Cisco Base Security Configuration # How to Use This Document This document serves as a guide for the proper configuration of an ICS IT Cisco Switch. It does not aim to provide users with foundational knowledge of Cisco commands and functions. The document is divided by configuration code intent used with Cisco IOS switches. The order of the presented code is not intended to indicate the correct implementation sequence, and additional configurations may be necessary from one block to another. ## Procedures The following code blocks can be implemented in any order after the switch has been booted to the IOS command line. Each code block can also be used independently or to verify an existing configuration. ## Initial Configuration ### Services Set up switch services. ```plaintext no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ``` ### Hostname Set the hostname of the switch. ```plaintext hostname Hostname ``` ### Logging Set up logging. ```plaintext logging file flash:LOG_SWITCH8 89999 notifications logging count logging buffered 16000 logging console critical no logging monitor login on-failure log login on-success log ``` ### Security Set the main administration password. ```plaintext enable secret 5 $1$17Sv$8ggwbemNPWiYG5OfzyDj10 ``` ### Users Set up users. ```plaintext username username privilege 15 secret 5 $1$0OSy$a3Efm134K8B.CiI0FJrT9. username username2 privilege 15 secret 5 $1$.JaZ$mQGaaM632DVlyAxIkyqxx0 ``` ### Time Settings Set your time zone and daylight savings time details. ```plaintext no aaa new-model clock timezone PST -8 0 clock summer-time PST recurring system mtu routing 1500 ``` ## Routing and DNS Set the domain source and domain name server addresses. ```plaintext no ip source-route ip routing no ip gratuitous-arps ! ip domain-list pacs.local.lan ip domain-lookup source-interface Vlan10 ip domain-name pacs.local.lan ip name-server 192.168.0.1 ip name-server 192.168.0.2 ``` ## Spanning-tree settings Set the spanning-tree portfast settings. ```plaintext spanning-tree mode pvst spanning-tree portfast edge default spanning-tree portfast edge bpduguard default spanning-tree portfast edge bpdufilter default spanning-tree extend system-id ! vlan internal allocation policy ascending no cdp run ``` ## SSH Access Set up SSH access. ```plaintext ip forward-protocol nd ! no ip http server no ip http secure-server ip tftp source-interface Loopback0 ip ssh time-out 60 ip ssh version 2 ip scp server enable ``` ## Access List Set up the access list to limit device access to the shell interface. Include administration end points as IP addresses, one per line. IP addresses not listed will be denied access. ```plaintext logging facility local1 logging source-interface Vlan10 access-list 38 remark *** Permitted Access Sources *** access-list 38 permit 192.168.0.100 access-list 38 permit 192.168.0.101 ``` ## Warning Banner Set up the MOTD login working banner by following the terminal prompts and copy pasting as needed from the code below. ```plaintext banner login  ================================================================================ _                     **WARNING TO USERS OF THIS SYSTEM** _ This computer system, including all related equipment, networks, and network devices, is provided by [entity or business name] in accordance with the policy for official use and limited personal use. This system may not be connected to the Internet, in any way, unless specifically authorized by the [authorizing individual or entity]. _ All computer systems may be monitored for all lawful purposes, including but not limited to, ensuring that use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security. Any information on this computer system may be examined, recorded, copied and used for authorized purposes at any time.  All information, including personal information, placed or sent over this system may be monitored, and users of this system are reminded that such monitoring does occur.  Therefore, there should be no expectation of privacy with respect to use of this system. _ By logging into this computer system, you acknowledge and consent to the monitoring of this system.  Evidence of your use, authorized or unauthorized, collected during monitoring may be used for civil, criminal, administrative, or other adverse action.  Unauthorized or illegal use may subject you to prosecution. _ ================================================================================ ``` ## Transport and Monitoring ### Transport Set up transport. ```plaintext line con 0  exec-timeout 15 0  logging synchronous  login local line vty 0 4  access-class 38 in  exec-timeout 9 0  logging synchronous  login local  transport input ssh  transport output ssh line vty 5 15  access-class 38 in  exec-timeout 9 0  logging synchronous  login local  transport input ssh  transport output ssh ``` ### Monitoring Set up session-vlan monitoring. ```plaintext monitor session 10 source vlan 10 scheduler interval 500 ``` ## Interface Configuration ### Loopback Interface Set up the loopback interface. ```plaintext interface Loopback0  no ip address ``` ### Vlans Set up the Vlans to be used. Alter for your environment and device. ```plaintext ! interface Vlan1  description Do not use  no ip address  shutdown ! interface Vlan10  description *** PACS Switch ***  ip address 192.168.0.8 255.255.255.0  no ip redirects  no ip unreachables  no ip proxy-arp ! interface Vlan666  description SWITCH LAN  ip address 10.0.0.8 255.255.255.0  no ip unreachables ``` ## Interface Security Configuration Settings Set up each interface to either be shutdown (if no connection is expected), connected with macsticky security, trunk to another local switch or trunk to a remote switch using macsec encryption. ### Unconnected Interface ```plaintext interface GigabitEthernetX/X/X  switchport access vlan 256  switchport mode access  shutdown ``` ### Connected Interface with Macsticky ```plaintext interface GigabitEthernetX/X/X  description YOUR-DESCRIPTION  switchport access vlan 10  switchport mode access  switchport port-security  switchport port-security violation restrict  switchport port-security mac-address sticky  spanning-tree bpduguard enable ``` ### Connected Local Trunk Port (No MACsec) ```plaintext interface GigabitEthernet0/11  description UPLINK to SWITCH_HOST_NAME  switchport trunk allowed vlan 10  switchport trunk native vlan 10  switchport mode trunk  no cdp enable  spanning-tree portfast disable ``` ### Connected Remote Trunk Port (MACsec) ```plaintext interface GigabitEthernetx/x/xx  description test macsec  switchport mode trunk  macsec network-link  mka policy MKA_128  mka pre-shared-key key-chain KC_128 ``` ## Cisco MACsec Configuration ### Cisco 9300 Main Configuration MACsec Code ```plaintext key chain KC_128 macsec  key 12    cryptographic-algorithm aes-128-cmac   key-string 7 014A5651035F5F5677146F584B5143345328567C0F73786364044A21375257700F ``` ### Cisco 9300 Interface MACsec Code ```plaintext interface GigabitEthernet1/1/1  description UPLINK to KESWICK70  switchport trunk native vlan 10  switchport trunk allowed vlan 10  switchport mode trunk  no cdp enable  macsec network-link  mka policy MKA_128  mka pre-shared-key key-chain KC_128  spanning-tree portfast disable ``` ### Cisco 3650 Main Configuration MACsec Code ```plaintext key chain KC_128 macsec key 3C1337FCDCB631A33207210A261AED0C cryptographic-algorithm aes-128-cmac key-string 7 3c1337fcdcb631a33207210a261aed0c ``` ### Cisco 3650 Interface MACsec Code ```plaintext interface GigabitEthernetx/x/xx  description test macsec  switchport mode trunk  macsec network-link  mka policy MKA_128  mka pre-shared-key key-chain KC_128 ```