securing my switches

amralrazzaz
Level 5

Hi all. I need to know what the best security practice is for my config below on the switch, according to the network diagram I have (ISP---ASA---Router---SW1----SW2). I'm using PVST between SW1 and SW2 and divided the VLANs between these 2 cables, primary and secondary. My questions are (check attached):

1- Is the configuration below for the access port fine and fully secured, or shall I modify it or add/delete some commands?
2- For the trunk ports between the switches (1 and 2), how do I secure these ports, or are they already secured? (PVST is configured between the switches.)
3- Shall I add portfast, guard root, port-security or any protection commands on the trunk ports connected between switches 1 & 2?
4- In general, are there any additional commands to add on both switches for more security?
5- I'm using VTP v2; how can I switch it to v3? I need the commands to add directly on both switches (I have SW1 as VTP server and SW2 as VTP client).
----
C2960X-SW1#show run
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C2960X-SW1
!
boot-start-marker
boot-end-marker
!
logging buffered 32768 informational
logging rate-limit 10
logging console warnings
enable secret 5 xxxxxx
!
username xxx privilege 15 secret 5 xxxxxxx
no aaa new-model
clock timezone EET 2 0
switch 1 provision ws-c2960x-24ps-l
!
!
no ip domain-lookup
ip domain-name Exx.xxx.local
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
spanning-tree vlan 1,x-8,xx-1x,xx-xx,xx-49,xx-x4,56-4094 priority 4096
spanning-tree vlan x-x,x,xx,xx,xx,xx priority 28672
!
!
!
!
!
errdisable recovery cause psecure-violation
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh version 2
ip scp server enable
!
!
!
!
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
description LAN-vlan2-vlan200-voice
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!


!
interface GigabitEthernet1/0/18
description Connected-to-SW2
switchport trunk native vlan xx
switchport mode trunk
!
interface GigabitEthernet1/0/19
description Connected-to-SW2
switchport trunk native vlan xx
switchport mode trunk
!
interface GigabitEthernet1/0/20
description Connected-to-2911Router
switchport trunk native vlan xx
switchport mode trunk
!


!

!
interface Vlan1
no ip address
shutdown
!
interface Vlan250
description MGMT
ip address 10.xx.xx.10 xx5.2xx.xx.0
!
ip default-gateway 10.xx.xx.xx
ip http server
ip http secure-server
!
!
ip access-list standard xxxxxx
permit x.x.x.x
ip access-list standard management
permit x.x.x.x
permit x.x.x.x
permit x.x.x.x x.x.x.x
deny any
logging trap notifications
logging source-interface Vlan2xx
logging host x.x.x.x
!
snmp-server community xxx RO xxxx
snmp-server location xxx DownTown EQUIPROOM PRTG
snmp-server contact D&O ICT Technology
snmp-server chassis-id C2960X-SW1
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps license
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps cluster
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps power-ethernet group 1
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps rep
snmp-server enable traps vstack
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps errdisable
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host x.x.x.x informs version 2c xxxx
snmp-server host x.x.x.x version 2c xxx
!

line con 0
password 7 xxxxx
login
line vty 0 4
location RemoteConnection
exec-timeout 15 0
logging synchronous
login local
transport input ssh
escape-character 3
line vty 5 15
location RemoteConnection
exec-timeout 15 0
logging synchronous
login local
transport input ssh
escape-character 3
!
ntp source Vlan2xx
ntp server xxxxxxx
ntp server xxxxxx
ntp server xxxxxx
ntp server xxxxxxx
ntp server xxxxxxxx
end


amr alrazzaz

Deepak Kumar
VIP Alumni

Hi,

There are multiple options and features for security in a switched environment, but it completely depends on your network design and requirements. Let me share a few options here:

1. I can see that you have configured "spanning-tree guard root" on the access switch, but it is not a feature for the access port. It protects against an undesired switch becoming the root bridge, so you need to enable this feature on the ports of your root bridge that go toward the downstream switch. Root guard ensures that the port on which it is enabled is the designated port.

2. I can see that your two ports are connected between SW1 and SW2, so enable a port-channel (EtherChannel) between both switches.

3. For a more secure connection between SW1 and SW2, you can use the MACsec security feature. Again, it completely depends on your environment and available resources. I can't see the root guard feature being beneficial, because I can see you have two root bridges for different VLANs, so it will cause an issue for you.

4. There are multiple First Hop Security feature sets for Layer 2 networks, such as DHCP snooping, ARP inspection, etc. You can use dot1x authentication on switch ports, and also for switch login. You can use aaa new-model for login.

5. For the VTP version change you can use the following commands:

    vtp domain domain-name
    vtp version 3
    vtp mode {server | client | transparent | off}

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
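The reply's points 1, 4 and 5 written out as SW1 configuration. This is an added example, not configuration from the original post or from the reply. Assumptions: VLANs 2 and 200 are the data and voice VLANs shown in the post; the DHCP server and default gateway sit behind the 2911 on Gi1/0/20; the VTP domain name CORP, the VTP password and the static host in the ARP ACL are placeholders to replace with real values; the poster's IOS 15.0 image supports VTP v3. Root guard is left off, following the reply's point 3.

```cisco
! SW1 (C2960X) - added example, not the poster's running config
!
! Point 1: access port. Keep PortFast + BPDU Guard, drop root guard.
! BPDU Guard already errdisables the port on any received BPDU, and root
! guard on the SW1<->SW2 links would break the VLANs SW2 is root for.
interface GigabitEthernet1/0/1
 description LAN-vlan2-vlan200-voice
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 200
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 storm-control broadcast level 2.00
 storm-control multicast level 2.00
 spanning-tree portfast
 spanning-tree bpduguard enable
 no spanning-tree guard root
! Per-port DAI / DHCP snooping rate limits for an untrusted host port
! (15 pps is the DAI default made explicit; 10 pps for DHCP is an assumption)
 ip arp inspection limit rate 15
 ip dhcp snooping limit rate 10
!
! Point 4: first-hop security. Enable globally, then trust ONLY the uplinks;
! without trusted uplinks the DHCP offers coming from behind the router are
! dropped and no host gets an address.
ip dhcp snooping
ip dhcp snooping vlan 2,200
! Do not insert option 82: a relay/server that does not expect it drops the
! request
no ip dhcp snooping information option
ip arp inspection vlan 2,200
ip arp inspection validate src-mac dst-mac ip
!
! Trust the links toward SW2 and the router. If these two links are later
! bundled into a Port-channel, put the trust on the Port-channel interface.
interface range GigabitEthernet1/0/18 - 19
 ip dhcp snooping trust
 ip arp inspection trust
interface GigabitEthernet1/0/20
 ip dhcp snooping trust
 ip arp inspection trust
!
! Hosts with static addresses have no snooping binding, so DAI drops their
! ARP unless an ARP ACL permits them (assumed sample host):
arp access-list STATIC-HOSTS
 permit ip host 10.1.2.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 2
!
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
!
! Point 4 (login): local AAA instead of "login local" on each line.
! Caveat: the console line also moves to the default list; keep a second
! SSH session open until a fresh login has succeeded.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Point 5: VTP v2 -> v3. The domain (and optionally a hidden password) must
! be set before the version can be raised. Apply on both switches.
vtp domain CORP
vtp password S3cret hidden
vtp version 3
vtp mode server
!
! SW2 (client) gets the same domain, password and version, then:
! vtp mode client
!
! In v3 a "server" is only secondary until promoted. Promote SW1 from
! privileged EXEC (this is not a config line). Afterwards only the primary
! server can push VLAN changes, so a stray switch with a higher revision
! number can no longer overwrite the VLAN database as it could in v1/v2:
! C2960X-SW1# vtp primary vlan
```

Check the result with `show ip dhcp snooping`, `show ip arp inspection interfaces` (only Gi1/0/18-20 should read Trusted) and `show vtp status` on both switches (version 3, SW1 listed as primary server after the promotion).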

3. For a more secure connection between SW1 and SW2, you can use the MACsec security feature. Again, it completely depends on your environment and available resources. I can't see the root guard feature being beneficial, because I can see you have two root bridges for different VLANs, so it will cause an issue for you.

- So there is no need for root guard to be enabled in my case on the trunk ports between SW1 and SW2, because both are root bridges for different VLANs? Am I correct?

- In that case, is there any additional command for security to be configured under these 4 trunk ports between SW1 and SW2?

- Can you please guide me on how to create an EtherChannel for these 2 trunk ports connected between SW1 and SW2, on both sides? What kind of commands do I add?

- How do I configure DAI, and should this be enabled on each access port, or can it be configured in global mode?

- Regarding these 2 commands (no cdp enable and switchport nonegotiate), what is their purpose, and where exactly, if needed, shall I configure them (on access ports and trunks as well, or where exactly)? Thanks, please check the attached diagram.

amr alrazzaz
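The follow-up asks how to build the EtherChannel on both sides, what else belongs on the trunk ports, where DAI attaches once the links are bundled, and what `switchport nonegotiate` and `no cdp enable` do. The configuration below is an added example and is not from either poster. Assumptions: Port-channel1 with LACP; VLAN 999 is a VLAN that carries no hosts and is reserved for the trunk native VLAN; 2, 200 and 250 are the VLANs visible in the post (extend the allowed list to every VLAN that must cross the link); Gi1/0/2 is an assumed data-only host port used to show where the two commands go.

```cisco
! SW1 side - added example, not from either poster. SW2 mirrors this with
! its own port numbers and descriptions.
!
! 1. EtherChannel. Members must carry identical switchport settings or IOS
!    refuses to bundle them: set the physical ports, add channel-group,
!    then configure the Port-channel interface (members inherit from it).
interface range GigabitEthernet1/0/18 - 19
 description Connected-to-SW2 (Po1 member)
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,200,250
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
!
interface Port-channel1
 description SW1-SW2 LACP bundle
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,200,250
 switchport mode trunk
 switchport nonegotiate
! DHCP snooping / DAI trust is configured on the Po, not on the members;
! DAI itself is enabled globally per VLAN, only trust is per port.
 ip dhcp snooping trust
 ip arp inspection trust
!
! 2. Router uplink: same trunk hygiene, no bundle.
interface GigabitEthernet1/0/20
 description Connected-to-2911Router
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,200,250
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! The native VLAN is created explicitly so untagged frames on the trunks
! land in a VLAN with no hosts instead of VLAN 1.
vlan 999
 name NATIVE-UNUSED
!
! 3. "switchport nonegotiate" stops DTP on a port whose mode is fixed
!    (access or trunk), so a device plugged in cannot negotiate a trunk
!    and hop VLANs; it is rejected on "dynamic" ports. "no cdp enable"
!    stops the port announcing platform, IOS version and addresses to
!    whatever is attached. Put both on user-facing access ports that have
!    no Cisco phone. Gi1/0/1 keeps CDP because a Cisco phone learns voice
!    VLAN 200 from it, and Po1/Gi1/0/20 keep CDP toward known infrastructure.
interface GigabitEthernet1/0/2
 description data-only host port (assumed)
 switchport access vlan 2
 switchport mode access
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 4. Root guard stays OFF Po1: each switch is root for some VLANs, so the
!    neighbour's BPDUs are legitimately superior for those VLANs and root
!    guard would drive Po1 root-inconsistent for them. It belongs on a
!    designated port toward a switch that must never be root; there is no
!    such port in the ISP-ASA-Router-SW1-SW2 diagram.
!
! Verification after applying on both switches:
!   show etherchannel summary             Po1 flagged (SU), members (P)
!   show interfaces trunk                 native 999, allowed 2,200,250
!   show ip dhcp snooping                 trusted: Po1, Gi1/0/20
!   show ip arp inspection interfaces     Po1, Gi1/0/20 Trusted; rest Untrusted
!   show spanning-tree inconsistentports  should list nothing
```

Apply the member-port settings on both switches before adding `channel-group` on the second side; if the two ends disagree on native or allowed VLANs, LACP leaves the members unbundled (flag I or s in `show etherchannel summary`) rather than forming a mismatched trunk.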