Wednesday 1 March 2017

Cisco Switch Setup Checklist (Best Practice, Hardening etc.)

This is a short list of initial management / setup tasks that can be used as a base template:

Setting up AAA

Setting up remote access (SSH)

Setting up SNMP

Setting up logging / syslog

Automatic configuration backups


Setting up NTP

If (like me) you prefer to disable DNS lookups - you can find the IP addresses of stratum 1 and 2 providers in the NTP Servers UK List linked under Sources below.

(Ideally it's best that the stratum 1 provider takes precedence)

ntp server 81.168.77.149 prefer
ntp server 194.164.127.6
ntp server 194.164.127.4

Hardening / Disabling Unnecessary Services

no ip http server

no ip http secure-server

Ensure there are no vty lines with telnet enabled.

no ip domain-lookup

If you do not need any DHCP services - including DHCP relay (ip helpers) - you can issue:

no service dhcp

Unless you are connecting to an X.25 network - you can safely disable the PAD (packet assembler/disassembler) service:

no service pad

EXEC Timeout: This defines how long an idle session will remain open on a line before you are logged out - by default this is commonly set at 10 minutes - although this should generally be much shorter:

line vty 0
exec-timeout <minutes>

TCP Keepalives: Enabling these allows the switch to identify whether remote connections (inbound or outbound via SSH, Telnet etc.) are still active or not:

service tcp-keepalives-in
service tcp-keepalives-out


Sources:

Cisco Guide to Harden Cisco IOS Devices: http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html#anc19

NTP Servers UK List: http://www.atomic-clock.galleon.eu.com/ntp-servers/time/ntp-servers-uk.html
