Thursday 21 December 2017

Cisco layer 2 best practice step by step

Cisco Access layer best security practice

As we are all aware, layer 2 security plays a vital role in protecting our internal network from network threats. Nowadays, as technology advances, attackers also become far more sophisticated at generating different kinds of threats in networks.
Note: All configurations and tips are based on Cisco IOS and apply mostly to Cisco switches; we are focusing on quick step-by-step configurations.
Without wasting time, let's start the discussion of HOW TO SECURE LAYER 2.

VLANS

  • All of your unused ports should be in shutdown mode. Avoid using the default VLAN (VLAN 1) for anything; put unused ports in a VLAN that is not used for normal operations.
  • Spanning Tree Protocol should be enabled on your access switches. It is enabled by default on Cisco switches.

VTP

  • If you configure VTP in your network, then all access switches should be in client mode or transparent mode. The link mentioned below gives a detailed discussion of VTP configuration.

Port Security

You should use the port security feature on Cisco switches and restrict each port to its user's MAC address. Below is the link for port security deployment.

Use SSH

Use SSH instead of Telnet for a better security mechanism, and apply the commands mentioned below under the line VTY configuration:
line vty 0 15
 transport input ssh

Restrict Management

Also restrict management access so that no one outside the management VLAN can reach your switch through SSH/Telnet. This access should be enabled only from the specific VLAN used for administration. You can use an access list on the layer 2 switch to secure management access. An example is given below (an extended ACL needs the protocol keyword, so the final entry is deny ip any any):
  ip access-list extended Restrict-SSH
  permit ip 10.0.241.0 0.0.0.255 any
  deny ip any any
Now apply this access list under the line VTY configuration as follows. Apply it to all VTY lines (0 15), not only 0 4, otherwise lines 5 to 15 stay reachable without the filter; the transport command is transport input ssh (there is no "only" keyword):
line vty 0 15
 access-class Restrict-SSH in
 password cisco123
 transport input ssh
 login local
Note: password cisco123 is only a sample value; use a strong password. With login local the switch authenticates against its local username database, so a local username must be configured as well.

Disable CDP

Also disable CDP wherever you can manage to, by applying the command mentioned below.

Trunk Port

Trunk ports are very critical, so you should configure dedicated VLANs on trunk ports, and for this always use the trunk allowed command on your trunk ports. The commands are mentioned below.
Note: If you have configured a port channel, then you should run the trunk allowed command on the port-channel interface, as mentioned below.

Switches Passwords

All access switches should have strong passwords, including the enable password, console password and SSH password, and always use the service password-encryption command so that passwords appear encrypted in show running-config/startup-config. Note that service password-encryption only obscures passwords with the reversible Type 7 scheme, so protect privileged mode with enable secret rather than enable password.

Port level security

Use port-level security on Cisco switches to prevent threats:
  1. Port security
  2. IP Source Guard
  3. DHCP snooping
  4. Shut down unused ports
  5. ARP security (if applicable)
  6. Dynamic ARP Inspection (applied on interfaces)
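As an added example (not part of the original post), here is a small Python audit that checks a saved running-config against the checklist above: CDP disabled with no cdp run, service password-encryption and ip dhcp snooping present, trunks with an allowed-VLAN list (including port channels), live access ports not left in VLAN 1, and every VTY line both SSH-only and filtered by an access-class. The sample config is constructed for the demo and is not from any real device.

```python
# Constructed sample running-config (not from any real device), deliberately missing some settings.
SAMPLE_CONFIG = """\
service password-encryption
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 1
interface GigabitEthernet1/0/24
 switchport mode trunk
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,241
line vty 0 4
 access-class Restrict-SSH in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def parse_blocks(config):
    """Split IOS config text into (header, [indented child lines]) blocks; '!' separators are skipped."""
    blocks = []
    for raw in config.splitlines():
        if raw.startswith("!") or not raw.strip():
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_config(config):
    """Return findings against the post's checklist: global hardening, trunks, VLAN 1, VTY access."""
    blocks = parse_blocks(config)
    headers = {h for h, _ in blocks}
    findings = [f"global: '{cmd}' missing" for cmd in
                ("service password-encryption", "no cdp run", "ip dhcp snooping") if cmd not in headers]
    for header, lines in blocks:
        if header.startswith("interface "):
            name = header.split()[1]
            if "switchport mode trunk" in lines and not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append(f"{name}: trunk without 'switchport trunk allowed vlan'")
            vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan ")), "1")
            if "switchport mode access" in lines and vlan == "1" and "shutdown" not in lines:
                findings.append(f"{name}: live access port left in default VLAN 1")
        elif header.startswith("line vty"):
            if "transport input ssh" not in lines:
                findings.append(f"{header}: transport input is not SSH-only")
            if not any(l.startswith("access-class ") and l.endswith(" in") for l in lines):
                findings.append(f"{header}: no access-class restricting management sources")
    return findings
```

Run audit_config on the text of show running-config to get one finding per gap; an empty list means every check passed.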
You can contact us for any Cisco paid software: router IOS, latest switch IOS, wireless IOS, Cisco ASA IOS and paid Cisco documentation. ****Free of Cost****
You can also mail us about any kind of network issue; we will respond to you within 4 to 5 hours.
****Email****
aqlearninghub@gmail.com

****Facebook****

https://www.facebook.com/AQLearningcenter/


Regards,
Now presents AQ Learning Center
