Initial HPE Comware Switch Configuration

Initial configuration (best practices) for HPE Comware switches, based on my own hands-on experience and the HPE reference guides, with a focus on security. Only the best to the best. Let’s go!

An out-of-the-box switch appears to have no configuration, but that is not entirely true: the switch will try to obtain an IP address on its management port. With Zero Provisioning we can push a basic configuration to the switch automatically by connecting the management port to the out-of-band network. In the next articles I will share the exact steps.

Let’s connect to the new switch with a USB-to-console cable.

Startup/Backup Configuration files

Once the switch has started up, press CTRL+D or CTRL+C to quit the automatic configuration.

Enter configuration mode with system-view. Configure the hostname with the sysname command. I recommend naming the startup and backup configuration files after the switch rather than keeping the default name, startup.cfg: if you have a centralised backup server, it is nicer to have every backup under a different name. Run save followed by the file name (don’t forget the .cfg extension), and likewise save backup for the backup configuration file. The display startup command shows which startup and backup configuration files are set.

RSA/DSA keys

1024-bit keys became crackable between 2006 and 2010, and 2048-bit keys are sufficient until 2030. The National Institute of Standards and Technology (NIST) recommends 2048-bit keys for RSA.

LLDP, STP

LLDP is not enabled by default, and there is no way to enable it on specific ports without first enabling it globally. Enable LLDP globally with the lldp global enable command and keep it only on switch-to-switch ports. Spanning tree is also not enabled by default, so enable it with the stp global enable command. In addition, in modern networks it is strongly recommended to move to the dot1t path-cost standard: enter stp pathcost-standard dot1t. (Be careful: this recalculates the STP cost on all links.)

VPN Instance (VRF-Lite)

If the HPE device supports the VPN instance feature, I strongly recommend configuring a VPN instance on the management interface (a completely separate routing table for management). Static routes, NTP, SNMP, syslog and TACACS will then be configured inside that VPN instance.

The ip vpn-instance mgmt command creates a VPN instance named mgmt. Then we bind the management interface to it (binding removes the interface’s IP address if it already has one).

int M-GigabitEthernet 0/0/0
 ip binding vpn-instance mgmt
 description HPE-TEST
 ip address 10.0.0.1 24

Login banner

To configure the banner displayed when a user logs in to an HPE switch, use the header login command. Delimit the banner with “%” at the beginning and at the end.

header login %
************************************
*  Your Banner Here      *
************************************
%

Console password

By default there is no password on the console port. To require authentication on the console, use the following commands:

line aux 0
 authentication-mode password
 user-role network-admin
 set authentication password simple 123456
 idle-timeout 5 0

SSH

For SSH access, let’s create a local user admin whose inbound protocol is SSH only:

local-user admin class manage
 password simple 123456
 service-type ssh
 authorization-attribute user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
 protocol inbound ssh
 idle-timeout 15 0
#
ssh server enable
ssh server authentication-retries 5
ssh server authentication-timeout 30

Hardening

Disable the copyright info, the USB port and unused services.

usb disable
undo copyright-info enable

In addition, if HTTP or Telnet is running, disable it. HTTPS and DHCP can also be disabled unless you are using them. Personally, I use only the CLI.

undo ip http enable
undo ip https enable
undo telnet server enable
undo dhcp enable

Version 1 of the SSH protocol has irremediable design problems and multiple vulnerabilities, so it is strongly recommended to disable SSHv1 compatibility:

undo ssh server compatible-ssh1x

Verify the result with the display ssh server status command.

To check which TCP/UDP ports are open, use display tcp and display udp.
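The hardening items above are easy to forget on one switch out of fifty, so it helps to audit saved configuration backups rather than trusting memory. The following script is an added example and is not part of the original article or of any HPE tool: it reads a Comware configuration text, checks for the exact command lines recommended in this post (Telnet, HTTP/HTTPS, SSHv1 compatibility, USB, STP/BPDU protection, banner, and per-line authentication, idle timeout and SSH-only inbound protocol) and reports findings by severity. The sample configuration embedded in it is constructed for the example, and the severity labels are my own choice.

```python
"""Audit a Comware configuration backup against the hardening checklist.

Added example: the checks mirror the commands recommended in the article;
the configuration text below is constructed, not taken from a real switch.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample: a switch whose hardening is only half done.
SAMPLE_CONFIG = """\
#
 sysname HPE-TEST
#
 lldp global enable
 stp global enable
 stp pathcost-standard dot1t
#
header login %
*  Your Banner Here  *
%
#
line aux 0
 authentication-mode password
 user-role network-admin
 idle-timeout 5 0
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
 protocol inbound ssh
#
 ssh server enable
 ssh server compatible-ssh1x
 telnet server enable
 ip http enable
 usb disable
#
"""

Finding = Tuple[str, str]  # (severity, message)

# Unindented lines that open a view whose indented body we want to inspect.
VIEW_PREFIXES = ("line ", "interface ", "local-user ", "vlan ")


def _has_line(cfg: str, line: str) -> bool:
    """True if `line` appears as a whole config line, whatever its indentation.
    An 'undo ...' form of the same command does not match, by design."""
    return re.search(r"^\s*" + re.escape(line) + r"\s*$", cfg, re.M) is not None


def parse_sections(cfg: str) -> Dict[str, List[str]]:
    """Group indented lines under the view line that opens them, e.g.
    'line vty 0 63' -> ['authentication-mode scheme', ...].
    '#' lines end a section, as in Comware display output."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in cfg.splitlines():
        if raw.strip() == "#":
            current = None
        elif raw and not raw[0].isspace():
            current = raw.strip() if raw.startswith(VIEW_PREFIXES) else None
            if current is not None:
                sections.setdefault(current, [])
        elif current is not None and raw.strip():
            sections[current].append(raw.strip())
    return sections


# Global checks: (severity, message, predicate that is True when the finding applies).
GLOBAL_CHECKS: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("high", "Telnet server enabled; expected 'undo telnet server enable'",
     lambda c: _has_line(c, "telnet server enable")),
    ("high", "SSHv1 compatibility enabled; expected 'undo ssh server compatible-ssh1x'",
     lambda c: _has_line(c, "ssh server compatible-ssh1x")),
    ("medium", "HTTP management enabled; expected 'undo ip http enable'",
     lambda c: _has_line(c, "ip http enable")),
    ("medium", "HTTPS management enabled; expected 'undo ip https enable'",
     lambda c: _has_line(c, "ip https enable")),
    ("medium", "USB port not disabled; expected 'usb disable'",
     lambda c: not _has_line(c, "usb disable")),
    ("medium", "SSH server not enabled; expected 'ssh server enable'",
     lambda c: not _has_line(c, "ssh server enable")),
    ("medium", "STP not enabled; expected 'stp global enable'",
     lambda c: not _has_line(c, "stp global enable")),
    ("medium", "BPDU protection missing; expected 'stp bpdu-protection'",
     lambda c: not _has_line(c, "stp bpdu-protection")),
    ("low", "No login banner; expected 'header login %...%'",
     lambda c: re.search(r"^header login %", c, re.M) is None),
]


def audit(cfg: str) -> List[Finding]:
    """Return the list of (severity, message) findings for one configuration."""
    findings: List[Finding] = [(sev, msg) for sev, msg, bad in GLOBAL_CHECKS if bad(cfg)]
    for view, body in parse_sections(cfg).items():
        if not view.startswith("line "):
            continue
        if not any(b.startswith("authentication-mode") for b in body):
            findings.append(("high", f"{view}: no authentication-mode configured"))
        if not any(b.startswith("idle-timeout") for b in body):
            findings.append(("low", f"{view}: no idle-timeout configured"))
        if view.startswith("line vty") and "protocol inbound ssh" not in body:
            findings.append(("high", f"{view}: inbound protocol not restricted to SSH"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity:6}] {message}")
```

Run it against the output of display current-configuration saved from each switch; a clean configuration returns an empty list, and anything reported is a line from this article that is still missing.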

Enable BPDU protection and configure all access ports as edge ports (the equivalent of PortFast). All unused ports should be moved to an unused VLAN and must be shut down. For example, we have 10 servers connected to the first 10 ports:

vlan 666
 description Null
 name Null

*All unused ports will be configured in VLAN 666.

**Always set a name and description right after creating a VLAN.

int range GigabitEthernet 1/0/1 to GigabitEthernet 1/0/10
 stp edged-port

Enable BPDU protection globally:

stp bpdu-protection
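On a 24- or 48-port switch, working out which ports are unused and typing the lockdown by hand is where mistakes creep in. The following generator is an added example, not part of the original article: given the total port count and the ports that are in use, it emits the Null VLAN, an edge-port range for the used ports, and for every contiguous run of unused ports an interface range that is described, moved to VLAN 666 and shut down, followed by the global BPDU protection line. The interface naming follows this article; the port link-type access and port access vlan commands are standard Comware commands assumed here, and the port list is constructed for the example.

```python
"""Generate Comware lockdown configuration for unused access ports.

Added example: produces the VLAN 666 / edge-port / shutdown configuration
recommended in the article from a list of in-use port numbers.
"""
from typing import Iterable, List, Tuple


def contiguous_ranges(nums: Iterable[int]) -> List[Tuple[int, int]]:
    """Collapse sorted port numbers into (low, high) runs: [11,12,13,16] -> [(11,13),(16,16)]."""
    ranges: List[Tuple[int, int]] = []
    for n in sorted(set(nums)):
        if ranges and n == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], n)
        else:
            ranges.append((n, n))
    return ranges


def range_line(lo: int, hi: int, prefix: str) -> str:
    """Interface or interface-range line in the article's naming style."""
    if lo == hi:
        return f"interface {prefix}{lo}"
    return f"interface range {prefix}{lo} to {prefix}{hi}"


def build_lockdown_config(total_ports: int, used_ports: Iterable[int],
                          null_vlan: int = 666,
                          prefix: str = "GigabitEthernet 1/0/") -> str:
    """Return the configuration text for one switch.

    used_ports are access ports with hosts attached (made edge ports so BPDU
    protection can act on them); every other port is parked in null_vlan
    and shut down.
    """
    used = set(used_ports)
    bad = [p for p in used if p < 1 or p > total_ports]
    if bad:
        raise ValueError(f"port numbers outside 1..{total_ports}: {sorted(bad)}")
    unused = [n for n in range(1, total_ports + 1) if n not in used]

    lines: List[str] = [f"vlan {null_vlan}", " description Null", " name Null", "#"]
    # In-use access ports: edge ports, as in the article's 10-server example.
    for lo, hi in contiguous_ranges(used):
        lines += [range_line(lo, hi, prefix), " stp edged-port", "#"]
    # Unused ports: label, move to the Null VLAN and shut down.
    for lo, hi in contiguous_ranges(unused):
        lines += [range_line(lo, hi, prefix),
                  " description UNUSED - do not patch",
                  " port link-type access",
                  f" port access vlan {null_vlan}",
                  " shutdown",
                  "#"]
    lines.append(" stp bpdu-protection")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed example: 24-port switch, servers on ports 1-10.
    print(build_lockdown_config(24, range(1, 11)))
```

When a server later moves to a parked port, only that port needs undo shutdown and the correct VLAN; everything else stays locked down, and the audit script from the hardening section can confirm stp bpdu-protection is still present.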

—————————————————————————————————————

In the next article I will share best practices for monitoring configuration: NTPv4, Info Center (syslog), SNMPv3 and TACACS.