Leaflet

87
OL-11615-01
• Deploying banners
• Implementing role-based access
• Securing web-based GUI access
• Using secure access protocols (SSH) instead of clear-text protocols (Telnet)
• Controlling SNMP access
These practices are described in Access Control, page 98.
Layer 2 and Layer 3 Access Control Lists (ACLs) are also essential security features because they can
help shield the infrastructure from DoS, source address spoofing, and other attacks. Here are some best
practices:
• Deploy ACLs at the edge switches to restrict external access to the infrastructure address space,
allowing only authorized devices to communicate with infrastructure elements and providing basic
anti-spoofing controls.
• Deploy ACLs on switches that sit between trust boundaries. These ACLs can be configured to
provide basic anti-spoofing and access control.
• Deploy IP permit lists and access-classes on every switch to control SSH, Telnet, and SNMP access
to the device.
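The following Cisco IOS configuration is an added example, not taken from this document, that puts the three ACL practices above together on one switch: an edge ACL that shields the infrastructure address space and drops spoofed sources, and an access-class plus SNMP view list that limit SSH and SNMP access to management hosts. All addresses, ACL names and the community string are constructed for the example.

```cisco
! Constructed addressing (assumption for this example):
!   10.255.0.0/24 - infrastructure address space (loopbacks, SVIs, links)
!   10.1.100.0/24 - management station subnet
!   Vlan20        - edge VLAN facing untrusted hosts
!
! 1. Edge ACL: protect infrastructure addresses and provide basic anti-spoofing
ip access-list extended EDGE-INFRA-PROTECT
 remark Anti-spoofing: nothing arriving from the edge may claim an infrastructure source
 deny   ip 10.255.0.0 0.0.0.255 any
 remark Only the management subnet may talk to infrastructure elements
 permit ip 10.1.100.0 0.0.0.255 10.255.0.0 0.0.0.255
 deny   ip any 10.255.0.0 0.0.0.255 log
 remark Transit traffic not aimed at the infrastructure passes through
 permit ip any any
!
interface Vlan20
 description Edge VLAN toward external/untrusted hosts
 ip access-group EDGE-INFRA-PROTECT in
!
! 2. Access-class: restrict SSH access to the switch to the management subnet,
!    and accept SSH only (Telnet is not offered on the vty lines).
!    Assumes an RSA key already exists (crypto key generate rsa).
ip access-list standard MGMT-HOSTS
 permit 10.1.100.0 0.0.0.255
 deny   any log
!
ip ssh version 2
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
! 3. SNMP: a read-only community bound to the same management ACL
!    (EXAMPLE-RO is a constructed value, replace with a strong string)
snmp-server community EXAMPLE-RO RO MGMT-HOSTS
```

The `deny ... log` entries give a detection hook: hits on them are either spoofing attempts or unauthorized management access and are worth alerting on, whereas the final `permit ip any any` keeps the edge ACL from interfering with ordinary transit traffic.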
When deploying several types of ACLs, it is important to understand how they interact. For example,
when combining PACLs, VACLs and IOS ACLs, a PACL is first applied on an incoming packet on a
physical port. If the packet is permitted by the PACL, it is filtered by the VACL that is applied to the
corresponding ingress VLAN. If the packet is Layer 3 forwarded and is permitted by the VACL, it is
filtered by the Cisco IOS ACL on the same VLAN. The same process happens in reverse in the egress
direction.
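To make the PACL → VACL → IOS ACL order concrete, here is an added Catalyst 6500 IOS example (not from the original document; addresses and names are constructed) with one filter at each of the three stages and a walk-through of two packets entering port GigabitEthernet3/1 in VLAN 10:

```cisco
! Stage 1 - PACL on the physical port: evaluated first for every ingress packet.
! Here it only admits packets whose source belongs to the host subnet of VLAN 10.
ip access-list extended PACL-HOST-PORT
 permit ip 10.10.10.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet3/1
 switchport
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-HOST-PORT in
!
! Stage 2 - VACL on VLAN 10: sees only what the PACL permitted, bridged or routed.
! It drops Telnet and forwards everything else.
ip access-list extended VACL-TELNET
 permit tcp any any eq 23
!
vlan access-map VLAN10-FILTER 10
 match ip address VACL-TELNET
 action drop
vlan access-map VLAN10-FILTER 20
 action forward
!
vlan filter VLAN10-FILTER vlan-list 10
!
! Stage 3 - IOS ACL on the SVI: reached only by packets the VACL forwarded
! AND that are Layer 3 forwarded out of VLAN 10. Hosts may reach the
! infrastructure space (10.255.0.0/24, constructed) only with SSH.
ip access-list extended SVI10-IN
 permit tcp 10.10.10.0 0.0.0.255 10.255.0.0 0.0.0.255 eq 22
 deny   ip  10.10.10.0 0.0.0.255 10.255.0.0 0.0.0.255 log
 permit ip  10.10.10.0 0.0.0.255 any
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group SVI10-IN in
!
! Walk-through (assumed packets):
!  a) 192.0.2.7 -> 10.10.10.20, any protocol: dropped at stage 1 by the PACL
!     (spoofed source), never reaches the VACL.
!  b) 10.10.10.5 -> 10.255.0.1 tcp/23: passes the PACL, dropped at stage 2
!     by the VACL; the SVI ACL is never consulted.
!  c) 10.10.10.5 -> 10.255.0.1 tcp/22: passes the PACL, forwarded by the VACL,
!     routed off the VLAN and permitted at stage 3 by SVI10-IN.
!  d) 10.10.10.5 -> 10.10.10.9 tcp/80: passes the PACL and the VACL, and is
!     bridged within VLAN 10, so the SVI ACL does not apply to it at all.
```

Case d) is the one most often misunderstood: an IOS ACL on the SVI only governs routed traffic, so intra-VLAN filtering has to be done with the VACL or the PACL.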
Finally, by default, Catalyst switches running Catalyst OS come with all Ethernet ports enabled and set
to VLAN 1. Leaving all unused ports configured in VLAN 1 leaves an opening for unauthorized access.
For this reason, we recommend that you disable all unused ports and place them in an unused VLAN.
In Catalyst switches running Cisco IOS, all interfaces are shut down by default. The interfaces should
be enabled only as needed.
Spanning Tree Protocol Security
Spanning Tree (STP) is a widely used protocol that makes it possible to implement redundant topologies
in bridged networks while preventing undesirable loops. Unfortunately, STP communications are neither
encrypted nor authenticated, leaving STP vulnerable to a variety of attacks, including the injection of
bogus BPDUs, man-in-the-middle, and even DoS. Catalyst 6500 and 4500 Series switches provide a set
of tools that can be deployed jointly to mitigate, and in some cases even prevent, attacks against STP.
The following guidelines pertain to deploying these tools in a systematic manner.
By default, all Ethernet ports on Catalyst switches are set to auto-negotiated trunking mode. Ports
configured in this mode automatically negotiate the configuration of trunks. Leaving auto-negotiated
trunking mode indiscriminately enabled on all ports could allow anyone connected to one of these ports
to establish an unauthorized trunk. Therefore, auto-negotiated trunking should be disabled on all ports
connecting to non-switching devices, such as workstations and servers. In a more restrictive
approach, administrators can opt to disable auto-negotiated trunks on all ports and allow only
manual configuration of trunks as needed.
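The port-hardening recommendations from the two passages above (park and shut down unused ports in an unused VLAN; disable trunk auto-negotiation on host-facing ports and, in the restrictive variant, on every port) fit in one interface baseline. The following is an added example in Cisco IOS syntax with the Catalyst OS equivalents after it; it is not from the original document, and the module/port ranges and VLAN numbers are constructed.

```cisco
! ---------- Cisco IOS (Catalyst 6500 / 4500) ----------
! Unused VLAN that carries no traffic and has no SVI (constructed: 999)
vlan 999
 name UNUSED-PARKING
!
! Unused ports: parked in the unused VLAN, trunking negotiation off, shut down
interface range GigabitEthernet1/1 - 24
 description UNUSED - parked, enable only when needed
 switchport
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! Host-facing access ports (workstations, servers): never negotiate a trunk
interface range GigabitEthernet2/1 - 48
 description Host access port
 switchport
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Restrictive variant: even inter-switch links are trunks by explicit
! configuration only, with DTP negotiation disabled
interface TenGigabitEthernet5/1
 description Uplink to distribution switch
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
! ---------- Catalyst OS equivalents (constructed module/port numbers) ----------
! set vlan 999 name UNUSED-PARKING
! set vlan 999 3/1-48            (move unused ports out of VLAN 1)
! set trunk 3/1-48 off           (no auto-negotiated trunks on those ports)
! set port disable 3/1-48        (CatOS ports are enabled by default: disable them)
! set trunk 4/1-48 off           (host-facing ports: trunking off)
```

A useful periodic check is `show interfaces switchport` on IOS (the `Negotiation of Trunking` field should read `Off` on every hardened port) and `show trunk` on CatOS; any port that has drifted back to `auto` or `desirable` mode is a configuration regression worth investigating.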
Per-VLAN Spanning Tree (PVST) is another recommended feature that should be enabled on all
switches. PVST implements a separate instance of spanning tree for each VLAN configured in the
network, making the network more resilient from attacks against spanning tree. With PVST, if a problem