Okay, “hacking” may be a bit overboard for what I’m talking about here, but between the recent policies from General Dynamics and the ineptitude of the team you may be replacing, I might not be that far off.
In Part II of the Team Chief’s Toolkit, I’ll give a few recommendations for modifying your equipment and provide a few useful tips for dealing with TPE equipment.
Modify Your Switches
Any remote switch you may have (that is, a switch not mounted inside your stacks) should be locked down and hardened.
- Enable service password-encryption. This keeps your VTY and console passwords from showing up in clear text in the config and over the shoulder of whoever is looking at it. Be aware that it uses type 7 encoding, which is trivially reversible, so pair it with a hashed enable secret and username ... secret for every local account rather than relying on it as real protection.
- Enable SSH version 2 and disable telnet. Telnet sends the login in clear text. SSH needs a hostname, a domain name, and an RSA key pair generated before ip ssh version 2 will take, and the VTY lines need transport input ssh so telnet is actually closed. Cisco has a nice article on how this is done.
- Enable port security. On each non-trunk port there should only be two MAC addresses: the IP phone and the computer attached to it, so set the maximum to 2 and pick a violation action you will notice. Port security is not needed on trunk ports, but set switchport nonegotiate so DTP cannot be used to negotiate a trunk from an access port, only allow the voice, data, and management VLANs across, and move the native VLAN to an unused VLAN that is not on the allowed list so double-tagged frames go nowhere.
- Avoid using SNMP version 2c or earlier. Versions 1 and 2c send the community string in clear text and anyone who sniffs it can read, and usually write, your config. Use version 3 with authentication and privacy if your NETOPS will allow it; if you are stuck on 2c, at least make the community read-only, change it from the default, and restrict it with an access list.
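Here is the whole checklist above rolled into one config fragment for a remote access switch. This is an added example, not part of the original post or anything issued with the TPE gear; the hostname, domain name, VLAN numbers (10 data, 20 voice, 99 management, 999 unused native), interface numbers and the placeholder passwords are assumptions you will need to replace with your own site's values.

```cisco
! Added hardening fragment for a remote access switch (Cisco IOS syntax).
! Hostname, domain, VLAN IDs, interface numbers and passwords are placeholders.
hostname SW-REMOTE-1
ip domain-name example.mil
!
! --- Password handling ---
! service password-encryption only obscures line passwords (type 7, reversible).
! Real protection comes from the hashed "secret" credentials, so use both.
service password-encryption
enable secret ReplaceWithStrongEnableSecret
username teamchief privilege 15 secret ReplaceWithStrongUserSecret
!
! --- SSHv2 only, no telnet ---
! Key generation needs hostname and ip domain-name set first (done above).
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line con 0
 login local
 exec-timeout 10 0
line vty 0 15
 login local
 transport input ssh
 exec-timeout 10 0
!
! --- Access ports: one IP phone plus one PC, nothing else ---
interface range GigabitEthernet1/0/1 - 44
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! --- Uplink trunk: no DTP, explicit VLAN list, unused native VLAN ---
! (switchport trunk encapsulation dot1q is only needed, and only accepted,
!  on platforms that also support ISL; omit it on a 2960.)
vlan 999
 name UNUSED-NATIVE
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20,99
 switchport trunk native vlan 999
!
! --- Management: SNMPv3 authPriv only, default communities removed ---
no snmp-server community public
no snmp-server community private
snmp-server group NETOPS-RO v3 priv
snmp-server user netops NETOPS-RO v3 auth sha ReplaceWithAuthPass priv aes 128 ReplaceWithPrivPass
```

After applying it, check your work with show ip ssh (should report version 2.0), show port-security interface on a phone port (secure addresses should be 2 with 0 violations), and show snmp user (should list only the v3 user). If a phone port starts logging violations with a single phone and PC attached, the phone is showing up on the data VLAN as well as the voice VLAN and you will need maximum 3 on that port, or per-VLAN maximums, rather than turning port security off.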