Author: EvilAngel
Security is the primary issue for major companies today, when hackers are rampant. Most enterprises and institutions start from the same basic assumption: all external users are untrusted, while all internal users are trustworthy, and most network designers follow the same idea. In real network environments, however, up to 80% of unauthorized behaviour comes from the inside. Today's firewalls inspect the packets that arrive from outside and leave the main threats, which originate inside, untouched. This article focuses on some common security risks that deserve attention when configuring switches. It covers switch settings only; for other devices, see the other articles.
In general, switch security has two parts. The first is control-level security: establish a sound management system that guarantees the physical security of the device, because if the device is stolen, none of the security configurations below matter. The second is data-level security: use ACLs, VLANs and similar application-level technologies to strengthen the overall security of the network.
The following uses Cisco layer-2 and layer-3 switches as an example to describe how to secure core-layer switches and workgroup switches in small and medium-sized networks. The exact configuration commands depend on the system version running on your switch; consult the manual that ships with the device.
First, ensure the physical security of the switch; this is the security of the control layer. Establish a sound management system that guarantees the physical security of the device. Because of the constraints of the network topology, workgroup switches may end up in public places. We recommend unplugging the console cable when it is not in use and configuring a console password:
# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
(config)# line console 0
(config-line)# password EvilAngel
(config-line)# login
The login command prevents unauthorized users from logging on. Like our server systems, switches need to be maintained, upgraded and patched. Remote terminals are a great convenience for network management, but they are also a potential threat, so we recommend allowing only network administrators to log on to the switch. A standard access control list achieves this:
(config)# access-list 88 permit 172.16.1.254 0.0.0.0
(config)# line vty 0 4
(config-line)# access-class 88 in
Assume that the subnet administrator's (static) address is 172.16.1.254. Standard access list 88 permits only 172.16.1.254 to reach the vty lines, so every other device is refused remote login. Note that on a vty line the list is applied with access-class; ip access-group is the command for applying a list to an interface.
Of course, the switch also needs a strong password (simplified here for readability). Configure the privileged password as NoHack and the remote login password as cisco:
(config)# enable secret NoHack
(config)# enable password hack
(config)# line vty 0 4
(config-line)# password cisco
(config-line)# login
Run service password-encryption in privileged mode so that passwords are stored encrypted. Otherwise they appear in plain text, and if someone with bad intentions obtains the device configuration file (usually kept on a TFTP server), the consequences are unimaginable.
Someone may ask: do you think an access list that filters login IP addresses plus encrypted passwords is enough to block other people's logins? Of course not. A non-administrator could plug a device such as a laptop into the network port where the administrator sits, change its IP address, and log on to configure the device. To prevent this, we can also bind the interface on the user-facing access switch to a single MAC address and shut the interface down when the rule is violated (this is a 1900-series workgroup switch):
(config-if)# port security max-mac-count 1
(config-if)# port security action shutdown
With the two commands above, the switch learns only one MAC address on this interface; if frames from another MAC address arrive, the interface is shut down until the administrator runs no shutdown on it. We can also tie an IP address to a MAC address, or statically bind one MAC address to each interface so that users cannot change their IP addresses; this is introduced later.
People who study security often say that minimum services + minimum privileges = maximum security. The same holds for our switches: stop the services that are not needed. Only a few are shown here; for the full list, see the manual that ships with the device:
(config)# no service finger
(config)# no service tcp-small-servers
(config)# no ip http server
(config)# no ip domain-lookup
(config)# ......
We recommend disabling CDP on ports that do not need it. If it remains enabled, an unauthorized user who has gained access to the network can run commands such as show cdp neighbors to view information about adjacent devices.
In that output you can clearly see that port Fas0/1 is connected to a 1003 router named RC1000-02, and port Fas0/2 to a Cisco 2505 router named RH32-01.
Anyone who has configured Cisco network devices knows that although switches, routers and firewalls verify a telnet password, telnet traffic is easily eavesdropped on given how domestic networks are laid out. Once someone can log on to the device, he can run "destructive" commands even without the enable password: show version displays the device version, show ip route displays the current routing table, show vlan and similar commands follow, and an experienced hacker can build a topology from this simple information and decide the next step of the penetration. We therefore recommend logging on to the device with SSH (secure shell) to protect the logon account and password. The system's built-in telnet transmits data in clear text; if a hacker uses another host on the network to sniff traffic, the consequences are easy to imagine. If SSH login traffic is sniffed instead, cracking it takes a great deal of time.
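An added configuration-audit script (example code, not from the original article) that checks a saved running-config for the items covered above: service password-encryption, unneeded services, the vty access-class and SSH-only transport, and port security and CDP on user ports. The sample config, the section parser and the audit function are constructed for this example; the port-security match accepts both the 1900-series syntax shown above and the newer switchport port-security form.

```python
import re
# Constructed sample running-config (not from the article); it leaves
# several of the article's recommendations unapplied on purpose.
SAMPLE_CONFIG = """\
no service password-encryption
ip http server
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 1
 switchport port-security violation shutdown
interface FastEthernet0/2
 switchport mode access
 no cdp enable
line vty 0 4
 transport input telnet ssh
"""
SERVICES = ("ip http server", "service finger", "service tcp-small-servers")
def parse_sections(text):
    """Split an IOS config into global lines and {section header: sub-lines}."""
    glob, sections, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        elif re.match(r"(interface|line)\s", raw):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            glob.append(raw.strip())
    return glob, sections
def audit(text):
    """Return one finding per hardening item from the article that is unmet."""
    glob, sections = parse_sections(text)
    findings = []
    if "service password-encryption" not in glob:
        findings.append("global: service password-encryption not enabled")
    findings += [f"global: {s} still enabled" for s in SERVICES if s in glob]
    for name, body in sections.items():
        if name.startswith("line vty"):
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{name}: no access-class limiting admin IPs")
            if "transport input ssh" not in body:
                findings.append(f"{name}: transport input not restricted to ssh")
        if "switchport mode access" in body:
            if not any(re.search(r"port[- ]security", l) for l in body):
                findings.append(f"{name}: port security not configured")
            if "no cdp enable" not in body:
                findings.append(f"{name}: cdp still enabled on a user port")
    return findings
```

Run audit() on the text of show running-config; an empty list means every checked item is in place.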
To protect our accounts, we can enable AAA authentication on the switch. AAA consists of authentication, authorization and accounting; here we only briefly introduce the authentication configuration:
aaa new-model // start the AAA authentication mechanism
aaa