

ntp client enable

ntp server <IP_Address>

show ntp status

show ntp server status

Snipp- save "Hardening", "1h" ntp

aaa radius-server NPS01 host key FM1040
aaa authentication http NPS01 local
aaa accounting vlan NPS01 local

//VTY Transport SSH

no ip service telnet
no aaa authentication telnet
ssh enable
ip service ssh
aaa authentication ssh NPS01 local

show aaa server

show aaa accounting
show aaa authentication

Snipp- save "Hardening", "2h" aaa

//Appropriate banners shall be configured during login or for message of the day
"Two steps are required to change the login banner. These steps are listed here:
• Create a text file that contains the banner you want to display in the switch's /flash/switch directory.
• Enable the text file by entering the session banner CLI command followed by the
To create the text file containing the banner text, you may use the vi text editor in the switch. This method allows you to create the file in the /flash/switch directory without leaving the CLI console session. You can also create the text file using a text editing software package (such as MS Wordpad) and transfer the file to the switch's /flash/switch directory.
If you want the login banner in the text file to apply to FTP switch sessions, execute the following CLI command where the text filename is firstbanner.txt.
-> session banner ftp /flash/switch/firstbanner.txt
If you want the login banner in the text file to apply to CLI switch sessions, execute the following CLI command where the text filename is secondbanner.txt.
-> session banner cli /flash/switch/secondbanner.txt"

transfer the banner file to the switch using FTP
Snipp- save "Hardening", "3-1h" before transfer
Snipp- save "Hardening", "3-2h" after transfer

session banner cli /flash/switch/banner.txt
session banner http /flash/switch/banner.txt
session banner ftp /flash/switch/banner.txt
Note:- Assuming that the banner file is banner.txt
//Timeout for Login Sessions
session login-timeout 240
session timeout cli 5

//Configure the SSH Timeout

session timeout cli 2
session timeout http 1
session timeout ftp 2

//Limit the number of SSH Authentication Retries

session login-attempt 5

show session config

Snipp- save "Hardening", "4h" session

show system

//Clock Timezone
system timezone zp8
//correct the time
system time hh:mm:ss

//Clock Timezone with Daylight settings

system daylight savings time enable

//Configure the Domain Name

ip domain-name

show system

Snipp- save "Hardening", "5h" verify SYS time

//System Logging
swlog appid bridge level warning

//Logging Buffer-ok
swlog output flash file-size 128000

//Logging to Device Console

swlog output console

//Logging to Syslog Server

swlog output socket

//Logging Trap Severity Level

swlog appid system level warning

show swlog

Snipp- save "Hardening", "6h"

//Forbid Directed Broadcast

ip directed-broadcast off

show ip config
Snipp- save "Hardening", "7h"

//create the management vlan in the 10.232.x.224/28 pool ("x" is the existing pool)
vlan 510 name "management"
vlan 510 enable
ip interface MANAGEMENT address 10.232.x.228/28 vlan 510
vlan 510 port default <port_number> // assign vlan 510 to one interface [note down the interface].

vlan 957 name "unused_vlan"

vlan 957 port default <port number> //assign this to all unused ports.
interface <port> admin down //after assigning the vlan to all unused ports, disable the interface.

eg:vlan 957 port default 1/6

interface 1/6 admin down

show ip interface

Snipp- save "Hardening", "8-1h"

show vlan port

Snipp- save "Hardening", "8-2h"


Snipp- save "Hardening", "9h"

write memory
copy working certified

show configuration snapshot

Snipp- save "Hardening", "10-1h, 10-2h, 10-3h"
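As an added example (not part of this checklist and not an Alcatel-Lucent tool), the script below audits a saved `show configuration snapshot` text against the hardening items above: NTP on, Telnet off, SSH on and authenticated through the AAA server with local fallback, directed broadcast off, syslog forwarding on, a CLI banner set, and the session limits within the values used in this checklist. The two snapshot texts are constructed to mirror the commands on this page; real snapshot output may differ in layout, so the patterns are assumptions to adjust.

```python
"""Offline audit of an AOS configuration snapshot against this hardening checklist.

Added example. The snapshot samples below are constructed from the commands on
this page, not captured from a real switch.
"""
import re

# Lines that must appear (anchored regex, one per checklist item).
REQUIRED = [
    ("ntp_enabled",        r"^ntp client enable$",                "NTP client must be enabled"),
    ("telnet_disabled",    r"^no ip service telnet$",             "Telnet service must be disabled"),
    ("ssh_enabled",        r"^ip service ssh$",                   "SSH service must be enabled"),
    ("ssh_aaa",            r"^aaa authentication ssh \S+ local$", "SSH must authenticate via the AAA server with local fallback"),
    ("directed_bcast_off", r"^ip directed-broadcast off$",        "Directed broadcast must be off"),
    ("syslog_server",      r"^swlog output socket\b",             "Logs must be sent to a syslog server"),
    ("cli_banner",         r"^session banner cli \S+$",           "A CLI login banner must be configured"),
]

# Numeric settings: (name, regex with one capture group, maximum allowed value).
LIMITS = [
    ("login_attempts", r"^session login-attempt (\d+)$", 5),
    ("cli_timeout",    r"^session timeout cli (\d+)$",   5),
    ("login_timeout",  r"^session login-timeout (\d+)$", 240),
]

# Lines that must NOT appear.
FORBIDDEN = [
    ("telnet_aaa", r"^aaa authentication telnet\b", "Telnet must not be an authenticated management path"),
]


def _config_lines(snapshot: str) -> list:
    """Strip whitespace and drop blank lines and '!' comment lines."""
    return [ln.strip() for ln in snapshot.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def audit_snapshot(snapshot: str) -> dict:
    """Return {check_name: True/False} for every item in the checklist."""
    lines = _config_lines(snapshot)
    results = {}
    for name, pattern, _ in REQUIRED:
        results[name] = any(re.match(pattern, ln) for ln in lines)
    for name, pattern, limit in LIMITS:
        value = None
        for ln in lines:
            m = re.match(pattern, ln)
            if m:
                value = int(m.group(1))   # last occurrence wins, as on the CLI
        # A missing value means the switch default is in effect; treat that as a finding.
        results[name] = value is not None and value <= limit
    for name, pattern, _ in FORBIDDEN:
        results[name] = not any(re.match(pattern, ln) for ln in lines)
    return results


def findings(snapshot: str) -> list:
    """List (check_name, explanation) for every failed check."""
    why = {n: e for n, _, e in REQUIRED}
    why.update({n: e for n, _, e in FORBIDDEN})
    why.update({n: f"{n} must be set and at most {lim}" for n, _, lim in LIMITS})
    return [(n, why[n]) for n, ok in audit_snapshot(snapshot).items() if not ok]


# Constructed sample: a snapshot that follows this checklist.
HARDENED_SNAPSHOT = """
! constructed sample, not real switch output
ntp client enable
ntp server 10.0.0.1
aaa authentication ssh NPS01 local
no ip service telnet
ip service ssh
session banner cli /flash/switch/banner.txt
session login-timeout 240
session timeout cli 2
session login-attempt 5
swlog output socket 10.0.0.3
ip directed-broadcast off
"""

# Constructed sample: a switch still at weak settings.
WEAK_SNAPSHOT = """
ip service telnet
aaa authentication telnet local
session timeout cli 60
session login-attempt 10
"""

if __name__ == "__main__":
    for label, snap in (("hardened", HARDENED_SNAPSHOT), ("weak", WEAK_SNAPSHOT)):
        print(f"== {label} ==")
        for name, reason in findings(snap):
            print(f"FAIL {name}: {reason}")
```

Run it against the text saved from `show configuration snapshot` on the switch being hardened; every `FAIL` line is an item to fix before taking the final screenshots and certifying. Because the check treats a missing timeout or login-attempt line as a finding, it also catches the case where the command was typed but never saved.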

test FTP/HTTP/Telnet/SSH and Console with Mngt IP

Snipp- save "Final Test", "Console/FTP/HTTP/SSH and Telnet and FTP Mngt/HTTP Mngt/SSH and Telnet Mngt"

note down the unused interfaces.
note down in which interface the management vlan is assigned by you.
collect all logs.
collect screenshots.

you may encounter a "Low Flash Memory Issue"; hence, after updating AOS, delete 2 files inside the "Working directory".

Check your boot.cfg to see if all configs are set on the router before backup and doing certify. Screenshot needed as well.
you need to have 4 backup copies of boot.cfg
Boot1 : before AOS update
Boot2 : after AOS update
Boot3 : after hardening
Final : copy from certified folder