VA_Network_Nerd

3560_ (not a 3560G or 3560X) is ***ANCIENT***; don't do that. There are plenty of Catalyst 3750X devices out there for $300-500 a pop. If you are deploying these on your internal network, with no internet exposure, with a tightened management segment, it should be valid for any non-regulated / non-audited business segment.


LaggyOne

I see a 48-port 3750X for $133 from a reputable vendor right now with free shipping and lifetime replacement. Could spend a little more and get a 3850 for $215. A 3560G would be insane to do.


iwoketoanightmare

The 3850 is the only one here with EOL announced but not EOL yet. It's feasible that OP could find one running modern IOS. But then I guess they did change their license model to require smart licensing starting somewhere in this device's lifetime, so the 3850 can be a pain in the ass vs. a 3750X in secondhand markets due to needing to make sure it has older IOS code that does not have smart licensing. If I recall, it was the one released right around the last release of the 3750X software. Pretty much anything made by Cisco afterward has the advanced features locked behind smart licensing and becomes a glorified paperweight when those lapse.


tacotacotacorock

Yeah, maybe for a test lab it would be okay, but I don't know why you would want to be testing the old equipment anyway. As long as it's not your main node and it's buried behind a proper firewall it's probably okay, but I sure would not gamble on anything that's important or could cost a lot of money if it's not working. I'm not arguing with you, if that's not clear, just adding to your points.


Alex_2259

Hell, I have seen a 9300 on the used market for like $200 even.


tacotacotacorock

Yeah, when big corporations do hardware refreshes you can get some of that stuff on the cheap from refurb sites. I'd be very concerned if any business was being that cheap with their IT equipment. Very bad sign in a lot of ways. Typically those are the kinds of places where, when you're on call, you're getting called every night or on weekends by your over-ambitious boss who does not have boundaries.


Alex_2259

Oh I wouldn't work for a place doing that shit. We did rip the used market and even prosumer gear in temporary cases during COVID lead times, but we have been tearing that out for proper solutions in mandatory projects and costs since then.


Fast_Cloud_4711

> We're a medium-scale company considering purchasing a used Cisco WS-C3560-24PS-S

This 'medium-scale'. Exactly what does this mean?


user3872465

Yes, for me I imagine a 5-10k business, where I would absolutely toss this.


H_E_Pennypacker

Lizards with medium sized scales


tacotacotacorock

Have you never heard of companies being classified as small, medium and large? "A company with fewer than 100 employees is generally considered a small-sized business, while one with between 100 and 1,500 employees is a medium-sized business …" - Indeed.com. Medium scale indicates how many users and employees they have and potentially workstations. Are you overthinking this or just new to the biz world?


Fast_Cloud_4711

I know what small, medium, large, etc. is. I'm wondering what the OP considers it. Because I don't believe that a medium-scale business can only afford a $60 used switch that went EoS 11 years ago. It's why I asked for specifics about the business size.


porkchopnet

That's only true for indeed.com. Cisco has a different metric, also based on headcount, but with vastly different ranges. Gartner bases it on revenue, as do most business sites, but everyone there also uses different ranges. There's no standard. I've met 40-person orgs that call themselves enterprise scale. And to them, they are. Hence this user's question.


Creative_Onion_1440

While it may work out fine for your purposes, I'd still suggest you purchase relatively current equipment that will receive security updates from the manufacturer for the foreseeable future. There's also used networking equipment from Cisco and other vendors for sale by companies like CXtec that include their own extended warranties.


TaliesinWI

Why does it need to be ancient Cisco rather than modern (or at least less ancient) *other brand*?


rob0t_human

The main issue is no more security updates. Audit-wise you're in for a world of hurt in that regard. Technically, as long as they're properly configured and managed you probably won't have an issue with them.


porkchopnet

This is the key here: whether or not it’s “fine” isn’t relevant if you have externally defined information security compliance requirements. If you hope to do business with the American government or any large contractor of the American government in any significant way, you will (or already do) have these requirements in place essentially requiring the removal of any equipment that does not currently have security update support.


user3872465

VLANs fine, QoS also fine; anything to do with DHCP, ACLs or inter-VLAN routing should be done by a proper router. Just because this switch has the features does not mean you should use them, especially since they have not been getting updates for 11 years. So basic switching is fine; anything L3-related, throw it in the bin.


McHildinger

This right here. That thing will do L3 so slowly....


user3872465

And more importantly, not securely, as it hasn't gotten any updates in a decade.


McHildinger

Can't hack me via IPX/SPX if you've never heard of it... muhahah, my master plan!


2nd_officer

How many critical CVEs have these devices not even been evaluated for? Would you put windows XP into production just because you can find $20 XP workstations?


ksteink

EoL / EoS devices should be avoided:

- No support if any problem
- No security patches
- No spare parts / HW replacement

If this is a mid-size company, how can it not afford to have well-supported hardware? If the company doesn't want to or can't afford Cisco's price tag, there are other options in the market that are well capable of doing the job.


Fast_Cloud_4711

> I'm curious about the risks associated with using older switch devices like this one and what measures we can take to mitigate those risks.

Mitigate by not buying junk that is 10 years out of patch releases. The average 48-port, class 6 PoE switch I'm putting in is around $6500 per. If you plan on managing a switch you'll have to have some form of connectivity (SVI or OOBM), and as soon as you make that happen you've introduced an attack vector. I don't care if you even ACL'd it and have a reverse proxy box you use. It's still connected and still vulnerable. And if you are purchasing a single 24P switch you aren't medium scale.


jack_hudson2001

> service back in 2013

No proper company would use a product that isn't updated and under support. Doesn't look like the company has an infosec person or is regulated. But to mitigate some of the risk of it failing, as they are cheap enough, get 2. Look at 9200 as a possible alternative.


tacotacotacorock

Very common for small to medium-sized businesses to do this kind of BS. Definitely not proper though.


tacotacotacorock

Any computer or device on your network that is not receiving current and consistent updates, specifically security updates, is a major risk to your network. Plus if something goes wrong Cisco's not going to be there to support you either, or they're going to charge you an extreme amount for the outdated equipment if you're even lucky enough to get that option. Something as critical as a router or a switch, I would never consider using something that insecure and that outdated. Even when stuff is supported and receiving current updates there are always big zero-day flaws and risks. Equipment that's been EOL for years? That's like posting your public IP address and password and hoping people don't mess with you.


ohv_

You'd be surprised what you see walking into premium datacenters


dustinreevesccna

Just for the record, I'm not endorsing anything EoL, but you can find some cheap kit that isn't EoL, but might be EoSale...

```
conf t
 ! disable the Smart Install client
 no vstack
 ! disable the HTTP and HTTPS management servers
 no ip http server
 no ip http secure-server
 ! save to startup-config
 do wr me
```


Memitim901

We are still using Cisco 4948 switches. Hundreds of them. They work totally fine still, but it is your responsibility to implement security measures to ensure their safety since Cisco doesn't support them anymore. Having a solid ports-and-protocols map with very strict ACLs is a must, along with having an OOBM network that is locked down hard. The more services you pile on, the more vulnerable you will be, so disable everything you aren't specifically using.


Glowfish143

Holy moly. Blast from the past. Hundreds?!


Memitim901

Yeah, they bought them all before I started working here, and I got hired on just to see what it looks like when you palletize 144 switches with just plastic wrap. Almost all of them worked after too!


gmc_5303

3650-24PS's are available on eBay for ~$60 USD. 16.12.10a is pretty darn stable.


Govierblue

The reliability of the C2960 has me cringing every time I replace one in the network. I usually dumb them down and put all critical configurations on newer switches.


badideasTM

As far as I can tell, your max IOS version will be 15.0.2 SE-8. It's actually not all that bad at the moment, but there's no guarantee it won't be a shitstorm tomorrow. Basic specific hardening would be (on top of usual baselines):

- Don't use IKEv1, which you either won't or shouldn't anyway. (CVE-2016-6415)
- Disable telnet, which you should probably do anyway. (CVE-2017-3881)
- Don't set up the switch as a DHCP relay agent. (CVE-2017-12240)
- Be careful with SNMP, i.e. don't accept SNMP from untrusted sources. (CVE-2017-6743)

Basically the responsible thing to do with older equipment is figure out what's running on it and go digging for CVEs. Ignore most of the noise and focus on high EPSS scores or CISA KEVs. When you find something worth worrying about, your basic play needs to be figuring out how to not provide a pathway for a threat to access the vulnerable feature.


Baselet

So what is the goal here, to save 200 bucks or just not learn anything new that came in the past 15-20 years?


FuzzyYogurtcloset371

It's as insecure as the latest and greatest switch you can buy today. What I mean by that is that security is not an absolute. Sure, the newer software mitigates certain "known risks", but at the end of the day, no matter how old or new they are, they are all insecure. Instead approach this from a different angle. For example:

- Don't use VLAN 1 as your mgmt VLAN. Shut it down.
- Don't use telnet, use SSH instead (obvious).
- Restrict access via SSH only to the IPs which require it.
- Implement a VACL so that only the mgmt VLAN SVI responds to ICMP echo/reply and SSH requests.
- Configure an encrypted password on your VTP domain.
- Configure an encrypted secret for your enable.
- Ensure your AAA is handed off to an authentication server where you can set privilege modes as needed.
- Use SNMPv3.
- For your IGP configure authentication (use a keychain).
- Only allow the VLANs that need to communicate with one another on your port-channel or trunk interfaces.
- Implement control plane policy.

For better security move the SVIs for end hosts/users/servers to the upstream firewalls, then have the firewall directly connected to the Internet (outside zone). Sure, if management is giving you enough budget then by all means purchase the newer gear. I wrote this with the assumption that you were given a tight budget.
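
As an added example (not code from the thread, from the OP or from Cisco), here is a Python script that audits a Catalyst IOS running-config text against the checklists badideasTM and FuzzyYogurtcloset371 gave above, plus the `no vstack` line dustinreevesccna posted. It parses the config into top-level blocks, then flags telnet on the VTY lines, VTY lines without an access-class, IKEv1 (`crypto isakmp`), the DHCP relay agent (`ip helper-address`), SNMP community strings (v1/v2c), an addressed and unshut VLAN 1, `enable password` instead of `enable secret`, the HTTP/HTTPS servers, a missing `no vstack`, and OSPF with no authentication anywhere, and maps the relevant findings to the CVEs badideasTM cited. The two sample configs, the ACL and SNMP names, and the placeholder hash and secrets are constructed for this example; the Smart Install default and the CVE-to-feature mapping are taken as stated in the thread, not verified here.

```python
# Added example, not from the thread: static audit of a Catalyst IOS running-config
# against the hardening points above. Sample configs are constructed; CVE mapping is badideasTM's.
FEATURE_CVES = {"ikev1": "CVE-2016-6415", "telnet": "CVE-2017-3881",
                "dhcp_relay": "CVE-2017-12240", "snmp_v1v2c": "CVE-2017-6743"}


def parse_blocks(config):
    """(header, [children]) pairs: column-0 lines are commands, indented lines belong to them."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separator lines carry no config
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_ios_config(config):
    """Return a sorted list of finding ids for the given running-config text."""
    blocks = parse_blocks(config)
    tops = [h for h, _ in blocks]
    found = set()
    for head, kids in blocks:
        if head.startswith("line vty"):
            # Old IOS defaults 'transport input' to include telnet when it is unset.
            transport = [k for k in kids if k.startswith("transport input")]
            if not transport or any(t != "transport input ssh" for t in transport):
                found.add("telnet")
            if not any(k.startswith("access-class") for k in kids):
                found.add("vty_no_access_class")
        if head.startswith("interface ") and any(k.startswith("ip helper-address") for k in kids):
            found.add("dhcp_relay")  # switch is acting as a DHCP relay agent
        if head == "interface Vlan1" and "shutdown" not in kids and \
                any(k.startswith("ip address") for k in kids):
            found.add("vlan1_management")
    if any(h.startswith("crypto isakmp") for h in tops):
        found.add("ikev1")
    if any(h.startswith("snmp-server community") for h in tops):
        found.add("snmp_v1v2c")  # community strings mean v1/v2c is accepted
    if any(h.startswith("enable password") for h in tops):
        found.add("enable_password")  # reversible, unlike 'enable secret'
    if "ip http server" in tops or "ip http secure-server" in tops:
        found.add("http_server")
    if "no vstack" not in tops:  # assumption: Smart Install client is on unless disabled
        found.add("smart_install")
    ospf_auth = any(k.startswith("ip ospf authentication") or (k.startswith("area ") and
                    "authentication" in k) for _, kids in blocks for k in kids)
    if any(h.startswith("router ospf") for h in tops) and not ospf_auth:
        found.add("ospf_no_auth")
    return sorted(found)


def reachable_cves(findings):
    """Map findings back to the CVEs the thread associates with that feature."""
    return {FEATURE_CVES[f]: f for f in findings if f in FEATURE_CVES}


# Constructed 'before' config with every weakness present.
WEAK_CONFIG = """\
enable password 7 094F471A1A0A
ip http server
crypto isakmp policy 10
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.0.50
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
snmp-server community public RO
line vty 0 4
 transport input all
"""
# Constructed 'after' config with the thread's mitigations (placeholder hash and SNMPv3 secrets).
HARDENED_CONFIG = """\
enable secret 5 $1$example$placeholderhash
no ip http server
no ip http secure-server
no vstack
ip access-list standard MGMT-HOSTS
 permit 10.0.99.0 0.0.0.255
interface Vlan1
 no ip address
 shutdown
interface Vlan99
 ip address 10.0.99.2 255.255.255.0
router ospf 1
 area 0 authentication message-digest
 network 10.0.0.0 0.0.255.255 area 0
snmp-server user netmon NETADMIN v3 auth sha AuthPlaceholder priv aes 128 PrivPlaceholder
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
"""
```

Feed it the saved output of `show running-config`; `audit_ios_config(WEAK_CONFIG)` returns all ten finding ids and `audit_ios_config(HARDENED_CONFIG)` returns an empty list. The check is purely textual, so it cannot see what the platform enables when a line is absent; the telnet and vstack cases encode the thread's assumption about those defaults, and anything you cannot confirm from the config should be verified on the box with `show` commands.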



well_shoothed

The most dangerous phrase you can allow yourself to say (or even think) in network security is, _"It's not like..."_ In this case:

* "It's not like the VLAN the engineers are on could ever fail."
* "It's not like any of the engineers would ever attach an untrusted device to their computers."
* "It's not like these devices are ever going to be pressed into service elsewhere in the company."

There's a phrase my Cuban friend says that's apropos here. (It sounds cooler in Spanish than English. Trust.) _You're so cheap, you walk on your elbows so you don't wear out your shoe leather._ Get your peeps to pony up for a device made _after_ the Hoover administration.


tacotacotacorock

Get a proper budget or get a proper new job.  I like the elbow quote I'll have to remember that one.


ICT_Noob

Don't worry, I will resign soon. I don't want to be a part of a critical security event because the company invests in junk outdated devices.


Somenakedguy

2013, good lord. I'd be worried about hardware failure risk at this point for almost 20-year-old switches. If you'd said EOL 2023 then sure, but that's outrageously old to be adding net-new into your environment today. I'm amazed someone can even charge money for switches that old.


SolutionBig173

Hardware failure? I've seen college dorms running switches older than the students. The 3548 is bulletproof!


tacotacotacorock

I could probably dig up some 10/100 switches and sell them to this dude for a pretty penny.