Portfolio Website of CCIE Jiwan

Comprehensive approach for router and switch configuration hardening:

Below are the general practices, illustrated with Cisco IOS commands.
  1. Disable Unused Services and Interfaces
  • Disable unnecessary services like HTTP, Telnet, FTP and SNMP (if SNMP is required for monitoring, keep it enabled and restrict it to SNMPv3 as shown in section 8)

no ip http server
no ip http secure-server
no ip telnet server
no ip ftp server
no snmp-server

  • Shut down unused interfaces and switch ports

interface <interface>
 shutdown

  2. Enable Secure Management Access
  • Configure SSH for remote management (transport input ssh restricts the VTY lines to SSH, which also disables Telnet access on them)

ip domain-name <domain-name>
crypto key generate rsa modulus 2048
line vty 0 15
 transport input ssh

  • Implement strong passwords

enable secret <password>
line console 0
 password <password>
 login

  3. Implement Access Control
  • Configure Access Control Lists (ACLs) to restrict traffic (a standard ACL such as number 10 matches on source address only; use an extended ACL, numbered 100-199, if you also need to match on destination)

access-list 10 permit <source-network> <wildcard-mask>
interface <interface>
 ip access-group 10 in

  • Enable port security on switches (the port must be a static access port before port security can be enabled)

interface <interface>
 switchport mode access
 switchport port-security
 switchport port-security violation shutdown
 switchport port-security maximum 1
 switchport port-security mac-address sticky

  4. Configure Logging and Monitoring
  • Set up logging

logging host <syslog-server-ip>
logging trap <severity-level>
logging buffered <buffer-size>

  • Enable service timestamps

service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime

  5. Secure Routing and Switching Protocols
  • Enable Unicast Reverse-Path Forwarding (this is strict-mode uRPF: apply it only on interfaces where return traffic arrives on the same interface, otherwise legitimate traffic is dropped where routing is asymmetric)

interface <interface>
 ip verify unicast reverse-path

  • Disable IP source-route and directed broadcast

no ip source-route
interface <interface>
 no ip directed-broadcast

  6. Implement VLAN Security
  • Separate network segments using VLANs

vlan <vlan-id>
 name <vlan-name>
interface <interface>
 switchport mode access
 switchport access vlan <vlan-id>

  7. Configure Authentication, Authorization, and Accounting (AAA)
  • Set up AAA (local-case authenticates against case-sensitive local usernames, so define at least one local user before enabling it or you will lock yourself out)

username <username> secret <password>
aaa new-model
aaa authentication login default local-case
aaa authentication enable default enable

  8. Secure Management Protocols
  • Configure SNMPv3 with strong authentication and encryption (on devices that need SNMP monitoring, use this in place of the no snmp-server from section 1)

snmp-server group <group-name> v3 priv
snmp-server user <username> <group-name> v3 auth sha <auth-password> priv aes 128 <priv-password>

  9. Implement Additional Security Features
  • Enable DHCP snooping (snooping only takes effect on the VLANs you list; mark only the uplink toward the legitimate DHCP server as trusted and leave access ports untrusted)

ip dhcp snooping
ip dhcp snooping vlan <vlan-id>
interface <interface>
 ip dhcp snooping trust

  • Configure STP protection (BPDU Guard error-disables a PortFast edge port that receives a BPDU)

spanning-tree portfast bpduguard default

  10. Regular Maintenance
  • Keep firmware up-to-date
  • Regularly review and update security measures

Remember to test these configurations in a lab environment before applying them to production systems.

Adapt the commands to your specific network requirements and device configurations.
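As an added example (not part of the original page or its author's material), the following Python script checks a captured running-config against several of the controls above: HTTP server disabled, IP source routing off, AAA and an enable secret present, syslog and timestamps configured, DHCP snooping and BPDU Guard enabled, every VTY line restricted to SSH, and every active access port carrying port security. The embedded sample configuration is constructed for illustration and deliberately leaves a few controls unhardened; the device name, addresses and hashes in it are placeholders.

```python
from collections import OrderedDict

# Constructed sample running-config of a hypothetical access switch; a few
# controls are deliberately left unhardened so the audit produces findings.
SAMPLE_CONFIG = """\
service timestamps log datetime msec show-timezone localtime
aaa new-model
enable secret 9 $9$constructed-hash
ip http server
no ip http secure-server
no ip source-route
ip dhcp snooping
ip dhcp snooping vlan 10
logging host 192.0.2.10
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/24
 shutdown
line vty 0 4
 transport input ssh telnet
line vty 5 15
 transport input ssh
"""

# Global commands the checklist expects (matched exactly or as a prefix).
REQUIRED_GLOBAL = [
    "no ip http server",
    "no ip http secure-server",
    "no ip source-route",
    "aaa new-model",
    "enable secret",
    "service timestamps log datetime",
    "logging host",
    "ip dhcp snooping",
    "spanning-tree portfast bpduguard default",
]

# Global commands that contradict the checklist when present.
FORBIDDEN_GLOBAL = [
    "ip http server",
    "snmp-server community",  # SNMPv1/v2c community string instead of SNMPv3
]


def _matches(line, command):
    """True if `line` is `command` itself or `command` followed by arguments."""
    return line == command or line.startswith(command + " ")


def parse_ios(config_text):
    """Split an IOS config into (global commands, blocks), where blocks maps a
    header such as 'interface GigabitEthernet1/0/2' or 'line vty 0 4' to the
    list of its indented child commands."""
    global_cmds, blocks, current = [], OrderedDict(), None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t":          # indented: belongs to the current block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, blocks


def audit(config_text):
    """Return a list of human-readable findings; an empty list means compliant."""
    global_cmds, blocks = parse_ios(config_text)
    findings = []
    for want in REQUIRED_GLOBAL:
        if not any(_matches(g, want) for g in global_cmds):
            findings.append(f"missing global command: {want}")
    for bad in FORBIDDEN_GLOBAL:
        findings += [f"insecure global command present: {g}"
                     for g in global_cmds if _matches(g, bad)]
    for header, body in blocks.items():
        if header.startswith("line vty"):
            # Exactly one transport statement, and it must allow only SSH.
            transports = [b for b in body if b.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings.append(f"{header}: transport input not restricted to ssh")
        elif header.startswith("interface") and "shutdown" not in body:
            if "switchport mode access" in body and "switchport port-security" not in body:
                findings.append(f"{header}: access port without port-security")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the enabled HTTP server (once as a missing `no ip http server` and once as a forbidden command), the VTY range that still accepts Telnet, and the access port without port security; shut-down interfaces are skipped because section 1 already covers them. Feed it `show running-config` output saved to a file to audit a real device.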
