Show Menu

HPE Switch (Aruba/Procurve) Hardening Cheat Sheet by

A Short guide to locking down a fresh switch


password all

Enable SSH

configure terminal
crypto key generate ssh
ip ssh
no telnet

Time Servers

sntp server x.x.x.x
altern­ati­vely: sntp server priority 1 x.x.x.x
sntp unicast
sntp 720
timesync sntp
Logging and other services depend on accurate timest­amping, Procurve can use standard NTP sources and Windows DCs


ip ssh filetr­ansfer
enable sftp & scp
no tftp server
no tftp client

Management VLAN

manage­men­t-vlan x
can be either VLAN number or name
ip author­ize­d-m­anager x.x.x.x mask x.x.x.x operat­or/­manager
Locks down the Management functions of the switch, allowing access from the nominated VLAN only, it also Disables routing to the management VLAN


logging x.x.x.x

Enable SSL

crypto key generate certif­icate 1024
Generates RSA cert
crypto host generate self-s­igned
fill in the requested details to generate your certif­icate
web-m ssl
enables https
no web-m pla
disables plaintext


banner motd #
WARNING!!! This system is solely for the use of authorized users for official purposes. You have no expect­ation of privacy in its use and to ensure that the system is functi­oning properly, indivi­duals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to approp­riate officials. #

Stack Management

no stack
Removes the remote possib­ility that someone will bring another Procurve into your office and take command of your device.


snmpv3 enable
snmpv3 user USERNAME auth md5 AUTHPA­SSWORD priv des PRIVPA­SSWORD
snmpv3 group operat­orauth user USERNAME sec-model ver3
no snmpv3 user initial
snmpv3 only
disables snmp v1 & 2c


radius­-server host x.x.x.x key Super$­ecr­etR­adi­usK3y
aaa authen­tic­ation X login radius local
X can be console, telnet, ssh or web
aaa authen­tic­ation X enable radius local
aaa authen­tic­ation num-at­tempts N
aaa authen­tic­ation login privil­ege­-mode
optional to allow operator or manager access as per RADIUS response
Options configure switch to contact RADIUS for logon to switch console or webint­erface, and optionally via enable to use L15/Ma­nager commands.
If no RADIUS server is contac­table, switch will fall back to using local authen­tic­ation table

Physical Security

no front-­pan­el-­sec­urity passwo­rd-­clear
no front-­pan­el-­sec­urity factor­y-reset
Somewhat dangerous commands if you forget the local password


No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.