hardening access layer switches / security

Unanswered Question
Aug 4th, 2009

Hi all

Can anyone give me some tips for hardening my Cisco 2960s for the access layer? I won't be using switchport security; I want some best practices, i.e. SSH, STP, etc.


srue Tue, 08/04/2009 - 07:16

Look into root guard, BPDU guard/filter...

Also, statically set switchports:

switchport mode access

switchport nonegotiate

vtp transparent mode

don't use vlan 1, use a different native/mgmt vlan.

enable ssh version 2 only

put an access-class on the vty lines

enable aaa

statically define your spanning-tree root.

disable cdp where appropriate

service password-encryption

set up an ntp/syslog server, then:

service timestamps log datetime msec localtime

...to put timestamps on log messages

shutdown unused ports

those are off the top of my head.

cbeswick Tue, 08/04/2009 - 23:53

Some other ideas for you:

If you don't like port security, try using it with errdisable recovery. This way you can be alerted to the breach, and the port will recover itself in a configurable amount of time (prevents ARP spoofing and DoS attacks).

Dynamic ARP Inspection (prevents man-in-the-middle attacks; now supported on the 2960 with the latest IOS)

IP Source Guard

DHCP Snooping

Private VLANs (great for helping to secure your client access VLANs)

Broadcast / Multicast Suppression.


zubair-shaikh Wed, 08/05/2009 - 00:24

Try this


The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere ("Products") as a public service to Internet users worldwide. Recommendations contained in the Products ("Recommendations") result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for anyone's information security needs.


