Initial configuration (Best Practices) for HPE Comware switches based on My deep personal experience and HPE reference guides, with focus on Security. Only the Best to the Best. Let’s go!
Out of box switch has no configuration but this is not truth. Switch will try to allocate IP address on Management port. With Zero Provisioning technology we can push basic configuration to the switch automatically by connecting Management port to Out of Band Network. In the next articles I will share the exacts steps.
Let’s connect to the new switch with USB to console cable.
Startup/Backup Configuration files
After switch is starting up press CTRL+D or CTRL+C to quit from auto configuration.
Enter to configuration mode with System-view. Configure hostname with sysname command. I recommend to set startup/backup configuration files with the same name as the switch and not the default name: startup.cfg. In case you have centralised backup server, it is nicer to have all backups with different names. Press save followed by file name (don’t forget .cfg extension). Same for the backup configuration file: save backup. With display startup command you can verify startup and backup configuration files.
RSA/DSA keys
1024-bit keys are become crackable between 2006 and 2010 and that 2048-bit keys are sufficient until 2030. The National Institute of Standards (NIST) recommends 2048-bit keys for RSA.
LLDP, STP
LLDP is not enabled by default. There is no way to enable LLDP on specific ports without enabled it globally. Enable LLDP globally and keep it only on switch to switch ports. Enter lldp global enable command. Spanning is also not enabled by default, so let’s enable it with stp global enable command. In addition strongly recommended in modern Networks move to dot1t path cost, enter stp pathcost-standard dot1t. (Be careful, it will recalculate stp cost on all links
VPN Instance (VRF-Lite)
In case that HPE device supports VPN Instance feature, I am strongly recommend to configure VPN Instance on Management interface (completely separate routing table for management). In addition, Static routes, NTP, SNMP, Syslog and TACACS configurations will run with VPN Instance feature.
ip vpn-instance mgmt command will create VPN Instance named mgmt. Then we need to bind management interface (it will delete IP address if you have one).
int M-GigabitEthernet 0/0/0
ip binding vpn-instance mgmt
description HPE-TEST
ip address 10.0.0.1 24
Login banner
To configure the banner that displays when the user logs in to a HPE switch, use the header login command. Use “%” in beginning of the banner and in the end.
header login %
************************************
* Your Banner Here *
************************************
%
Console password
By default there is no password on the console port. To configure the console to require authentication use the following commands:
line aux 0
authentication-mode password
user-role network-admin
set authentication password simple 123456
idle-timeout 5 0
SSH
For SSH connection let’s create local user admin with inbound protocol SSH only:
local-user admin class manage
password simple 123456
service-type ssh
authorization-attribute user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
protocol inbound ssh
idle-timeout 15 0
#
ssh server enable
ssh server authentication-retries 5
ssh server authentication-timeout 30
Hardening
Disable copyright info,USB port and unused services.
usb disable
undo copyright-info enable
In addition, if you have HTTP or Telnet running, please disabled it. HTTPS and DHCP can be also disabled, unless you are using them. Personal, I am using only CLI.
undo ip http enable
undo ip https enable
undo telnet server enable
undo dhcp enable
Version 1 of the SSH protocol has irremediable problems and multiple vulnerabilities. Strongly recommended to disable ssh v1 compatibility:
undo ssh server compatible-ssh1x
Verification can be done with display ssh server status command.
To verify TCP/UDP open ports use display tcp and display udp:
Enable BPDU protection, all access ports configure as edge ports (portfast). All unused ports should be moved to some unused VLAN and must be Shutdown. For example, we have 10 servers connected to first 10 ports:
vlan 666
description Null
name Null
*All unused ports will be configured in VLAN 666.
**Always put name and description after creating VLANs.
int range GigabitEthernet 1/0/1 to GigabitEthernet 1/0/10
stp edged-port
Enable BPDU protection globally:
stp bpdu-protection
—————————————————————————————————————
In the next article I will share Best Practices for Monitoring configurations: NTPv4, Info Center (Syslog), SNMPv3 and TACACs.