Last updated on November 17th, 2022 at 07:41 am
Here are my notes on the minimum baseline of Cisco switch configuration and security best practices. Make sure you understand each command or configuration before applying it to a switch in production. Some of these can also be applied to a Cisco router.
End Device Port Security:
interface GigabitEthernet1/1
switchport mode access
switchport nonegotiate
spanning-tree bpduguard enable
spanning-tree portfast
*****************************************
Trunk Interface:
switchport mode trunk
switchport trunk allowed vlan 10,20,50,100
Native VLAN Notes:
switchport trunk native vlan 2 <—for security, use a VLAN that is not otherwise in use.
switchport trunk native vlan 2 <—if instead the native VLAN is carrying traffic for a device on the other side that does not support tagging (so it is not an unused VLAN), it must also be included in the allowed list (switchport trunk allowed vlan).
Native VLAN must match on both sides of the trunk.
switchport trunk encapsulation dot1q (mostly needed on older devices). Dot1q (802.1q) is the default.
To add VLANs to an existing trunk link:
switchport trunk allowed vlan add 100
**********************************************************
Common services to disable:
no setup express <—–Not used on current switches
no ip domain-lookup
no ip finger
no service pad
no service tcp-small-servers
no service udp-small-servers
no ip http server
no ip http secure-server
no logging monitor
no logging console
*******************************************************
Best practice for timestamps and password security:
service timestamps log datetime msec localtime show-timezone
service password-encryption
****************************************************
NO VSTACK
no vstack
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-smartinstall
***********************************************************
Usernames
enable algorithm-type sha256 secret S3cr3tP@$$sw0rD!
username JohnDoe privilege 15 algorithm-type sha256 secret P@ssW0rD1234
************************************************************
Con 0 Security and Disable Reverse-Telnet:
aaa authentication login console local <—for security and for local access when the AAA servers are not available (requires aaa new-model). See line con 0 below.
line con 0
password P@ssW0rd <—-may not be needed.
transport output none
exec-timeout 5
login authentication console <—–See above aaa authentication command
exit
VTY Security:
Preferred access list method:
ip access-list extended vty-access
permit ip host 10.10.10.100 any
OR
access-list 1 permit 10.20.10.2
access-list 1 permit 10.17.0.5
access-list 1 permit 10.10.0.10
line vty 0 4
transport input ssh
session-timeout 5
exec-timeout 5
access-class 1 in OR access-class vty-access in
privilege level 15 <——–allow priv access after login
logging synchronous
line vty 5 15
no login (older versions) (new versions use “login authentication null”)
no exec
transport input none
exit
https://thwack.solarwinds.com/message/276903#276903
****************************************************************
SSH:
ip domain-name company.com <—-Optional
crypto key generate rsa usage-keys label sshkeys modulus 2048
ip ssh rsa keypair-name sshkeys
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh version 2
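To check that the global items above (services to disable, timestamps, password-encryption, no vstack, the secret type, the console AAA method list and the SSH settings) actually made it into a switch's running-config, here is a small audit script. It is an added example, not Cisco's or this post's tooling; the sample config it runs against is constructed and the hash strings in it are placeholders. One regex per required line, plus a short list of lines that should not be present at all (enable password, an MD5 enable secret, a username with password instead of secret).

```python
"""Check a saved IOS running-config for the single-line global hardening items in these notes.

Added example to go with the notes (not Cisco's or the author's tooling). Interface
and line stanzas are a separate job; this only looks at top-level lines. The sample
config at the bottom is constructed and its hash strings are placeholders.
"""
import re

# (finding text, regex that must match at least one line of the config)
REQUIRED = [
    ("no ip domain-lookup", r"^no ip domain[- ]lookup$"),      # newer IOS prints 'domain lookup'
    ("no ip finger", r"^no ip finger$"),
    ("no service pad", r"^no service pad$"),
    ("no service tcp-small-servers", r"^no service tcp-small-servers$"),
    ("no service udp-small-servers", r"^no service udp-small-servers$"),
    ("no ip http server", r"^no ip http server$"),
    ("no ip http secure-server", r"^no ip http secure-server$"),
    ("no logging monitor", r"^no logging monitor$"),
    ("no logging console", r"^no logging console$"),
    ("service timestamps log datetime msec localtime show-timezone",
     r"^service timestamps log datetime msec localtime show-timezone$"),
    ("service password-encryption", r"^service password-encryption$"),
    ("no vstack", r"^no vstack$"),
    # 'enable algorithm-type sha256 secret ...' is stored as 'enable secret 8 $8$...'
    ("enable secret of type 8 or 9 (sha256 / scrypt)", r"^enable secret [89] "),
    ("aaa authentication login console local", r"^aaa authentication login console local$"),
    ("ip ssh version 2", r"^ip ssh version 2$"),
    ("ip ssh authentication-retries <= 3", r"^ip ssh authentication-retries [1-3]$"),
]

# Lines that should not be present at all.
FORBIDDEN = [
    ("enable password (type 0/7, recoverable)", r"^enable password "),
    ("enable secret 5 (MD5; use algorithm-type sha256)", r"^enable secret 5 "),
    ("username with 'password' instead of 'secret'", r"^username \S+ .*\bpassword\b"),
]


def audit_global(config_text):
    """Return (missing, present_but_forbidden): two lists of finding texts, in list order."""
    lines = [ln.rstrip() for ln in config_text.splitlines()]
    missing = [desc for desc, pat in REQUIRED if not any(re.match(pat, ln) for ln in lines)]
    forbidden = [desc for desc, pat in FORBIDDEN if any(re.match(pat, ln) for ln in lines)]
    return missing, forbidden


# Constructed sample running-config (hash strings are placeholders, not real hashes).
SAMPLE_CONFIG = """\
version 15.2
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname SW-ACCESS-1
no logging console
no logging monitor
enable secret 5 $1$PLACEHOLDER$notarealhash
username JohnDoe privilege 15 secret 8 $8$PLACEHOLDER$notarealhash
no ip domain-lookup
no ip finger
no service pad
no service tcp-small-servers
no service udp-small-servers
no vstack
ip http server
no ip http secure-server
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 120
"""

if __name__ == "__main__":
    missing, forbidden = audit_global(SAMPLE_CONFIG)
    for item in missing:
        print("MISSING:", item)
    for item in forbidden:
        print("REMOVE :", item)
```

One caveat before trusting the result: running-config only prints the non-default form of a command, so on a platform where tcp-small-servers is already off by default the `no service tcp-small-servers` line never appears and the script reports it as missing. Feed it the output of `show running-config all`, which includes defaults, or treat those items as informational. The `enable secret [89]` pattern is what `algorithm-type sha256` (type 8, PBKDF2-SHA-256) and `algorithm-type scrypt` (type 9) produce in the stored config; type 5 is MD5 and type 7 is trivially reversible.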
***************************************************************************
Disable IP Redirects & IP Unreachables – Per Layer 3 Interface:
no ip redirects
https://networklessons.com/ip-routing/icmp-redirect-on-cisco-ios/
no ip unreachables
http://packetlife.net/blog/2008/oct/9/disabling-unreachables-breaks-pmtud/
******************************************************************************
Login Failure Control:
login block-for 100 attempts 5 within 100
login quiet-mode access-class 1
login delay 2
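What the three numbers in `login block-for 100 attempts 5 within 100` mean is easiest to see on a timeline. The model below is an added example, not Cisco's code, and it simplifies the feature: it does not model `login delay`, and it treats the failure window as a plain sliding window. The hosts and times are constructed; the quiet-mode ACL members are the three hosts from `access-list 1` above.

```python
"""Model of 'login block-for 100 attempts 5 within 100' with 'login quiet-mode access-class 1'.

Added to illustrate what the parameters mean. Simplified model, not Cisco's
implementation (no 'login delay', plain sliding window). Timeline is constructed.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LoginBlockFor:
    block_for: int                      # seconds to stay in quiet mode once triggered
    attempts: int                       # this many failed logins ...
    within: int                         # ... inside this many seconds trigger quiet mode
    quiet_acl: frozenset = frozenset()  # hosts permitted by the quiet-mode access-class
    failures: deque = field(default_factory=deque)  # timestamps of recent failed logins
    quiet_until: float = -1.0

    def in_quiet_mode(self, now):
        return now < self.quiet_until

    def attempt(self, now, src, credentials_ok):
        """Return the device's decision for one login attempt at time `now` (seconds)."""
        if self.in_quiet_mode(now) and src not in self.quiet_acl:
            return "dropped (quiet mode)"
        if credentials_ok:
            return "login ok"
        self.failures.append(now)
        # keep only the failures that fall inside the 'within' window
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            return "login failed; quiet mode for %d s" % self.block_for
        return "login failed"


def run_timeline(events, guard):
    """Feed (time, source, credentials_ok) events through the guard; return the decisions."""
    return [guard.attempt(t, src, ok) for t, src, ok in events]


# Constructed timeline: one unknown host keeps failing, then an admin host
# listed in access-list 1 connects while quiet mode is active.
EVENTS = [
    (0,   "203.0.113.9", False),
    (20,  "203.0.113.9", False),
    (40,  "203.0.113.9", False),
    (60,  "203.0.113.9", False),
    (80,  "203.0.113.9", False),   # 5th failure within 100 s -> quiet mode until t=180
    (90,  "203.0.113.9", True),    # correct password, but quiet mode drops it
    (100, "10.20.10.2",  True),    # permitted by access-list 1, so it still gets in
    (200, "203.0.113.9", True),    # quiet mode has expired
]


def page_example():
    """The notes' values: block-for 100, attempts 5, within 100, ACL 1 hosts."""
    guard = LoginBlockFor(block_for=100, attempts=5, within=100,
                          quiet_acl=frozenset({"10.20.10.2", "10.17.0.5", "10.10.0.10"}))
    return run_timeline(EVENTS, guard)


if __name__ == "__main__":
    for (t, src, _), decision in zip(EVENTS, page_example()):
        print(f"t={t:>3}s  {src:<13} {decision}")
```

Two things the run makes visible: a handful of mistyped passwords from anyone puts the whole switch into quiet mode, so the `login quiet-mode access-class` ACL should contain the management hosts you can never afford to lock out; and during quiet mode a correct password from a host outside that ACL is still dropped. On the real device `show login` shows whether quiet mode is active and how long it has left.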
*********************************************************************************
banner motd #
**********************************************************
* WARNING WARNING WARNING WARNING *
* *
* Unauthorized use, possession, duplication or *
* tampering with computer, data, information, *
* programs or services is a violation of policy and a *
* criminal offense. *
* Violators are subject to dismissal and prosecution *
* to the full extent of the law. *
**********************************************************
#
**************************************************************************************
Verify Unicast Reverse-Path – Per Layer 3 Interface:
ip verify unicast reverse-path
https://networklessons.com/security/unicast-reverse-path-forwarding-urpf/
*****************************************************************************************
Discard IP Source-Route:
no ip source-route
https://supportforums.cisco.com/discussion/9501351/no-ip-source-route-question
*********************************************************************************************
Enable TCP Keepalives:
service tcp-keepalives-in
service tcp-keepalives-out
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
****************************************************************************************
Disable Proxy Arp – Per L3 Interface:
no ip proxy-arp
https://networklessons.com/network-services/proxy-arp-explained/
http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/13718-5.html
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html#anc75
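The per-interface and per-line items in these notes (the end-device port and trunk settings at the top, the con/vty settings, and the no ip redirects / no ip unreachables / uRPF / no ip proxy-arp items on Layer 3 interfaces) all live inside config stanzas rather than on single global lines, so checking them means splitting the config into stanzas first. The script below is an added example, not Cisco's or this post's tooling, and the sample config is constructed. Going a step beyond the notes, it also compares a trunk's native VLAN against its allowed list so you can see whether the native VLAN really is an unused one.

```python
"""Audit interface and line stanzas of a saved IOS running-config against these notes.
Added example (not Cisco's or the author's tooling); the sample config is constructed."""

ACCESS_REQUIRED = ["switchport mode access", "switchport nonegotiate",
                   "spanning-tree bpduguard enable", "spanning-tree portfast"]
L3_REQUIRED = ["no ip redirects", "no ip proxy-arp", "ip verify unicast reverse-path"]

def split_stanzas(config_text):
    """Map each 'interface ...' / 'line ...' header to its indented sub-commands."""
    stanzas, header = {}, None
    for raw in config_text.splitlines():
        if raw.startswith(" ") and header is not None:
            stanzas[header].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            header = raw.strip()
            stanzas[header] = []
        else:
            header = None  # any other top-level line ('!', hostname, ...) ends the stanza
    return stanzas

def expand_vlans(spec):
    """'10,20,50-52' -> {10, 20, 50, 51, 52} (the list form running-config shows)."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if lo.isdigit():
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_interface(name, cmds):
    have, out = set(cmds), []
    if "switchport mode access" in have:                      # end-device port
        out += [f"{name}: missing '{c}'" for c in ACCESS_REQUIRED if c not in have]
    elif "switchport mode trunk" in have:                     # trunk
        allowed = next((c.split()[-1] for c in cmds if c.startswith("switchport trunk allowed vlan ")), None)
        native = next((c.split()[-1] for c in cmds if c.startswith("switchport trunk native vlan ")), None)
        if allowed is None:
            out.append(f"{name}: trunk carries all VLANs (no 'switchport trunk allowed vlan')")
        if native is None:
            out.append(f"{name}: native VLAN left at the default (1)")
        elif allowed and int(native) in expand_vlans(allowed):
            out.append(f"{name}: native VLAN {native} is in the allowed list, so it carries untagged user traffic; confirm intended")
        if "switchport nonegotiate" not in have:
            out.append(f"{name}: missing 'switchport nonegotiate'")
    elif any(c.startswith("ip address ") for c in cmds):      # routed (Layer 3) interface
        out += [f"{name}: missing '{c}'" for c in L3_REQUIRED if c not in have]
        if "no ip unreachables" not in have:
            out.append(f"{name}: ip unreachables still enabled (disabling also affects PMTUD)")
    return out

def audit_line(name, cmds):
    have, out = set(cmds), []
    if "no exec" in have and "transport input none" in have:
        return out                                            # spare VTYs disabled as in the notes
    timeout = next((c for c in cmds if c.startswith("exec-timeout ")), None)
    if timeout is None or timeout.startswith("exec-timeout 0 "):
        out.append(f"{name}: exec-timeout not set to a short value")
    if name.startswith("line vty"):
        if "transport input ssh" not in have:
            out.append(f"{name}: transport input is not SSH-only")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            out.append(f"{name}: no inbound access-class restricting management hosts")
    elif name.startswith("line con"):
        if "transport output none" not in have:
            out.append(f"{name}: reverse telnet not disabled ('transport output none')")
        if "login authentication console" not in have:
            out.append(f"{name}: not using the 'console' AAA method list")
    return out

def audit_config(config_text):
    out = []
    for header, cmds in split_stanzas(config_text).items():
        out += audit_interface(header, cmds) if header.startswith("interface ") else audit_line(header, cmds)
    return out

SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/24
 switchport trunk native vlan 2
 switchport trunk allowed vlan 10,20,50,100
 switchport mode trunk
 switchport nonegotiate
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
line con 0
 exec-timeout 5 0
 transport output none
 login authentication console
line vty 0 4
 access-class 1 in
 exec-timeout 5 0
 transport input ssh
line vty 5 15
 no exec
 transport input none
"""

if __name__ == "__main__":
    print(*audit_config(SAMPLE_CONFIG), sep="\n")
```

The unreachables check is deliberately its own finding because, as the packetlife link further up points out, `no ip unreachables` also suppresses the fragmentation-needed messages PMTUD relies on; decide it per interface rather than applying it blindly. IOS can print a long allowed-VLAN list as a first line plus `switchport trunk allowed vlan add ...` continuation lines, which this example does not merge.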
Are VRFs used?
Check out my post on VRF for more information.
Copyright © Packet Passers 2024