Here is my template for access layer switches in my environment. Some of blue color words will need to replace with your specific information. Red words will be the explanation for next commands. Some commands may only apply to certain devices. Not all commands will work on every device series (router/switch) or on every IOS version. Always test it first before apply them to your production devices.
version 15.0
!Disable PAD service:
no service pad
no service password-recovery
!Configure Service Timestamps for Debug and Log Messages:
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
! Set and secure passwords:
service password-encryption
service sequence-numbers
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
!Disable DHCP server:
no service dhcp
ip dhcp bootp ignore
!
hostname SW-HW-DC-1
!
boot-start-marker
boot-end-marker
!
logging console critical
logging monitor informational
!Set Enable and User Password with Secret:
enable secret 0 1qaz2wsx!.
username swadmin1 secret 0 1q2w3e4r!
! localit user only can show running configuration
username localit secret Cisco1234
username localit privilege 15 autocommand show running
! localadmin user can do more troubleshooting and run ‘show config’
username localadmin privilege 7 secret Cisco1234
!
privilege exec level 7 show config
!
! localit user only can show running configuration
username localit secret Cisco1234
username localit privilege 15 autocommand show running
! localadmin user can do more troubleshooting and run ‘show config’
username localadmin privilege 7 secret Cisco1234
!
privilege exec level 7 show config
!
!Configure AAA service:
aaa new-model
!
!Configure AAA Authentication for Login
aaa authentication login default local group radius group tacacs+
aaa authentication login CONAUTH local group tacacs+
aaa authentication login VTYAUTH local group tacacs+
!Configure AAA Authentication for Enable Mode:
aaa authentication enable default enable group radius group tacacs+
aaa authorization console
aaa authorization exec default local group radius group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 5 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
system mtu routing 1500
!Disable IP source-route:
no ip source-route
no ip gratuitous-arps
!
!Disable Router Name and DNS Name Resolution:
no ip domain-lookup
ip domain-name sw.hw
login block-for 120 attempts 5 within 60
login quiet-mode access-class 101
login on-failure log
login on-success log
vtp domain sw.hw
vtp mode transparent
!
!Catch crash dumps; very important with a “security switch.”
ip ftp username switchftp
ip ftp password Cisco1234
! Give our core dump files a unique name.
exception core-file secure-switch01-core
exception protocol ftp
exception dump 10.10.2.13
!Logging and archive the commands
archive
log config
logging enable
logging size 200
notify syslog
path flash:backup-
write-memory
maximum 8
!
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
spanning-tree vlan 1,10,100,1000 priority 28672
!
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
!
vlan internal allocation policy ascending
!
vlan 10
!
vlan 100
!
vlan 1000
name NATIVE
!Configure SSH for Remote Access:
Crypto Key Generate RSA General-keys modulus 2048
Crypto Key Generate RSA General-keys modulus 2048
ip ssh time-out 10
ip ssh authentication-retries 5
ip ssh logging events
ip ssh version 2
!
interface Port-channel1
switchport trunk allowed vlan 1,10,100-1000
switchport trunk native vlan 1000
switchport trunk native vlan 1000
switchport mode trunk
spanning-tree bpduguard disable
spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
switchport mode access
spanning-tree portfast
!Configure switch port-security:
switchport port-security
switchport port-security violation shutdown
switchport port-security maximum 1
switchport port-security mac-address sticky
no cdp enable
no cdp enable
!
interface GigabitEthernet0/2
shutdown
no cdp enable
!
interface GigabitEthernet0/3
description Connecting SW Core Layer
switchport trunk allowed vlan 1,10,100-1000
switchport trunk native vlan 1000
switchport mode trunk
channel-group 1 mode desirable
spanning-tree bpduguard disable
no cdp enable
spanning-tree bpduguard disable
no cdp enable
!
……
!
interface Vlan1
description DefaultVLAN-Do not use it.
no ip route-cache
!
interface Vlan10
description Management
ip address 10.10.10.1
no ip route-cache
!
interface Vlan100
ip address 10.100.10.1 255.255.255.0
standby 100 ip 10.100.10.3
standby 100 priority 200
!
ip default-gateway 10.10.10.254
no ip http server
no ip http secure-server
!
!ip access-list standard remark SNMP ACL
ip access-list standard snmp-Allow
permit 10.0.0.0 0.255.255.255
deny any log
!
deny any log
!
logging esm config
logging trap debugging
logging 10.10.10.15
access-list 101 remark VTY Access ACL
access-list 101 remark VTY Access ACL
access-list 101 permit ip 10.10.0.0 0.0.255.255 any log-input
access-list 101 deny ip any any log-input
access-list 101 deny ip any any log-input
!You also could use ip access-list command to edit 101 access-list
!
snmp-server group SNMPv3-RO v3 priv read ReadView-All access snmp-Allow
!Write SNMPv3 permission is not necessary. This is just for configuration example
!snmp-server group SNMPv3-RW v3 priv read ReadView-All write WriteView-All access snmp-Allow
snmp-server group NetService-RO v3 priv notify *tv.FFFFFFFF.FFFFFFFF.
snmp-server view ReadView-All iso included
snmp-server view ReadView-All internet included
snmp-server view ReadView-All system included
snmp-server view ReadView-All interfaces included
snmp-server view ReadView-All snmpUsmMIB excluded
snmp-server view ReadView-All snmpVacmMIB excluded
snmp-server view ReadView-All snmpCommunityMIB excluded
snmp-server view ReadView-All ip.21 excluded
snmp-server view ReadView-All ip.22 excluded
snmp-server view ReadView-All chassis included
snmp-server view WriteView-ALL iso included
snmp-server view WriteView-All iso included
snmp-server view WriteView-All internet included
snmp-server view WriteView-All system included
snmp-server view WriteView-All interfaces included
snmp-server view WriteView-All snmpUsmMIB excluded
snmp-server view WriteView-All snmpVacmMIB excluded
snmp-server view WriteView-All snmpCommunityMIB excluded
snmp-server view WriteView-All ip.21 excluded
snmp-server view WriteView-All ip.22 excluded
snmp-server view WriteView-All chassis included
!
!
snmp-server community SNMPCO RO
snmp-server location US-HW
snmp-server contact IT-HP
!
!It is best to define trap details here to reduce resource usage
snmp-server enable traps
snmp-server host 10.10.10.25 version 3 priv NetService-RO
!
radius-server host 10.10.10.35 auth-port 1812 key q1w2e3!
radius-server host 10.10.10.35 auth-port 1812 key q1w2e3!
!
!tacacs server 10.10.1.8
! key 7 01300F175804575D7218
!If you do not have Tacacs server, please donot implement those above two commands since it will cause slow CLI responding issue.
!
banner motd #
******************************
* This is a private computing facility. *
* Unauthorized use of this device is strictly prohibited. *
* Violators will be prosecuted to the maximum extent possible. *
* *
* TACACS+ Authentication and Accounting are in place. *
* All actions/commands are monitored and recorded. *
* By using the network you expressly consent to such *
* monitoring and recording. *
******************************
#
!
line con 0
!Configure AAA Authentication for Local Console Line:
login authentication CONAUTH
exec-timeout 5 0
logging synchronous
line vty 0 4
access-class 101 in
!Configure Timeout for Login Sessions:
exec-timeout 5 0
logging synchronous
!Configure SSH Access:
transport input ssh
login authentication VTYAUTH
login authentication VTYAUTH
!
!
monitor session 1 source vlan 100 – 1000
monitor session 1 destination interface Gi1/0/13
!
ntp logging
ntp master 3
ntp server 10.10.10.5
end
Reference:
1. Download CIS Security Benchmark Division Resources
2. BRKSEC-2007 – Fundamental IOS Security
3. BRKSEC-2017 – IOS Security: Securing the Management Plane
2. BRKSEC-2007 – Fundamental IOS Security
3. BRKSEC-2017 – IOS Security: Securing the Management Plane
Very helpful. Thanks a lot