Providing Network Professionals The Edge

Cisco Switch Security Checklist

What do you think of this post?
  • Interesting 
  • Sucks 
  • Awesome 
  • Useful 
  • Boring 

Security is a basic consideration which should always be kept in mind when building, engineering and deploying voice and data networks of any size.  The following is a quick checklist to reference for very basic router security.

-Physical Security

-Set Logon and Passwords

-Disable the web server(s) (i.e. http and https)

-(config)#no ip http server (no ip http secure)

-Limit the remote access subnets (access-list)

-Use SSH whenever possible

-Configure logging

-(config)#logging buffered 64000
-#show logging

-(config)#logging A.B.C.D (IP address of Syslog server ex. Kiwi Syslog)

-Limit CDP reach (when possible – required for IP phones).  CDP broadcasts being sent out by switch every 60 seconds which can be sniffed with all switch information.

-(config)#no cdp run

-(config-if)#no cdp enable

-Use BPDU Guard on portfast ports.  If a BPDU is detected by the switch on the port it will shut the port down since ‘portfast’ ports should not have other switches connected to them.

-(config-if)#spanning-tree bpduguard (Don’t accept BPDUs on this interface)

**BPDU Filter:  Do not send or receive BPDUs on the interface.  It will ignore BPDUs coming into the port; can be dangerous since detection is not available with BPDU filter turned on.

Sign Up for Free UoverIP Learning Letters

  • UC Networking Tips and How-To's
  • Useful links to Unified Communication resources
  • Detailed Tutorials on configuring Cisco systems and integrations
  • UC Tools and Tricks of the Trade - applications, software and more

Whatcha waiting for?

About Behzad Munir

Behzad Munir, P.Eng, is a Voice Solutions Consultant working in Toronto, Canada

%d bloggers like this: