
Switch and Router Best Practices

cratejockey
Level 1

I figured I would drop this question in here. We are currently working with a client that would like to re-write their configs from scratch as a part of a migration from a flat L2 switched network to a structured VLAN routed network. The client has asked us to provide a best practices list for deploying switches and routers as far as "hardening" the configs. I have used this resource in years past: http://www.cymru.com/gillsr/documents/catalyst-secure-template.htm

Do any of you have a template or checklist that you would care to share? As a consulting firm we are hoping to establish firm policies and standards for our client base.

Thanks ahead of time.

7 Replies

glen.grant
VIP Alumni

autobot130
Level 1

I agree with the best practices as described by the previous post. That is very helpful... a few key points that I think should be added are:

1. Enable spanning-tree root guard, or hard-code the spanning-tree root bridge.

2. BPDU-guard to avoid possible L2 loops if someone plugs in a brainless Netgear switch into two different VLANs.

3. Enable DHCP snooping (if using as an access switch; if someone's workstation becomes a DHCP server... you will see lots of fun there if this isn't enabled).

4. VLAN pruning and VTP domain passwords, so if another out-of-box switch is connected, it is unable to join VTP or modify the existing VLAN database automatically, etc.

5. Port-security for max MAC addresses recorded per port. It will help in preventing MAC flooding DoS and also prevent additional unauthorized switches from being inserted into the network without your knowledge.
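The five items in the list above can be turned into a repeatable check against a config template. The following is an added example, not part of any post in this thread: a small Python audit that assumes the candidate config is plain text in which the IOS commands appear literally; the sample config, names and placeholder values are constructed.

```python
import re

# Constructed sample config (not from the thread): Gi0/1 is hardened, Gi0/2 is not.
SAMPLE_CONFIG = """\
vtp password EXAMPLE-PLACEHOLDER
spanning-tree vlan 10,20 priority 4096
ip dhcp snooping
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/24
 switchport mode trunk
"""

# One regex per global item in the list above; global lines start at column 0.
GLOBAL_CHECKS = {
    "root guard or fixed root bridge":
        r"^ ?spanning-tree (guard root|vlan \S+ (priority \d+|root primary))",
    "DHCP snooping": r"^ip dhcp snooping$",
    "VTP password": r"^vtp password \S+",
    "VTP pruning": r"^vtp pruning$",
}
# Checked on every "switchport mode access" interface (lines indented one space).
ACCESS_CHECKS = {
    "BPDU guard": r"^ spanning-tree bpduguard enable$",
    "port-security": r"^ switchport port-security$",
}

def split_interfaces(config):
    """Map each interface name to the text of its indented sub-commands."""
    blocks = {}
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", config, re.MULTILINE):
        blocks[m.group(1)] = m.group(2)
    return blocks

def audit(config):
    """Return (scope, missing item) pairs for every check that finds no match."""
    findings = [("global", name) for name, rx in GLOBAL_CHECKS.items()
                if not re.search(rx, config, re.MULTILINE)]
    for ifname, body in split_interfaces(config).items():
        if not re.search(r"^ switchport mode access$", body, re.MULTILINE):
            continue  # trunks and routed ports are out of scope for these checks
        findings += [(ifname, name) for name, rx in ACCESS_CHECKS.items()
                     if not re.search(rx, body, re.MULTILINE)]
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports the missing VTP pruning line and the two unhardened settings on GigabitEthernet0/2; an empty list means every check matched.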
