Tuesday, 19 May 2009

Secure Switchport Template

There are several reasons why you might want to use a switch port template.
  • Make life easier for administrators.
  • Standardize configuration.
  • Allow people without specific Cisco knowledge to configure ports.
  • Increase security.

An example template in macro form:


macro name accessport
switchport mode access
switchport nonegotiate
switchport access vlan 99
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
storm-control multicast level 20.00
storm-control broadcast level 20.00
@


To apply this to a port run:

configure terminal
interface fa0/xx
macro apply accessport


It is probably advisable to reset the port configuration in advance in which case the commands become:

configure terminal
default interface fa0/xx
interface fa0/xx
macro apply accessport




So what do these commands do?

switchport mode access
Specify the port is an access port.
switchport nonegotiate
Disable Dynamic Trunking Protocol (DTP).
switchport access vlan 99
Set the port into a VLAN to avoid VLAN hopping shenanigens. Replace VLAN 99 with the ID of an unused VLAN on your network (not VLAN 1!).
no cdp enable
Disable CDP to stop attackers flooding the CDP neighbor table using Yersinia or similar tools.
spanning-tree portfast
Turn on portfast for access ports, usually a good idea. If you use boot-from-LAN then you'll need this!
Note that turning on portfast does NOT disable STP on that port, it just allows the port to go directly to the forwarding state. You could still create a temporary bridging loop however so also apply:
spanning-tree bpduguard enable


Turn on BPDU Guard to shut the port down if it gets connected to another switch, but allow this switch to keep sending BPDUs on that port.

You can turn this on globally with the command:
spanning-tree portfast bpduguard default




storm-control multicast level 20.00
storm-control broadcast level 20.00

Configure storm-control.



Further reading:

The NSA guide to Cisco switch security.