Hardening of Cisco Switches: by Mahendra Bhosale


HARDENING OF CISCO SWITCHES
By Mahendra Bhosale
Hardening of Cisco Switches by Mahendra Bhosale

TABLE OF CONTENTS
IOS_SW_1. Open Vulnerabilities in the Current IOS
IOS_SW_2. Device Enable Secret Password Not Set
IOS_SW_3. Password Encryption is Not Enabled
IOS_SW_4. Unprotected Access to Console Terminal
IOS_SW_5. Unencrypted Remote Administration
IOS_SW_6. Unrestricted Remote Administration
IOS_SW_7. User Authentication Not Configured
IOS_SW_8. No time out for idle sessions
IOS_SW_9. Unsafe log generation and log collection
IOS_SW_10. Incorrect Time & Time zone setting
IOS_SW_11. Time server not designated
IOS_SW_12. No timestamp on logs and debug information
IOS_SW_13. SNMPv1 or SNMPv2 is being used for device management and monitoring
IOS_SW_14. Default SNMP Community Strings are used
IOS_SW_15. Unnecessary services running
IOS_SW_16. CDP is running
IOS_SW_17. Device accepts IP source routed packets
IOS_SW_18. Device processes directed broadcasts
IOS_SW_19. UDP broadcast forwarding is enabled
IOS_SW_20. Device sends IP unreachable messages
IOS_SW_21. Device sends ICMP mask-reply
IOS_SW_22. Device sends IP redirects
IOS_SW_23. Anti-Spoof access control lists are not configured
IOS_SW_24. System statutory warning not set
IOS_SW_25. Proxy ARP is not disabled
IOS_SW_26. Unrestricted SNMP management and monitoring
IOS_SW_27. Older vulnerable version of SSH being used
IOS_SW_28. Port Security is not enabled
IOS_SW_29. Management Interface is assigned to VLAN1
IOS_SW_30. VTP (Virtual Trunking Protocol) security is not enabled
IOS_SW_31. Trunk Auto-Negotiation is not disabled on non-trunking interfaces
IOS_SW_32. VLAN Hopping Prevention is not enabled
IOS_SW_33. Spanning Tree Protocol Security is Not Enabled

IOS_SW_1. Open Vulnerabilities in the Current IOS
Description
Like any other software, Cisco IOS has security vulnerabilities that attackers can exploit to compromise the device. To avoid this, the Cisco Security Advisories should be checked periodically for any vulnerability affecting the current version of Cisco IOS. If a vulnerability is found in the current IOS version, the device should be upgraded to the latest stable IOS release.
Impact
An attacker can use the known vulnerabilities to carry out malicious activities on the device.
Risk Rating
High
Solution
Upgrade the Cisco device to the latest and stable IOS.

IOS_SW_2. Device Enable Secret Password Not Set


Description
Cisco devices have two levels of administrative privilege: user exec mode and privileged mode (also called enable mode). In user exec mode, one can only read the device configuration. The privileged (enable) mode is used to configure the device. This mode should be secured by assigning a strong password, called the enable secret.
Impact
A malicious user can break the weak encryption algorithm and get administrative access. Enable passwords use weak encryption and can be cracked easily. Enable secret passwords are an MD5 one-way hash of the original password and cannot be retrieved.
Risk Rating
High
Solution
Configure a strong enable secret using the following command at the config prompt:
(config)#enable secret <strong_password>


IOS_SW_3. Password Encryption is Not Enabled


Description
Passwords are stored in clear text in the device configuration. Encryption must be enabled so that nobody can see clear-text passwords while viewing the configuration file. Note that the encryption used for local storage of passwords is itself weak and can be easily decrypted.
Impact
A malicious user can steal terminal passwords and user passwords from the device configuration output.
Risk Rating
High
Solution
The following command enables the password encryption for the device.
(config)# service password-encryption
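The two checks above (an enable secret is set, no legacy enable password remains, and no password is stored in clear text or as a reversible type 7 string) can be run against a saved configuration before the device is audited. The script below is an added example written for this page, not part of the original document or of any Cisco tool; the running-config excerpt it parses is constructed for the example, and the hash and type 7 strings in it are placeholders rather than real credentials.

```python
import re

# Constructed sample running-config excerpt (not taken from any real device).
# The hash and type 7 strings are placeholders, not real credentials.
SAMPLE_CONFIG = """\
service password-encryption
!
enable secret 5 $1$abcd$EXAMPLEHASHVALUEONLY.
enable password 7 0822455D0A16
!
username admin privilege 15 password 7 14141B180F0B
username audit privilege 1 password 0 plaintext-example
!
line con 0
 password cisco
 login
line vty 0 4
 password 7 094F471A1A0A
 login
"""

# Matches 'password [type] <string>' on its own (line stanzas) or after
# 'username <name> [privilege N]'.  'enable password' is handled separately.
PASSWORD_RE = re.compile(
    r"^(?:username\s+\S+(?:\s+privilege\s+\d+)?\s+)?password\s+(?:(\d)\s+)?\S+$"
)


def audit_password_storage(config):
    """Return (code, line) findings for the enable secret and password storage checks."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip() and not ln.startswith("!")]

    if not any(ln.startswith("enable secret ") for ln in lines):
        findings.append(("NO_ENABLE_SECRET", "enable secret"))
    for ln in lines:
        if ln.startswith("enable password "):
            # Legacy enable password is reversible (type 7) or clear text.  The enable
            # secret takes precedence when both exist, so the weak one should be removed.
            findings.append(("ENABLE_PASSWORD_PRESENT", ln))
    if "service password-encryption" not in lines:
        findings.append(("NO_PASSWORD_ENCRYPTION", "service password-encryption"))

    for ln in lines:
        m = PASSWORD_RE.match(ln)
        if not m:
            continue
        ptype = m.group(1)
        if ptype in (None, "0"):
            # No type or type 0: stored in clear text until service password-encryption rewrites it.
            findings.append(("PLAINTEXT_PASSWORD", ln))
        elif ptype == "7":
            # Type 7 is reversible obfuscation, not a hash; anyone holding the config can recover it.
            findings.append(("REVERSIBLE_TYPE7", ln))
    return findings


if __name__ == "__main__":
    for code, line in audit_password_storage(SAMPLE_CONFIG):
        print(f"{code:24s} {line}")
```

Run against the sample, the script reports the leftover `enable password`, two type 7 strings and two clear-text passwords. A finding of type 7 is worth acting on even with `service password-encryption` enabled: that command only rewrites passwords into type 7, which is why the document recommends `enable secret` for the privileged level and a remote AAA server (IOS_SW_7) rather than local passwords.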

IOS_SW_4. Unprotected Access to Console Terminal


Description
The console port is the physical port on a Cisco device that can be connected directly to the serial (COM) port of a computer with a rollover cable to configure the device. By default, access through the console terminal is not password protected, so anyone with physical access to the device can get user exec level access. A strong password should be configured to protect the device against unauthorized access.
Impact
A malicious user with physical access to the device can gain user exec level access to it.
Risk Rating
Medium
Solution
Assign a strong password to the console line by entering the following commands at the command prompt:
(config)#line con 0
(config-line)#password <strong_password>
(config-line)#login

IOS_SW_5. Unencrypted Remote Administration
Description
The Telnet protocol transmits all information, including login credentials, in clear text. To prevent password theft, SSH should be used for remote administration, since SSH encrypts all traffic between the device and the SSH client.
Impact
A malicious user can sniff traffic on the wire and can steal user exec and privileged mode
passwords of the device.
Risk Rating
Medium
Solution
Configure the device to accept only SSH connections for remote administration with the following commands.
Note: These commands are available only if the device runs an IOS image that supports IPsec and other cryptographic algorithms. Generating the RSA key pair also requires that a hostname and an ip domain-name are already configured.
1. Generate RSA keys for SSH:
(config)#crypto key generate rsa
2. Lower the SSH timeout for inactive sessions:
(config)#ip ssh time-out 60
3. Set the number of SSH authentication retries:
(config)#ip ssh authentication-retries 2
4. Specify SSH as the only transport input:
(config)#line vty 0 4
(config-line)#transport input ssh


IOS_SW_6. Unrestricted Remote Administration


Description
To prevent unauthorized access, remote administration of the device should be restricted to specific IP addresses. Moreover, Cisco devices support connections on only 5 VTY (Telnet/SSH) lines, so login attempts by malicious users can prevent a legitimate administrator from connecting to the device and cause a denial of service.
Impact
An unauthorized user can connect to the device remotely. An unauthorized user can initiate
multiple simultaneous login attempts and cause denial of service.
Risk Rating
Medium
Solution
Create a standard access list that permits only the authorized IP address(es) for remote login to the device, and apply it to the device's VTY lines.
Commands are as follows:
(config)#access-list <access-list_number> permit host <x.x.x.x> log
(config)#access-list <access-list_number> permit host <y.y.y.y> log
(config)#access-list <access-list_number> deny any log
(config)#line vty <line number>
(config-line)#access-class <access-list-number> in
Note: If the vty line is disabled by either of the following commands, this check is considered safe for that vty line:
(config-line)#no exec
(config-line)#transport input none

IOS_SW_7. User Authentication Not Configured


Description
The default configuration of Cisco devices requires only a password for authentication, which results in weaker security and no traceability of administrative activities. User authentication can be enabled using a locally stored user database or, for more security, a remote authentication server (such as an AAA server).
Impact
A malicious user needs just a password (a single string) to gain access to the device. It is also impossible to distinguish activities performed by different administrators.
Risk Rating
Medium
Solution
For authentication using the local user database:*
Create usernames and assign passwords by entering the following command:
(config)#username <username> privilege <0-15> password <0|7> <password>
Configure the vty, aux and console lines to authenticate using username and password:
(config)#line {vty <line number> | console 0 | aux 0}
(config-line)#login local
For authentication using AAA:
Configure AAA authentication using RADIUS, TACACS or TACACS+ servers:
(config)#aaa new-model
(config)#aaa authentication login {default | list-name} group {radius | tacacs+}
(config)#radius-server host <ip> timeout 20 key <key> (for RADIUS authentication)
(config)#line {vty <line number> | console 0 | aux 0}
(config-line)#login authentication {default | list-name}
*Since the local database user's password in Cisco devices can be easily decrypted, Paladion suggests using a remote server such as TACACS or TACACS+ for user authentication.
Note: If the vty/console/aux lines are disabled by either of the following commands, this check is considered safe for that vty/console/aux line:
(config-line)#no exec
(config-line)#transport input none

IOS_SW_8. No time out for idle sessions


Description
Administrators may connect to the device for remote administration and leave their terminals unattended by mistake. The device should be configured to disconnect idle sessions automatically after a threshold period.
Impact
A malicious user may get an administrative access to the device.
Risk Rating
Medium
Solution
Configure the device to log the user off after 5 minutes of idle session time.
Enable an idle timeout of 5 minutes 0 seconds on Telnet/SSH sessions by entering the following commands:
(config)#line vty <line number>
(config-line)#exec-timeout 5 0
Enable an idle timeout of 10 minutes 0 seconds on console sessions by entering the following commands:
(config)#line con 0
(config-line)#exec-timeout 10 0
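IOS_SW_5 through IOS_SW_8 all act on the same `line con`, `line aux` and `line vty` stanzas, and the notes in IOS_SW_6 and IOS_SW_7 say a line that has `no exec` or `transport input none` is safe. The following Python is an added example written for this page, not part of the original document or of any Cisco tool: it groups the sub-commands under each line stanza of a constructed running-config excerpt (addresses and ACL number are invented) and applies the four checks, honouring the disabled-line exemption and the 5 minute (vty) and 10 minute (console) targets given above.

```python
# Constructed sample running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
ip ssh time-out 60
ip ssh authentication-retries 2
access-list 10 permit host 10.1.1.5 log
access-list 10 deny any log
line con 0
 exec-timeout 10 0
 login local
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 password cisco
 login
 transport input telnet ssh
"""


def parse_line_blocks(config):
    """Group the indented sub-commands under each 'line con/aux/vty' stanza."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # any other top-level line ends the stanza
    return blocks


def audit_line(name, cmds):
    """Apply the IOS_SW_5 to IOS_SW_8 checks to one line stanza."""
    findings = []
    if "no exec" in cmds or "transport input none" in cmds:
        return findings             # line is disabled: treated as safe, as the notes say
    is_vty = name.startswith("line vty")

    if is_vty:
        transport = [c for c in cmds if c.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append("IOS_SW_5: transport input is not restricted to ssh")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append("IOS_SW_6: no inbound access-class on vty line")

    if not any(c == "login local" or c.startswith("login authentication ") for c in cmds):
        findings.append("IOS_SW_7: no username-based login (login local / login authentication)")

    timeouts = [c for c in cmds if c.startswith("exec-timeout")]
    limit = 5 if is_vty else 10     # minutes, per the solution text
    if not timeouts:
        findings.append("IOS_SW_8: no explicit exec-timeout")
    else:
        parts = timeouts[-1].split()[1:]          # 'exec-timeout <min> [sec]'
        minutes = int(parts[0])
        seconds = int(parts[1]) if len(parts) > 1 else 0
        if minutes == 0 and seconds == 0:
            findings.append("IOS_SW_8: exec-timeout 0 0 disables the idle timeout entirely")
        elif minutes > limit:
            findings.append(f"IOS_SW_8: exec-timeout of {minutes} min exceeds the {limit} min target")
    return findings


def audit_remote_admin(config):
    """Return {'global': [...], '<line stanza>': [...]} for SSH settings and every line stanza."""
    results = {}
    top = [ln.strip() for ln in config.splitlines()]
    ssh = []
    if not any(g.startswith("ip ssh time-out ") for g in top):
        ssh.append("IOS_SW_5: ip ssh time-out not lowered")
    if not any(g.startswith("ip ssh authentication-retries ") for g in top):
        ssh.append("IOS_SW_5: ip ssh authentication-retries not set")
    results["global"] = ssh
    for name, cmds in parse_line_blocks(config).items():
        results[name] = audit_line(name, cmds)
    return results


if __name__ == "__main__":
    for stanza, findings in audit_remote_admin(SAMPLE_CONFIG).items():
        print(stanza, findings or "ok")
```

In the sample, `line vty 5 15` collects one finding per check: Telnet is still accepted, no access-class is applied, only a line password is used, and `exec-timeout 0 0` turns the idle timeout off. Switches commonly have vty lines 5 to 15 in addition to 0 to 4, which is why the script audits every stanza rather than only `line vty 0 4`.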

IOS_SW_9. Unsafe log generation and log collection
Description
All important device logs should be enabled and collected to monitor all critical information and
system level activity.
Impact
Malicious activities may go unnoticed in the absence of logs, and no information is available for investigation and forensics if an intrusion occurs.
Risk Rating
Medium
Solution
Configure the device to send logs to a syslog server with the following command:
(config)#logging <Syslog_Server_IP_Address>
The level of logging should be specified using logging trap <level>.
The following table shows the severity levels and the Cisco keywords used for logging:
Severity Level   Keyword          Description
0                emergencies      System unusable
1                alerts           Immediate action required
2                critical         Critical condition
3                errors           Error conditions
4                warnings         Warning conditions
5                notifications    Normal but significant conditions
6                informational    Informational messages
7                debugging        Debugging messages
For example, logging trap critical forwards logs of severity emergencies, alerts and critical to the specified syslog server.
We suggest configuring the trap value to 4 (warnings).
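The severity table above decides which messages leave the device: a message is forwarded when its severity number is less than or equal to the configured trap level. The script below is an added example written for this page, not part of the original document or of any Cisco tool; it reads the severity from the `%FACILITY-SEVERITY-MNEMONIC` tag that IOS system messages carry and filters a set of constructed sample messages (the hosts, users and interface names in them are invented) the way `logging trap <level>` would.

```python
import re

# Severity levels from the table above (Cisco keyword -> number).
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# IOS system messages carry their severity in the %FACILITY-SEVERITY-MNEMONIC tag.
MSG_TAG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):")

# Constructed sample messages in the IOS system-message format (not from a real device).
SAMPLE_LOG = [
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/7, changed state to down",
    "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address "
    "0000.1111.2222 on port GigabitEthernet1/0/7.",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.44] "
    "[localport: 22] [Reason: Login Authentication Failed]",
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.10 started",
]


def trap_threshold(level):
    """Resolve the argument of 'logging trap <level>' (keyword or 0-7) to a number."""
    level = str(level).strip().lower()
    if level.isdigit() and 0 <= int(level) <= 7:
        return int(level)
    if level in SEVERITY:
        return SEVERITY[level]
    raise ValueError(f"unknown logging level: {level!r}")


def message_severity(msg):
    """Return the numeric severity of an IOS system message, or None if it has no tag."""
    m = MSG_TAG_RE.search(msg)
    return int(m.group(2)) if m else None


def forwarded_to_syslog(messages, level):
    """Return the messages a device configured with 'logging trap <level>' would forward.

    A message is sent when its severity number is <= the configured threshold,
    so a lower threshold forwards fewer (only the more severe) messages.
    """
    threshold = trap_threshold(level)
    return [m for m in messages if (s := message_severity(m)) is not None and s <= threshold]


if __name__ == "__main__":
    for level in ("critical", "4", "informational"):
        print(f"logging trap {level}: {len(forwarded_to_syslog(SAMPLE_LOG, level))} of "
              f"{len(SAMPLE_LOG)} messages forwarded")
```

With `logging trap critical` only the port-security violation (severity 2) reaches the collector; the failed SSH login (severity 4) is dropped, which is the practical reason the document suggests level 4. At level 4 the configuration-change and link-state notifications (severity 5) are still not forwarded, so a site that wants those for change tracking needs `logging trap notifications` or higher.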

IOS_SW_10. Incorrect Time & Time zone setting


Description
Correct date and time settings are important for log review, correlation and forensics. The time zone setting provides a common reference across the enterprise for all activities logged on a system.
Impact
Without correct time, logs cannot be correlated and a timeline of detected malicious activity cannot be established.
Risk Rating
Medium
Solution
Set the appropriate time zone and then set the current date and time using the following commands in sequence:
(config)#clock timezone <zone_name> <-23 to 23> (hours offset from UTC)
#clock set hh:mm:ss <day> <month> <year> (privileged EXEC mode)


IOS_SW_11. Time server not designated


Description
A time server (using NTP) synchronizes the system time on all devices and servers across the organization. Once a time server is designated on the Cisco device, the device takes its system time from the time server instead of its local clock.
Impact
A mismatch in the time information in logs from different devices can lead to errors in the correlated event information.
Risk Rating
Medium
Solution
Determine the IP address of the organization's NTP server and use the following command to configure the device to update its time from it:
(config)#ntp server <A.B.C.D>

IOS_SW_12. No timestamp on logs and debug information


Description
It is important to add a timestamp to each event in order to analyse when the event occurred and to determine the sequence of events across different devices.
Impact
Absence of timestamps on log information makes it difficult to analyse and correlate log information from different devices.
Risk Rating
Medium
Solution
Configure the device to add timestamp field in each log and debug entry by entering following
commands:
(config)# service timestamps log datetime show-timezone msec
(config)# service timestamps debug datetime show-timezone msec


IOS_SW_13. SNMPv1 or SNMPv2 is being used for device management and monitoring
Description
SNMPv1 and SNMPv2 use a very weak authentication scheme based on community strings. Most SNMP implementations send those strings repeatedly as part of periodic polling, and SNMPv1 and SNMPv2 send them in clear text. Moreover, they are easily spoofable, datagram-based transaction protocols.
Impact
A malicious user can gain administrative access to the device by stealing the community strings and/or spoofing the IP address of the SNMP manager.
Risk Rating
Medium
Solution
If SNMP is not required, disable it by entering the following command:
(config)#no snmp-server
If SNMP is required, configure the device to use SNMPv3 for communicating with the SNMP manager. The steps to configure SNMPv3 on a Cisco device are:
Configure an SNMP group:
(config)#snmp-server group <group_name> v3 auth
Configure an SNMP user with a strong password. This username will be used for authenticating to the SNMP manager:
(config)#snmp-server user <user_name> <group_name> v3 auth md5 <password>
Configure the IP address of the SNMP manager to which SNMP traps will be sent:
(config)#snmp-server host <SNMP_MANAGER_IP> traps version 3 auth <user_name>

IOS_SW_14. Default SNMP Community Strings are used


Description
SNMP is used for monitoring and managing network devices. By default, SNMP communities are configured as 'public' for read-only access and 'private' for read-write access. These community strings should be changed to non-guessable strings.
Impact
System information can be read by an attacker using the default SNMP strings. An attacker can also reconfigure the system with administrative privileges, leading to denial of service.
Risk Rating
Medium
Solution
If SNMP is not required, disable it by entering the following command:
(config)#no snmp-server
If SNMP is required, use SNMPv3 instead of the community-string-based authentication of SNMPv1 or SNMPv2.
If SNMPv1 or SNMPv2 must be used, configure strong, non-guessable SNMP community strings by entering the following commands:
(config)#snmp-server community <community_string> ro
(config)#snmp-server community <community_string> rw
Note: Remove the rw community (if present) if SNMP is used only for monitoring.


IOS_SW_15. Unnecessary services running


Description
By default, many unnecessary services are enabled in Cisco IOS software, including echo, chargen and DHCP. These services are not required for normal operation of the device and can be safely disabled.
Impact
A malicious user can compromise the Cisco device by exploiting the vulnerabilities of the
unnecessary services.
Risk Rating
Medium
Solution
If the services are not in use, disable them by entering the following commands:
Service Name         Secure Configuration
TCP small services   no service tcp-small-servers
UDP small services   no service udp-small-servers
Finger               no service finger
BOOTP                no ip bootp server
X.25 PAD             no service pad
DNS                  no ip domain-lookup
DHCP                 no service dhcp
HTTP                 no ip http server
MOP                  no mop enabled
IDENTD               no ip identd
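A running-config only records a service when its state differs from the platform default, so checking for the `no ...` lines in the table alone gives false alarms: a service that is absent from the config may be off by default or on by default depending on the IOS release. The script below is an added example written for this page, not part of the original document or of any Cisco tool; for each service in the table it reports "disabled" when the secure line is present, "ENABLED" when the enabling line is present, and "not explicit" otherwise, which is the case to settle with `show running-config all` on the device. The configuration excerpt is constructed for the example.

```python
# (service name, enabling command(s), disabling command(s)), taken from the table above.
# MOP is an interface-level command; the others are global.  DNS lookup has an older
# hyphenated and a newer two-word spelling, so both are accepted.
SERVICES = [
    ("TCP small services", "service tcp-small-servers", "no service tcp-small-servers"),
    ("UDP small services", "service udp-small-servers", "no service udp-small-servers"),
    ("Finger", "service finger", "no service finger"),
    ("BOOTP", "ip bootp server", "no ip bootp server"),
    ("X.25 PAD", "service pad", "no service pad"),
    ("DNS", ("ip domain-lookup", "ip domain lookup"), ("no ip domain-lookup", "no ip domain lookup")),
    ("DHCP", "service dhcp", "no service dhcp"),
    ("HTTP", "ip http server", "no ip http server"),
    ("MOP", "mop enabled", "no mop enabled"),
    ("IDENTD", "ip identd", "no ip identd"),
]

# Constructed sample running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
no service pad
no service tcp-small-servers
no service udp-small-servers
service dhcp
ip domain-lookup
no ip bootp server
ip http server
no ip http secure-server
!
interface GigabitEthernet1/0/1
 no mop enabled
!
"""


def _has(lines, commands):
    """True if any config line is exactly one of `commands` or that command plus arguments."""
    if isinstance(commands, str):
        commands = (commands,)
    return any(ln == cmd or ln.startswith(cmd + " ") for ln in lines for cmd in commands)


def audit_services(config):
    """Return {service: 'disabled' | 'ENABLED' | 'not explicit'} for the table's services."""
    lines = [ln.strip() for ln in config.splitlines()]   # strip so interface-level MOP lines match
    status = {}
    for name, enable_cmd, disable_cmd in SERVICES:
        if _has(lines, disable_cmd):
            status[name] = "disabled"
        elif _has(lines, enable_cmd):
            status[name] = "ENABLED"
        else:
            # Absent from the config: the platform default applies.  Confirm on the device
            # with 'show running-config all', which prints default values as well.
            status[name] = "not explicit"
    return status


if __name__ == "__main__":
    for name, state in audit_services(SAMPLE_CONFIG).items():
        print(f"{name:20s} {state}")
```

The exact-or-with-arguments match in `_has` matters: a naive substring test would let `no ip http secure-server` satisfy the HTTP check, and would let `no service dhcp` count as `service dhcp`.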

IOS_SW_16. CDP is running


Description
CDP is Cisco's proprietary Layer 2 protocol for discovering information about neighbouring Cisco devices. It can also reveal Layer 3 information such as IP addresses.
Impact
A malicious user can obtain information (hardware platform, model number, IP address) about the Cisco device remotely.
Risk Rating
Medium
Solution
Disable CDP on the device completely by entering the following command:
(config)#no cdp run
If it is not possible to disable CDP completely on the device, use the following commands to disable CDP on specific interfaces:
(config)#interface <interface_name>
(config-if)#no cdp enable


IOS_SW_17. Device accepts IP source routed packets


Description
The IP protocol supports a source routing option that allows the sender of an IP datagram to control the route the datagram takes toward its destination, and generally the route that any reply takes. This option is rarely used for legitimate purposes in real networks and should be disabled.
Impact
This can be used to bypass security settings of the network such as Firewalls.
Risk Rating
Medium
Solution
Disable IP source routing by entering the following command in global configuration mode:
(config)#no ip source-route
NOTE: - Not applicable for layer 2 switching

IOS_SW_18. Device processes directed broadcasts


Description
A directed broadcast is a packet destined for a specified broadcast IP address. A single copy of a directed broadcast is routed to the specified network, where it is broadcast to all hosts on that network. Attackers can use this to flood the network with broadcast packets. Directed broadcast is rarely used for legitimate purposes, so Cisco devices should be configured not to process directed broadcast packets.
Impact
A malicious user can perform DoS attack using directed broadcast packets.
Risk Rating
Medium
Solution
Configure the Cisco device not to process directed broadcasts by entering the following command in interface configuration mode:
(config-if)#no ip directed-broadcast
Enter this command on every physical interface of the Cisco device.
NOTE: - Not applicable for layer 2 switching


IOS_SW_19. UDP broadcast forwarding is enabled


Description
UDP broadcast forwarding is used to redirect LAN broadcasts to a specific unicast address. The most common use of this configuration is a centralised DHCP server or a centralised domain controller, with the broadcasts redirected to its IP address.
Impact
With several UDP protocols enabled for forwarding, a malicious user can cause a denial of service (DoS) attack on specific servers.
Risk Rating
Medium
Solution
Disable forwarding of the default UDP protocols with the following command:
(config)#no ip forward-protocol udp <port_number>
The following protocols are forwarded by default. Identify the protocols in use and disable the unnecessary ones:
1. Time service (port 37)
2. IEN-116 Name Service (port 42)
3. TACACS service (port 49)
4. Domain Naming System (port 53)
5. Boot Protocol (BOOTP) client and server datagrams (ports 67 and 68)
6. Trivial File Transfer Protocol (TFTP) (port 69)
7. NetBIOS Name Server (port 137)
8. NetBIOS Datagram Server (port 138)
NOTE: - Not applicable for layer 2 switching

IOS_SW_20. Device sends IP unreachable messages


Description
Packets with an invalid or unreachable destination address received by a Cisco device are discarded. The Cisco device then generates an ICMP unreachable message to notify the sender about the unreachable host. The device should be configured not to send these notification messages.
Impact
A malicious user can use layer 3 information contained in IP unreachable messages to initiate
malicious activity.
Risk Rating
Low
Solution
Configure the Cisco device not to send ICMP unreachable messages by entering the following command in interface configuration mode:
(config-if)#no ip unreachables
Enter this command on every physical interface of the Cisco device.
NOTE: - Not applicable for layer 2 switching


IOS_SW_21. Device sends ICMP mask-reply


Description
A Cisco device sends an interface's subnet mask in response to an ICMP mask request. This option is rarely used for legitimate purposes in real networks, so the device should be configured not to send ICMP mask replies.
Impact
An attacker can map IP address and subnet mask of a particular network as part of network
reconnaissance. The information can be used to breach the network.
Risk Rating
Low
Solution
If the Cisco device is configured to send ICMP mask replies, disable it by entering the following command in interface configuration mode:
(config-if)#no ip mask-reply
NOTE: - Not applicable for layer 2 switching

IOS_SW_22. Device sends IP redirects


Description
A Cisco device can send ICMP redirect messages to other devices that try to reach a destination network through a suboptimal gateway. An attacker can use this feature to alter the flow of network traffic.
Impact
A malicious user can cause DoS attack by sending IP redirect message.
Risk Rating
Low
Solution
Configure the Cisco device not to send IP redirects by entering the following command in interface configuration mode:
(config-if)#no ip redirects
Enter this command on every physical interface of the Cisco device.
NOTE: - Not applicable for layer 2 switching


IOS_SW_23. Anti-Spoof access control lists are not configured


Description
Cisco devices have multiple network interfaces. Say a Cisco device has one internal interface and one external interface. If a packet arrives on the external interface with a source IP address belonging to the internal network, it can be concluded that the source IP is spoofed. Similarly, source IP addresses cannot be 127.x.x.x, 224.x.x.x or 0.0.0.0, since these addresses are reserved for special use; packets with these source addresses are spoofed packets.
Impact
A malicious user may gain unauthorized access to the internal resources or may launch DoS
attacks.
Risk Rating
Low
Solution
Configure the following commands on the device (<number> is an extended access list number, 100-199 or 2000-2699):
(config)#access-list <number> deny icmp any any redirect
(config)#access-list <number> deny ip 127.0.0.0 0.255.255.255 any log
(config)#access-list <number> deny ip 224.0.0.0 31.255.255.255 any log (denies all source addresses from 224.0.0.0 through 255.255.255.255)
(config)#access-list <number> deny ip host 0.0.0.0 any log
(config)#access-list <number> deny ip <reserved IP address> <wildcard mask> any log
where <reserved IP address> denotes the address blocks that are reserved by IANA or specified by RFC 1918 as not valid on the public network. Because every access list ends with an implicit deny, finish it with the entries that permit legitimate traffic, for example:
(config)#access-list <number> permit ip any any
Apply the access list to the ingress and egress physical interfaces.
NOTE: - Not applicable for layer 2 switching
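Wildcard masks in these entries are the inverse of a subnet mask (a 1 bit means "ignore this bit"), which is why 224.0.0.0 with 31.255.255.255 covers everything from 224.0.0.0 upward and a single-bit mistake silently widens or narrows the block. The script below is an added example written for this page, not part of the original document or of any Cisco tool: it parses the anti-spoof list from the solution above (with RFC 1918 blocks and a closing permit filled in as constructed entries) and evaluates sample source addresses against it in order, first match wins, with the implicit deny at the end, so the list can be checked offline before it is applied.

```python
import ipaddress

# Constructed anti-spoof ACL following the entries in the solution above.  The RFC 1918
# blocks and the final permit are filled in for the example.
ANTI_SPOOF_ACL = """\
access-list 101 deny icmp any any redirect
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 permit ip any any
"""


def _addr(tokens, i):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D wildcard) as (int, wildcard int)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acl(text):
    """Parse numbered extended ACL lines: access-list N {permit|deny} <proto> <src> <dst> [quals] [log]."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        quals = [q for q in t[i:] if q != "log"]   # e.g. an ICMP message type such as 'redirect'
        entries.append({"line": line, "action": t[2], "proto": t[3],
                        "src": src, "dst": dst, "quals": quals})
    return entries


def _wild_match(ip_int, spec):
    """Cisco wildcard semantics: bits set in the wildcard are ignored in the comparison."""
    net, wild = spec
    keep = ~wild & 0xFFFFFFFF
    return (ip_int & keep) == (net & keep)


def evaluate(entries, src, proto="ip", icmp_type=None, dst="0.0.0.0"):
    """Return (action, matching line) for a packet; unmatched packets hit the implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not _wild_match(s, e["src"]) or not _wild_match(d, e["dst"]):
            continue
        if e["quals"] and icmp_type not in e["quals"]:
            continue
        return e["action"], e["line"]
    return "deny", "implicit deny"


if __name__ == "__main__":
    acl = parse_acl(ANTI_SPOOF_ACL)
    # Constructed sample sources as seen arriving on the external interface.
    for src, proto, itype in [("10.1.5.7", "ip", None), ("239.1.1.1", "ip", None),
                              ("198.51.100.9", "icmp", "redirect"), ("198.51.100.9", "icmp", "echo"),
                              ("0.0.0.0", "ip", None), ("203.0.113.5", "ip", None)]:
        print(f"{src:>14} {proto:4} {itype or '':9} -> {evaluate(acl, src, proto, itype)[0]}")
```

The evaluator deliberately keeps the document's ordering: the ICMP redirect entry only applies to ICMP packets carrying that type, so an ICMP echo from a public address falls through to the permit, while any packet whose source is in a loopback, multicast, unspecified or RFC 1918 range is denied regardless of protocol.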

IOS_SW_24. System statutory warning not set
Description
Displaying an appropriate warning message when users access a system assists in prosecuting computer crime cases and defending legal issues involving the system.
Impact
Absence of a statutory warning may lead to failure to prosecute an accused malicious user.
Risk Rating
Low
Solution
Create an appropriate login warning banner which states that the system is for authorized use only and that all activity on the system is monitored.
Use either of the commands:
(config)#banner login <message>
(config)#banner motd <message>
For AAA authentication:
(config)#aaa authentication banner <banner>

IOS_SW_25. Proxy ARP is not disabled
Description
Proxy ARP is a method by which routers make themselves available to hosts. A Cisco router can act as an intermediary for ARP, responding to ARP queries on selected interfaces and thus enabling transparent access between multiple LAN segments.
Impact
It breaks the LAN security perimeter by effectively extending a LAN at Layer 2 across multiple segments, which undermines security: a machine can claim to be another in order to intercept packets.
Risk Rating
Medium
Solution
Disable proxy ARP on all interfaces by issuing the following command.
(config)#interface {interface_name}
(config-if)#no ip proxy-arp
NOTE: - Not applicable for layer 2 switching
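IOS_SW_17, IOS_SW_18, IOS_SW_20, IOS_SW_21, IOS_SW_22 and IOS_SW_25 are all settled per routed interface (plus one global line for source routing), and the right test differs by feature: ICMP redirects, unreachables and proxy ARP are on by default in IOS, so the `no ...` line must be present, whereas directed broadcast (off by default since IOS 12.0) and mask replies (off by default) only need flagging when a line explicitly turns them on. The following Python is an added example written for this page, not part of the original document or of any Cisco tool; it walks the interface stanzas of a constructed Layer 3 switch configuration (addresses invented), skips pure Layer 2 ports as the "not applicable for layer 2 switching" notes require, and reports which of those checks fail on each routed interface.

```python
import re

# Constructed sample configuration for a Layer 3 switch (not taken from any real device).
SAMPLE_CONFIG = """\
no ip source-route
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip directed-broadcast
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/24
 no switchport
 ip address 192.0.2.1 255.255.255.252
 no ip redirects
 ip mask-reply
!
"""

# Features IOS enables by default: the explicit 'no ...' line must be present.
REQUIRE_DISABLED = [
    ("IOS_SW_20", "no ip unreachables"),
    ("IOS_SW_22", "no ip redirects"),
    ("IOS_SW_25", "no ip proxy-arp"),
]
# Features that are off by default (directed broadcast since IOS 12.0, mask reply always),
# so only an explicit enabling line is a finding.
FLAG_IF_ENABLED = [
    ("IOS_SW_18", "ip directed-broadcast"),
    ("IOS_SW_21", "ip mask-reply"),
]


def interface_blocks(config):
    """Yield (interface name, [sub-commands]) for each 'interface ...' stanza."""
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        yield m.group(1), [ln.strip() for ln in m.group(2).splitlines()]


def audit_routed_interfaces(config):
    """Return {'global': [...], '<interface>': [...]} for routed (IP-addressed) interfaces only."""
    results = {"global": []}
    top = [ln.strip() for ln in config.splitlines()]
    if "no ip source-route" not in top:
        results["global"].append("IOS_SW_17: ip source-route not disabled")
    for name, cmds in interface_blocks(config):
        if not any(c.startswith("ip address ") for c in cmds):
            continue        # Layer 2 port: the Layer 3 checks do not apply
        findings = []
        for check, required in REQUIRE_DISABLED:
            if required not in cmds:
                findings.append(f"{check}: missing '{required}'")
        for check, enabling in FLAG_IF_ENABLED:
            if enabling in cmds:
                findings.append(f"{check}: '{enabling}' explicitly enabled")
        results[name] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit_routed_interfaces(SAMPLE_CONFIG).items():
        print(name, findings or "ok")
```

In the sample, `Vlan10` passes, `Vlan20` is missing all three `no ...` lines and has directed broadcast turned on, and the routed uplink `GigabitEthernet1/0/24` lacks the unreachables and proxy ARP lines and enables mask replies; the access port `GigabitEthernet1/0/1` is not reported at all.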

IOS_SW_26. Unrestricted SNMP management and monitoring


Description
All Simple Network Management Protocol (SNMP) access should be restricted using an access control list (ACL).
Impact
If ACLs are not applied, anyone with a valid SNMP community string can potentially monitor and manage the device. An ACL should be defined and applied to all SNMP access to limit it to a small number of authorized management stations segmented in a trusted management zone.
Risk Rating
Low
Solution
Access control lists (ACLs) can be configured as follows:
(config)#access-list <acl number> permit <IP address from which SNMP connections are allowed>
(config)#snmp-server community <strong community string> ro <acl number>
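IOS_SW_13, IOS_SW_14 and IOS_SW_26 are three views of the same few `snmp-server` lines: whether v1/v2c community strings are in use at all, whether they are the defaults or grant write access, whether each is bound to an ACL, and whether any SNMPv3 group or trap host has been configured without authentication. The following Python is an added example written for this page, not part of the original document or of any Cisco tool; it audits a constructed SNMP configuration (community strings, host addresses and ACL number are invented) and also verifies that an ACL named on a community line is actually defined, a gap that otherwise leaves the community unrestricted.

```python
import re

# Constructed sample SNMP configuration (not taken from any real device).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community s3cr3t-example RW
snmp-server community monitor-only RO 99
snmp-server group NETMON v3 noauth
snmp-server group NETADM v3 priv
snmp-server host 10.1.1.10 version 2c public
snmp-server host 10.1.1.11 traps version 3 auth nmsuser
access-list 99 permit 10.1.1.10
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] [ro|rw] [<acl>]   (ro is the default mode)
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(ro|rw))?(?:\s+(\S+))?$", re.I
)
GROUP_RE = re.compile(r"^snmp-server group \S+ v3 (noauth|auth|priv)\b", re.I)
HOST_RE = re.compile(r"^snmp-server host \S+(?:\s+(?:traps|informs))?\s+version\s+(1|2c|3)\b", re.I)


def audit_snmp(config):
    """Return (code, line) findings covering SNMP version, community strings and ACLs."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Numbered ACLs only; named ACLs ('ip access-list standard <name>') would need a stanza parser.
    defined_acls = {ln.split()[1] for ln in lines if ln.startswith("access-list ")}

    if not any(ln.startswith("snmp-server ") for ln in lines):
        return findings                      # SNMP not configured at all

    community_seen = False
    for ln in lines:
        m = COMMUNITY_RE.match(ln)
        if m:
            community_seen = True
            string, mode, acl = m.group(1), (m.group(2) or "ro").lower(), m.group(3)
            if string.lower() in DEFAULT_COMMUNITIES:
                findings.append(("DEFAULT_COMMUNITY", ln))      # IOS_SW_14
            if mode == "rw":
                findings.append(("WRITE_COMMUNITY", ln))        # IOS_SW_14 note: drop rw if only monitoring
            if acl is None:
                findings.append(("NO_ACL", ln))                 # IOS_SW_26
            elif acl not in defined_acls:
                findings.append(("ACL_UNDEFINED", ln))          # referenced ACL does not exist
            continue
        m = GROUP_RE.match(ln)
        if m and m.group(1).lower() == "noauth":
            findings.append(("V3_NOAUTH", ln))                  # v3 without authentication
            continue
        m = HOST_RE.match(ln)
        if m and m.group(1).lower() != "3":
            findings.append(("HOST_V1_V2C", ln))                # traps sent with a community string
    if community_seen:
        findings.append(("V1_V2C_IN_USE", "snmp-server community ..."))   # IOS_SW_13
    return findings


if __name__ == "__main__":
    for code, line in audit_snmp(SAMPLE_CONFIG):
        print(f"{code:18s} {line}")
```

Only `monitor-only RO 99` passes in the sample: it is read-only, not a default string, and bound to an ACL that exists. The remaining findings are the ones the three sections above describe, plus the `noauth` group, which accepts any username without a password and so gives none of the benefit of moving to SNMPv3.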

IOS_SW_27. Older vulnerable version of SSH being used


Description
The SSH service is commonly used for encrypted command-based remote device management. There are multiple SSH protocol versions, and SSH servers often support several of them to maintain backwards compatibility. Although flaws have been identified in implementations of version 2 of the SSH protocol, fundamental flaws exist in SSH protocol version 1.
Impact
An attacker who was able to intercept SSH protocol version 1 traffic would be able to perform a
man-in-the-middle style attack. The attacker could then capture network traffic and possibly
authentication credentials.
Risk Rating
Low
Solution
The SSH service should be configured to support only version 2 of the SSH protocol, using the following command:
(config)#ip ssh version 2


IOS_SW_28. Port Security is not enabled


Description
Cisco IOS provides a feature called port security that lets you limit the MAC addresses allowed to use the ports on a switch. MAC addresses come preconfigured on a network interface card (NIC), and because of industry-wide standards no two NICs have the same MAC address. By allowing only certain MAC addresses to use a switch port, you greatly increase control over which PCs can access the switch.
Impact
A switch that does not use port security allows an attacker to attach a system to an unused, enabled port and perform information gathering or attacks.
Risk Rating
Low
Solution
Where possible, port security should be enabled on all switch ports, and all unused switch ports should be shut down.
Switch port security with MAC address learning and port shutdown on a violation can be configured on each interface with the following commands (port security is accepted only on a port configured in access mode, so set the mode first):
(config-if)# switchport mode access
(config-if)# switchport port-security
(config-if)# switchport port-security violation shutdown
(config-if)# switchport port-security mac-address sticky
Unused interfaces can be disabled with the following interface command:
(config-if)# shutdown
The following should be noted before applying port security:
Do not apply port security to trunk links, because they carry data from multiple VLANs and MAC addresses.
Port security cannot be enabled on a Switched Port Analyzer (SPAN) source or destination port.
You cannot configure dynamic or static Content Addressable Memory (CAM) entries on a secure port.
After you enable port security on a switch port, any static or dynamic CAM entries associated with the port are cleared, and any currently configured permanent CAM entries are treated as secure MAC addresses.
When a port is in the error-disabled state, the administrator can bring it out of this state by entering the "errdisable recovery cause psecure-violation" global configuration command or by entering the "shutdown" and "no shutdown" interface configuration commands.


IOS_SW_29. Management Interface is assigned to VLAN1


Description
All switch ports must be members of a VLAN, and by default that is VLAN 1. Because VLAN 1 was selected as the default VLAN for all switch ports, it was also chosen to carry special traffic such as VLAN Trunking Protocol (VTP) advertisements, CDP, Port Aggregation Protocol (PAgP) and Link Aggregation Control Protocol (LACP) messages.
Impact
VLAN 1 may span the entire network if it is not appropriately pruned. It also gives attackers easier access and extended reach for their attacks.
Risk Rating
Low
Solution
Do not use VLAN 1 for either out-of-band or in-band management. To provide network-based, out-of-band management, dedicate a physical switch port and a VLAN on each switch for management use. Do not allow the operational VLANs access to the management VLAN, and do not trunk the management VLAN off the switch.
This can be achieved with the following commands:
(config)# vlan <vlan number greater than 1>
(config-vlan)# name ADMINISTRATION-VLAN
Create the management interface, assign its IP address, restrict access to it and enable the interface:
(config)# interface vlan <vlan number greater than 1>
(config-if)# description ADMIN-VLAN
(config-if)# ip address <ip address for administrative vlan> <subnet mask>
(config-if)# ip access-group <acl-number> in
(config-if)# no shutdown
Assign the management VLAN to the dedicated interface:
(config)# interface fastethernet 4/1
(config-if)# description Out-Of-Band Admin
(config-if)# switchport mode access
(config-if)# switchport access vlan <vlan number greater than 1>
(config-if)# no shutdown

IOS_SW_30. VTP (Virtual Trunking Protocol) security is not enabled
Description
VTP is a Cisco-proprietary Layer 2 messaging protocol used to distribute VLAN configuration information over trunks. VTP allows the addition, deletion and renaming of VLANs on a network-wide basis, which gives switches a consistent VLAN configuration within a VTP management domain. All switches in the same management domain share their VLAN information, and a switch may participate in only one VTP management domain.
The VTP default configuration is shown below:
VTP domain name   Null
VTP mode          Server
VTP version       Version 2 is disabled
VTP password      None
VTP pruning       Disabled
Impact
If VTP is left in its default configuration, an attacker who learns the local network's VLAN structure can delete or modify it.
Risk Rating
Medium
Solution
If VTP is not required, disable it with the following commands:
(config)# no vtp mode
(config)# no vtp password
(config)# no vtp pruning
If it is required, change the default configuration using the following commands:
(config)# vtp domain <A vtp domain name>
(config)# vtp password <strong password>
(config)# vtp pruning
(config)# vtp mode {server | client | transparent} (server is the default; if the VTP mode is server, every user with access to the switch can edit the VLAN information)

IOS_SW_31. Trunk Auto-Negotiation is not disabled on non-trunking interfaces


Description
A trunk is a point-to-point link between two ports, typically on different network systems, that aggregates packets from multiple VLANs. A port may use the Dynamic Trunking Protocol (DTP) to automatically negotiate which trunking protocol it will use. By default, a Cisco Ethernet port's DTP mode is "dynamic desirable", which allows the port to actively attempt to convert the link into a trunk.
Impact
An attacker who can exploit DTP may be able to obtain useful information from the VLANs.
Risk Rating
Medium
Solution
Put non-trunking interfaces into permanent non-trunking mode without negotiation by using the following commands:
(config)# interface <non-trunking interfaces>
(config-if)# switchport mode access
(config-if)# switchport nonegotiate

IOS_SW_32. VLAN Hopping Prevention is not enabled
Description
VLAN hopping is a computer security exploit, a method of attacking networked resources on a VLAN. The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging.
Impact
Using VLAN hopping, a malicious intruder who has access to one local network might inject packets into another local network in order to attack machines on the target network.
Risk Rating
Low
Solution
Assign a shut-down VLAN as the 'native' VLAN of each trunk using the following commands.
To shut down local traffic on a specified VLAN, use the "shutdown vlan" command:
(config)# shutdown vlan <vlan-id>
Do not use this VLAN for any other purpose.
(config)# interface <trunking interfaces>
(config-if)# switchport trunk native vlan <shutdown vlan-id>
(config-if)# no cdp enable

IOS_SW_33. Spanning Tree Protocol Security is Not Enabled
Description
Spanning Tree Protocol (STP) is a link management protocol, defined in IEEE 802.1D, for bridged networks. STP provides path redundancy while preventing undesirable loops in networks consisting of multiple active paths. STP is a useful protocol but, unfortunately, both versions of the protocol were conceived with no security in mind and, as a result, both are vulnerable to several types of attacks. STP does not implement any authentication or encryption to protect the exchange of BPDUs. Because of the lack of authentication, anyone can speak to an STP-enabled device.
Impact
An attacker could very easily inject bogus BPDUs, triggering a topology recalculation. A forced
change to the STP topology could lead to a denial of service condition, or leave the attacker as a
man-in-the-middle. In addition, because BPDUs are not encrypted, it is fairly simple to intercept
BPDUs in transit, revealing important topology information.
Risk Rating
Low
Solution
Enable BPDU Guard and Root Guard to secure STP.
STP Portfast Bridge Protocol Data Unit (BPDU) Guard:
The STP Portfast BPDU Guard allows network administrators to enforce the STP topology on ports enabled with Portfast. Systems attached to ports with Portfast BPDU Guard enabled are not allowed to modify the STP topology. Upon reception of a BPDU message, the port is disabled and stops passing all network traffic. This feature can be enabled both globally and individually for ports configured with Portfast. By default, STP BPDU Guard is disabled. Cisco suggests using this command on interfaces that connect to end stations.
The following command is used to enable this feature globally:
(config)# spanning-tree portfast bpduguard default
When configured globally, BPDU Guard is only effective on ports in the operational PortFast state; BPDU Guard requires STP PortFast to be already configured on a port.
The following commands are used to configure BPDU Guard on interfaces that connect to end stations:
(config)# interface <type of interface> <number of interfaces that connect to end stations>
(config-if)# spanning-tree portfast
(config-if)# spanning-tree bpduguard enable
(Note: When STP BPDU Guard disables a switch port, it can be configured to recover automatically, or it can be manually re-enabled by a network administrator. The following commands can be used to configure a port to recover automatically when placed in the disabled state.
Switch(config)# errdisable recovery cause bpduguard
Switch(config)# errdisable recovery interval <recovery time in seconds (default value is 300s)>)
STP Root Guard:
STP root guard forces a port to become a designated port so that no switch on the other end of the link can become a root switch. If a port configured for root guard receives a superior BPDU, the port on which it is received is blocked. In this way, STP root guard blocks other devices from trying to become the root bridge. STP root guard should be enabled on all ports that will never connect to a root bridge, for example all end-user ports. This ensures that a root bridge will never be negotiated on those ports. STP root guard requires STP PortFast to be already configured on a port. STP root guard is configured on a per-port basis.
The following commands are used to enable STP Root Guard:
(config)# interface <type of interface> <number of interfaces that connect to end stations>
(config-if)# spanning-tree guard root
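As an added example that is not part of the original document, the following Python check reads a saved running-config and reports every port that misses one of the steps from IOS_SW_31 to IOS_SW_33 (DTP negotiation, default native VLAN, BPDU Guard, root guard); the sample configuration and port names are constructed.

```python
# Added example (not from the original document): audit a saved IOS running-config
# against IOS_SW_31..33. The sample configuration and port names are constructed.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree guard root
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/0/3
 switchport mode trunk
interface GigabitEthernet1/0/4
 description left at the DTP default
"""
def parse_interfaces(config):  # -> (top-level lines, {interface: [sub-commands]})
    top, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            top.append(line.strip())
    return top, interfaces
def audit(config):
    """Return {interface: [findings]} for every port that misses a hardening step."""
    top, interfaces = parse_interfaces(config)
    global_guard = "spanning-tree portfast bpduguard default" in top
    findings = {}
    for name, lines in interfaces.items():
        issues, mode = [], next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "access":   # end-station port: IOS_SW_31 and IOS_SW_33 checks
            if "switchport nonegotiate" not in lines:
                issues.append("DTP negotiation still enabled")
            if "spanning-tree portfast" in lines and not (global_guard or "spanning-tree bpduguard enable" in lines):
                issues.append("PortFast without BPDU guard")
            if "spanning-tree guard root" not in lines:
                issues.append("root guard missing")
        elif mode == "trunk":  # IOS_SW_32: the trunk native VLAN must not stay at 1
            native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                issues.append("native VLAN is 1")
        else:                  # IOS_SW_31: no static mode, so the DTP 'dynamic desirable' default applies
            issues.append("no static switchport mode")
        if issues:
            findings[name] = issues
    return findings
```

Run `audit(SAMPLE_CONFIG)` to get the findings per port; a port that is absent from the result passed every check.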
