Cisco Switch Security Best Practices

This is a summary and command reference for Cisco Switch Security Best Practices from the Cisco CCNP material.

1. Configure secure passwords

  • Use the enable secret command (not enable password) so that the enable password is stored as a one-way hash
  • Use external AAA servers (TACACS+ or RADIUS) for administrative access
  • Use the service password-encryption command to prevent casual observers from seeing passwords in the configuration; note that it only applies a reversible (type 7) obfuscation, so it is not a substitute for enable secret or AAA

2. Use the system banner

Use the banner motd command to warn unauthorized users that their actions could be grounds for prosecution. Do not display any information about the network or switch (hostname, model, location, software version) in the banner, as a malicious user could make use of it.

3. Use HTTPS for the web interface and restrict access

(config)# ip http secure-server
(config)# no ip http server
(config)# access-list 10 permit (source-address) (wildcard-mask)
(config)# ip http access-class 10

Enabling the HTTPS server does not turn off the plaintext HTTP server, so disable it explicitly. The access-class restricts which source addresses can reach the web interface at all.

4. Even if you have restricted physical access, use authentication on the console port

(config)# line console 0
(config-line)# login authentication default

OR if you are not using aaa new-model (login local requires a local account created with username (name) secret (password)):

(config)# line console 0
(config-line)# login local

5. Restrict access to the VTY lines

(config)# access-list 10 permit (source-address) (wildcard-mask)
(config)# line vty 0 15
(config-line)# access-class 10 in

6. Always manually set the port mode on access ports (so that DTP cannot negotiate a trunk with whatever is plugged in)

(config-if)# switchport access vlan (vlan-id)
(config-if)# switchport mode access

7. Use SSH instead of telnet for remote access

(config)# ip domain-name (domain)
(config)# crypto key generate rsa modulus 2048
(config)# ip ssh version 2
(config)# line vty 0 15
(config-line)# transport input ssh

The RSA key is named after the hostname and domain name, so set the domain name first. SSH version 2 needs a key of at least 768 bits; use 2048. The VTY lines also need login local or an AAA login method (see item 4) for user authentication, and transport input ssh removes telnet from the lines entirely.

8. Do not use SNMP Read/Write (RW) Strings

If you must use SNMP, use only RO community strings and restrict them with an ACL (a compromised RW string lets an attacker rewrite the configuration). SNMPv3 with authentication and privacy is preferable to community strings where the management software supports it.

9. Secure unused switchports

Shut down unused switchports and place them in an unused "parking lot" VLAN. You can also use the switchport host command macro to set several parameters at once:

(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
(config-if)# switchport access vlan 888
(config-if)# shutdown

The three lines after switchport host are the macro's own output, not commands to type.

10. Secure STP operation

Enable BPDU guard on access ports, so that a port that receives a BPDU (from a rogue or misconnected switch) is placed in the err-disabled state instead of taking part in STP. The command below is per interface; the global spanning-tree portfast bpduguard default applies it to all PortFast ports.

(config-if)# spanning-tree bpduguard enable

11. Secure CDP usage

CDP provides unnecessary information about the switch on access ports, so disable it there (unless you are using Cisco IP phones, which depend on CDP; do not disable it on those ports)

(config-if)#no cdp enable

12. Prevent VLAN Hopping

OPTION 1: Change the native VLAN to an otherwise unused VLAN and then prune that VLAN from the trunk (control protocols such as CDP, PAgP and DTP will still function)

(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 800
(config-if)# switchport trunk allowed vlan remove 800
(config-if)# switchport mode trunk

OPTION 2: Force the switch to tag the native VLAN (global command; must be configured on both switches of the trunk)

(config)# vlan dot1q tag native

Both options target the double-tagging attack, which relies on the switch stripping the outer tag of a frame that carries the native VLAN and forwarding it across the trunk with the attacker's inner tag intact. The native VLAN must match on both ends of the trunk. The static access-port setting in item 6 is what prevents the other form of VLAN hopping, an attacker negotiating a trunk through DTP.
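The checklist above is easy to verify by hand on one switch and easy to miss on fifty. The following Python script is an added example, not part of the Cisco material: it parses a saved "show running-config" and reports which of the items above are not met. The two configs inside it are constructed for the demonstration (one deliberately weak, one hardened), the IOS-style syntax it expects is an assumption, and parse_config and audit are hypothetical helper names.

```python
import re

# Constructed sample configs for this demonstration (not taken from the Cisco material).
WEAK_CONFIG = """\
no service password-encryption
enable password cisco
ip http server
snmp-server community private RW
!
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 switchport mode access
!
line vty 0 15
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 9 $9$constructed-hash
ip ssh version 2
ip http secure-server
ip http access-class 10
access-list 10 permit 10.0.0.0 0.0.0.255
snmp-server community monitor RO 10
!
interface GigabitEthernet1/0/1
 switchport access vlan 888
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree bpduguard enable
!
line vty 0 15
 access-class 10 in
 transport input ssh
"""

def parse_config(text):
    """Split a running-config into (global commands, {section header: [sub-commands]})."""
    glob, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current, sections[line] = line, []
        else:
            current = None
            glob.append(line)
    return glob, sections

def audit(text):
    """Return the sorted list of checklist items the config fails (empty = all pass)."""
    glob, sections = parse_config(text)
    gset, findings = set(glob), []
    starts = lambda prefix: any(g.startswith(prefix) for g in glob)

    if not starts("enable secret "):                          # item 1
        findings.append("no 'enable secret' configured")
    if starts("enable password "):
        findings.append("reversible 'enable password' configured")
    if "no service password-encryption" in gset:
        findings.append("service password-encryption is off")
    if "ip http server" in gset:                              # item 3
        findings.append("plaintext 'ip http server' enabled")
    if "ip http secure-server" in gset and not starts("ip http access-class "):
        findings.append("HTTPS server has no 'ip http access-class'")
    if "ip ssh version 2" not in gset:                        # item 7
        findings.append("'ip ssh version 2' not set")
    for g in glob:                                            # item 8
        m = re.match(r"snmp-server community (\S+) RW\b", g)
        if m:
            findings.append(f"SNMP RW community '{m.group(1)}' configured")

    for header, body in sections.items():
        if header.startswith("line vty"):                     # items 5 and 7
            transports = [b for b in body if b.startswith("transport input")]
            if not transports or any("telnet" in t or " all" in t for t in transports):
                findings.append(f"{header}: telnet accepted on transport input")
            if not any(b.startswith("access-class ") and b.endswith(" in") for b in body):
                findings.append(f"{header}: no inbound access-class")
        elif header.startswith("interface ") and "shutdown" not in body:
            name = header.split(" ", 1)[1]                    # items 6, 9, 10
            if "switchport mode access" in body:
                # per-interface BPDU guard only; a global bpduguard default is not detected
                if "spanning-tree bpduguard enable" not in body:
                    findings.append(f"{name}: access port without BPDU guard")
            elif "switchport mode trunk" not in body:
                findings.append(f"{name}: port mode left to DTP negotiation")
    return sorted(findings)
```

Calling audit(WEAK_CONFIG) returns ten findings (one per unmet item, including the RW community and the telnet-capable VTY lines), while audit(HARDENED_CONFIG) returns an empty list; a shut-down port is skipped, since a parked port is the intended state under item 9. The checks are deliberately literal string matches on the config text, so a device whose configuration uses abbreviated or differently ordered keywords will need the patterns adjusted.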