Switch configuration overview

The following configuration options should be set in order for the switch to be in a fully hardened configuration:

  • Telnet for CLI and Menu interfaces must be disabled and SSH must be used.

  • Plaintext (unencrypted) web access for management using a standard web browser connection and REST API access must be disabled. If access to the web management interface or REST API is required, use SSL/TLS instead.

  • The built-in TFTP client and server must be disabled, and Secure File Transfer Protocol (SFTP) and Secure Copy Protocol (SCP) should be enabled.

  • SNMP v1 and v2c must be disabled, and SNMP v3 with encryption must be used if remote management via SNMP is to be used.

    • If SNMP v1 or v2c must be used, replace the default community name “public” with a unique community name.

  • Manager and Operator access levels must have a password assigned.

  • Full individual user identification and authentication can only be achieved if the switch is configured so that identification and authentication are handled via a trusted external authentication server (RADIUS or TACACS+).

  • The console inactivity timer must be configured to a nonzero value.

  • The console session lockout must be enabled.

  • There are two recessed buttons on the front-panel of the switch: “password clear” and “factory reset.” Both must be disabled to fully secure the device.

  • The switch includes a USB port to support use of a flash drive for deploying and backing up configurations, troubleshooting, or loading software images. This port must be disabled when not in use and only temporarily enabled when needed.

  • Control Plane Policing (CoPP) must be used, where supported, to prevent denial-of-service attacks against the device CPU by rate-limiting certain types of packets.
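The checklist above is easiest to enforce when it is turned into a repeatable audit rather than a manual walk-through. The script below is an added example (not from this guide or from Aruba) that compares a saved running-config against the hardening items. The config line syntax it looks for (`no telnet-server`, `no web-management plaintext`, `no front-panel-security factory-reset`, `no usb-port`, and so on) is an assumption approximating ArubaOS-Switch output, as is the convention that a setting left at its default does not appear in the running-config; the two config excerpts are constructed samples, not real device exports. Adjust the patterns to match the exact lines your switch firmware emits before relying on the results.

```python
import re
from dataclasses import dataclass

# One hardening item from the checklist. `must_be_present` = True means the
# running-config must contain a line matching `pattern`; False means it must not.
@dataclass(frozen=True)
class Check:
    name: str
    pattern: str
    must_be_present: bool

# Assumed ArubaOS-Switch running-config lines for each checklist item.
# Items that cannot be judged from a config dump (e.g. RADIUS/TACACS+ enforced
# for all users, CoPP rate limits) are deliberately left out.
CHECKS = [
    Check("telnet disabled", r"^no telnet-server$", True),
    Check("ssh enabled", r"^ip ssh$", True),
    Check("plaintext web management disabled", r"^no web-management plaintext$", True),
    Check("tftp server disabled", r"^no tftp server$", True),
    Check("tftp client disabled", r"^no tftp client$", True),
    Check("default snmp community 'public' removed", r'^snmp-server community "public"', False),
    Check("console inactivity timer nonzero", r"^console inactivity-timer [1-9]\d*$", True),
    Check("password-clear button disabled", r"^no front-panel-security password-clear$", True),
    Check("factory-reset button disabled", r"^no front-panel-security factory-reset$", True),
    Check("usb port disabled", r"^no usb-port$", True),
]

def audit(config_text: str) -> list[str]:
    """Return the names of checklist items the given running-config fails, in checklist order."""
    lines = [line.strip() for line in config_text.splitlines()]
    findings = []
    for check in CHECKS:
        found = any(re.match(check.pattern, line) for line in lines)
        if found != check.must_be_present:
            findings.append(check.name)
    return findings

# Constructed sample: partially hardened switch (not a real device export).
PARTIAL_CONFIG = """
; constructed running-config excerpt
hostname "edge-sw-01"
no telnet-server
ip ssh
no web-management plaintext
web-management ssl
no tftp server
snmp-server community "public" operator unrestricted
console inactivity-timer 0
no front-panel-security password-clear
"""

# Constructed sample: switch with every audited item set (not a real device export).
HARDENED_CONFIG = """
; constructed running-config excerpt
hostname "edge-sw-02"
no telnet-server
ip ssh
no web-management plaintext
web-management ssl
no tftp server
no tftp client
ip ssh filetransfer
snmpv3 enable
console inactivity-timer 10
console lockout
no front-panel-security password-clear
no front-panel-security factory-reset
no usb-port
"""

if __name__ == "__main__":
    for label, cfg in (("edge-sw-01", PARTIAL_CONFIG), ("edge-sw-02", HARDENED_CONFIG)):
        failed = audit(cfg)
        status = "PASS" if not failed else "FAIL"
        print(f"{label}: {status}")
        for item in failed:
            print(f"  - {item}")
```

Run it against a config exported from the switch (e.g. the output of `show running-config` saved to a file) by reading the file into `audit()`. The script only reports items that are visible in the config text; whether CoPP is actually enforcing limits and whether every account really goes through RADIUS or TACACS+ still need to be verified on the device itself.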

CAUTION:

ArubaOS-Switch provides a password-recovery feature that is enabled by default. Aruba strongly recommends that you not disable password-recovery, as doing so requires that factory-reset be enabled, and locks out the ability to recover a lost manager username (if configured) and password on the switch. In this event, the only way to recover from a lost manager username/password situation is to reset the switch to its factory default configuration. This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured. In addition, with factory-reset enabled, unauthorized users can use the Reset + Clear front panel button combination to reset the switch to factory default configuration and gain management access to the switch.