OL-11615-01
Warning banners—Login banners should be used not only to dissuade possible attackers but also because in some jurisdictions they are required by law. Banners must give notice that any unauthorized use of the system is unlawful and can be subject to civil or criminal penalties. Just as important, banners should not reveal any platform- or configuration-related information.

Implementing role-based access—Role-based access allows administrators to define multiple users and groups, each of which can be associated with a list of permitted or denied commands. This feature is especially useful in environments where switches are administered by multiple groups of people with different access requirements.

Securing web-based GUI access—Catalyst switches can be configured and monitored using a convenient web-based user interface. Whenever it is available, the web-based GUI should be configured with HTTPS rather than HTTP. HTTP does not provide encryption for client connections, which leaves communication between clients and servers vulnerable to interception and other attacks. Another good practice is to enable authentication for HTTP and HTTPS connections.

Use secure access protocols (SSH) instead of clear-text protocols (telnet)—SSH is a protocol that provides secure remote access, allowing you to issue commands remotely and to transfer files. SSH implements strong authentication and encryption, which make it a better option than insecure protocols such as rlogin and telnet.

Controlling SNMP access—Whenever available, use SNMPv3 rather than earlier versions of the protocol. SNMP versions 1 and 2c provide weak security: in these earlier versions, access to MIB objects is controlled primarily by community strings, and neither version provides authentication or encryption. SNMP version 3 incorporates security features such as authentication, identity, and access control.
Access Control, page 98 provides the configuration guidelines to implement these best practices in Cisco
IOS and Catalyst OS.
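The following is an added example, not part of the Cisco guide, that turns the best practices above into a check a practitioner can run against an exported IOS running-config: it flags a missing login banner, a web GUI still reachable over plain HTTP or without authentication, vty lines that still accept telnet, and SNMP still relying on v1/v2c community strings. Both config excerpts are constructed for the example (the hostnames, group and user names, and the PLACEHOLDER_* key values are assumptions); role-based access is not checked because its configuration varies too much to pattern-match reliably.

```python
import re

# Constructed running-config excerpt with several weak settings (not from the guide).
WEAK_CONFIG = """\
hostname access-sw1
!
ip http server
snmp-server community public RO
!
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed excerpt that follows the practices described in the text.
# Key material is a labelled placeholder, not a real credential.
HARDENED_CONFIG = """\
hostname access-sw1
!
banner login ^C
Unauthorized access is prohibited and may be subject to civil or criminal penalties.
^C
no ip http server
ip http secure-server
ip http authentication local
snmp-server group NETMGMT v3 priv
snmp-server user nms-poller NETMGMT v3 auth sha PLACEHOLDER_AUTH priv aes 128 PLACEHOLDER_PRIV
!
line vty 0 4
 transport input ssh
 login local
"""


def _vty_transports(lines):
    """Collect the 'transport input' protocol sets of every 'line vty' block."""
    found, in_vty = [], False
    for line in lines:
        if line.startswith("line vty"):
            in_vty = True
        elif line and not line.startswith(" "):
            in_vty = False          # any other top-level command ends the block
        elif in_vty and line.strip().startswith("transport input"):
            found.append(set(line.split()[2:]))
    return found


def audit_management_access(config: str) -> dict:
    """Map each best practice to True (satisfied) or False (finding)."""
    lines = config.splitlines()
    text = "\n".join(lines)

    def has(pattern):
        return re.search(pattern, text, re.M) is not None

    transports = _vty_transports(lines)
    return {
        # a login or motd banner is configured
        "login_banner": has(r"^banner (login|motd)\b"),
        # HTTPS enabled and the plain-HTTP server explicitly absent
        "https_only": has(r"^ip http secure-server$") and not has(r"^ip http server$"),
        # web GUI requires authentication
        "http_authentication": has(r"^ip http authentication \S+"),
        # every vty block accepts SSH and nothing else (no telnet)
        "vty_ssh_only": bool(transports) and all(t == {"ssh"} for t in transports),
        # SNMPv3 groups/users defined and no v1/v2c community strings left behind
        "snmpv3_only": has(r"^snmp-server (group|user) .* v3\b")
        and not has(r"^snmp-server community "),
    }


def findings(config: str) -> list:
    """Names of the practices the configuration does not satisfy."""
    return [name for name, ok in audit_management_access(config).items() if not ok]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "findings:", findings(cfg) or "none")
```

Run against `show running-config` output saved to a file; the regexes anchor on top-level commands, so `no ip http server` is correctly not mistaken for the HTTP server being enabled.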
Access Control Lists
Catalyst 6500 and 4500 Series switches support several classes of Layer 2 and Layer 3 Access Control
Lists (ACLs) that can be used to shield the infrastructure from DoS, source address spoofing and other
attacks. The Layer 2 and Layer 3 ACLs available can help protect the infrastructure by filtering traffic
destined to the management and control planes, and by blocking illegitimate packets, such as those
containing private addresses or spoofed IP addresses.
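As an added example (not from the Cisco guide), the small evaluator below shows how an IOS-style extended ACL of the kind described above is applied to packets: entries are parsed with their wildcard masks, tested top-down, and an implicit deny applies when nothing matches. The ACL itself is constructed for the example and assumes 203.0.113.0/24 is the site's own address space: it drops packets arriving from outside that claim a private (RFC 1918), loopback, or internal source address, then permits only the services the site actually exposes.

```python
import ipaddress

# Constructed ingress ACL for an edge interface (assumes 203.0.113.0/24 is our own prefix).
EDGE_INGRESS_ACL = """\
! spoofed sources: private, loopback and our own space must never arrive from outside
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 203.0.113.0 0.0.0.255 any
! only the published services are reachable; everything else hits the implicit deny
permit tcp any host 203.0.113.10 eq 443
permit udp any host 203.0.113.53 eq 53
permit icmp any 203.0.113.0 0.0.0.255
"""

ALL_ONES = 0xFFFFFFFF


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def _parse_spec(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((net, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, ALL_ONES), i + 1
    if tokens[i] == "host":
        return (_addr(tokens[i + 1]), 0), i + 2
    return (_addr(tokens[i]), _addr(tokens[i + 1])), i + 2


def parse_acl(text):
    """Turn ACL lines into (action, protocol, src_spec, dst_spec, dst_port) tuples."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue                      # blank line or comment
        action, proto = tokens[0], tokens[1]
        src, i = _parse_spec(tokens, 2)
        dst, i = _parse_spec(tokens, i)
        port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        entries.append((action, proto, src, dst, port))
    return entries


def _matches(spec, address):
    """Wildcard-mask match: bits set in the mask are 'don't care'."""
    net, wildcard = spec
    return ((_addr(address) ^ net) & (~wildcard & ALL_ONES)) == 0


def evaluate(entries, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for a packet, first match wins, implicit deny at the end."""
    for action, p, s, d, port in entries:
        if p != "ip" and p != proto:
            continue
        if not _matches(s, src) or not _matches(d, dst):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(EDGE_INGRESS_ACL)
    for pkt in [("tcp", "10.1.2.3", "203.0.113.10", 443),
                ("tcp", "198.51.100.7", "203.0.113.10", 443),
                ("tcp", "198.51.100.7", "203.0.113.10", 22)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

The wildcard test is the bitwise form of what the switch hardware does: an address matches an entry when it agrees with the entry's network on every bit the wildcard leaves at zero, which is why `host` is just a wildcard of 0.0.0.0 and `any` a wildcard of all ones.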
The following types of ACLs are available:
Router ACL, page 8
VLAN ACL(VACL), page 8
Port ACL (PACL), page 12
Unicast MAC Address Filtering (MAC Address-Based Traffic Blocking), page 14
IP Permit Lists, page 15
Access-Class, page 15