hardening access layer switches / security

carl_townshend (Spotlight)

Hi all

Can anyone give me some tips for hardening my Cisco 2960s for the access layer? I won't be using switchport security. I want some best practices, i.e. SSH, STP, etc.

thanks

4 Replies

Reza Sharifi (Hall of Fame)

Look into root guard, BPDU guard/filter...

Also, statically set switchports:
switchport mode access
switchport nonegotiate

VTP transparent mode.

Don't use VLAN 1; use a different native/mgmt VLAN.

Enable SSH version 2 only.

Put an access-class on the vty lines.

Enable AAA.

Statically define your spanning-tree root.

Disable CDP where appropriate.

service password-encryption

Set up an NTP/syslog server, then:
service timestamps log datetime msec localtime
...to put timestamps on log messages.

Shut down unused ports.

Those are off the top of my head.

Some other ideas for you:

If you don't like port security, try using it with err-disable recovery. This way you can be alerted to the breach and the port will recover itself in a configurable amount of time (prevents ARP spoofing and DoS attacks).

Dynamic ARP Inspection (prevents man-in-the-middle attacks; now supported on the 2960 with the latest IOS).

IP Source Guard.

DHCP Snooping.

Private VLANs (great for helping to secure your client access VLANs).

Broadcast/multicast suppression.

HTH.
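Pulling the items from both replies above together, here is an added example (not from the thread or from Cisco) of what that baseline looks like as IOS configuration on a 2960; the VLAN numbers, addresses, interface ranges and the MGMT-HOSTS ACL name are assumed placeholders, and the RSA key for SSH is generated separately with crypto key generate rsa before ip ssh version 2 takes effect.

```cisco
! Added example (not from the thread): a 2960 access-switch baseline that
! applies the items listed above. VLAN ids, addresses, interface ranges and
! the management prefix are placeholders; adjust them before use.
service password-encryption
service timestamps log datetime msec localtime
ip domain-name example.invalid
! SSH v2 only, AAA with a local account, management ACL on the vty lines
ip ssh version 2
aaa new-model
aaa authentication login default local
username admin privilege 15 secret <strong-secret-here>
ip access-list standard MGMT-HOSTS
 permit 10.0.250.0 0.0.0.255
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
! VTP transparent; management on VLAN 250, VLAN 1 left unused
vtp mode transparent
interface Vlan1
 shutdown
interface Vlan250
 ip address 10.0.250.11 255.255.255.0
! Root is pinned on the distribution switch (spanning-tree vlan 1-4094
! root primary); at the access layer, protect the edge ports instead
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
! DHCP snooping, Dynamic ARP Inspection and IP Source Guard on client VLAN 100
ip dhcp snooping
ip dhcp snooping vlan 100
ip arp inspection vlan 100
interface range GigabitEthernet0/1 - 44
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
 ip verify source
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
 no cdp enable
! Unused ports: shut down and parked in a dead VLAN
interface range GigabitEthernet0/45 - 48
 switchport access vlan 999
 shutdown
! Uplink to distribution: trusted for DHCP snooping and DAI
interface GigabitEthernet0/49
 ip dhcp snooping trust
 ip arp inspection trust
ntp server 10.0.250.1
logging host 10.0.250.2
```

Verify the result with show ip dhcp snooping, show ip arp inspection vlan 100 and show spanning-tree summary; DAI and IP Source Guard only work once the snooping binding table is populated, so static hosts on VLAN 100 need ip source binding entries.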

zubair-shaikh (Level 1)

Try this:

http://www.cisecurity.org/bench_cisco.html

The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere ("Products") as a public service to Internet users worldwide. Recommendations contained in the Products ("Recommendations") result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for anyone's information security needs.

HTH
