The generic security configuration used within Cisco CatOS switches is described in the following steps:
Step 1. Shut down all unneeded services by issuing the following commands:

    set ip http server disable
    set cdp disable
Step 2. Set passwords and access restrictions, and enable AAA. To set the login and enable passwords, use the following:

    set password
    set enablepass

Set access restrictions (restrict Telnet to the management host) with the following commands:

    set ip permit enable telnet
    set ip permit management-host-address 255.255.255.255 telnet

Enable AAA (TACACS+ authentication, authorization and accounting, with local fallback) with the following:

    set tacacs server tacacs-server-address
    set tacacs key key
    set authentication login local enable
    set authentication login tacacs enable
    set authorization exec enable tacacs+ none both
    set accounting exec enable start-stop tacacs+
Step 3. Turn on logging and SNMP capability. To enable syslog, use the following commands:

    set logging server syslog-server-address
    set logging server enable
    set logging timestamp enable

To enable SNMP (read-only, restricted to the management host), use the following commands:

    set snmp community read-only community-string
    set ip permit enable snmp
    set ip permit management-host-address snmp
Step 4. Enable and secure NTP with these commands:

    set ntp authentication enable
    set ntp key 1 trusted md5 ntp-key
    set ntp trusted-key 1
    set ntp server ntp-server-address key 1
    set ntp client enable
Step 5. Enable the use of a banner message with the following:

    set banner motd # Banner Message Text #

Refer to Example B-1 to see a typical banner text message.
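The five steps above are easiest to enforce if the switch configuration is audited rather than trusted. The following script is an added example, not part of this appendix and not Cisco code: it reads a CatOS configuration dump (the output of show config) and reports which hardening steps are not satisfied. The command syntax matched is the CatOS syntax used in the steps above; the sample configuration, the check names and the placeholder values (addresses, keys, hashes) are constructed for this example.

```python
"""Audit a Cisco CatOS configuration dump against the five hardening steps.

Added example (not from the appendix or from Cisco): the command syntax is the
CatOS syntax used in the steps above, the sample configuration is constructed,
and the check names are this example's own.
"""
import re
from typing import Dict, List, Tuple

# Lines that a hardened CatOS configuration must contain (one regex per check).
REQUIRED_LINES: List[Tuple[str, str]] = [
    ("http_server_disabled",     r"^set ip http server disable\b"),
    ("cdp_disabled",             r"^set cdp disable\b"),
    ("enable_password_set",      r"^set enablepass \S"),
    ("telnet_ip_permit_enabled", r"^set ip permit enable (?:telnet|all)\b"),
    ("telnet_ip_permit_entry",   r"^set ip permit \d+\.\d+\.\d+\.\d+(?: \d+\.\d+\.\d+\.\d+)? (?:telnet|all)\b"),
    ("tacacs_server_defined",    r"^set tacacs server \S+"),
    ("tacacs_key_defined",       r"^set tacacs key \S+"),
    ("login_auth_tacacs",        r"^set authentication login tacacs enable\b"),
    ("syslog_server_defined",    r"^set logging server \d+\.\d+\.\d+\.\d+"),
    ("syslog_timestamps",        r"^set logging timestamp enable\b"),
    ("snmp_ip_permit_enabled",   r"^set ip permit enable (?:snmp|all)\b"),
    ("ntp_authentication",       r"^set ntp authentication enable\b"),
    ("ntp_server_keyed",         r"^set ntp server \S+ key \d+"),
    ("banner_motd_set",          r"^set banner motd \S"),
]

# Well-known default community strings that must not remain configured.
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_lines(config_text: str) -> List[str]:
    """Return non-empty, non-comment config lines with whitespace normalized."""
    lines = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        # CatOS dumps carry "#version ..." style header lines; skip those and blanks.
        if not line or line.startswith(("!", "#")):
            continue
        lines.append(line)
    return lines


def audit_catos_config(config_text: str) -> Dict[str, bool]:
    """Map each check name to True (satisfied) or False (finding)."""
    lines = parse_lines(config_text)
    results: Dict[str, bool] = {}
    for name, pattern in REQUIRED_LINES:
        regex = re.compile(pattern, re.IGNORECASE)
        results[name] = any(regex.match(line) for line in lines)
    # SNMP: at least one community must be set, and none may be a well-known default.
    community_re = re.compile(
        r"^set snmp community (?:read-only|read-write|read-write-all) (\S+)", re.IGNORECASE)
    communities = [m.group(1) for m in map(community_re.match, lines) if m]
    results["snmp_community_not_default"] = bool(communities) and not any(
        c.lower() in DEFAULT_COMMUNITIES for c in communities)
    return results


def failed_checks(config_text: str) -> List[str]:
    """Names of the hardening checks the configuration does not satisfy, sorted."""
    return sorted(name for name, ok in audit_catos_config(config_text).items() if not ok)


# Constructed sample of a partially hardened switch (not any real device's config).
SAMPLE_CONFIG = """\
#version 8.4(1)
set ip http server enable
set cdp enable
set password $2$constructed-hash
set enablepass $2$constructed-hash
set ip permit enable telnet
set ip permit 10.0.0.5 255.255.255.255 telnet
set tacacs server 10.0.0.10
set tacacs key constructed-tacacs-key
set authentication login local enable
set authentication login tacacs enable
set authorization exec enable tacacs+ none both
set accounting exec enable start-stop tacacs+
set logging server 10.0.0.20
set logging server enable
set logging timestamp enable
set snmp community read-only public
set ntp key 1 trusted md5 constructed-ntp-key
set ntp server 10.0.0.30 key 1
set ntp client enable
set banner motd # Authorized users only #
"""

if __name__ == "__main__":
    for finding in failed_checks(SAMPLE_CONFIG):
        print("FAIL:", finding)
```

Run against the sample, the script flags the HTTP server and CDP still enabled, the default SNMP community, the missing SNMP permit list and the missing NTP authentication; everything from Steps 2 and 5 passes. Because CatOS show config omits defaults, absence of a line is treated as a finding, which is the safe reading for services such as CDP that are on by default.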
Remember that the commands and configurations shown in this appendix are only examples of generic security hardening for Cisco routers and switches and by no means define the limits to which these devices can be secured. Other best practices, such as RFC 1918 and RFC 2827 filtering, should also be adopted, along with those detailed in the various SAFE white papers, which you can review at Cisco.com by searching for "SAFE."