This section provides various configuration procedures to harden the switch.
Configure secure access rules.
Enable only SSH for remote system access
By default, in OS10, SSH is the only protocol that is enabled for remote system access. As the Telnet protocol is not secure, Dell Technologies recommends that you do not enable the Telnet server.
OS10(config)# ip ssh server enable
OS10(config)# ip ssh server max-auth-tries 4
OS10(config)# no ip telnet server enable
OS10(config)# exit
OS10# write memory
Enable SSH access control
Filter SSH connections to the switch using an access list.
OS10(config)# ip access-list permit10
OS10(config-ipv4-acl)# permit ip 172.16.0.0 255.255.0.0 any
OS10(config-ipv4-acl)# exit
OS10(config)# line vty
OS10(config-line-vty)# ip access-class permit10
OS10(config-line-vty)# exit
OS10(config)# exit
OS10# write memory
Configure EXEC session timeout
By default, there is no EXEC timeout configured. To prevent unauthorized access to the EXEC mode, configure a timeout interval.
OS10(config)# exec-timeout timeout-value
OS10(config)# exit
OS10# write memory
timeout-value—Specify the number of seconds of inactivity on the system before disconnecting the current session (0 to 3600).
Limit concurrent login sessions
To avoid an unlimited number of active sessions on a switch for the same user ID, limit the number of console and remote connections.
OS10(config)# login concurrent-session limit-number
OS10(config)# exit
OS10# write memory
limit-number—Specify the number of concurrent sessions that any user can have on the console or virtual terminal lines (1 to 12).
Ensure user lockout
Configure the system to prevent the user from logging in to the system for a specific time after a specified number of failed login attempts.
OS10(config)# password-attributes max-retry number lockout-period minutes
OS10(config)# exit
OS10# write memory
Enable login statistics
When you enable login statistics, user login information, including the number of successful and failed logins, role changes, and the last time the user logged in, is displayed after each successful login. After enabling login statistics, you can use the show login statistics {all | user} command to view user login information.
OS10(config)# login-statistics enable
OS10(config)# exit
OS10# write memory
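The secure-access rules above can be checked mechanically against a switch's running configuration. The following is an added example, not part of this guide or of OS10: it audits a constructed configuration text (assumed to contain the same command lines this page shows) for each rule and reports what is missing or weak. Treating exec-timeout 0 as "no timeout" is an assumption.

```python
import re

# Constructed sample of OS10 running-configuration text (not captured from a
# real switch); the lines mirror the hardening commands shown on this page and
# deliberately leave two items weak and one missing.
SAMPLE_CONFIG = """\
ip ssh server enable
ip ssh server max-auth-tries 4
ip telnet server enable
exec-timeout 0
login concurrent-session limit 3
login-statistics enable
"""

def _value(cfg, pattern):
    """Return the integer captured by pattern on its own line, or None if absent."""
    m = re.search(pattern, cfg, re.MULTILINE)
    return int(m.group(1)) if m else None

def audit_secure_access(config_text):
    """Map each secure-access rule of this page to (passed, remediation command)."""
    lines = {l.strip() for l in config_text.splitlines()}
    cfg = "\n".join(lines)
    tries = _value(cfg, r"^ip ssh server max-auth-tries (\d+)$")
    exec_to = _value(cfg, r"^exec-timeout (\d+)$")
    sessions = _value(cfg, r"^login concurrent-session limit (\d+)$")
    retries = _value(cfg, r"^password-attributes max-retry (\d+) lockout-period \d+$")
    return {
        "ssh_enabled": ("ip ssh server enable" in lines, "ip ssh server enable"),
        # Telnet is off by default, so its presence in the config is the failure.
        "telnet_disabled": ("ip telnet server enable" not in lines, "no ip telnet server enable"),
        "ssh_max_auth_tries": (tries is not None and tries <= 4, "ip ssh server max-auth-tries 4"),
        # Assumption: 0 means no timeout; the page gives the range as 0 to 3600.
        "exec_timeout": (exec_to is not None and 0 < exec_to <= 3600, "exec-timeout <1-3600>"),
        "concurrent_sessions": (sessions is not None and 1 <= sessions <= 12, "login concurrent-session limit <1-12>"),
        "lockout": (retries is not None, "password-attributes max-retry <number> lockout-period <minutes>"),
        "login_statistics": ("login-statistics enable" in lines, "login-statistics enable"),
    }

def failing_checks(config_text):
    """Names of the rules the configuration does not satisfy, sorted for stable output."""
    return sorted(n for n, (ok, _) in audit_secure_access(config_text).items() if not ok)

if __name__ == "__main__":
    for name in failing_checks(SAMPLE_CONFIG):
        print(f"FAIL {name}: {audit_secure_access(SAMPLE_CONFIG)[name][1]}")
```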
Loopback interfaces are virtual interfaces and, unlike physical interfaces, loopback interfaces do not go down unless they are manually removed. This property provides security and consistency for device identification and stability.
Configure a loopback interface
Configure a loopback interface that multiple system services can use.
OS10(config)# interface loopback 0
OS10(config)# exit
OS10# write memory
Remove multiple loopback interfaces
Ensure that there is not more than one loopback interface configured.
OS10(config)# no interface loopback loopback-instance
OS10(config)# exit
OS10# write memory
Bind AAA services to a loopback interface
AAA services are bound to a loopback interface so that the AAA services are not interrupted.
OS10(config)# ip tacacs source-interface loopback 0
OS10(config)# exit
OS10# write memory
Bind the NTP service to a loopback interface
The NTP service is bound to a loopback interface so that the NTP service is not interrupted.
OS10(config)# ntp source loopback 0
OS10(config)# exit
OS10# write memory
Use control-plane ACLs to selectively restrict packets that are destined to the CPU, which helps prevent flooding and DoS attacks against the switch itself.
OS10# configure terminal
OS10(config)# control-plane
OS10(config-control-plane)# ip access-group acl_name in
OS10(config-control-plane)# end
OS10# write memory
The data plane is part of the network that carries user traffic. Data plane rules include services and settings that affect user data. Apply these rules on border-filtering devices that connect internal networks to external networks, such as the Internet.
Forbid private source addresses from external networks
Private IP addresses are meant to be used in internal networks, such as networks that connect workstations, printers, the DMZ, and so on. These IP addresses are not routed on the Internet, which uses public IP addresses. A packet with a private source IP address arriving from the Internet is most likely spoofed and part of an attack. Configure ACL rules to deny any traffic from the external network that has a source address that should reside on the internal network, and apply them on the interfaces that connect to an external network.
OS10(config)# ip access-list deny-private-external
OS10(config-ipv4-acl)# deny ip source-ip-address mask any log
OS10(config-ipv4-acl)# end
OS10# write memory
Forbid external source addresses on outbound traffic
Ensure that the outbound traffic carries only valid internal addresses of the IP address range of your organization.
OS10(config)# ip access-list deny-source-external
OS10(config-ipv4-acl)# permit ip internal-ip-address mask any
OS10(config-ipv4-acl)# exit
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ip access-group deny-source-external in
OS10(conf-if-eth1/1/1)# end
OS10# write memory
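The two border ACLs above (deny private sources inbound, permit only the organization's own sources outbound) are easy to get wrong by hand, so this added example (not from this guide or from OS10) generates both ACLs in the address-mask form the page uses for the three RFC 1918 ranges and an assumed internal prefix, then evaluates sample sources against them with first-match semantics. The closing `permit ip any any` on the inbound list is an assumption about your policy; without it the ACL's implicit deny would drop all external traffic.

```python
import ipaddress

# RFC 1918 private ranges; the page's rule is to deny these as *source*
# addresses arriving on an external-facing interface.
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def _addr_mask(prefix):
    """Render a prefix in the 'address mask' form the page's ACL examples use."""
    net = ipaddress.ip_network(prefix, strict=False)
    return f"{net.network_address} {net.netmask}"

def build_border_acls(internal_prefixes, private_ranges=PRIVATE_RANGES):
    """Return (inbound_acl, outbound_acl) as lists of OS10-style ACL lines.

    The ACL names follow the page. A closing 'permit ip any any' is added to
    the inbound list (assumption: legitimate external traffic must still pass).
    """
    inbound = ["ip access-list deny-private-external"]
    inbound += [f"deny ip {_addr_mask(p)} any log" for p in private_ranges]
    inbound.append("permit ip any any")
    # Outbound: permit only the organization's own ranges; anything else falls
    # through to the implicit deny at the end of the list, as on the page.
    outbound = ["ip access-list deny-source-external"]
    outbound += [f"permit ip {_addr_mask(p)} any" for p in internal_prefixes]
    return inbound, outbound

def acl_allows(acl_lines, src_ip):
    """First-match evaluation of the generated lines, with an implicit deny at the end."""
    src = ipaddress.ip_address(src_ip)
    for line in acl_lines[1:]:  # skip the 'ip access-list <name>' header
        action, _, addr, mask, *_rest = line.split()
        if addr == "any":
            matched = True
        else:
            matched = src in ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if matched:
            return action == "permit"
    return False

if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range standing in for the organization's prefix.
    inbound, outbound = build_border_acls(["203.0.113.0/24"])
    print("\n".join(inbound + outbound))
```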
Use the port security feature to restrict the number of workstations that can send traffic through an interface and to control MAC address movement. Port security is a package of the following subfeatures that provide added security to the system:
Configure the MAC address learning limit
Using the MAC address learning limit method, you can set an upper limit on the number of allowed MAC addresses on an interface. Limiting the MAC addresses protects switches from MAC address flooding attacks. After the configured limit is reached on an interface, by default, the system drops all traffic from any unknown device. After you enable port security on an interface, the interface can learn one secure MAC address by default. This limit is applicable for both secure dynamic and secure static MAC addresses.
Enter the following commands in INTERFACE mode and then in INTERFACE PORT SECURITY mode:
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn {limit | no-limit}
For the limit keyword, the range is from 0 to 3072. To enable the interface to learn the maximum number of MAC addresses that the hardware supports, use the no-limit keyword.
MAC address learning limit example
OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# end
OS10# write memory
Configure MAC address learning limit violation actions
After the number of secure MAC addresses reaches the maximum configured, if an interface receives a frame with the source MAC address different from any of the learned MAC addresses, the system considers this as a MAC address learning limit violation.
Use the following commands in INTERFACE PORT SECURITY mode:
OS10(config-if-port-sec)# mac-learn limit violation log
OS10(config-if-port-sec)# mac-learn limit violation drop
OS10(config-if-port-sec)# mac-learn limit violation forward
OS10(config-if-port-sec)# mac-learn limit violation shutdown
MAC address learning limit violation actions configuration example
OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# mac-learn limit violation shutdown
OS10(config-if-port-sec)# end
OS10# write memory
Configure sticky MAC addresses
When you reload the system, port security removes the dynamically learned secure MAC addresses. You can use the sticky feature to make the dynamically learned secure MAC addresses persist even after a system reboot so that the interface does not have to learn these MAC addresses again.
Enter the following command in INTERFACE PORT SECURITY mode:
OS10(config-if-port-sec)# sticky
Sticky MAC addresses configuration example
OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# sticky
OS10(config-if-port-sec)# end
OS10# write memory
MAC address movement
A MAC address movement happens when the system detects, on an interface, the same MAC address that it has already learned through another port-security-enabled interface in the same broadcast domain. MAC address movement is not allowed for secure static and sticky MAC addresses. By default, MAC address movement for dynamically learned MAC addresses is disabled on the system. Secure dynamic MAC address movement is allowed between port-security-enabled and port-security-disabled interfaces.
To allow MAC address movement, enter the following commands in INTERFACE PORT SECURITY mode:
OS10(config-if-port-sec)# mac-move allow
OS10(config-if-port-sec)# end
OS10# write memory
MAC address movement configuration example
OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# mac-move allow
OS10(config-if-port-sec)# end
OS10# write memory
Configure MAC address movement violation actions
If the system detects the same MAC address in a port-security-enabled interface which it has already learned through another port-security-enabled interface, by default, the system considers this as a MAC address move violation. You can configure MAC address move violation actions. You can also configure the system to permit MAC address movement across port security-enabled interfaces.
OS10(config-if-port-sec)# mac-move violation log
OS10(config-if-port-sec)# mac-move violation drop
OS10(config-if-port-sec)# mac-move violation shutdown-original
OS10(config-if-port-sec)# mac-move violation shutdown-offending
OS10(config-if-port-sec)# mac-move violation shutdown-both
Verify what port security features are enabled and running
Use the following command to verify whether port security is enabled on all interfaces. This command also shows the status of each port security feature. Specify an interface to view details about that interface only.
OS10# show switchport port-security interface ethernet 1/1/1
Global Port-security status : Enabled
Interface name : ethernet1/1/1
Port Security : Enabled
Port Status : Up
Mac learn limit : 100
MAC-learn-limit-Violation action : Log
Sticky : Disabled
Mac-move-allow : Not Allowed
Mac-move-violation action : shutdown-both
Aging : Enabled
Total MAC Addresses : 10
Secure static MAC Addresses : 0
Sticky MAC Addresses : 10
Secure Dynamic MAC addresses : 0
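The show output above is what an operator would feed into a periodic posture check. The following added example (not from this guide or from OS10) parses a constructed copy of that output into fields and reports deviations from the port security guidance on this page: a missing numeric learning limit, a limit that has been reached, the forward violation action, MAC movement being allowed, and sticky learning being off. The field names and value spellings are assumed to match the sample exactly.

```python
# Constructed sample in the shape of the 'show switchport port-security interface'
# output shown on this page (not captured from a real switch).
SAMPLE_OUTPUT = """\
Global Port-security status : Enabled
Interface name : ethernet1/1/1
Port Security : Enabled
Port Status : Up
Mac learn limit : 100
MAC-learn-limit-Violation action : Log
Sticky : Disabled
Mac-move-allow : Not Allowed
Mac-move-violation action : shutdown-both
Aging : Enabled
Total MAC Addresses : 10
Secure static MAC Addresses : 0
Sticky MAC Addresses : 10
Secure Dynamic MAC addresses : 0
"""

def parse_port_security(text):
    """Turn the 'Key : Value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def port_security_findings(fields):
    """Posture findings against this page's guidance; an empty list means no concerns."""
    findings = []
    if fields.get("port security") != "Enabled":
        findings.append("port security disabled")
    limit = fields.get("mac learn limit", "")
    if not limit.isdigit():  # 'no-limit' or a missing field: no flooding protection
        findings.append("no numeric mac-learn limit (no-limit permits MAC flooding)")
    elif int(fields.get("total mac addresses", "0")) >= int(limit):
        findings.append(f"mac-learn limit reached ({fields['total mac addresses']}/{limit})")
    # 'forward' is the one violation action on this page that keeps excess traffic flowing.
    if fields.get("mac-learn-limit-violation action", "").lower() == "forward":
        findings.append("violation action 'forward' passes traffic from excess addresses")
    if fields.get("mac-move-allow") == "Allowed":
        findings.append("MAC movement allowed between port-security interfaces; confirm intended")
    if fields.get("sticky") == "Disabled":  # dynamic secure addresses are lost on reload
        findings.append("sticky disabled: learned addresses are lost on reload")
    return findings

if __name__ == "__main__":
    for f in port_security_findings(parse_port_security(SAMPLE_OUTPUT)): print("FINDING:", f)
```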