Cisco Switch Security Best Practices
This is a summary and command reference for Cisco Switch Security Best Practices from the Cisco CCNP material.
1. Configure secure passwords
- Use the
enable secretcommand to set the enable password - Use external AAA servers for administrative access
- Use the
service password-encryptioncommand to prevent casual observers from seeing password
2. Use the system banner
Use the banner motd command to warn unauthorized users that their actions could be grounds for prosecution. Also do not display any information regarding the network/switch, as this could be used by a malicious user.
3. Use HTTPS for the web interface and restrict access
(config)# ip http secure server
(config)# access-list 10 permit 10.0.99.0 0.0.0.255
(config)# ip http access-class 10
4. Even if you have restricted physical access, use authentication on the console port
(config-line)# login authentication default
OR if you are not using aaa new-model:
(config-line)# login local
5. Restrict access to the VTY lines
(config)# access-list 10 permit 10.0.99.0 0.0.0.255
(config)# line vty 0 15
(config-line)# access-class 10 in
6. Always manually set the port mode (access port)
(config-if)# switchport access vlan (vlan-id)
(config-if)# switchport mode access
7. Use SSH instead of telnet for remote access
(config)# ip domain-name example.com
(config)# crypto key generate rsa
(config)# ip ssh version 2
(config)# line vty 0 15
(config-line)# transport input ssh
8. Do not use SNMP Read/Write (RW) Strings
If you are going to use SNMP, only use RO strings and limit access with an ACL
9. Secure unused switchports
Shutdown unused switchports and place them in a "parking lot" VLAN. You can also use the switchport host command macro to set several parameters
(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
(config-if)#switchport access vlan 888
(config-if)#shutdown
10. Secure STP operation
Enable BPDU guard on access ports
(config-if)# spanning-tree bpduguard enable
11. Secure CDP usage
CDP provide unecessary information on access ports (unless you are using Cisco IP phones, then do not disable)
(config-if)#no cdp enable
12. Prevent VLAN Hopping
OPTION 1: Change the Native VLAN and then Prune the Native VLAN (CDP, PAgp and DTP will still function)
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 800
(config-if)# switchport trunk allowed vlan remove 800
(config-if)# switchport mode trunk
OPTION 2: Force the switch to tag the native VLAN (global cmd, must be done on both switches)
(config)# vlan dot1q tag native