Re: Security for Cisco 3650 from Attack

CSCO12094806 · ‎06-07-2018

Hi, we are in the process of rebuilding our datacenter.

we are planning to use Cisco 3650 switch (WS-C3650-24TD-S, with UNIVERSAL ios) will handle the L2 role (only vlan switching).

HL Network Diagram is attached below.

all devices have ha (two perimeter firewall, two 3650 switch, 2 vmware host server).

internal /data-center firewall as a virtual firewall running on vmware cluster, and its handle data-center intervlan routing (Vlan 110, 120, 140).

So CISCO 3650 only take Layer2 role (Vlan Tagging).

KINDLY HELP US /ADVICE HOW WE CAN PROTECT OUR INTERNAL SWITCH FROM ATTACK (like DoS /suggest possible protections to internal switch for our design)

Julio E. Moisa · ‎06-07-2018

Hi,

You can:

- configure storm-control under the interfaces

- configuring CoPP policy https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-1/configuration_guide/b_161_consolidated_3650_cg/b_161_consolidated_3650_cg_chapter_010001101.pdf

Hope it is useful

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Francesco Molino · ‎06-07-2018

Hi

In addition to what Julio said, you can harden your switch using different features like:
- storm-control
- CoPP policy for traffic
- Control-plan host to force only a dedicated interface as management with specific features..
- ....

Take a look on official Cisco doc: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Security for Cisco 3650 from Attack

Port-Security - Configuração Básica

回复：【原创】Cisco Catalyst 9300, 9200, 3650, 3850等 Switch密码恢复

Cisco DNA Center : Stealthwatch Security Analyticsについて

Cisco ASA5525, ASA5545 & ASA5555 Series Security ApplianceのEOLについて

Cisco Security Connector(Umbrella/iOS Clarity)をMeraki MDMでDeployする方法