Info Security Memo
Cisco IOS Switch Hardening Template

8/23/2015

Here is my template for access layer switches in my environment. The values shown in blue in the original post (the x/y placeholders below, such as hostnames, addresses and secrets) need to be replaced with your own information. Lines beginning with ! (red in the original) explain the commands that follow them. Some commands apply only to certain devices; not every command works on every device series (router/switch) or on every IOS version. Always test the configuration in a lab before applying it to your production devices.

version 15.0
!Disable PAD service:
no service pad
!Disable password recovery (note: once this is set, a lost enable secret can only be dealt with by resetting the switch to factory defaults, so keep the secret in a safe place):
no service password-recovery
!Configure Service Timestamps for Debug and Log Messages:
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
!Set and secure passwords:
service password-encryption
service sequence-numbers
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
!Disable DHCP server:
no service dhcp
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging console critical
logging monitor informational
!Set Enable and User Password with Secret:
enable secret 0 xxxxxx
username xxxxxx secret 0 xxxxxx
!Configure AAA service:
aaa new-model
!
!Configure AAA Authentication for Login:
aaa authentication login default local group radius group tacacs+
aaa authentication login CONAUTH local group tacacs+
aaa authentication login VTYAUTH local group tacacs+
!Configure AAA Authentication for Enable Mode:
aaa authentication enable default enable group radius group tacacs+
aaa authorization console
aaa authorization exec default local group radius group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 5 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
system mtu routing 1500
!Disable IP source-route:
no ip source-route
no ip gratuitous-arps
!
!Disable Router Name and DNS Name Resolution:
no ip domain-lookup
ip domain-name xxx.xxx
login block-for 120 attempts 5 within 60
login on-failure log
login on-success log
vtp domain xxxxx
vtp mode transparent
!
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
spanning-tree vlan 1,x,y,z priority 28672
!
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
!
!
vlan internal allocation policy ascending
!
vlan 10
!
vlan 100
!
vlan 1000
 name NATIVE
!Configure SSH for Remote Access:
ip ssh time-out 10
ip ssh authentication-retries 5
ip ssh logging events
ip ssh version 2
!
interface Port-channel1
 switchport trunk allowed vlan 1,xx,xx-yy
 switchport trunk native vlan 1000
 switchport mode trunk
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!Configure switch port-security:
 switchport port-security
 switchport port-security violation shutdown
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 no cdp enable
!
interface GigabitEthernet0/2
 shutdown
 no cdp enable
!
interface GigabitEthernet0/3
 description xxxxx
 switchport trunk allowed vlan 1,xx,xx-yy
 switchport trunk native vlan 1000
 switchport mode trunk
 channel-group 1 mode desirable
 spanning-tree bpduguard disable
 no cdp enable
!
......
!
interface Vlan1
 description xxxxxxxx
 no ip route-cache
!
interface Vlan10
 description Management
 ip address x.x.x.x
 no ip route-cache
!
interface Vlan100
 ip address x.y.z.1 255.255.255.0
 standby 100 ip x.y.z.3
 standby 100 priority 200
!
ip default-gateway x.x.x.x
no ip http server
no ip http secure-server
!
!Restrict SNMP access to the management subnet (the remark belongs inside the ACL, and a standard ACL takes a single source, so "deny any log" rather than "deny any any log"):
ip access-list standard snmp-Allow
 remark SNMP ACL
 permit 10.x.y.0 0.0.0.255
 deny any log
logging esm config
logging trap debugging
logging 10.x.y.z
access-list 101 remark VTY Access ACL
access-list 101 permit ip 10.x.y.0 0.0.255.255 any log-input
access-list 101 deny ip any any log-input
!
snmp-server group SNMPv3-RO v3 priv read ReadView-All access snmp-Allow
snmp-server group SNMPv3-RW v3 priv read ReadView-All write WriteView-All access snmp-Allow
snmp-server group NetService-RO v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server view ReadView-All iso included
snmp-server view ReadView-All internet included
snmp-server view ReadView-All system included
snmp-server view ReadView-All interfaces included
snmp-server view ReadView-All snmpUsmMIB excluded
snmp-server view ReadView-All snmpVacmMIB excluded
snmp-server view ReadView-All snmpCommunityMIB excluded
snmp-server view ReadView-All ip.21 excluded
snmp-server view ReadView-All ip.22 excluded
snmp-server view ReadView-All chassis included
snmp-server view WriteView-All iso included
snmp-server view WriteView-All internet included
snmp-server view WriteView-All system included
snmp-server view WriteView-All interfaces included
snmp-server view WriteView-All snmpUsmMIB excluded
snmp-server view WriteView-All snmpVacmMIB excluded
snmp-server view WriteView-All snmpCommunityMIB excluded
snmp-server view WriteView-All ip.21 excluded
snmp-server view WriteView-All ip.22 excluded
snmp-server view WriteView-All chassis included
!
!
!SNMPv1/v2c read-only community; remove it if only SNMPv3 is used, or at least restrict it with the same ACL (snmp-server community xxxxxx RO snmp-Allow):
snmp-server community xxxxxx RO
snmp-server location xxxxx
snmp-server contact xxxx
!
snmp-server enable traps
!NetService-RO below is an SNMPv3 user name. SNMPv3 users are not shown in the running-config, so create it separately, e.g. snmp-server user NetService-RO NetService-RO v3 auth sha xxxxxx priv aes 128 xxxxxx (check with show snmp user):
snmp-server host x.x.x.x version 3 priv NetService-RO
radius-server host x.x.x.x auth-port 1812 key yyyy
!
!
banner motd ^C
****************************************************************
* This is a private computing facility.                        *
* Unauthorized use of this device is strictly prohibited.      *
* Violators will be prosecuted to the maximum extent possible. *
*                                                              *
* TACACS+ Authentication and Accounting are in place.          *
* All actions/commands are monitored and recorded.             *
* By using the network you expressly consent to such           *
* monitoring and recording.                                    *
****************************************************************
^C
!
line con 0
!Configure AAA Authentication for Local Console Line:
 login authentication default
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 access-class 101 in
!Configure Timeout for Login Sessions:
 exec-timeout 5 0
 logging synchronous
!Configure SSH Access:
 transport input ssh
!
!
monitor session 1 source vlan x - y
monitor session 1 destination interface Gi0/xx
!
ntp logging
ntp master 3
ntp server x.x.x.x
end
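As an added example (not from the original post), a small Python script that checks a saved running-config against part of the template above: the global commands, the settings every active access port should carry, and the vty line. The checklist, the sample config and its findings are constructed for illustration; extend the tuples to match your own baseline.

```python
# Added example (not from the original post): audit a running-config against a
# subset of the template above. Checklist and sample config are constructed.
GLOBAL_REQUIRED = ("no service pad", "no ip http server",
                   "no ip http secure-server", "ip ssh version 2")
ACCESS_REQUIRED = ("switchport port-security", "spanning-tree portfast", "no cdp enable")

def parse_blocks(config):
    """Return {header: [sub-commands]} for 'interface ...' and 'line ...' blocks."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(("interface ", "line ")):
            current = line.strip()
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any global command ends the block
    return blocks

def audit(config):
    """Return sorted findings; an empty list means the config matches the baseline."""
    top = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in top]
    for header, cmds in parse_blocks(config).items():
        if header.startswith("line vty"):
            if "transport input ssh" not in cmds:
                findings.append(f"{header}: transport input is not ssh-only")
            if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
                findings.append(f"{header}: no inbound access-class")
        elif "switchport mode access" in cmds and "shutdown" not in cmds:
            findings += [f"{header}: missing '{c}'" for c in ACCESS_REQUIRED if c not in cmds]
    return sorted(findings)

# Constructed sample of a switch that has drifted from the template.
SAMPLE_CONFIG = """\
no service pad
ip http server
no ip http secure-server
ip ssh version 2
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 switchport port-security
 no cdp enable
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
line vty 0 4
 transport input telnet ssh
"""
```

Running audit(SAMPLE_CONFIG) reports the enabled HTTP server, the unprotected Gi0/2 port and the telnet-capable vty line, while the compliant Gi0/1 port produces no finding.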

