
Categories:
Security
Network

Script to harden a Catalyst switch.

Script to harden the configuration of a Cisco Catalyst switch

The script does not harden the switch configuration itself; it produces a report that gives an overview of that hardening. Recommendations issued after 2020 are not taken into account. To be updated.

!NOTE: items that require tuning
!Systems linked to availability,  RTS-SW-037,ANSSI-R37
!Systems linked to availability,  RTS-SW-038,ANSSI-R38
!Systems linked to availability,  RTS-SW-039,ANSSI-R39
!Systems linked to availability,  RTS-SW-040,ANSSI-R40
!Systems linked to availability,  RTS-SW-041,ANSSI-R41
!Systems linked to availability,  RTS-SW-044,ANSSI-R44

! Catalyst Hardening & Reporting
!
! v1.0 28/10/2020
!
!---------------------------------------------------------------

term len 0

!Administrative, RTS-SW-001,ANSSI-R1
!Dedicate a physical interface on the switch to its administration

sh run int Gi0/0

!Administrative, RTS-SW-002,ANSSI-R2
!Physically separate the administration networks
!from the business line networks.
!OR
!Arrange logical partitioning using VLANs.

sh run vlan
sh vlan

!Administrative, RTS-SW-003,ANSSI-R3
!Do not disable the console port of switches

sh line
sh run | include logging
sh run | include exec

!Administrative, RTS-SW-004,ANSSI-R4
!Use version 2 of the SSH protocol

sh ip ssh
sh run | include ssh

!Administrative, RTS-SW-005,ANSSI-R5
!The configuration must adhere to the cipher recommendations

sh run all | include ip ssh
sh run all | include service tcp

!Administrative, RTS-SW-006,ANSSI-R6
!Disable the web server that manages the switch, whether it is in
!secure (HTTPS) or non-secure (HTTP) version.

sh run | include ip http

!Administrative, RTS-SW-007,ANSSI-R7
!Delete the certificates created by default on the switch

sh crypto pki trustpoint

!Administrative, RTS-SW-008,ANSSI-R8
!Do not use Telnet protocol for remote administration of
!switches when more secure protocols are supported
!by the equipment.

sh run view | section include line

!Administrative, RTS-SW-009,ANSSI-R9
!A switch must have only one IP address dedicated solely to its
!administration.

!sh ip interface brief
sh ip interface brief | exclude unassigned


!Administrative, RTS-SW-010,ANSSI-R10
!Take the necessary measures in the IS such that only administrators
!are authorised to access the administration interface of the switch,
!notably using filtering in the firewalls.
!OR
!If this is not possible, it may be feasible to set up ACLs on the switch as a workaround measure.

! see screenshot of Admin FW/Wallix

sh run | section access-list

!Administrative, RTS-SW-011,ANSSI-R11
!Enable logging of authentications and attempted
!authentications.

sh run view | section login

!Administrative, RTS-SW-012,ANSSI-R12
!Set up counter-measures to protect the switch from
!brute-force attacks.

sh run view | section login

!Administrative, RTS-SW-013,ANSSI-R13
!Make the use of nominative accounts universal
!OR
!If this is not possible, comply with strict usage conditions
!tailored to the context.
!NA Wallix not available

sh run | section username


!Administrative, RTS-SW-014,ANSSI-R14
!It is good practice to stick to using "unprivileged" and "administrator
!account" privilege levels, as long as no needs have been identified
!that require other privilege levels.


!Administrative, RTS-SW-015,ANSSI-R15
!The enable functionality must be disabled; use of nominative
!administrator accounts removes the need for this feature.

sh run | include privilege exec

!Administrative, RTS-SW-016,ANSSI-R16
!Centralise the accounts in one or more directories in the 
!information system (rather than managing them locally on each
!switch), except for a local "backup" administration
!account.


!Administrative, RTS-SW-017,ANSSI-R17
!Protect the configuration files that contain passwords;
!as these are either unencrypted or easily found by
!a malicious user. Delete passwords from configuration files
!if these files are shared with other people.


!Administrative, RTS-SW-018,ANSSI-R18
!Delete the accounts by default, or at least disable them, while taking
!care to conserve at least one local "backup" administration account


!Administrative, RTS-SW-019,ANSSI-R19
!The use of a remote access control method, based on one of the
!information system directories, must be set up to enable
!login to the switch on all lines (including the console)

sh run view | section aaa
sh run view | section line con

!Administrative, RTS-SW-020,ANSSI-R20
!Local authentication must be authorised for the local administration
!account only.

!Administrative, RTS-SW-021,ANSSI-R21
!Use TACACS+ in preference to RADIUS

sh run | include radius
sh run | include tacacs

!Administrative, RTS-SW-022,ANSSI-R22
!The security policy regarding user account passwords must
!comply with the ISSP in force.

!Visual check of the password in Keepass

!Administrative, RTS-SW-023,ANSSI-R23
!Do not configure a login banner.

sh run | include banner

!Partitioning of networks and VLANs,  RTS-SW-024,ANSSI-R24
!When physical separation of networks is not possible,
!it is recommended practice to partition their information system in a
!coherent way using VLANs, basing the segmentation decisions on
!utility and simplicity.

sh vlan

!Partitioning of networks and VLANs,  RTS-SW-025,ANSSI-R25
!Nominative accounts yet to be configured, but there are generic accounts with
!privilege level 15 on new switches only; level 0 on old switches.


!Partitioning of networks and VLANs,  RTS-SW-026,ANSSI-R26
!Prohibit automatic configuration of ports (trunk or access) and configure them securely. In particular:
!- for access ports: configure only the VLAN necessary for a given port.
!- for trunk ports: authorise only the VLANs that effectively need to circulate via the trunk port.



!Partitioning of networks and VLANs,  RTS-SW-027,ANSSI-R27
!All ports that are supposed to be out of use must be associated with the quarantine VLAN.
!Ports placed in this VLAN must not provide access to any resource in the information system, 
!and must prohibit communication with any other machine, including others placed in this same VLAN. 
!Also, these ports must be disabled, along with the quarantine VLAN and its associated interface.

sh run | section interface

!Partitioning of networks and VLANs,  RTS-SW-028,ANSSI-R28
!The default VLAN must never be used

sh run interface vlan 1

!Partitioning of networks and VLANs,  RTS-SW-029,ANSSI-R29
!The native VLAN:
!- must be configured such that it is different from the default VLAN.
!- must not be attributed to any port in access mode (it must not be used to circulate business line or administration traffic).
!- must be the same for all switches in the same distribution domain (and preferably throughout the IS, on principle of uniformity) to avoid unsuitable behaviours.


!Partitioning of networks and VLANs,  RTS-SW-030,ANSSI-R30
!Use Private VLANs in isolated mode as soon as technically possible, in other words when this can be done without affecting
!any service essential to the information system. Effectively, post-to-post communication is no longer possible in this scenario.
!OR
!As a minimum, activate the Protected Port or Port Isolation mechanism, depending on the equipment model.

!interface range gi 1/0/1-48
!switchport protected

!Routing,  RTS-SW-031,ANSSI-R31
!Inter-VLAN routing must be handled by level-3 equipment. This routing must therefore be disabled on the access switches

sh ip protocols
sh ip route

!Routing,  RTS-SW-032,ANSSI-R32
!Inter-VLAN routing must be handled by level-3 equipment. The ARP proxy feature must therefore be disabled on the access switches.

sh run | section arp

!Routing,  RTS-SW-033,ANSSI-R33
!Disable the Source Routing feature


show run | include ip source-route

!Routing,  RTS-SW-034,ANSSI-R34
!Disable unused ports on the switches

show int status

!Security-protecting ports,  RTS-SW-035,ANSSI-R35
!Use 802.1X to security-protect access to the switch ports
!OR
!Use Port Security

!switchport port-security
!switchport port-security maximum 1
!switchport port-security mac-address sticky
!switchport port-security violation shutdown

!Security-protecting ports,  RTS-SW-036,ANSSI-R36
!If 802.1X is used to control access to the switch ports, use the standard based on EAP-TLS.

!NA

!Systems linked to availability,  RTS-SW-037,ANSSI-R37
!Enable the DHCP snooping and IP Source Guard features to mitigate the security flaws in the DHCP protocol.

!ip dhcp snooping
!ip dhcp snooping vlan <2-4094>
!interface range gi 1/0/1-15
!ip verify source

!Systems linked to availability,  RTS-SW-038,ANSSI-R38
!Enable the ARP inspection features

!ip arp inspection vlan <38-60>
!ip arp inspection validate src-mac dst-mac ip


!Systems linked to availability,  RTS-SW-039,ANSSI-R39
!Enable protections against propagation of Spanning Tree frames (BPDUs) on the access ports.

sh run | section spanning-tree


!Systems linked to availability,  RTS-SW-040,ANSSI-R40
!Enable PortFast mode on ports connected to client machines. Do not enable this mode on interfaces connected to other switches.

!sh run | section spanning-tree


!Systems linked to availability,  RTS-SW-041,ANSSI-R41
!It is beneficial to implement systems that guard against "broadcast storms", to boost the resistance of switches in the face of these attacks.

! Limits broadcast traffic to X% of bandwidth
!storm-control broadcast level <X>
! Limits multicast traffic to Y% of bandwidth
!storm-control multicast level <Y>
! Limits unicast traffic to Z% of bandwidth
!storm-control unicast level <Z>
! Enables SNMP to escalate alerts
!storm-control action trap
! Switches off any port subjected to a broadcast storm
!storm-control action shutdown

!Systems linked to availability,  RTS-SW-042,ANSSI-R42
!It is helpful to implement the small-frame rate checking service, to boost the resistance of switches attacked using this kind of frame.

!Enables the small-frame detection service
!errdisable detect cause small-frame
!interface range gi 1/0/1-15
!small-frame violation-rate <10000>

!Systems linked to availability,  RTS-SW-043,ANSSI-R43
!Limit the number of packets per second in the ARP, DHCP and IGMP protocols.

! Limit the number of DHCP packets to X per second
!psp dhcp pps <X>
! Limit the number of ARP packets to Y per second
!psp arp pps <Y>
! Limit the number of IGMP packets to Z per second
!psp igmp pps <Z>


!Systems linked to availability,  RTS-SW-044,ANSSI-R44
! Blocking of unicast and multicast frames destined for unknown MAC addresses
!interface range gi 1/0/1-48
!switchport block unicast
!switchport block multicast

!Time and date synchronization and stamping, RTS-SW-045,ANSSI-R45
!Automate the time synchronization of switches in the IS to ensure that the time is consistent across all equipment.
!If possible, use several time sources located in the IS.

sh run | include ntp server


!Time and date synchronization and stamping, RTS-SW-046,ANSSI-R46
!Synchronize the switches' time by routing time synchronization data flows through a non-business line network,
!for example the administration network.

sh run | include ntp source

!Time and date synchronization and stamping, RTS-SW-047,ANSSI-R47
!Enable time-stamping of events logged on the switches. This time-stamping must contain the necessary information to maintain
!temporal consistency between the events, irrespective of the geographical distribution of the information system.

sh run | include service timestamp


!Logging, RTS-SW-048,ANSSI-R48
!Set the logging level for switches to suit IS logging needs.



!Logging, RTS-SW-049,ANSSI-R49
!Enable sending of switch logs to a collection server.

sh run | section logging

!Logging, RTS-SW-050,ANSSI-R50
!In the context of centralising switch logs, send in event reports via the administration network to prevent leakage of sensitive information.

sh run | include logging source-interface

!Logging, RTS-SW-051,ANSSI-R51
!Enable logging of commands entered by administrators.

sh run | section archive

!Logging, RTS-SW-052,ANSSI-R52
!Increase the size of the logging cache, taking care to avoid any notable impact on the switches' performance.

sh run | include logging buffered

!Logging, RTS-SW-053,ANSSI-R53
!Enable local storage of logged events. Adapt the log size to the number of events it is considered necessary to conserve locally and the amount of drive space available on the equipment.

sh run | include logging file

!Logging, RTS-SW-054,ANSSI-R54
!If the function of displaying logging event notifications on the console and/or the terminal is enabled, filter the displayed notifications to reduce the visual clutter caused by minor events. If this feature is not considered useful, disable it to conserve the switch's resources.

!no logging console
!no logging monitor

!Logging, RTS-SW-055,ANSSI-R55
!Limit the number of logging event notifications displayed on the switch console so as not to hinder its operation.

sh run | include logging rate-limit

!SNMP, RTS-SW-056,ANSSI-R56
!Do not use the SNMP protocol in set mode to administrate switches.

sh run | section snmp-server

!SNMP, RTS-SW-057,ANSSI-R57
!Use SNMP version 3 AuthPriv


!SNMP, RTS-SW-058,ANSSI-R58
!Where the trap service exists, recommended practice is to use it in inform mode.


!SNMP, RTS-SW-059,ANSSI-R59
!Configuration of the SNMP service must, unless there are highly specific constraints, comply with the cipher recommendations detailed in appendix B of the General Security Rules (RGS).


!Link aggregation, RTS-SW-060,ANSSI-R60
!To increase the bandwidth or ensure redundancy on the network links between the service and distribution switches, it is advisable to set up link aggregation.

sh int status

!Management of the TLS/MCS area, RTS-SW-061,ANSSI-R61
!Standardise hardware and software configurations of switches in the relevant IS to facilitate their TLS/MCS


!Management of the TLS/MCS area, RTS-SW-062,ANSSI-R62
!Regularly update the operating system that encompasses the switches, to protect them against security flaws corrected in the updates.


!Management of the TLS/MCS area, RTS-SW-063,ANSSI-R63
!Take care to ensure that the switch configurations are consistent with changes applied to the IS.


!Management of the TLS/MCS area, RTS-SW-064,ANSSI-R64
!Centralise administration of the switches in the IS.


!Management of the TLS/MCS area, RTS-SW-065,ANSSI-R65
!Set up remote, automatic and regular backups of the IS switch configurations.


!Management of the TLS/MCS area, RTS-SW-066,ANSSI-R66
!Regularly test the procedures for restoring equipment configurations


!Management of the TLS/MCS area, RTS-SW-067,ANSSI-R67
!Introduce a system for checking the configuration of switches in the IS.


!Management of the TLS/MCS area, RTS-SW-068,ANSSI-R68
!Define macros for recurrent operations if the hardware permits.


!Other functionalities, RTS-SW-069,ANSSI-R69
!Enable encryption of passwords in the configuration file.

sh run | include service password-encryption

!Other functionalities, RTS-SW-070,ANSSI-R70
!It is recommended practice to disable the following features in a switch configuration: name resolution, DHCP server, CDP and LLDP protocols

! no ip domain-lookup
! no cdp run
! no service dhcp
! no lldp run



!System availability, RTS-SW-071,ANSSI-R71
!Apply preventive measures against switch unavailability via actions on the memory and processor equipment.

! SNMP alert sent if CPU is overloaded
! snmp-server enable traps cpu threshold
! process cpu threshold type total rising <percentage> interval <s>
! snmp-server host <snmp-server-ip> version 3 priv <user-snmpv3> cpu

! Defines the low threshold for available processor memory; a breach triggers a notification
! memory free low-watermark processor <low memory threshold kB>
! Defines the low threshold for available I/O memory; a breach triggers a notification
! memory free low-watermark io <low memory threshold kB>
! Keeps 1 MB of memory in reserve for sending notifications
! memory reserve critical <1000>



! Save Changes
copy run start

show run
show version

sh clock
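The report that the show commands above are meant to feed can also be produced offline from a saved `show running-config`. The Python below is an added example, not part of this script: it scores a capture against a handful of the recommendations listed above (R4, R6, R8, R23, R69, R70); the sample configuration is constructed, and settings IOS does not print when left at their default (domain lookup, CDP) are judged by the presence of their `no` form.

```python
import re

# Constructed excerpt of a "show running-config" capture; not from a real switch.
SAMPLE_CONFIG = """\
hostname SW-ACCESS-01
service password-encryption
ip ssh version 2
ip http server
no ip http secure-server
banner motd ^CAuthorised access only^C
line con 0
 login authentication CONSOLE
line vty 0 4
 transport input telnet ssh
 login authentication VTY
"""

def check_config(config: str) -> dict:
    """Score a saved IOS running-config against a few ANSSI recommendations.
    Returns {label: True if compliant, False otherwise}."""
    lines = [line.rstrip() for line in config.splitlines()]

    def has(pattern: str) -> bool:
        return any(re.search(pattern, line) for line in lines)

    return {
        # ANSSI-R4: SSH protocol version 2 explicitly configured
        "ANSSI-R4 ssh version 2": has(r"^ip ssh version 2$"),
        # ANSSI-R6: neither HTTP nor HTTPS management server enabled
        "ANSSI-R6 no http server": not has(r"^ip http (secure-)?server$"),
        # ANSSI-R8: no line accepts telnet as an input transport
        "ANSSI-R8 no telnet": not has(r"^\s+transport input .*\btelnet\b"),
        # ANSSI-R23: no login banner of any kind
        "ANSSI-R23 no banner": not has(r"^banner "),
        # ANSSI-R69: passwords stored encrypted in the configuration file
        "ANSSI-R69 password-encryption": has(r"^service password-encryption$"),
        # ANSSI-R70: name resolution and CDP disabled (only the 'no' form is printed)
        "ANSSI-R70 no domain-lookup": has(r"^no ip domain-lookup$"),
        "ANSSI-R70 no cdp": has(r"^no cdp run$"),
    }

def report(config: str) -> str:
    """One 'OK'/'KO' line per check, in the order of the checks above."""
    return "\n".join(f"{'OK' if ok else 'KO'}  {label}"
                     for label, ok in check_config(config).items())

if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```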