
CCNP Switch - Securing Switched Networks (Port Security, 802.1x, DHCP Snooping, IP Source Guard, DAI)

Catalyst switches have a variety of methods that can secure or control user access.

Port Security 
Default Port Security Configuration 
Feature                 Default Setting
Port security           Disabled on a port
Sticky learning         Disabled
Maximum MACs/port       1
Violation mode          Shutdown. The port is err-disabled when the maximum number of secure MAC addresses is exceeded.
Port security aging     Disabled (aging time 0); static aging disabled; aging type absolute
 - In some environments, a network must be secured by controlling what stations can gain access to the network itself.
 - Catalyst switches offer the port security feature to control port access based on MAC addresses.
Switch(config-if)# switchport port-security    <--- enable port-security first on a per-interface basis
- You must identify a set of allowed MAC addresses so that the port can grant them access.
- Specify the maximum number of MAC addresses that will be allowed access:
Switch(config-if)# switchport port-security maximum <max-addr>
Switch(config-if)# switchport port-security maximum 2   <-- at most two MAC addresses may be active on this switch port at any time
 - By default, port security allows only one MAC address on each switch port.
 - The CCNP text gives the configurable range as 1 to 1024; the real upper limit is platform dependent (compare the "Max Addresses limit in System" line in the show port-security output further down).
 - By default, port security learns MAC addresses dynamically on the interface, up to the configured maximum, and expects those addresses to keep appearing on that interface. Dynamic secure addresses live only in the address table and are lost on reload; sticky learning (below) is what writes them into the configuration.
 - Learned addresses can also be aged out of the table if those hosts are silent for a period of time. By default, no aging occurs.
 - You also can statically define one or more MAC addresses on an interface.
Switch(config-if)# switchport port-security mac-address <mac-add>
Switch(config-if)# switchport port-security mac-address 0006.5b02.a841
The switch supports these types of secure MAC addresses:

  • Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.

  • Dynamic secure MAC addresses—These are dynamically configured, stored only in the address table, and removed when the switch restarts.

  • Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.
switchport port-security mac-address sticky - the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. All sticky secure MAC addresses are added to the running configuration.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_44_se/configuration/guide/scg/swtrafc.html

MAC Address Aging
- The aging increment is one minute.
- Aging of sticky addresses is not supported.
- Unless static aging is explicitly configured with switchport port-security aging static, static addresses are not aged even if aging is configured on the port.
- "Aging Time : 0 mins" in show port-security output means aging is disabled, which is the default.

By default, secure MAC addresses are learned (in effect) permanently. Aging can be configured so that the addresses expire after a certain amount of time has passed, which lets a new host take the place of one that has been removed without an operator clearing the table. Two aging types exist: absolute expires an address a fixed time after it was learned regardless of activity; inactivity expires it only after the configured period passes with no traffic from that address. The following example configures expiration of MAC addresses after five minutes of inactivity:
Switch(config-if)# switchport port-security aging time 5
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# ^Z
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 5 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
After five minutes of inactivity, we can see that the address has been purged:
Switch# show port-security interface f0/13
...
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0

Port-Security violation
 - You must define how each interface using port security should react if a MAC address is in violation.
 - A violation occurs when the port's secure address table is already at its maximum and a frame arrives from a MAC address that is not in it (for example, an address not statically defined on a port whose table is filled by static entries).
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
   Shutdown—The port is immediately put into the errdisable state (effectively shut down), the violation counter is incremented, and an SNMP trap and syslog message are sent. The port must be re-enabled manually (shutdown, then no shutdown) or through errdisable recovery before it can be used again. This is the default mode.
   Shutdown VLAN—Err-disables only the VLAN on which the violation occurred instead of the entire port. Use it to set the violation mode per VLAN, for example on a port that carries both a data and a voice VLAN.
   Restrict—The port stays up, but frames from violating MAC addresses are dropped. The switch keeps a running count of violations and can send an SNMP trap and a syslog message as an alert.
   Protect—The port stays up and frames from violating addresses are dropped, as in restrict mode, but no record of the violation is kept: no counter, no trap, no syslog. Use it with care, because nothing tells you a violation is happening.
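To make the three violation modes concrete, here is an added example (my own model, not Cisco code and not from the original notes) that replays the same constructed frame sequence through a max-1 port in each mode. Port name and MAC addresses are constructed; the syslog strings are abbreviated imitations of the real %PM and %PORT_SECURITY messages.

```python
# Added example (not Cisco code, not from the original page): a small model of
# the port-security semantics described above, so the three violation modes can
# be compared on the same frame sequence.  Port name and MACs are constructed.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # default: one secure MAC per port
    violation: str = "shutdown"      # default violation mode
    static: set = field(default_factory=set)      # switchport port-security mac-address ...
    learned: list = field(default_factory=list)   # dynamically learned secure MACs
    status: str = "secure-up"        # "secure-up" or "secure-shutdown" (err-disabled)
    violation_count: int = 0
    log: list = field(default_factory=list)

    def secure_addresses(self) -> set:
        return self.static | set(self.learned)

    def ingress(self, src_mac: str) -> bool:
        """Process one ingress frame; True = forwarded, False = dropped."""
        src_mac = src_mac.lower()
        if self.status == "secure-shutdown":
            return False                          # err-disabled port passes nothing
        if src_mac in self.secure_addresses():
            return True
        if len(self.secure_addresses()) < self.maximum:
            self.learned.append(src_mac)          # dynamic learning up to the maximum
            return True
        return self._violate(src_mac)

    def _violate(self, src_mac: str) -> bool:
        if self.violation == "shutdown":
            # err-disable the port, flush secure MACs, count and log the violation
            self.status = "secure-shutdown"
            self.learned.clear()
            self.violation_count += 1
            self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}")
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: caused by {src_mac} on {self.name}")
        elif self.violation == "restrict":
            # port stays up; offending frames dropped, counted and logged
            self.violation_count += 1
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: caused by {src_mac} on {self.name}")
        elif self.violation == "protect":
            pass                                  # silently dropped: no count, no log
        else:
            raise ValueError(f"unknown violation mode {self.violation!r}")
        return False

    def clear_dynamic(self) -> None:
        """clear port-security dynamic interface <name>"""
        self.learned.clear()

    def bounce(self) -> None:
        """shutdown / no shutdown on an err-disabled port"""
        self.status = "secure-up"
        self.learned.clear()


# Constructed frame sequence: the legitimate host twice, a second MAC on a
# max-1 port, then the legitimate host again.
FRAMES = ["0006.5b02.a841", "0006.5b02.a841", "0000.5e00.0101", "0006.5b02.a841"]


def run_scenario(mode: str):
    """Return (forwarded flags, violation count, port status, log) for one mode."""
    port = SecurePort("Gi0/11", maximum=1, violation=mode)
    forwarded = [port.ingress(mac) for mac in FRAMES]
    return forwarded, port.violation_count, port.status, port.log


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, run_scenario(mode)[:3])
```

The point the run makes: in shutdown mode the legitimate host is cut off too once the port is err-disabled (the fourth frame is dropped), whereas restrict and protect keep serving it and differ only in whether anyone ever hears about the violation.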
Example:
interface GigabitEthernet0/11
switchport access vlan 991
switchport mode access
switchport port-security
switchport port-security violation restrict
spanning-tree portfast
When the default maximum of one MAC address is exceeded on this interface (restrict mode), the port stays up and the switch logs:
Jun 3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet0/11.
Shutdown mode:
Jun 3 17:14:19.018 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/11, putting Gi0/11 in err-disable state
Jun 3 17:14:19.022 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation
occurred, caused by MAC address 0003.a089.efc5 on port GigabitEthernet0/11.
If an interface is undergoing the restrict or protect condition, you might need to clear the learned MAC addresses so that a specific host can use the switch port.
Switch# clear port-security dynamic [address <mac-addr> | interface <type mod/num>]
Verify status of port-security
Switch#  show port-security interface gigabitethernet 0/11
Port Security  : Enabled
Port Status  : Secure-shutdown

Violation Mode  : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging  : Disabled
Maximum MAC Addresses  : 1
Total MAC Addresses  : 0
Configured MAC Addresses  : 0
Sticky MAC Addresses  : 0
Last Source Address  : 0003.a089.efc5
Security Violation Count  : 1
Switch#
Switch# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
            (Count)       (Count)     (Count)
---------------------------------------------------------------------------
Gi0/11      5             1           0                 Restrict
Gi0/12      1             0           0                 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6176
Switch# 
Quick summary of only ports in the Errdisable state
Switch# show interfaces status err-disabled
Port Name Status Reason
Gi0/11 Test port err-disabled psecure-violation
! When a port is moved to the errdisable state, you must either manually bounce it (shutdown, then no shutdown) or configure errdisable recovery so the switch re-enables it automatically after a prescribed delay. Until then the port forwards nothing, not even for the legitimate host.
To manually bounce a port and return it to service, use the following commands:
Switch(config)# interface <type mod/num>
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Port-security on Voice VLAN  (info)
Allow:
 - a maximum of one MAC address on the voice VLAN (a Cisco IP Phone, say)
 - and one MAC address on the data VLAN (a PC behind the phone, say) on Fast Ethernet interface 5/1
The per-VLAN maxima count against the port-level maximum. Cisco's guideline for a secure port that also carries a voice VLAN is to set the port maximum to two (one for the phone, one for the PC); with the default of one, the second device triggers a violation.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fa5/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1 vlan voice
Switch(config-if)# switchport port-security maximum 1 vlan access
Switch(config-if)# end
Another example (default maximum of 1, default violation mode shutdown):
Switch(config)# interface FastEthernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
!
Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
    Fa1/0/1              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144
Switch#
After violation
*Mar  1 00:21:54.192: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/1, putting Fa1/0/1 in err-disable state
*Mar  1 00:21:54.201: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.7330.7e06 on port FastEthernet1/0/1.
*Mar  1 00:21:55.199: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
*Mar  1 00:21:56.206: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
Switch#sh port-security int  fa 1/0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0018.7330.7e06:1
Security Violation Count   : 1
Switch#
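The syslog lines above are what a SIEM or a script actually sees when port security fires. The following is an added example (my own code, not from the notes or from Cisco) that parses the %PM-4-ERR_DISABLE and %PORT_SECURITY-2-PSECURE_VIOLATION messages into a per-port summary, reconciling the short interface names used by %PM (Gi0/11) with the long ones used by %PORT_SECURITY (GigabitEthernet0/11). The log lines are constructed, modelled on the ones shown above.

```python
# Added example (not from the page): parse Catalyst port-security syslog lines
# and summarise violations and err-disable events per port.  The log lines are
# constructed, modelled on the %PORT_SECURITY and %PM messages shown above.
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jun 3 17:14:19.018 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/11, putting Gi0/11 in err-disable state
Jun 3 17:14:19.022 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0003.a089.efc5 on port GigabitEthernet0/11.
Jun 3 17:14:20.100 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to down
Jun 3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet0/12.
Jun 3 17:18:43.102 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet0/12.
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+ \w+): ")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address ([0-9a-f.]+) on port (\S+?)\.?$")

SHORT_NAMES = {"Gi": "GigabitEthernet", "Fa": "FastEthernet", "Te": "TenGigabitEthernet"}


def normalize_ifname(name: str) -> str:
    """Map the abbreviated form used by %PM (Gi0/11) onto the long form used
    by %PORT_SECURITY (GigabitEthernet0/11) so both land on the same key."""
    for short, long in SHORT_NAMES.items():
        if name.startswith(long):
            return name
        if name.startswith(short):
            return long + name[len(short):]
    return name


def summarize(log_text: str) -> dict:
    """Per-port summary: violation count, offending MACs, err-disabled flag, last timestamp."""
    ports = defaultdict(lambda: {"violations": 0, "macs": set(), "err_disabled": False, "last": None})
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        stamp = ts.group(1) if ts else None
        m = ERRDISABLE_RE.search(line)
        if m:
            entry = ports[normalize_ifname(m.group(1))]
            entry["err_disabled"] = True
            entry["last"] = stamp
            continue
        m = VIOLATION_RE.search(line)
        if m:
            mac, ifname = m.group(1), normalize_ifname(m.group(2))
            entry = ports[ifname]
            entry["violations"] += 1
            entry["macs"].add(mac)
            entry["last"] = stamp
    return dict(ports)


def alerts(summary: dict, restrict_threshold: int = 2) -> list:
    """Ports needing attention: err-disabled ones (need shutdown/no shutdown or
    errdisable recovery) and still-up ports that keep logging violations
    (restrict mode; protect mode would never show up here at all)."""
    out = []
    for ifname, e in sorted(summary.items()):
        macs = ", ".join(sorted(e["macs"]))
        if e["err_disabled"]:
            out.append(f"{ifname}: err-disabled (psecure-violation) by {macs} at {e['last']}")
        elif e["violations"] >= restrict_threshold:
            out.append(f"{ifname}: {e['violations']} violations, port still up, from {macs}")
    return out


if __name__ == "__main__":
    for line in alerts(summarize(SAMPLE_LOG)):
        print(line)
```

A repeated violation from the same MAC on a restrict-mode port (Gi0/12 above) is usually a mis-cabled or replaced device rather than an attack, but it is also exactly what a rogue hub or a VM bridge looks like, so it is worth an alert either way.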
Port-Based Authentication
 - Catalyst switches can support port-based authentication, a combination of AAA authentication and port security.
 - This feature is based on the IEEE 802.1x standard.
 - When it is enabled, a switch port will not pass any traffic until a user has authenticated with the switch. If the authentication is successful, the user can use the port normally.
 - Both the switch (the authenticator) and the end user's PC (the supplicant) must support 802.1x. They talk a Layer 2 protocol, Extensible Authentication Protocol over LANs (EAPOL); the switch relays the EAP exchange to a RADIUS server (the authentication server), which makes the accept/reject decision.
 - If the client PC is configured to use 802.1x but the switch does not support it, the PC abandons the protocol and communicates normally.
 - If the switch is configured for 802.1x but the PC does not support it, the switch port remains in the unauthorized state and will not forward any traffic to the client PC (unless a guest VLAN is configured, see the configuration example below).
 - Until the client is authenticated, 802.1x access control allows only EAPOL, Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected.
http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/ht_8021x.html
 - Either the client or the switch can initiate an 802.1x session.
 - Further reading: "How to configure wired 802.1X for Windows 7"; Cisco "Wired 802.1X Deployment Guide".
About 'aaa new-model'
 - Without aaa new-model, the default login authentication on the console and on the vty lines is the line password.
 - Once you enable aaa new-model, the default login authentication becomes the local user database: the switch prompts for a username and checks it against locally configured usernames and passwords. If no local user exists yet, you can lock yourself out of the vty lines, so create one (or the default method below) in the same session before logging out.
 - Configuring aaa new-model together with aaa authentication dot1x only sets up 802.1x; the change to the login default described above still happens.
 - Creating a named login authentication method and assigning it to the vty lines fixes vty logins but not the console.
 - Suggestion: define a default login method that uses the line password, which covers both the vty lines and the console. It might look like aaa authentication login default line. That gets you back to needing only the line password on the console and on the vty, and it does not affect the dot1x authentication.

802.1x Configuration
 - Port-based authentication can be handled by one or more external Remote Authentication Dial-In User Service (RADIUS) servers.
 - Only RADIUS is supported for 802.1x
Switch(config)# aaa new-model
 ! Enable AAA on the switch.
 ! By default, AAA is disabled. 


Switch(config)# radius-server host {<hostname> | <ip-address>}[key <string>]
 ! define each server along with its secret shared password

Switch(config)# aaa authentication dot1x default group radius
 ! causes all RADIUS authentication servers that are defined on the switch to be used for 802.1x authentication

Switch(config)# dot1x system-auth-control
 ! Enable 802.1x on the switch

Switch(config)# interface <type mod/num>
Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}
 ! Configure each switch port that will use 802.1x
 ! force-authorized—Disables 802.1X port-based authentication and causes the port to transition to the authorized state without any authentication exchange required. No authentication is necessary. This is the default state for all switch ports when 802.1x is enabled.
! force-unauthorized—The port is forced to never authorize any connected client. As a result, the port cannot move to the authorized state to pass traffic to a connected client.
! auto—The port uses an 802.1x exchange to move from the unauthorized to the authorized state, if successful.
             This requires an 802.1x-capable application on the client PC.


Switch(config-if)# dot1x host-mode multi-host
 ! Allow multiple hosts on a switch port (for example, a hub or an unmanaged switch behind the port).
 ! In multi-host mode only the first host has to authenticate; once it does, every other MAC address seen on the port is allowed as well, so anything plugged into the same hub rides on that one authentication. Prefer multi-auth or multi-domain host modes where the platform supports them.

Switch# show dot1x all
 ! verify the 802.1x operation on each switch port that is configured to use port-based authentication

After 802.1x is globally enabled on a switch, all switch ports default to the force-authorized state. This means that any PC connected to a switch port can immediately start accessing the network.

Config example
Switch(config)# aaa new-model
Switch(config)# radius-server host 10.1.1.1 key BigSecret
Switch(config)# radius-server host 10.1.1.2 key AnotherBigSecret
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface range FastEthernet0/1 - 40
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Switch(config-if)# switchport access vlan 30      <--- if the client authenticates successfully, it is placed in VLAN 30
Switch(config-if)# dot1x guest-vlan 10            <--- if the client does not speak 802.1x (no EAPOL response), put it in GUEST VLAN 10
Switch(config-if)# dot1x auth-fail vlan 20        <--- if the client fails authentication, put it in the RESTRICTED VLAN 20
Switch(config-if)# dot1x auth-fail max-attempts 1 <--- after one failed attempt, move the client to the auth-fail VLAN
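The example configuration above produces four distinct outcomes for a host depending on port-control mode, whether the host speaks EAPOL at all, and whether RADIUS accepts it. As an added example (my own model, not Cisco code and not from the notes), the following reduces the RADIUS servers to a constructed credential dict and the supplicant to a list of attempts, and returns the VLAN each host ends up in. It also encodes the pre-authentication filter (only EAPOL, CDP and STP pass on an "auto" port).

```python
# Added example (not Cisco code, not from the page): the port outcomes produced
# by the 802.1x configuration above.  The RADIUS servers are replaced by a
# constructed credential dict, and the supplicant by a list of attempts.
from typing import List, Optional, Tuple

RADIUS_USERS = {"alice": "s3cret"}          # constructed stand-in for 10.1.1.1 / 10.1.1.2

# Before authorization only these protocols are passed on an "auto" port.
PRE_AUTH_ALLOWED = {"EAPOL", "CDP", "STP"}


def pre_auth_forward(protocol: str, authorized: bool) -> bool:
    """Whether a frame of the given protocol is passed by the port."""
    return authorized or protocol in PRE_AUTH_ALLOWED


def dot1x_outcome(port_control: str, access_vlan: int,
                  supplicant: Optional[List[Tuple[str, str]]],
                  guest_vlan: Optional[int] = None, auth_fail_vlan: Optional[int] = None,
                  max_attempts: int = 1) -> Tuple[str, Optional[int]]:
    """Return (state, vlan) for a host on the port.
    supplicant: None if the host never answers EAPOL (no 802.1x support),
    otherwise the (username, password) pairs it will try in order."""
    if port_control == "force-authorized":
        return "authorized", access_vlan          # no exchange at all (the default)
    if port_control == "force-unauthorized":
        return "unauthorized", None               # never passes client traffic
    if port_control != "auto":
        raise ValueError(port_control)
    if supplicant is None:
        # No EAPOL response: guest VLAN if configured, otherwise stays unauthorized
        return ("guest", guest_vlan) if guest_vlan is not None else ("unauthorized", None)
    failures = 0
    for user, pw in supplicant:
        if RADIUS_USERS.get(user) == pw:
            return "authorized", access_vlan
        failures += 1
        if failures >= max_attempts:
            break
    # dot1x auth-fail max-attempts exhausted
    return ("auth-fail", auth_fail_vlan) if auth_fail_vlan is not None else ("unauthorized", None)


def page_config(supplicant):
    """The interface configuration from the example above: VLAN 30 on success,
    guest VLAN 10, auth-fail VLAN 20, one attempt."""
    return dot1x_outcome("auto", 30, supplicant, guest_vlan=10, auth_fail_vlan=20, max_attempts=1)


if __name__ == "__main__":
    print(page_config(None))                      # ('guest', 10)
    print(page_config([("alice", "wrong")]))      # ('auth-fail', 20)
    print(page_config([("alice", "s3cret")]))     # ('authorized', 30)
```

Note the security consequence of the guest VLAN: a host that simply never answers EAPOL lands in VLAN 10 without any credentials, so what that VLAN can reach is the real control, not 802.1x itself.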

Mitigating Spoofing Attacks
 - Malicious users can send spoofed information to trick switches or other hosts into using a rogue machine as a gateway.
 - Three Cisco Catalyst features, DHCP snooping, IP Source Guard and dynamic ARP inspection, prevent certain types of spoofing attack. They build on each other: DHCP snooping produces the IP-to-MAC-to-port binding table that the other two enforce against.

DHCP Snooping
A DHCP server normally provides all the basic information a client PC needs to operate on a network (address, mask, default gateway, DNS servers).
An attacker can bring up a rogue DHCP server on a machine in the same subnet as the client PC.
If the rogue server answers first, the client accepts its reply, which can carry a spoofed default gateway or DNS server address and so route the client's traffic through the attacker.
Cisco Catalyst switches can use the DHCP snooping feature to help mitigate this type of attack.
When DHCP snooping is enabled, switch ports are categorized as trusted or untrusted.
 Legitimate DHCP servers (or the uplinks that lead to them) sit behind trusted ports, whereas all other hosts sit behind untrusted ports. Server-side messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped.
Switch(config)# ip dhcp snooping
 ! configure DHCP snooping first by enabling it globally on a switch
Switch(config)# ip dhcp snooping vlan <vlan-id> [<vlan-id>]
 ! identify the VLANs where DHCP snooping should be implemented
Switch(config)# interface <type mod/num>
Switch(config-if)# ip dhcp snooping trust
 ! Only trusted ports are allowed to send DHCP replies
Switch(config)# interface <type mod/num>
Switch(config-if)# ip dhcp snooping limit rate <rate>
 ! By default, untrusted ports accept an unlimited rate of DHCP requests.
 ! Rate-limiting DHCP traffic on an untrusted port caps a client-side DHCP flood; exceeding the rate err-disables the port.
 ! The rate can be 1 to 2048 DHCP packets per second.
You also can configure the switch to use DHCP option-82, the DHCP Relay Agent Information option, which is described in RFC 3046.
Switch adds its own MAC address and the switch port identifier into the option-82 field of the request. The request then is forwarded normally so that it can reach a trusted DHCP server.
 - This feature is enabled by default.
You can enable or disable option-82 globally
Switch(config)# [no] ip dhcp snooping information option
When DHCP snooping is configured, you can display its status
Switch# show ip dhcp snooping [binding]
binding - display all the known DHCP bindings that have been overheard
DHCP Snooping Configuration
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 104   <--- enable snooping on access VLAN 104; all its ports are untrusted by default
Switch(config)# interface range fastethernet 0/35 - 36
Switch(config-if)# ip dhcp snooping limit rate 3   <--- DHCP rate limiting applied at three packets per second
Switch(config-if)# interface gigabitethernet 0/1   <--- the known DHCP server is reached over the Gigabit Ethernet 0/1 uplink
Switch(config-if)# ip dhcp snooping trust
DHCP Snooping Status Display
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs: 104
Insertion of option 82 is enabled
Interface            Trusted   Rate limit (pps)
------------------  ------- ----------------
FastEthernet0/35     no         3
FastEthernet0/36     no         3
GigabitEthernet0/1   yes        unlimited
Switch#
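The show output above tells you which ports are trusted and rate-limited, but not what the switch does with each DHCP message. As an added example (my own model, not Cisco code and not from the notes), the following replays a constructed exchange through the configuration shown: a rogue OFFER on an untrusted port, a legitimate DISCOVER/ACK that creates a binding, a DISCOVER whose chaddr does not match the frame's source MAC, and a DISCOVER flood that trips the 3 pps limit. Ports, VLAN, MACs and addresses are constructed; the sliding one-second window is my own approximation of the switch's rate limiter.

```python
# Added example (not Cisco code, not from the page): a model of what DHCP
# snooping does with each DHCP message: trusted/untrusted ports, chaddr vs
# source-MAC check, per-port rate limiting with err-disable, and building the
# binding table that IP Source Guard and DAI consume.  All inputs are constructed.
from collections import deque

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    def __init__(self, vlans, trusted_ports, rate_limits=None):
        self.vlans = set(vlans)                     # ip dhcp snooping vlan ...
        self.trusted = set(trusted_ports)           # ip dhcp snooping trust
        self.rate_limits = dict(rate_limits or {})  # ip dhcp snooping limit rate <pps>
        self.bindings = {}                          # (vlan, client_mac) -> (ip, client port)
        self.pending = {}                           # (vlan, client_mac) -> client port
        self.err_disabled = set()
        self._recent = {}                           # port -> deque of packet times (last 1 s)

    def _over_rate(self, port, t):
        limit = self.rate_limits.get(port)
        if limit is None:
            return False                            # untrusted ports are unlimited by default
        q = self._recent.setdefault(port, deque())
        q.append(t)
        while q and q[0] <= t - 1.0:
            q.popleft()
        return len(q) > limit

    def handle(self, port, vlan, msg, src_mac, chaddr, yiaddr=None, t=0.0):
        """Return 'forward' or a 'drop: ...' reason for one DHCP message."""
        if vlan not in self.vlans:
            return "forward"                        # snooping not enabled on this VLAN
        if port in self.err_disabled:
            return "drop: port err-disabled"
        if port in self.trusted:
            if msg == "ACK" and yiaddr:
                # bind the leased address to the port the client asked from
                client_port = self.pending.pop((vlan, chaddr), None)
                if client_port is not None:
                    self.bindings[(vlan, chaddr)] = (yiaddr, client_port)
            return "forward"
        # untrusted port from here on
        if msg in SERVER_MSGS:
            return "drop: DHCP server message on untrusted port"
        if self._over_rate(port, t):
            self.err_disabled.add(port)
            return "drop: rate limit exceeded, port err-disabled"
        if chaddr != src_mac:
            return "drop: chaddr does not match source MAC"
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[(vlan, chaddr)] = port
        elif msg == "RELEASE":
            # only the port that owns the binding may release it
            _, bound_port = self.bindings.get((vlan, chaddr), (None, None))
            if bound_port != port:
                return "drop: RELEASE from a port that does not own the binding"
            del self.bindings[(vlan, chaddr)]
        return "forward"


def demo():
    """Replay a constructed exchange on the configuration shown above."""
    snoop = DhcpSnooping(vlans=[104], trusted_ports={"Gi0/1"}, rate_limits={"Fa0/35": 3, "Fa0/36": 3})
    pc, rogue, server = "0006.5b02.a841", "0000.5e00.0101", "0000.0c11.2233"
    results = [
        snoop.handle("Fa0/35", 104, "OFFER", src_mac=rogue, chaddr=pc),              # rogue server
        snoop.handle("Fa0/35", 104, "DISCOVER", src_mac=pc, chaddr=pc, t=0.0),
        snoop.handle("Gi0/1", 104, "ACK", src_mac=server, chaddr=pc, yiaddr="192.168.1.10"),
        snoop.handle("Fa0/36", 104, "DISCOVER", src_mac=rogue, chaddr="00aa.bbcc.ddee"),  # forged chaddr
    ]
    flood = [snoop.handle("Fa0/36", 104, "DISCOVER", src_mac="00aa.bbcc.ddee",
                          chaddr="00aa.bbcc.ddee", t=1.0 + i * 0.1) for i in range(4)]
    return results, flood, snoop


if __name__ == "__main__":
    r, f, s = demo()
    print(r, f, s.bindings, s.err_disabled, sep="\n")
```

The binding the model ends up with, (VLAN 104, 0006.5b02.a841) bound to 192.168.1.10 on Fa0/35, is precisely the record that IP Source Guard and DAI later consult, which is why those two features are useless on a VLAN where snooping is not enabled.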

Using Cisco IP Phones with a DHCP Server
Enterprises with small branch offices that implement a Cisco IP Telephony Voice over IP solution
typically implement Cisco CallManager at a central office to control Cisco IP Phones at small branch
offices. This implementation allows centralized call processing, reduces the equipment required, and
eliminates the administration of additional Cisco CallManager and other servers at branch offices.
Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if it does not have both the IP address and TFTP server IP address preconfigured, it sends a request with
option 150 or 66 to the DHCP server to obtain this information.
 - DHCP option 150 provides the IP addresses of a list of TFTP servers.
 - DHCP option 66 gives the IP address or the hostname of a single TFTP server.
 - Note: Cisco IP Phones might also include DHCP option 3 (router) in their requests, which supplies the default gateway; a rogue server answering that option is exactly the case DHCP snooping guards against.


IP Source Guard
 - Address spoofing is one type of attack that can be difficult to mitigate.
 - A rogue or compromised host PC can use its legitimate address, or it can begin to use spoofed addresses—borrowed from other hosts or used at random.
 - Spoofed addresses are often used to disguise the origin of denial-of-service attacks. If the source address doesn’t really exist, no return traffic will find its way back to the originator.
 - Routers or Layer 3 devices can perform some simple tests to detect spoofed source addresses in packets passing through.
 - It is difficult to detect spoofed addresses when they are used inside the VLAN or subnet where they should already exist.
 - Cisco Catalyst switches can use the IP source guard feature to detect and suppress address spoofing attacks—even if they occur within the same subnet. 
 - If DHCP snooping is configured and enabled, the switch learns the MAC and IP addresses of hosts that use DHCP.
Packets arriving on a switch port can be tested for one of the following conditions:
 - The source IP address must be identical to the IP address learned by DHCP snooping or a static entry.
   A dynamic port ACL is used to filter traffic. The switch automatically creates this ACL, adds the learned source IP address to the ACL, and applies the ACL to the interface where the address is learned.
 - The source MAC address must be identical to the MAC address learned on the switch port and by DHCP snooping. Port security is used to filter traffic.

To configure IP Source Guard, first configure and enable DHCP snooping
For the hosts that do not use DHCP, you can configure a static IP source binding
Switch(config)# ip source binding <mac-address> vlan <vlan-id> <ip-address> interface <type mod/num>
Enable IP source guard
Switch(config)# interface <type mod/num>
Switch(config-if)# ip verify source [port-security]
 ! ip verify source - inspects the source IP address only.
 ! You can add the port-security - to inspect the source MAC address, too.
Verify the IP source guard status
Switch# show ip verify source [interface <type mod/num>]
Verify the information contained in the IP source binding database
Switch# show ip source binding [<ip-address>] [<mac-address>] [dhcp-snooping | static] [interface <type mod/num>] [vlan <vlan-id>]

Dynamic ARP Inspection (DAI)
 - Hosts normally use the Address Resolution Protocol (ARP) to resolve an unknown MAC address when the IP address is known.
 - The ARP process works well among trusted and well-behaved users.
 - An attacker could send its own crafted ARP reply when it overhears an ARP request being broadcast.
 - The reply could contain its own MAC address, causing the original requester to think that it is bound to the IP address in question.
 - Packets will be sent to the attacker instead of another host or the default gateway. The attacker can intercept packets and (perhaps) forward them on only after examining the packets contents.
 - This attack is known as ARP poisoning or ARP spoofing, and it is considered to be a type of man-in-the-middle attack.
 - Cisco Catalyst switches can use the dynamic ARP inspection (DAI) feature to help mitigate this type of attack.
 - DAI works much like DHCP snooping.  ( All switch ports are classified as trusted or untrusted. )
 - When an ARP reply is received on an untrusted port, the switch checks the MAC and IP addresses reported in the reply packet against known and trusted values.
 - A switch can gather trusted ARP information from statically configured entries or from dynamic entries in the DHCP snooping database.
 - If an ARP reply contains invalid information or values that conflict with entries in the trusted database, it is dropped and a log message is generated.

About DAI and ARP Spoofing
DAI is used to validate ARP requests and responses as follows:
- Intercepts all ARP requests and responses on untrusted ports.
- Verifies that a packet has a valid IP-to-MAC address binding before updating the ARP cache or forwarding the packet.
- Drops invalid ARP packets. 

DAI Guidelines and Limitations
 - DAI is supported on access, trunk, EtherChannel and private-VLAN ports.
 - DAI is an ingress security feature and does not perform any egress checking.
 - DAI is not effective when the host is connected to a device that does not support DAI or that does not have DAI enabled. Because ARP attacks are limited to a single Layer 2 broadcast domain, keep a domain with DAI separate from those without it; that separation is what secures the ARP caches of hosts in the DAI domain.
 - DAI verifies IP-to-MAC address bindings in incoming ARP requests and ARP responses. Unless you have configured static entries (an ARP ACL), DHCP snooping must be enabled on the same VLANs on which you configure DAI, because the dynamic IP-to-MAC bindings it learns are what DAI uses to decide whether an ARP packet is valid. See "Configuring DHCP Snooping".

Configure DAI
by first enabling it on one or more client VLANs
Switch(config)# ip arp inspection vlan <vlan-range>
 ! VLAN range can be a single VLAN ID, a range of VLAN IDs separated by a hyphen, or a list of VLAN IDs separated by commas
By default, all switch ports associated with the VLAN range are considered to be untrusted.
The local switch will not inspect ARP packets arriving on trusted ports; it will assume that the neighboring switch also is performing DAI on all of its ports in that VLAN.
Switch(config)# interface <type mod/num>
Switch(config-if)# ip arp inspection trust
Defines static MAC-IP address bindings that are permitted
Switch(config)# arp access-list <acl-name>
Switch(config-acl)# permit ip host <sender-ip> mac host <sender-mac> [log]
[Repeat the previous command as needed]
Switch(config-acl)# exit
ARP access list must be applied to DAI
Switch(config)# ip arp inspection filter <arp-acl-name> vlan <vlan-range> [static]
The ARP ACL is checked first; an explicit deny in the ACL drops the packet. If the packet matches no entry (the ACL's implicit deny), the DHCP snooping bindings database is checked next.
static - treat the implicit deny as an explicit deny, so the DHCP snooping bindings database is never consulted for that VLAN.
With the static keyword, an ARP packet that matches no permit entry in the access list is considered invalid and dropped.

You can specify further validations on the contents of ARP packets.
By default, only the sender MAC and sender IP addresses carried inside the ARP body are validated against the bindings; the Ethernet header is not compared with the ARP body.
To check that the frame really comes from (and goes to) the addresses listed inside it, enable one or more of:
Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Be sure to specify at least one of the options. Each use of the command replaces the previously configured set rather than adding to it, so give all the options you want in a single command:
■ src-mac—Check the source MAC address in the Ethernet header against the sender MAC address in the ARP body (requests and replies).
■ dst-mac—Check the destination MAC address in the Ethernet header against the target MAC address in the ARP body (replies only).
■ ip—Check the ARP body for invalid or unexpected IP addresses (0.0.0.0, 255.255.255.255 and multicast addresses): the sender IP address is checked in all requests and replies, and the target IP address only in replies.

Configuration example: DAI is enabled for all switch ports associated with VLAN 104 on an access-layer switch. The uplink to a distribution switch is considered to be trusted.
Switch(config)# ip arp inspection vlan 104
Switch(config)# arp access-list StaticARP
Switch(config-acl)# permit ip host 192.168.1.10 mac host 0006.5b02.a841
Switch(config-acl)# exit
Switch(config)# ip arp inspection filter StaticARP vlan 104
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# ip arp inspection trust
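The IP Source Guard section and the DAI configuration above both enforce against the same binding table, so one added example (my own model, not Cisco code and not from the notes) covers both: ip verify source with and without the port-security keyword, and DAI's ordering of trusted-port bypass, the optional validate checks, the ARP ACL (with and without static) and the bindings lookup. The binding table holds one entry standing in for the static ip source binding and one standing in for a DHCP-snooping lease; the ARP ACL mirrors StaticARP above. Bindings, ports Fa0/35 and Fa0/36, and all packets are constructed.

```python
# Added example (not Cisco code, not from the page): IP Source Guard and DAI
# checks carried out against one binding table, covering both the IP Source
# Guard section and the DAI configuration above.  The bindings, the ARP ACL and
# the packets are constructed; Fa0/35 and Fa0/36 are assumed host ports.
import ipaddress

# (vlan, mac) -> (ip, port): one static "ip source binding" and one DHCP-learned entry
BINDINGS = {
    (104, "0006.5b02.a841"): ("192.168.1.10", "Fa0/35"),
    (104, "0011.2233.4455"): ("192.168.1.20", "Fa0/36"),
}
# arp access-list StaticARP / permit ip host ... mac host ...
ARP_ACLS = {"StaticARP": {("192.168.1.10", "0006.5b02.a841")}}
DAI_VLANS = {104}          # ip arp inspection vlan 104
DAI_TRUSTED = {"Gi0/1"}    # ip arp inspection trust on the uplink


def ip_verify_source(port, vlan, src_ip, src_mac, port_security=False):
    """ip verify source [port-security] applied to one IP packet arriving on `port`."""
    allowed = {(ip, mac) for (v, mac), (ip, p) in BINDINGS.items() if v == vlan and p == port}
    if src_ip not in {ip for ip, _ in allowed}:
        return "drop: source IP not bound to this port"
    if port_security and (src_ip, src_mac) not in allowed:
        return "drop: source MAC does not match binding"
    return "forward"


def _bogus_ip(ip):
    a = ipaddress.ip_address(ip)
    return a in (ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("255.255.255.255")) or a.is_multicast


def arp_inspect(port, vlan, arp, acl=None, static=False, validate=()):
    """Dynamic ARP inspection of one ARP packet.
    arp: dict with op ("request"/"reply"), eth_src, eth_dst, sender_mac,
    sender_ip, target_mac, target_ip.  validate: subset of {"src-mac","dst-mac","ip"}."""
    if vlan not in DAI_VLANS or port in DAI_TRUSTED:
        return "forward"                              # not inspected
    # optional extra validation of the Ethernet header against the ARP body
    if "src-mac" in validate and arp["eth_src"] != arp["sender_mac"]:
        return "drop: src-mac check failed"
    if "dst-mac" in validate and arp["op"] == "reply" and arp["eth_dst"] != arp["target_mac"]:
        return "drop: dst-mac check failed"
    if "ip" in validate and (_bogus_ip(arp["sender_ip"])
                             or (arp["op"] == "reply" and _bogus_ip(arp["target_ip"]))):
        return "drop: ip check failed"
    key = (arp["sender_ip"], arp["sender_mac"])
    # 1. ARP ACL first (ip arp inspection filter <acl> vlan ... [static])
    if acl is not None:
        if key in ARP_ACLS[acl]:
            return "forward"
        if static:
            return "drop: no ARP ACL match (static)"   # implicit deny treated as explicit
    # 2. then the DHCP snooping / static binding table
    bound_ip, _ = BINDINGS.get((vlan, arp["sender_mac"]), (None, None))
    if bound_ip == arp["sender_ip"]:
        return "forward"
    return "drop: sender IP/MAC not in bindings"


def _reply(sender_ip, sender_mac, eth_src=None):
    """Constructed ARP reply claiming sender_ip is at sender_mac, sent to the gateway."""
    return {"op": "reply", "eth_src": eth_src or sender_mac, "eth_dst": "0000.0c9f.f001",
            "sender_mac": sender_mac, "sender_ip": sender_ip,
            "target_mac": "0000.0c9f.f001", "target_ip": "192.168.1.1"}


def demo():
    attacker = "0000.5e00.0101"
    return {
        "ipsg_ok": ip_verify_source("Fa0/36", 104, "192.168.1.20", "0011.2233.4455", port_security=True),
        "ipsg_spoof": ip_verify_source("Fa0/36", 104, "192.168.1.10", "0011.2233.4455"),
        "ipsg_mac": ip_verify_source("Fa0/36", 104, "192.168.1.20", attacker, port_security=True),
        "dai_ok": arp_inspect("Fa0/36", 104, _reply("192.168.1.20", "0011.2233.4455"), acl="StaticARP"),
        "dai_gw_spoof": arp_inspect("Fa0/36", 104, _reply("192.168.1.1", attacker), acl="StaticARP"),
        "dai_acl_static_ok": arp_inspect("Fa0/35", 104, _reply("192.168.1.10", "0006.5b02.a841"), acl="StaticARP", static=True),
        "dai_acl_static_miss": arp_inspect("Fa0/36", 104, _reply("192.168.1.20", "0011.2233.4455"), acl="StaticARP", static=True),
        "dai_srcmac": arp_inspect("Fa0/36", 104, _reply("192.168.1.20", "0011.2233.4455", eth_src=attacker), validate=("src-mac",)),
        "dai_trusted": arp_inspect("Gi0/1", 104, _reply("192.168.1.1", attacker)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Two results are worth dwelling on: dai_acl_static_miss shows that the static keyword turns a perfectly valid DHCP client into a dropped one, so use it only on VLANs where every host really is in the ARP ACL; and dai_trusted shows that a trusted uplink is a complete bypass, so trust only ports that lead to switches that run DAI themselves.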
Best Practices for Securing Switches
1) Configure secure passwords
 - Whenever possible, use the enable secret command to set the privileged-level password on a switch. It stores a one-way hash, whereas enable password stores the password in cleartext or reversible type-7 form.
 - Use external AAA servers to authenticate administrative users whenever possible.
 - Always use the service password-encryption configuration command so that password strings stored in the switch configuration are not in cleartext. Be aware that this is type-7 obfuscation, which is trivially reversible; it stops shoulder-surfing of a displayed configuration, not an attacker who obtains the file.

2) Use system banners (banner motd command )
When users successfully access a switch, they should be aware of any specific access or acceptable use policies that are pertinent to your organization.

3) Secure the web interface
Decide whether you will use the web interface to manage or monitor a switch.
 - If not, disable the web interface with the no ip http server global configuration command.
 - If so, use HTTPS only and limit the source addresses that can reach it with an ACL:
Switch(config)# no ip http server
Switch(config)# ip http secure-server
Switch(config)# access-list 1 permit 10.100.50.0 0.0.0.255
Switch(config)# ip http access-class 1
4) Secure the switch console
In many environments, switches are locked away in wiring closets where physical security is used to keep people from connecting to the
switch console. Even so, you always should configure authentication on any switch console. It is usually appropriate to use the same authentication configuration on the console as the virtual terminal (vty) lines.

5) Secure virtual terminal access
- Always configure user authentication on all the vty lines on a switch, and restrict which source addresses may open a session at all:
Switch(config)# access-list 10 permit 192.168.199.10
Switch(config)# access-list 10 permit 192.168.201.100
Switch(config)# line vty 0 15
Switch(config-line)# access-class 10 in
Switch# show users all   <--- list who is logged in on which line
6) Use SSH whenever possible
 - Although Telnet access is easy to configure and use, Telnet is not secure
 - The early SSHv1 and SSHv1.5 have some weaknesses, so you should choose SSHv2 whenever possible.

7) Secure SNMP access
To prevent unauthorized users from making changes to a switch configuration, disable any read-write SNMP access, i.e. remove any line of the form
snmp-server community <string> RW
 - Keep only read-only community strings in the configuration, each with an ACL applied, and prefer SNMPv3 with authentication and privacy over community strings where the platform supports it.

8) Secure unused switch ports
 - Every unused switch port should be disabled so that unexpected users can't connect and use it without your knowledge.
 - interface -> shutdown
 - interface -> switchport mode access   (prevents DTP from negotiating a trunk on the port)
switchport host
Macro - quick way to force a port to support only a single PC
Switch(config)# interface fastethernet 1/0/1
Switch(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
Switch(config-if)#

9) Secure STP operation
A malicious user can inject STP bridge protocol data units (BPDU) into switch ports or VLANs, and can disrupt a stable, loop-free topology. You always should enable the BPDU guard feature so that access switch ports automatically are disabled if unexpected BPDUs are received.

10) Secure the use of CDP
 - By default, CDP advertisements are sent on every switch port at 60-second intervals.
 - Although CDP is a very handy tool for discovering neighboring Cisco devices, you shouldn’t allow CDP to advertise unnecessary information about your switch to listening attackers.
no cdp enable   <--- disables CDP on a port-by-port basis (keep it on uplinks and phone ports that need it)
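The ten items above are easy to check mechanically. As an added example (my own code, neither from the notes nor a Cisco tool), the following is a line-oriented audit of a Catalyst running-config against the commands the page names: enable secret vs enable password, service password-encryption, banner motd, the HTTP/HTTPS server and its access-class, SNMP community strings and their ACLs, vty access-class and transport input, SSH version 2, and global BPDU guard. The configuration text is constructed; the assumption that a vty line with no transport input line accepts telnet is mine.

```python
# Added example (not from the page, not Cisco tooling): a line-oriented audit of
# a Catalyst running-config against the hardening items listed above.  The
# configuration text is constructed; the checks only look for the commands the
# page names.
import re

SAMPLE_CONFIG = """\
hostname SW1
enable password cisco
no service password-encryption
ip http server
snmp-server community public RO
snmp-server community private RW
line con 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 transport input ssh
"""


def parse_blocks(config_text):
    """Split IOS config into top-level lines and (header, [indented child lines]) blocks."""
    top, blocks, current = [], [], None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
            continue
        current = (raw.strip(), [])
        blocks.append(current)
        top.append(raw.strip())
    return top, blocks


def audit(config_text):
    """Return a list of (severity, message) findings."""
    top, blocks = parse_blocks(config_text)
    findings = []

    def has(pattern):
        return any(re.match(pattern, line) for line in top)

    # 1) passwords
    if has(r"enable password ") and not has(r"enable secret "):
        findings.append(("high", "enable password set without enable secret (cleartext/type-7)"))
    if has(r"no service password-encryption") or not has(r"service password-encryption"):
        findings.append(("low", "service password-encryption not enabled (type-7 only, but better than cleartext)"))
    # 2) banner
    if not has(r"banner motd "):
        findings.append(("low", "no banner motd configured"))
    # 3) web interface
    if has(r"ip http server$"):
        findings.append(("high", "plaintext HTTP server enabled (use no ip http server)"))
    if has(r"ip http secure-server") and not has(r"ip http access-class "):
        findings.append(("medium", "HTTPS server enabled without ip http access-class"))
    # 7) SNMP
    for line in top:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", line)
        if m:
            community, mode, acl = m.groups()
            if mode == "RW":
                findings.append(("high", f"read-write SNMP community '{community}'"))
            elif acl is None:
                findings.append(("medium", f"read-only SNMP community '{community}' has no ACL"))
    # 5) and 6) vty lines: access-class and transport
    for header, children in blocks:
        if header.startswith("line vty"):
            if not any(c.startswith("access-class ") for c in children):
                findings.append(("medium", f"{header}: no access-class applied"))
            # assumption: a vty block with no transport input line still accepts telnet
            transport = next((c for c in children if c.startswith("transport input ")), "transport input all")
            if "telnet" in transport or transport.endswith(" all"):
                findings.append(("high", f"{header}: telnet permitted ({transport})"))
    if not has(r"ip ssh version 2"):
        findings.append(("medium", "ip ssh version 2 not set"))
    # 9) STP
    if not has(r"spanning-tree portfast bpduguard default"):
        findings.append(("medium", "BPDU guard not enabled globally on PortFast ports"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity:6s}] {message}")
```

Run against a real show running-config the script is a starting point, not a compliance tool: it cannot see defaults that are not printed (CDP running, the default vty transport), which is why the telnet check is written to assume the worst when a transport input line is absent.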