Cisco Base Security Configuration
How to Use This Document
This document is intended to be a guide to the proper configuration of an ICS IT Cisco Switch and does not attempt to give the user a base knowledge of Cisco commands and functions.
The document is separated by configuration code intent used with Cisco IOS switches. The code and the order presented is not intended to indicate the proper order of implementation and further configuration may be required from one block to the next.
Procedures
The following code blocks can be implemented in order once the switch has been booted to the IOS command line. Each code block can also be implemented on it’s own or used to verify an existing configuration.
Initial Configuration
Services
Set up switch services.
Copy the code below:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
Hostname
Set the hostname of the switch.
Copy the code below, alter for your environment and device:
hostname Hostname
Logging
Set up logging.
Copy the code below, alter for your environment and device:
logging file flash:LOG_SWITCH8 89999 notifications
logging count
logging buffered 16000
logging console critical
no logging monitor
login on-failure log
login on-success log
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
Security
Set the main administration password.
Copy the code below, alter for your environment and device:
enable secret 5 $1$17Sv$8ggwbemNPWiYG5OfzyDj10
Users
Set up users.
Copy the code below, alter for your environment and device:
username username privilege 15 secret 5 $1$0OSy$a3Efm134K8B.CiI0FJrT9.
username username2 privilege 15 secret 5 $1$.JaZ$mQGaaM632DVlyAxIkyqxx0
Time Settings
Set your time zone and daylight savings time details.
Copy the code below, alter for your environment and device:
no aaa new-model
clock timezone PST -8 0
clock summer-time PST recurring
system mtu routing 1500
Routing and DNS
Set the domain source and domain name server addresses.
Copy the code below, alter for your environment and device:
no ip source-route
ip routing
no ip gratuitous-arps
!
ip domain-list pacs.local.lan
ip domain-lookup source-interface Vlan10
ip domain-name pacs.local.lan
ip name-server 192.168.0.1
ip name-server 192.168.0.2
Spanning-tree settings
Set the spanning-tree portfast settings.
Copy the code below:
spanning-tree mode pvst
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
spanning-tree portfast edge bpdufilter default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
no cdp run
SSH Access
Set up SSH access.
Copy the code below:
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface Loopback0
ip ssh time-out 60
ip ssh version 2
ip scp server enable
Access List
Set up the access list to limit device access to the shell interface. Include administration end points as IP addresses, one per line. IP addresses not listed will be denied access.
Copy the code below, alter for your environment and device:
logging facility local1
logging source-interface Vlan10
access-list 38 remark *** Permitted Access Sources ***
access-list 38 permit 192.168.0.100
access-list 38 permit 192.168.0.101
Warning Banner
Set up the MOTD login working banner by following the terminal prompts and copy pasting as needed from the code below.
Copy the code below:
================================================================================
_ **WARNING TO USERS OF THIS SYSTEM**
_
This computer system, including all related equipment, networks, and network
devices, is provided by [entity or business name] in accordance with
the policy for official use and limited personal use. This system may not
be connected to the Internet, in any way, unless specifically authorized by the
_
All computer systems may be monitored for all lawful purposes, including
but not limited to, ensuring that use is authorized, for management of the
system, to facilitate protection against unauthorized access, and to verify
security procedures, survivability and operational security. Any information on
this computer system may be examined, recorded, copied and used for authorized
purposes at any time. All information, including personal information, placed or
sent over this system may be monitored, and users of this system are reminded
that such monitoring does occur. Therefore, there should be no expectation of
privacy with respect to use of this system.
_
By logging into this computer system, you acknowledge and consent to the
monitoring of this system. Evidence of your use, authorized or unauthorized,
collected during monitoring may be used for civil, criminal, administrative, or
other adverse action. Unauthorized or illegal use may subject you to
prosecution.
_
================================================================================
Transport and Monitoring
Transport
Set up transport and stuffs
Copy the code below:
line con 0
exec-timeout 15 0
logging synchronous
login local
line vty 0 4
access-class 38 in
exec-timeout 9 0
logging synchronous
login local
transport input ssh
transport output ssh
line vty 5 15
access-class 38 in
exec-timeout 9 0
logging synchronous
login local
transport input ssh
transport output ssh
Monitoring
Set up session-vlan monitoring.
Copy the code below:
monitor session 10 source vlan 10
scheduler interval 500
Interface Configuration
Loopback Interface
Set up the loopback interface.
Copy the code below:
interface Loopback0
no ip address
Vlans
Set up the Vlans to be used.
Copy the code below, alter for your environment and device:
!
interface Vlan1
description Do not use
no ip address
shutdown
!
interface Vlan10
description *** PACS Switch ***
ip address 192.168.0.8 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan666
description SWITCH LAN
ip address 10.0.0.8 255.255.255.0
no ip unreachables
!
Interface Security Configuration Settings
Set up each interface to either be shutdown (if no connection is excpected), connected with macsticky security, trunk to another local switch or trunk to a remote switch using macsec encryption.
Copy the code below depending on the interface use, alter for your environment and device:
Unconnected interface
interface GigabitEthernetX/X/X
switchport access vlan 256
switchport mode access
shutdown
Connected interface with macsticky
interface GigabitEthernetX/X/X
description YOUR-DESCRIPTION
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
spanning-tree bpduguard enable
Connected local trunk port (no MACsec)
interface GigabitEthernet0/11
description UPLINK to SWITCH_HOST_NAME
switchport trunk allowed vlan 10
switchport trunk native vlan 10
switchport mode trunk
no cdp enable
spanning-tree portfast disable
Connected remote trunk port (MACsec)
interface GigabitEthernetx/x/xx
description test macsec
switchport mode trunk
macsec network-link
mka policy MKA_128
and Another thing…
Cisco MACsec Configuration
Say some stuff that makes sense.
Cisco 9300
Main Configuration MACsec code
key chain KC_128 macsec
key 12
cryptographic-algorithm aes-128-cmac
key-string 7 014A5651035F5F5677146F584B5143345328567C0F73786364044A21375257700F
Interface MACsec code
interface GigabitEthernet1/1/1
description UPLINK to KESWICK70
switchport trunk native vlan 10
switchport trunk allowed vlan 10
switchport mode trunk
no cdp enable
macsec network-link
mka policy MKA_128
spanning-tree portfast disable
Cisco 3650
Main configuration MACsec code
key chain KC_128 macsec
key 3C1337FCDCB631A33207210A261AED0C
cryptographic-algorithm aes-128-cmac
key-string 7 3c1337fcdcb631a33207210a261aed0c
Interface MACsec code
interface GigabitEthernetx/x/xx
description test macsec
switchport mode trunk
macsec network-link
mka policy MKA_128