08-04-2009 07:05 AM - edited 03-06-2019 07:04 AM
Hi all
Can anyone give me some tips for hardening my Cisco 2960s for the access layer? I won't be using switchport security; I want some best practices, i.e. SSH, STP, etc.
thanks
08-04-2009 07:10 AM
Hi Carl,
Take a look at this link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
HTH
Reza
08-04-2009 07:16 AM
look into root guard, BPDU guard/filter...
also, statically set switchports:
switchport mode access
switchport nonegotiate
VTP transparent mode
don't use VLAN 1, use a different native/mgmt VLAN.
enable SSH version 2 only
put an access-class on the vty lines
enable AAA
statically define your spanning-tree root.
disable CDP where appropriate
service password-encryption
set up an NTP/syslog server, then:
service timestamps log datetime msec localtime
...to put timestamps on log messages
shutdown unused ports
those are off the top of my head.
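The items in this reply pulled together into one 2960 access-switch configuration, as an added example that is not from the thread or from Cisco documentation. The hostname, the VLAN numbers (10 users, 99 management, 666 parking, 999 unused native), the MGMT-HOSTS ACL, the 10.10.0.0/24 management subnet, the NTP and syslog addresses, and the 48 FastEthernet plus GigabitEthernet0/1 uplink layout are all assumptions; adjust them to the network.

```cisco
! Added example (not from the thread): 2960 access-switch baseline.
! Names, VLAN numbers and addresses below are assumed placeholders.
hostname ACC-SW-01
!
! SSH version 2 only. A domain name must exist before the RSA key is
! generated; the key itself does not appear in the running-config.
ip domain-name example.local
crypto key generate rsa modulus 2048
ip ssh version 2
!
! AAA with a local account. "secret" stores a hash; service
! password-encryption only obscures any remaining type-7 passwords.
aaa new-model
aaa authentication login default local
username netadmin privilege 15 secret CHANGE-ME-placeholder
enable secret CHANGE-ME-placeholder
service password-encryption
!
! Only the management subnet may reach the VTY lines, and only over SSH.
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
 deny any log
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! VTP transparent: the switch neither accepts nor advertises VLAN
! database changes from a VTP server (rogue or otherwise).
vtp mode transparent
!
! Rapid PVST+. The root is pinned on the distribution switch with
! "spanning-tree vlan 10,99 root primary", not here; access ports get
! PortFast and BPDU Guard by default so a host-side switch is shut off.
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Management on its own VLAN; VLAN 1 carries nothing and its SVI is down.
vlan 10
 name USERS
vlan 99
 name MGMT
vlan 666
 name PARKING
vlan 999
 name NATIVE-UNUSED
interface Vlan1
 shutdown
interface Vlan99
 ip address 10.10.0.11 255.255.255.0
!
ip default-gateway 10.10.0.1
!
! Uplink: explicit trunk, no DTP, unused native VLAN, only needed VLANs.
interface GigabitEthernet0/1
 description UPLINK-TO-DIST
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,99
 switchport mode trunk
 switchport nonegotiate
!
! User ports: static access, no DTP negotiation, no CDP toward the desk.
interface range FastEthernet0/1 - 24
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 no cdp enable
!
! Unused ports: parked in a dead VLAN and shut down.
interface range FastEthernet0/25 - 48
 description UNUSED
 switchport access vlan 666
 switchport mode access
 shutdown
!
! Time sync and remote logging with millisecond, zone-stamped timestamps.
clock timezone UTC 0
ntp server 10.10.0.5
service timestamps log datetime msec localtime show-timezone
logging host 10.10.0.6
logging trap informational
```

After applying it, `show ip ssh` should report version 2.0 only, `show vtp status` should show transparent mode, and `show spanning-tree summary` should show PortFast and BPDU Guard enabled by default with the root bridge ID belonging to the distribution switch rather than this one.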
08-04-2009 11:53 PM
Some other ideas for you :
If you don't like port security, try using it with error-disable recovery. This way you can be alerted to the breach and the port will recover itself in a configurable amount of time (prevents ARP spoofing and DoS attacks).
Dynamic ARP Inspection (prevents man-in-the-middle attacks; now supported on the 2960 with the latest IOS)
IP Source Guard
DHCP Snooping
Private VLANs (great for helping to secure your client access VLANs)
Broadcast / Multicast Suppression.
HTH.
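The first-hop protections listed in this reply as one configuration, added here as an example that is not from the thread or from Cisco documentation. It assumes users in VLAN 10, GigabitEthernet0/1 as the uplink toward the DHCP server, FastEthernet0/1-24 as user ports, and a 2960 IOS recent enough to support Dynamic ARP Inspection as the reply says; the rate limits, the 300-second recovery interval and the 10 percent storm-control thresholds are illustrative values.

```cisco
! Added example (not from the thread): first-hop protections on a 2960.
! VLAN 10, Gi0/1 as uplink and Fa0/1-24 as user ports are assumptions.
!
! Error-disable recovery: a violation shuts the port, syslog/SNMP report
! it, and the port returns to service on its own after 300 seconds.
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
snmp-server enable traps port-security
!
! DHCP snooping builds the binding table that DAI and IP Source Guard
! consult. Writing it to flash keeps bindings across a reload so hosts
! with existing leases are not cut off when the switch comes back.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-snooping.db
!
! Dynamic ARP Inspection on the user VLAN with extra sanity checks.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Only the uplink is trusted for DHCP server replies and ARP.
interface GigabitEthernet0/1
 description UPLINK-TO-DIST
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ! Port security: two MACs per port (PC plus phone), non-sticky, with
 ! inactivity aging so a moved device frees its slot after 5 minutes.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 ! Rate-limit DHCP and ARP from the host side; exceeding the limit
 ! err-disables the port, which the recovery timers above undo.
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! IP Source Guard: drop IP packets whose source address and port do not
 ! match a DHCP snooping binding.
 ip verify source
 ! Protected ports: hosts on this switch cannot reach each other at
 ! layer 2 (the 2960's PVLAN-edge feature; full private VLANs need a
 ! larger platform).
 switchport protected
 ! Broadcast/multicast suppression at 10 percent of bandwidth, with a
 ! trap rather than a shutdown so a chatty host is reported, not cut off.
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
 storm-control action trap
```

Two things to check before enabling this on live ports: `show ip dhcp snooping binding` must already list the hosts you expect, because DAI and `ip verify source` drop traffic from anything not in that table, and any host with a static address needs a manual `ip source binding` entry (and an ARP ACL for DAI) or it will be cut off. `show errdisable recovery` and `show port-security interface` confirm the recovery causes and the per-port violation state.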
08-05-2009 12:24 AM
Try this
http://www.cisecurity.org/bench_cisco.html
The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere ("Products") as a public service to Internet users worldwide. Recommendations contained in the Products ("Recommendations") result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for anyone's information security needs.
HTH