1. Management Plane
1.0 AAA security
1.7 Setup SSH and configure Prerequisites for the SSH Service
1.7.1 Set the 'hostname'
1.7.2 Set the 'ip domain name'
1.7.3 Set a value (in secs) for 'ip ssh timeout'
1.7.4 Set a maximum value for 'ip ssh authentication-retries'
1.7.5 Set version 2 for 'ip ssh version'
2.2 - Limit Data Plane types of traffic which require special CPU processing and process switching by CPU
Although not exhaustive, this list includes types of data plane traffic that require special CPU processing and are process switched by the CPU:
ACL Logging - ACL logging traffic consists of any packets that are generated due to a match (permit or deny) of an ACE on which the log keyword is used.
Unicast RPF - Unicast RPF used in conjunction with an ACL might result in the process switching of certain packets.
IP Options - Any IP packets with options included must be processed by the CPU.
Fragmentation - Any IP packet that requires fragmentation must be passed to the CPU for processing.
Time-to-Live (TTL) Expiry - Packets that have a TTL value less than or equal to 1 require Internet Control Message Protocol Time Exceeded (ICMP Type 11, Code 0) messages to be sent, which results in CPU processing.
ICMP Unreachables - Packets that result in ICMP unreachable messages due to routing, MTU or filtering are processed by the CPU.
Traffic Requiring an ARP Request - Destinations for which an ARP entry does not exist require processing by the CPU.
Non-IP Traffic - All non-IP traffic is processed by the CPU.
2.3.1 Set Protected Ports (PVLAN edge) on all user access switches
2.3.2 Configure PVLANs (to isolate traffic between 2 protected ports located on different switches)
3. Control Plane
3.0 General Control Plane Hardening
3.0.1 Disable IP redirects on edge routers/gateways
3.0.2 Disable or rate-limit the sending of ICMP Unreachables
3.0.3 Disable Proxy ARP