Tuesday, 13 November 2018

Security Hardening Avaya Switch Step-by-Step


Setting up a login banner:

Avaya_ERS5530(config)# banner custom
Avaya_ERS5530(config)# banner 1 "Welcome to ITINFRATECH Network"


System user name and password using ACLI:


Avaya_ERS5530(config)# username superadmin rw
Enter password: ********* 
Confirm password: ********* 

To delete a user, overwrite the account with its default value.


Configure the login prompt:


Only two user accounts (RO and RW level) can be created for the switch and two for the stack.

Avaya_ERS5530(config)# cli password telnet local (using local user account)
Avaya_ERS5530(config)# cli password telnet radius (using radius)
Avaya_ERS5530(config)# cli password telnet tacacs (using tacacs)
Avaya_ERS5530(config)# cli password telnet none (disable)
Avaya_ERS5530(config)# cli password stack telnet local
Avaya_ERS5530(config)# cli password stack telnet radius
Avaya_ERS5530(config)# cli password stack telnet tacacs
Avaya_ERS5530(config)# cli password stack telnet none

* Don't forget the fallback command when you set up RADIUS or TACACS authentication; without it you can be locked out while the server is unreachable.


Configure the password for selected access or a specific authentication type by using the following commands:

Avaya_ERS5530(config)#cli password [serial | telnet] [local | none | radius | tacacs]
Avaya_ERS5530(config)#cli password {read-only | read-write} [<password>]


Enabling or disabling password security using ACLI:


Avaya_ERS5530(config)#password security
Avaya_ERS5530(config)#no password security


Setting the password aging time (in days) using ACLI:


Avaya_ERS5530(config)#password aging-time day <1-2730>


Setting the HTTP port number using ACLI:


Avaya_ERS5530(config)#http-port <1024-65535>


To enable Telnet remote access (Telnet carries credentials in cleartext, so prefer SSH, below, wherever it is available):


Avaya_ERS5530(config)#telnet-access enable


To enable SSH remote access:


Avaya_ERS5530(config)# ssh


To enable SNMP remote access:


Avaya_ERS5530(config)#snmp-server enable
Avaya_ERS5530(config)#snmp-server community ro
Avaya_ERS5530(config)#snmp-server community rw

Configure an SNMP host to add a trap receiver to the trap-receiver table:
Avaya_ERS5530(config)#snmp-server host <host-ip> <community-string>


Set the system name:

Avaya_ERS5530(config)#snmp-server name "<text>"


To enable web page remote access:

Avaya_ERS5530(config)#web-server enable


Configuring Simple Network Time Protocol:

Avaya_ERS5530(config)#sntp enable
Avaya_ERS5530(config)#sntp server primary address 10.100.10.15
Avaya_ERS5530(config)#sntp sync-interval 1
Avaya_ERS5530(config)#clock set 10:38:16 25 March 2011
Avaya_ERS5530(config)#clock time-zone UTC 5 30


Avaya PoE power on/off per port:

Avaya_ERS5530(config)#interface ethernet 8
Avaya_ERS5530(config-if)#poe poe-shutdown
Avaya_ERS5530(config)#interface ethernet 8
Avaya_ERS5530(config-if)#no poe poe-shutdown


To delete a VLAN:

Avaya_ERS5530(config)#vlan delete <2-4094>



To enable port mirroring:


Avaya_ERS5530(config)#port-mirroring 2 mode Xrx monitor-port 10 mirror-port-X 12
Avaya_ERS5530(config)#show port-mirroring (to view)
Avaya_ERS5530(config)#no port-mirroring (to disable)



Enable Syslog:


Avaya_ERS5530(config)# logging remote address 10.0.0.10
Avaya_ERS5530(config)# logging remote level informational
Avaya_ERS5530(config)# logging remote enable


Enable RADIUS telnet authentication:


Avaya_ERS5530(config)# radius reachability use-icmp ; use ICMP to check that the RADIUS server is reachable
Avaya_ERS5530(config)# radius reachability use-radius ; send regular RADIUS requests to check reachability
Avaya_ERS5530(config)# radius-server host 10.0.0.11 key 123456789
Avaya_ERS5530(config)# radius accounting enable
Avaya_ERS5530(config)# cli password telnet radius


If the switch is used in a stack, enter the following:
Avaya_ERS5530(config)# cli password stack telnet radius
Avaya_ERS5530(config)# radius-server password fallback ; if RADIUS is not available, fall back to the local user/password
Avaya_ERS5530(config)# radius use-management-ip


To create an L3 VLAN:

Avaya_ERS5530(config)#interface vlan 3
Avaya_ERS5530(config-if)#ip address 10.0.0.9 netmask 255.255.255.0
Avaya_ERS5530(config-if)#exit
Avaya_ERS5530(config)#ip routing


Port security:

Avaya_ERS5530(config)#mac-security enable (globally enable MAC security)
Avaya_ERS5530(config)#mac-security mac-address-table address xx:xx:xx:xx:xx:xx port 10 (allowed MAC address on port 10)
Avaya_ERS5530(config)#interface ethernet 10
Avaya_ERS5530(config-if)#mac-security enable


Basic CLI show command list:


show vlan
show audit log telnet
show ip route
show ipmgr
show running-config
show license all
show cli password
show cli password type
show tacacs
show radius-server
show ssh session
show ssh global
show snmp-server
show snmp-server view
show mac-security mac-address-table
show interfaces
show interfaces names



Change VLAN assignment:



Avaya_ERS5530>enable
Avaya_ERS5530# conf t
Avaya_ERS5530(config)# vlan members remove 1 1/23
Avaya_ERS5530(config)# vlan members add 10 1/24
Avaya_ERS5530(config)# vlan ports 1/24 pvid 10


Save configuration:


Avaya_ERS5530# copy config nvram (or: wr me)
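As an added example (not part of the original post), a small Python audit that reads the text of `show running-config` and checks it against the hardening steps above. The sample config, the check list and the line formats the regexes expect are all constructed here, so adjust the patterns to what your firmware actually prints.

```python
import re

# Constructed sample of "show running-config" output (not from the post); the
# values are invented and chosen so that exactly two hardening checks fail.
SAMPLE_CONFIG = """\
! Embedded ASCII Configuration Generator Script
snmp-server name "CORE-ERS5530"
password security
password aging-time day 90
telnet-access enable
ssh
snmp-server enable
snmp-server community public ro
sntp enable
sntp server primary address 10.100.10.15
logging remote address 10.0.0.10
logging remote enable
radius-server host 10.0.0.11 key ********
radius-server password fallback
cli password telnet radius
mac-security enable
"""

# (check name, regex matched against each config line, whether a match is wanted)
CHECKS = [
    ("password security enabled", r"^password security$", True),
    ("password aging configured", r"^password aging-time day \d+$", True),
    ("ssh enabled", r"^ssh$", True),
    ("telnet disabled", r"^telnet-access enable$", False),
    ("remote syslog enabled", r"^logging remote enable$", True),
    ("syslog destination set", r"^logging remote address \S+$", True),
    ("sntp enabled", r"^sntp enable$", True),
    ("radius telnet auth", r"^cli password (stack )?telnet radius$", True),
    ("radius fallback set", r"^radius-server password fallback$", True),
    ("mac-security enabled", r"^mac-security enable$", True),
    ("default snmp community", r"^snmp-server community (public|private) r[ow]$", False),
]

def audit(config_text):
    """Map each check name to True (pass) or False (fail) for one config dump."""
    lines = [l.strip() for l in config_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]  # drop blanks/comments
    return {name: any(re.match(pat, l) for l in lines) == wanted
            for name, pat, wanted in CHECKS}

def failures(config_text):
    """Sorted names of the checks that fail, i.e. the remaining hardening work."""
    return sorted(name for name, ok in audit(config_text).items() if not ok)
```

Running `failures(SAMPLE_CONFIG)` on the constructed dump reports the enabled Telnet service and the default SNMP community, which are exactly the two items the steps above would have you change.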

 

 





Fahim Raza (Author)
