Huawei Switch Hardening Guide
[Switch] undo http server enable            # No web GUI
[Switch] undo http secure-server enable     # No HTTPS web GUI either, if nobody needs it
[Switch] undo snmp-agent                    # Unless strictly needed (then SNMPv3 only)
[Switch] l2protocol-tunnel disable          # For untrusted ports
[Switch] ntp-service disable                # Re-enable only for authenticated NTP
Authentication mode: Use local or remote (RADIUS/HWTACACS) AAA authentication on the VTY lines rather than simple password-only access.
Telnet and HTTP transmit credentials and data in plaintext. Always use SSH and HTTPS instead.
VTY access control: Restrict VTY (Virtual Type Terminal) access to specific trusted IP addresses or management VLANs with an inbound ACL on the VTY lines.
[Switch] cpu-defend policy HardeningPolicy
[Switch-cpu-defend-policy-HardeningPolicy] packet-type arp-reply rate-limit 64
[Switch-cpu-defend-policy-HardeningPolicy] packet-type icmp rate-limit 32
[Switch-cpu-defend-policy-HardeningPolicy] packet-type snmp rate-limit 16
[Switch-cpu-defend-policy-HardeningPolicy] apply global
Tune the rate-limit values to your measured traffic baseline: limits that are too low drop legitimate ARP replies and ICMP and show up as intermittent reachability problems.
Idle timeout: Automatically disconnect inactive sessions.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] idle-timeout 5 0      # 5 minutes, 0 seconds
Do not set idle-timeout 0 0: that value disables the timer entirely.

2. Management Plane Protection
Limit who can reach the switch's management interfaces.
Logging: Log login failures and configuration changes in particular, and forward logs to a remote syslog host so that an attacker with device access cannot simply erase them.
Move away from simple password authentication. Implement AAA to control who can log in (authentication), what they can do (authorization), and to record what they did (accounting).
Every enabled service is a potential attack vector; disable anything that is not strictly needed.
Dynamic ARP Inspection (DAI): Mitigate ARP spoofing/man-in-the-middle attacks by validating ARP packets against the DHCP snooping binding table. DAI depends on DHCP snooping being enabled; hosts with static addresses need static binding entries, or their ARP traffic will be dropped.
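As an added example, not part of this guide or of any Huawei tooling, the following Python script audits a saved `display current-configuration` against the controls discussed above: plaintext management services, VTY source restriction, SSH-only access, AAA authentication, idle timeout, off-box logging, DHCP snooping and DAI. Both embedded configs are constructed for the demo. Command strings the guide does not itself show (`stelnet server enable`, `undo telnet server enable`, `protocol inbound ssh`, `acl N inbound`, `info-center loghost`, `arp anti-attack check user-bind enable`) are assumptions to be confirmed against your platform's command reference, since VRP syntax differs between product lines and releases. The idle-timeout check treats `idle-timeout 0 0` as a failure because that setting disables the timer.

```python
"""Audit a Huawei VRP running-config against the hardening items in this guide.
Added example, not the guide's or Huawei's code: it parses `display current-configuration`
text ('#' lines separate sections, child commands are indented) and lists missing
controls. Commands the guide does not show (stelnet/telnet server, info-center loghost,
arp anti-attack check user-bind) are assumptions; confirm them against your command reference.
"""
import re
from typing import Dict, List

# Top-level commands that must appear verbatim, with the finding raised if absent.
REQUIRED = {
    "undo telnet server enable": "telnet server not explicitly disabled (use SSH only)",
    "stelnet server enable": "SSH (stelnet) server not enabled",
    "undo http server enable": "HTTP web GUI not explicitly disabled",
    "dhcp snooping enable": "dhcp snooping not enabled, so DAI has no binding table",
}

def parse_vrp_config(text: str) -> Dict[str, List[str]]:
    """Map each column-0 command to the list of its indented child commands."""
    sections: Dict[str, List[str]] = {}
    header = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "#":   # blank line or section separator
            header = None
        elif line.startswith(" "):            # child of the current section
            if header is not None:
                sections[header].append(line.strip())
        else:                                  # new top-level command or section
            header = line.strip()
            sections.setdefault(header, [])
    return sections

def check_idle_timeout(header: str, kids: List[str], max_seconds: int = 300) -> List[str]:
    """'idle-timeout M [S]' must exist and be 1..max_seconds; '0 0' disables the timer."""
    for k in kids:
        if m := re.match(r"idle-timeout (\d+)(?: (\d+))?$", k):
            seconds = int(m.group(1)) * 60 + int(m.group(2) or 0)
            if seconds == 0:
                return [f"{header}: idle-timeout 0 0 disables the timer"]
            if seconds > max_seconds:
                return [f"{header}: idle-timeout {seconds}s exceeds {max_seconds}s"]
            return []
    return [f"{header}: no idle-timeout configured"]

def audit(sections: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings = [msg for cmd, msg in REQUIRED.items() if cmd not in sections]
    if not any(h.startswith("info-center loghost ") for h in sections):
        findings.append("no info-center loghost: logs stay on the device")
    if any(h.startswith("snmp-agent community") for h in sections):
        findings.append("SNMP v1/v2c community configured; use SNMPv3 or undo snmp-agent")
    # Each VTY line needs an inbound ACL, SSH-only transport, AAA and a working idle timeout.
    for h in [x for x in sections if x.startswith("user-interface vty")]:
        kids = sections[h]
        if not any(re.match(r"acl \d+ inbound$", k) for k in kids):
            findings.append(f"{h}: no inbound ACL restricting management sources")
        if "protocol inbound ssh" not in kids:
            findings.append(f"{h}: inbound protocol not limited to SSH")
        if "authentication-mode aaa" not in kids:
            findings.append(f"{h}: authentication-mode is not aaa")
        findings += check_idle_timeout(h, kids)
    if not any(k.startswith("authentication-mode ") for k in sections.get("aaa", [])):
        findings.append("aaa: no authentication-scheme with an authentication-mode")
    if "dhcp snooping enable" in sections and not any(
            "arp anti-attack check user-bind enable" in kids
            for h, kids in sections.items() if h.startswith("interface ")):
        findings.append("DAI (arp anti-attack check user-bind) enabled on no interface")
    return findings

# Constructed sample: defaults left in place plus a v2c community string.
WEAK_CONFIG = """\
snmp-agent community read cipher Public123
#
user-interface vty 0 4
 authentication-mode password
 idle-timeout 0 0
"""

# Constructed sample: the same switch after applying this guide ('#' separators omitted).
HARDENED_CONFIG = """\
info-center loghost 10.0.0.5
undo http server enable
undo telnet server enable
stelnet server enable
dhcp snooping enable
acl number 2000
 rule 5 permit source 10.0.0.0 0.0.0.255
aaa
 authentication-scheme default
  authentication-mode hwtacacs local
interface GigabitEthernet0/0/1
 arp anti-attack check user-bind enable
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 protocol inbound ssh
 idle-timeout 5 0
"""
```

Run `audit(parse_vrp_config(open("switch.cfg").read()))` on a real export; the weak sample produces eleven findings and the hardened sample none. The checks are deliberately conservative: they require the explicit `undo` line rather than trusting a platform default, so a device that happens to ship with a service off still gets flagged until the configuration says so.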
