy-arp-explained/

http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/13718-5.html

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html#anc75

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/sec_chap4.html#wp1056530
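As an added example (not part of the original post), the following Python script checks the text of "show running-config" against several items on this list: the end-device port commands, the per-Layer-3-interface commands, the vty line settings and the global services. The config inside it is constructed, and the parser assumes the one-space indentation IOS uses for interface and line children.

```python
# Added example, not from the original post: audit "show running-config" text
# against the checklist above. SAMPLE_CONFIG below is constructed.
REQUIRED_GLOBAL = {"no ip source-route", "no ip http server", "no ip http secure-server",
                   "no vstack", "service password-encryption", "ip ssh version 2"}
ACCESS_PORT = {"switchport nonegotiate", "spanning-tree bpduguard enable", "spanning-tree portfast"}
L3_PORT = {"no ip redirects", "no ip proxy-arp", "ip verify unicast reverse-path"}

def parse(config):
    """Map each top-level statement to its indented children (IOS uses one space)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def audit(config):
    """Return sorted (block, missing command) findings; an empty list is compliant."""
    blocks = parse(config)
    findings = [("global", cmd) for cmd in REQUIRED_GLOBAL - set(blocks)]
    for header, body in blocks.items():
        have = set(body)
        if header.startswith("interface "):
            if "switchport mode access" in have:  # end-device port checks
                findings += [(header, cmd) for cmd in ACCESS_PORT - have]
            if any(cmd.startswith("ip address ") for cmd in body):  # Layer 3 checks
                findings += [(header, cmd) for cmd in L3_PORT - have]
        elif header.startswith("line vty") and "transport input none" not in have:
            # lines shut with "transport input none" (vty 5 15 above) are skipped
            if "transport input ssh" not in have:
                findings.append((header, "transport input ssh"))
            if not any(cmd.startswith("access-class ") for cmd in body):
                findings.append((header, "access-class <acl> in"))
    return sorted(findings)

SAMPLE_CONFIG = """\
no ip source-route
no ip http server
interface GigabitEthernet1/1
 switchport mode access
 spanning-tree portfast
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
line vty 0 4
 transport input ssh
line vty 5 15
 transport input none
"""
```

Banner text and other free-form multi-line items end up as top-level entries, which is harmless for these checks.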

Are VRFs used?

Check out my post on VRF for more information.

Copyright © Packet Passers 2024