Script to harden a Nexus switch.

Script to harden the configuration of a Cisco Nexus switch

The script does not itself harden the switch configuration; it produces a report that takes stock of that hardening. It does not take into account recommendations issued after 2020. To be updated.

!Notes: items that require tuning
!
!Routing RTS-SW-031 ANSSI-R31
!requires remediation of the vPC keepalive

!Routing RTS-SW-034 ANSSI-R34
!to be enabled ?

!Security-protecting ports RTS-SW-035 ANSSI-R35
! port security ?

!Systems linked to availability RTS-SW-037 ANSSI-R37
! DHCP snooping vlan & port numbers required

!Systems linked to availability RTS-SW-038 ANSSI-R38
! vlan configuration required for access ports

!Systems linked to availability RTS-SW-040 ANSSI-R40
! interface range required

!Systems linked to availability RTS-SW-041 ANSSI-R41
! broadcast storm levels required

!Systems linked to availability RTS-SW-042 ANSSI-R42
! interface range required

!Systems linked to availability RTS-SW-043 ANSSI-R43
! packet per second rates required

!Systems linked to availability RTS-SW-044 ANSSI-R44
! interface range required

! Nexus Hardening
!
! V1.0 28/10/2020
!--------------------------------------------------------------------
term len 0

!Administration RTS-SW-001 ANSSI-R1
!Dedicate a physical interface on the switch to its administration

show int mgmt0
show run int mgmt0

!Administration RTS-SW-002 ANSSI-R2
!Physically separate the administration networks
!from the business line networks.
!OR
!Arrange logical partitioning using VLANs.

sh vlan
show interface trunk

!Administration RTS-SW-003 ANSSI-R3
!Do not disable the console port of switches

sh run | sec console


!Administration RTS-SW-004 ANSSI-R4
!Use version 2 of the SSH protocol


show running-config security all
show ssh server
show ssh key rsa


!Administration RTS-SW-005 ANSSI-R5
!The configuration must adhere to the cipher recommendations

! see above

!Administration RTS-SW-006 ANSSI-R6
!Disable the web server that manages the switch, whether it is in
!secure (HTTPS) or non-secure (HTTP) version.

show http server

!Administration RTS-SW-007 ANSSI-R7
!Delete the certificates created by default on the switch

show crypto ca certificates


!Administration RTS-SW-008 ANSSI-R8
!Do not use Telnet protocol for remote administration of
!switches when more secure protocols are supported
!by the equipment.

show telnet server


!Administration RTS-SW-009 ANSSI-R9
!A switch must have only one IP address dedicated to its
!administration.

show ip int brief vrf all

!Administration RTS-SW-010 ANSSI-R10
!Take the necessary measures in the IS such that only administrators
!are authorised to access the administration interface of the switch,
!notably using filtering in the firewalls.
!OR
!If this is not possible, it may be feasible to set up ACLs on the switch as a workaround measure.

sh run | section access-list

!Administration RTS-SW-011 ANSSI-R11
!Enable logging of authentications and attempted
!authentications.

sh run | include login

!Administration RTS-SW-012 ANSSI-R12
!Set up counter-measures to protect the switch from
!brute-force attacks.

sh system login

!Administration RTS-SW-013 ANSSI-R13
!Make the use of nominative accounts universal
!OR
!If this is not possible, comply with strict usage conditions tailored to the context.


!Administration RTS-SW-014 ANSSI-R14
!It is good practice to stick to using "unprivileged" and "administrator
!account" privilege levels, as long as no needs have been identified
!that require other privilege levels.

sh run | inc username


!Administration RTS-SW-015 ANSSI-R15
!The enable functionality must be disabled; use of nominative
!administrator accounts removes the need for this feature.


!Administration RTS-SW-016 ANSSI-R16
!Centralise the accounts in one or more directories in the 
!information system (rather than managing them locally on each
!switch), except for a local "backup" administration account.



!Administration RTS-SW-017 ANSSI-R17
!Protect the configuration files that contain passwords;
!as these are either unencrypted or easily found by
!a malicious user. Delete passwords from configuration files
!if these files are shared with other people.


!Administration RTS-SW-018 ANSSI-R18
!Delete the accounts by default, or at least disable them, while taking
!care to conserve at least one local "backup" administration account
!see ANSSI-R15



!Administration RTS-SW-019 ANSSI-R19
!The use of a remote access control method, based on one of the
!information system directories, must be set up to enable login to the switch on all lines (including the console)
sh run all | section aaa


!Administration RTS-SW-020 ANSSI-R20
!Local authentication must be authorised for the local administration
!account only.


!Administration RTS-SW-021 ANSSI-R21
!Use TACACS+ in preference to RADIUS


!Administration RTS-SW-022 ANSSI-R22
!The security policy regarding user account passwords must
!comply with the ISSP in force.


!Administration RTS-SW-023 ANSSI-R23
!Do not configure a login banner.

sh banner motd


!Partitioning of networks and VLANs RTS-SW-024 ANSSI-R24
!When physical separation of networks is not possible,
!it is recommended practice to partition their information system in a
!coherent way using VLANs, basing the segmentation decisions on
!utility and simplicity.
sh vlan
sh int status

!Partitioning of networks and VLANs RTS-SW-025 ANSSI-R25
!Disable the services that automatically configure the VLAN, VTP, MVRP or GVRP depending on the switch.

sh feature | include vtp

!Partitioning of networks and VLANs RTS-SW-026 ANSSI-R26
!Prohibit automatic configuration of ports (trunk or access) and configure them securely. In particular:
!- for access ports: configure only the VLAN necessary for a given port.
!- for trunk ports: authorise only the VLANs that effectively need to circulate via the trunk port.
sh run int

!Partitioning of networks and VLANs RTS-SW-027 ANSSI-R27
!All ports that are supposed to be out of use must be associated with the quarantine VLAN. Ports placed in this VLAN must not provide access to any resource in the information system, and must prohibit communication with any other machine, including others placed in this same VLAN. Also, these ports must be disabled, along with the quarantine VLAN and its associated interface.
sh vlan id 666

!Partitioning of networks and VLANs RTS-SW-028 ANSSI-R28
!The default VLAN must never be used
sh vlan

!Partitioning of networks and VLANs RTS-SW-029 ANSSI-R29
!The native VLAN:
!- must be configured such that it is different from the default VLAN.
!- must not be attributed to any port in access mode (it must not be used to circulate business line or administration traffic).
!- must be the same for all switches in the same distribution domain (and preferably throughout the IS, on principle of uniformity) to avoid unsuitable behaviours.
sh vlan id 999

!Partitioning of networks and VLANs RTS-SW-030 ANSSI-R30
!Use Private VLANs in isolated mode as soon as technically possible, in other words when this can be done without affecting any service essential to the information system. Effectively, post-to-post communication is no longer possible in this scenario.
!OR
!As a minimum, activate the Protected Port or Port Isolation mechanism, depending on the equipment model.
! read-only check: is the private-vlan feature enabled (the "no feature interface-vlan"
! block that used to sit here was a copy of R31 and has been moved there)

sh feature | include private


!Routing RTS-SW-031 ANSSI-R31
!Inter-VLAN routing must be handled by level-3 equipment. This routing must therefore be disabled on the access switches
! NOTE: unlike the rest of the script, this block changes the running configuration;
! removing all SVIs also removes a vPC peer-keepalive carried over an SVI (see the notes at the top).
conf t
no feature interface-vlan
exit

sh feature | include interface

!Routing RTS-SW-032 ANSSI-R32
!Inter-VLAN routing must be handled by level-3 equipment. The ARP proxy feature must therefore be disabled on the access switches.
! IOS syntax, kept commented; on NX-OS proxy ARP is an interface-level setting ("no ip proxy-arp")
! and is moot on an access switch once the SVIs are removed under R31.
!conf t
!ip arp proxy disable
!exit

!Routing RTS-SW-033 ANSSI-R33
!Disable the Source Routing feature


!Routing RTS-SW-034 ANSSI-R34
!Disable unused ports on the switches
sh int status


!Security-protecting ports RTS-SW-035 ANSSI-R35
!Use 802.1X to security-protect access to the switch ports
!OR
!Use Port Security

!feature port-security
!interface ethernet 2/1
!switchport port-security

!Security-protecting ports RTS-SW-036 ANSSI-R36
!If 802.1X is used to control access to the switch ports, use the standard based on EAP-TLS.
!NA

!Systems linked to availability RTS-SW-037 ANSSI-R37
!Enable the DHCP snooping and IP Source Guard features to mitigate the security flaws in the DHCP protocol.

! Catalyst IOS syntax kept as a placeholder; on NX-OS enable "feature dhcp" first
! and use the local interface naming (Ethernet x/y).
!ip dhcp snooping vlan <2-4094>
!interface gi 1/0/1-15
!ip verify source


!Systems linked to availability RTS-SW-038 ANSSI-R38
!Enable the ARP inspection features on the access ports

!ip arp inspection vlan <38-60>
! Validates ARP packets by checking that the source/destination MAC and IP fields are consistent
!ip arp inspection validate src-mac dst-mac ip
! Marks the interfaces connected to other switches as trusted
!interface gi 1/0/50
!ip arp inspection trust


!Systems linked to availability RTS-SW-039 ANSSI-R39
!Enable protections against propagation of Spanning Tree frames (BPDUs) on the access ports.

sh run | include bpduguard



!Systems linked to availability RTS-SW-040 ANSSI-R40
!Enable PortFast mode on ports connected to client machines. Do not enable this mode on
!interfaces connected to other switches.

! Disable ports in PortFast mode if they are receiving BPDUs (global)

sh run | include edge



!Systems linked to availability RTS-SW-041 ANSSI-R41
!It is beneficial to implement systems that guard against "broadcast storms", to boost the resistance of switches in the face of these attacks.

! Limits broadcast traffic to X% of bandwidth
!storm-control broadcast level <X>
! Limits multicast traffic to Y% of bandwidth
!storm-control multicast level <Y>
! Limits unicast traffic to Z% of bandwidth
!storm-control unicast level <Z>
! Sends an SNMP trap when a storm is detected
!storm-control action trap
! Switches off any port subjected to a broadcast storm
!storm-control action shutdown



!Systems linked to availability RTS-SW-042 ANSSI-R42
!It is helpful to implement the small-frame rate checking service, to boost the resistance of switches attacked using this kind of frame.

! Enables the small-frame detection service (Catalyst IOS syntax, kept commented)
!conf t
!errdisable detect cause small-frame
!interface range gi 1/0/1-15
!small-frame violation-rate <10000>
!exit
!exit

!Systems linked to availability RTS-SW-043 ANSSI-R43
!Limit the number of packets per second in the ARP, DHCP and IGMP protocols.

! Limit the number of DHCP packets to X per second
!psp dhcp pps <X>
! Limit the number of ARP packets to Y per second
!psp arp pps <Y>
! Limit the number of IGMP packets to Z per second
!psp igmp pps <Z>



!Systems linked to availability RTS-SW-044 ANSSI-R44
!To minimise level-2 network pollution on the switches, it is useful to enable protection against undesirable frames.

! Blocking of unicast and multicast frames destined for unknown MAC addresses
!interface range gi 1/0/1-48
!switchport block unicast
!switchport block multicast



!Time and date synchronization and stamping RTS-SW-045 ANSSI-R45
!Automate the time synchronization of switches in the IS to ensure that the time is consistent across all equipment.
!If possible, use several time sources located in the IS.

sh run | include ntp

!Time and date synchronization and stamping RTS-SW-046 ANSSI-R46
!Synchronize the switches' time by routing time synchronization data flows through a non-business line network, for example the administration network.

! see above

!Time and date synchronization and stamping RTS-SW-047 ANSSI-R47
!Enable time-stamping of events logged on the switches. This time-stamping must contain the necessary information to maintain temporal
!consistency between the events, irrespective of the geographical distribution of the information system.

! IOS syntax, kept commented; the NX-OS equivalent is "logging timestamp milliseconds"
!conf t
!service timestamps log datetime localtime show-timezone
!exit

!Logging RTS-SW-048 ANSSI-R48
!Set the logging level for switches to suit IS logging needs.

sh run | section logging

!Logging RTS-SW-049 ANSSI-R49
!Enable sending of switch logs to a collection server.

! see above

!Logging RTS-SW-050 ANSSI-R50
!In the context of centralising switch logs, send in event reports via the administration network to prevent leakage of sensitive information.

!NA
!logging source-interface vlan <admin-vlan-number>


!Logging RTS-SW-051 ANSSI-R51
!Enable logging of commands entered by administrators.

! "archive ... log config" is IOS; on NX-OS the commands entered are recorded in the accounting log
show accounting log


!Logging RTS-SW-052 ANSSI-R52
!Increase the size of the logging cache, taking care to avoid any notable impact on the switches' performance.

sh run | section logging

!Logging RTS-SW-053 ANSSI-R53
!Enable local storage of logged events. Adapt the log size to the number of events it is considered necessary to conserve locally
!and the amount of drive space available on the equipment.



!Logging RTS-SW-054 ANSSI-R54
!If the function of displaying logging event notifications on the console and/or the terminal is enabled, filter the displayed notifications to reduce the visual clutter caused by minor events. If this feature is not considered useful, disable it to conserve the switch's resources.
!conf t
!no logging console
!no logging monitor
!exit

!Logging RTS-SW-055 ANSSI-R55
!Limit the number of logging event notifications displayed on the switch console so as not to hinder its operation.

! Limited to 2 messages per second on the console
!conf t
!logging rate-limit
!exit


!SNMP RTS-SW-056 ANSSI-R56
!Do not use the SNMP protocol in set mode to administrate switches.
sh run | include snmp


!SNMP RTS-SW-057 ANSSI-R57
!Use SNMP version 3 AuthPriv


!SNMP RTS-SW-058 ANSSI-R58
!Where the trap service exists, recommended practice is to use it in inform mode.


!SNMP RTS-SW-059 ANSSI-R59
!Configuration of the SNMP service must, unless there are highly specific constraints, comply with the cipher recommendations detailed in appendix B of the General Security Rules (RGS).


!Link aggregation RTS-SW-060 ANSSI-R60
sh vpc brief
sh int status

!Management of the TLS/MCS area RTS-SW-061 ANSSI-R61


!Management of the TLS/MCS area RTS-SW-062 ANSSI-R62


!Management of the TLS/MCS area RTS-SW-063 ANSSI-R63


!Management of the TLS/MCS area RTS-SW-064 ANSSI-R64


!Management of the TLS/MCS area RTS-SW-065 ANSSI-R65


!Management of the TLS/MCS area RTS-SW-066 ANSSI-R66


!Management of the TLS/MCS area RTS-SW-067 ANSSI-R67


!Management of the TLS/MCS area RTS-SW-068 ANSSI-R68


!Other functionalities RTS-SW-069 ANSSI-R69


!Other functionalities RTS-SW-070 ANSSI-R70


!System availability RTS-SW-071 ANSSI-R71
!Apply preventive measures against switch unavailability via actions on the memory and processor equipment.

! SNMP alert sent if CPU is overloaded
!snmp-server enable traps cpu threshold
!snmp cpu threshold type total rising <percentage> interval <s>
!snmp host <snmp-server-ip> <user-snmpv3> cpu
! Defines the low threshold for available processor memory; a breach triggers a notification
!memory free low-watermark processor <low memory threshold kB>
! Defines the low threshold for available I/O memory; a breach triggers a notification
!memory free low-watermark io <low memory threshold kB>
! Keeps 1 MB of memory in reserve for sending notifications
!memory reserve critical <1000>

! saves the running configuration (only relevant because the R31 block changes it)
copy run start

sh run

sh ver

sh clock
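The introduction describes the script as producing a report rather than changing the switch. As an added example (not part of the original page), the Python below parses the script's own `!Area RTS-SW-NNN ANSSI-RNN` section format into recommendation records and grades a few of them against captured command output; the NX-OS output wording in RULES and the sample outputs are constructed assumptions, and items without a rule are reported as MANUAL.

```python
import re
# Section headers look like "!Administration RTS-SW-008 ANSSI-R8"
HEADER = re.compile(r"^!(?P<area>.+?) (?P<rts>RTS-SW-\d{3}) (?P<anssi>ANSSI-R\d+)$")

def parse_script(text):
    """Split the audit script into one dict per ANSSI recommendation."""
    items, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER.match(line):
            cur = {**m.groupdict(), "notes": [], "commands": []}
            items.append(cur)
        elif cur and line.startswith("!"):
            cur["notes"].append(line.lstrip("! "))  # description text
        elif cur:
            cur["commands"].append(line)            # show command to run
    return items

# (command, regex meaning NON-compliant) per ANSSI id; the output wording is an
# assumption about NX-OS. Items without a rule are left for a human to read.
RULES = {
    "ANSSI-R8": ("show telnet server", r"telnet service enabled"),
    "ANSSI-R23": ("sh banner motd", r"\S"),  # any text means a banner is set
}

def evaluate(items, outputs):
    """Map each ANSSI id to PASS, FAIL or MANUAL using captured outputs."""
    report = {}
    for it in items:
        if it["anssi"] not in RULES:
            report[it["anssi"]] = "MANUAL"
            continue
        cmd, bad = RULES[it["anssi"]]
        hit = re.search(bad, outputs.get(cmd, ""), re.I)
        report[it["anssi"]] = "FAIL" if hit else "PASS"
    return report

# Constructed sample: three items taken from the script plus made-up outputs.
SCRIPT = """!Administration RTS-SW-001 ANSSI-R1
!Dedicate a physical interface on the switch to its administration
show int mgmt0
!Administration RTS-SW-008 ANSSI-R8
show telnet server
!Administration RTS-SW-023 ANSSI-R23
sh banner motd
"""
OUTPUTS = {"show telnet server": "telnet service enabled", "sh banner motd": ""}
```

Feed the full script and the real `show` outputs (keyed by command) into the same two functions to get a PASS/FAIL/MANUAL line per recommendation.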