86
OL-11615-01
For more information on the set multicast ratelimit command, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/cmd_ref/set_m_pi.htm#wp1119887
Integrated Deployment Guidelines
The tools and techniques described in this document are very valuable for protecting Cisco Catalyst 6500
and 4500 Series switches from direct attacks and the negative effects of accidental misconfiguration.
Even though most of the tools described in this section work independently, they are also complementary
and provide even greater value when deployed in an integrated fashion. This section describes the
interrelations between these tools and provides general guidelines for deploying these tools as an
integrated solution, rather than as isolated elements. This section includes the following topics:
Deploying Basic Device Hardening Tools and Techniques, page 86
Spanning Tree Protocol Security, page 87
Deploying Routing Protocol Security, page 88
Deploying Catalyst Integrated Security, page 89
Catalyst 6500 Hardware Rate Limiters and CoPP, page 90
Deploying Basic Device Hardening Tools and Techniques
The section Basic Tools and Techniques for Device Hardening, page 5, describes a collection of features
and techniques that form an essential toolkit for securing Catalyst 6500 and 4500 Series switches.
Deploying these tools on switches is recommended for most environments.
This toolkit includes features that help prevent indiscriminate consumption of the limited resources on
a device. In addition, Unneeded Services, page 91, and Access Control, page 98, provide techniques for
disabling unneeded services and controlling access to the device. These are essential security services that,
when combined, provide a security baseline.
Disabling unneeded services is always recommended. Routers and switches often run a collection of
services by default, and some services could potentially be used maliciously. Disabling all unneeded
global and interface services greatly reduces the risk of security incidents. In cases where a service is
still needed, it should be selectively deployed. The service might not be needed globally, but only on
specific interfaces.
Directed broadcasts are a good example of a service that, as a general best practice, should never be
globally enabled. However, in certain circumstances, it might be needed. For example, messaging
middleware, such as TIBCO, might rely on directed broadcasts for system communication. Directed
broadcast should not be enabled indiscriminately on all interfaces because this clearly increases the
likelihood of security incidents, such as Smurf attacks; directed broadcasts should be enabled only on
those interfaces that have systems communicating with TIBCO or other essential services requiring
directed broadcasts. In addition, and to properly secure this type of environment, ACLs need to be
deployed on all interfaces to ensure that only expected sources send directed broadcasts to the specific
interfaces enabled to accept them.
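The following audit script is an added example, not part of this Cisco document and not Cisco's own tooling. It parses an IOS-style running configuration and reports every interface on which directed broadcasts are accepted, distinguishing interfaces that filter them with an ACL (the selective deployment described above) from interfaces that accept them from any source, or that reference an ACL the configuration never defines. The configuration text, interface names, addresses, ACL number and UDP port embedded in it are all constructed for the example; they do not describe any real device or middleware deployment.

```python
"""Audit an IOS-style configuration for interfaces that accept directed
broadcasts, and whether an ACL restricts which sources may send them.

Added example; the configuration below is constructed, not a real device's.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample running-config. One interface legitimately accepts
# directed broadcasts from a single middleware host, filtered by ACL 101;
# a second has the feature enabled with no ACL (the misconfiguration the
# text warns against); a third has it explicitly disabled.
# The addresses, ACL number and UDP port are placeholders for the example.
SAMPLE_CONFIG = """\
!
access-list 101 permit udp host 10.1.1.5 host 10.1.2.255 eq 7500
access-list 101 deny ip any any log
!
interface GigabitEthernet1/1
 description Middleware servers (directed broadcast required)
 ip address 10.1.2.1 255.255.255.0
 ip directed-broadcast 101
!
interface GigabitEthernet1/2
 description User access
 ip address 10.1.3.1 255.255.255.0
 ip directed-broadcast
!
interface GigabitEthernet1/3
 description Servers
 ip address 10.1.4.1 255.255.255.0
 no ip directed-broadcast
!
"""

Finding = Tuple[str, str, str]  # (interface, severity, message)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented sub-commands]} from config text."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any top-level line ("!" or a command) ends the block
    return interfaces


def defined_acls(config: str) -> Set[str]:
    """Collect numbered and named ACLs defined at the top level of the config."""
    acls: Set[str] = set()
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) ", line)
        if m:
            acls.add(m.group(1))
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        if m:
            acls.add(m.group(1))
    return acls


def audit_directed_broadcast(config: str) -> List[Finding]:
    """Report each interface that accepts directed broadcasts.

    An interface with no 'ip directed-broadcast' line is treated as disabled,
    which is the IOS default since release 12.0; 'no ip directed-broadcast'
    is likewise silent here because it is the desired state.
    """
    findings: List[Finding] = []
    acls = defined_acls(config)
    for name, cmds in parse_interfaces(config).items():
        for cmd in cmds:
            m = re.match(r"ip directed-broadcast(?:\s+(\S+))?$", cmd)
            if not m:
                continue
            acl = m.group(1)
            if acl is None:
                findings.append((name, "HIGH",
                                 "directed broadcasts accepted from any source (no ACL)"))
            elif acl not in acls:
                findings.append((name, "HIGH",
                                 f"directed broadcasts filtered by ACL {acl}, which is not defined"))
            else:
                findings.append((name, "INFO",
                                 f"directed broadcasts accepted, restricted by ACL {acl}"))
    return findings


if __name__ == "__main__":
    for iface, severity, message in audit_directed_broadcast(SAMPLE_CONFIG):
        print(f"{severity:5} {iface:22} {message}")
```

Run against a saved `show running-config`, the script produces one line per interface that accepts directed broadcasts; only the HIGH findings need attention, since an INFO line is the intended selective deployment with a source-restricting ACL.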
Enforcing appropriate device access is always a recommended practice as well. The following are best
practices that should be followed whenever possible:
Adequate password management
Controlling console and interactive access