Secure 2960 Internet switch

Richard Tapley
Level 3

I have an 8 port Cisco 2960 switch that is directly on the internet (i.e. could have a public IP).

I would like to secure the switch but still be able to monitor it from the inside network through SNMP.

I have been advised by some I trust technically, to IP VLAN 1 (due to LAN design) and connect to internal LAN (e.g. Fa0/1) and then put the other ports into another vlan e.g. 5 with no IP on SVI (as not possible to IP the SVI on default SDM template).

I understand this will protect the admin LAN as traffic cannot route from 1 VLAN to the other as no routing capability but I can still monitor the switch through SNMP via the VLAN 1 interface.

I have turned off HTTP and set ACLs on the SNMP and SSH, is there anything specific I should include to ensure the switch is as secure as possible?

On a router I would configure Zone based firewall but don't believe it is possible on a switch.

3 Replies

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

I'm unable to find exactly what I'm looking for, but on Cisco's main web site, they do have information on "best practices" for securing or hardening a device.

W Greggs
Community Member

Hi,

The multiple VLAN (internal and external) with the SVI on the internal VLAN I would also recommend as the safest approach. Do you have to manage the device from the big bad internet?

If you have to manage it with a Public IP then take a look at the 2960 configuration guide (I picked 12.2(50)SE) or this other one related to device hardening.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_50_se/configuration/guide/scg.html

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Hi, thanks for the reply and confirmation that I am on the right track.

There is no need to manage from the internet.

On the basis there is no need to manage it from the internet am I right in assuming that I only need to then protect it from internal potential issues?

For good measure and learning 🙂 I have done the following on each port:

switchport access vlan 333
switchport mode access
switchport nonegotiate
switchport port-security maximum 5
switchport port-security
no cdp enable
no vtp
spanning-tree portfast edge
spanning-tree bpduguard enable

On the interface to the admin lan I have configured an ACL and applied via "ip access-group xxxx in"

I have configured SSH and SNMP with ACLs.

My biggest concern is unauthorized access (a little paranoid) to the admin network but with the fact there is no IP on the VLAN 333 which external devices connect to and no CDP will be going out those ports there should be extremely little to no risk?

Many thanks