Thursday, 13 July 2017

Switch Configuration Template

This is the first in a planned series of templates. It provides a baseline template for switch configuration prior to customisation, such as port security, routing protocols, QoS, etc. Not all commands will work on all models of switches or all versions of IOS, so don't just copy & paste the whole lot without confirming each command on your platform. Inline commentary explains the various settings.

! For switches that support it, set SDM template to match intended role. Templates vary between models & a reboot is required
sdm prefer {access | default | routing | vlan} 
! Disable unnecessary services
no ip source-route
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip finger
no ip identd
no service config
no mop enabled
no service pad
! Enable CDP & LLDP
cdp run
lldp run
! Enable routing if required
ip routing
! Enable password encryption & faster config viewing
service password-encryption
parser config cache interface
! Optimise TFTP transfers & EtherChannel load balancing
ip tftp blocksize 8192
port-channel load-balance src-dst-ip
! If using DHCP Snooping disable DHCP option 82 insertion
no ip dhcp snooping information option
! Enable log time stamps with the timezone & logging to a syslog server
service timestamps debug datetime msec
service timestamps log datetime localtime msec show-timezone
logging buffered 16384
logging host x.x.x.x
! Enable SSH v2, reduce SSH session establish timeout & create SSH key
hostname [name]
ip domain-name [domain name]
crypto key generate rsa modulus 2048
ip ssh time-out 120
ip ssh version 2
! Block logins for 5 minutes after 4 failed attempts within 2 minutes, also log login attempts
login block-for 300 attempts 4 within 120
login delay 2
login on-failure log
login on-success log
! Define a login banner
banner login ^
You have logged on to a [COMPANY] proprietary device.

This device may be used only for the authorized business purposes
of [COMPANY]. Anyone found using this device or its information for
any unauthorized purpose may be subject to disciplinary action
and/or prosecution.
^
! Define an admin user, configure local authentication & authorisation (ideally use RADIUS/TACACS+)
username [user] privilege 15 secret [password]
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
! Set VTP to transparent unless the LAN uses VTP
vtp domain UNUSED
vtp mode transparent
! Match the LAN's STP settings
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
! BPDU Guard on by default & create parking VLAN
spanning-tree portfast bpduguard default
vlan 999
! Enable notification of MAC address flapping
mac address-table notification mac-move
! Assign unused ports as access ports to VLAN 999
interface range Ethernet0/0 - Ethernet0/2
 description ## Unused Port ##
 switchport access vlan 999
 switchport mode access
 speed auto
 duplex auto
! Assign trunks' native VLAN to 999 & disable DTP
interface Ethernet0/3
 description ## Trunk to Something ##
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
 speed auto
 duplex auto
! Set correct time zone & configure multiple NTP servers via DNS
ip name-server x.x.x.x
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
ntp server [ntp hostname 1]
ntp server [ntp hostname 2]
ntp update-calendar
! Restrict vty access to SSH & set 15 minute timeout on console & vty
ip access-list standard VTY-IN
 permit x.x.x.x x.x.x.x
line con 0
 logging synchronous
 transport preferred none
 exec-timeout 15
line vty 0 15
 logging synchronous
 transport preferred none
 transport input ssh
 access-class VTY-IN in
 exec-timeout 15
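A template is only useful if you can tell when a switch has drifted away from it. The script below is an added example (not from the original post) that parses `show running-config` text and reports deviations from the baseline above: missing global hardening commands, services that should be off, a missing `login block-for`, VTY lines without `transport input ssh` or an inbound `access-class`, lines with the idle timeout disabled, and trunks without `switchport nonegotiate` or a non-default native VLAN. The two sample configs are constructed for illustration; the banner handling assumes the delimiter is the last token of the `banner` line, which matches both the template's `^` form and the `^C` form IOS prints.

```python
import re
from typing import Dict, List, Tuple

# Global commands the baseline expects verbatim in "show running-config".
REQUIRED_GLOBAL = ["no ip source-route", "no ip http server", "ip ssh version 2",
                   "aaa new-model", "spanning-tree portfast bpduguard default"]
# Services the baseline switches off; seeing one enabled is a finding.
FORBIDDEN_GLOBAL = ["ip http server", "ip http secure-server", "ip finger"]

def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level commands and {parent: [indented children]}.
    Banner bodies are skipped; the assumed delimiter is the last token of the
    banner line ("^" in the template, "^C" in real show-run output)."""
    top, sections, current, banner_delim = [], {}, None, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if banner_delim is not None:  # inside a banner body
            if line.endswith(banner_delim):
                banner_delim = None
            continue
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith("banner "):
            token = line.split()[-1]
            # "banner motd #text#" closes on the same line; "banner login ^" does not
            if not (len(token) > 2 and token[0] == token[-1]):
                banner_delim = token
            current = None
            continue
        if line.startswith(" "):  # child of the current interface/line/acl parent
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line
            top.append(current)
            sections.setdefault(current, [])
    return top, sections

def exec_timeout_disabled(children: List[str]) -> bool:
    """True when 'exec-timeout 0' or 'exec-timeout 0 0' (never time out) is set."""
    return any(re.fullmatch(r"exec-timeout 0(?: 0)?", c) for c in children)

def audit(config: str) -> List[str]:
    """Return deviations from the baseline; an empty list means compliant."""
    top, sections = parse_sections(config)
    present = set(top)
    findings = [f"missing global command: {c}" for c in REQUIRED_GLOBAL if c not in present]
    findings += [f"unwanted service enabled: {c}" for c in FORBIDDEN_GLOBAL if c in present]
    if not any(c.startswith("login block-for ") for c in top):
        findings.append("missing login block-for (failed logins are not throttled)")
    for parent, children in sections.items():
        if parent.startswith("line ") and exec_timeout_disabled(children):
            findings.append(f"{parent}: idle timeout disabled")
        if parent.startswith("line vty"):
            if "transport input ssh" not in children:
                findings.append(f"{parent}: transport input not restricted to ssh")
            if not any(c.startswith("access-class ") and c.endswith(" in") for c in children):
                findings.append(f"{parent}: no inbound access-class")
        if parent.startswith("interface ") and "switchport mode trunk" in children:
            if "switchport nonegotiate" not in children:
                findings.append(f"{parent}: trunk still negotiates DTP")
            if not any(c.startswith("switchport trunk native vlan ") for c in children):
                findings.append(f"{parent}: trunk native VLAN left at default 1")
    return findings

# Constructed samples: one switch built from the template, one that has drifted.
GOOD_CONFIG = """\
no ip source-route
no ip http server
ip ssh version 2
login block-for 300 attempts 4 within 120
aaa new-model
spanning-tree portfast bpduguard default
banner login ^
Authorised use only.
^
interface Ethernet0/3
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
line vty 0 15
 transport input ssh
 access-class VTY-IN in
 exec-timeout 15
"""
WEAK_CONFIG = """\
ip http server
ip ssh version 2
aaa new-model
spanning-tree portfast bpduguard default
interface Ethernet0/3
 switchport mode trunk
line vty 0 15
 transport input telnet ssh
 exec-timeout 0 0
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg) or ["compliant"])
```

Matching is deliberately exact on whole lines: `no ip http server` and `ip http server` are distinct strings, so a negated command never satisfies a check for the positive one. Extend `REQUIRED_GLOBAL` with the rest of the template once you have confirmed how your IOS version renders each command in `show running-config` (some defaults are not displayed), and feed the script the saved config of each switch rather than hand-checking it.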