This is the first in a planned series of templates. It provides a baseline template for switch configuration prior to customisation, such as port-security, routing protocols, QoS etc. Not all commands will work on all models of switches or all versions of IOS, so don't just copy & paste the whole lot without confirming. Inline commentary explains various settings.
!
! For switches that support it, set SDM template to match intended role. Templates vary between models & a reboot is required
sdm prefer {access | default | routing | vlan}
!
! Disable unnecessary services
no ip source-route
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip finger
no ip identd
no service config
no mop enabled
no service pad
!
! Enable CDP & LLDP
cdp run
lldp run
!
! Enable routing if required
ip routing
no ip source-route
!
! Enable password encryption & faster config viewing
service password-encryption
parser config cache interface
!
! Optimise TFTP transfers & EtherChannel load balancing
ip tftp blocksize 8192
port-channel load-balance src-dst-ip
!
! If using DHCP Snooping disable DHCP option 82 insertion
no ip dhcp snooping information option
!
! Enable log time stamps with the timezone & logging to a syslog server
service timestamps debug datetime msec
service timestamps log datetime localtime msec show-timezone
logging buffered 16384
logging host x.x.x.x
!
! Enable SSH v2, reduce SSH session establish timeout & create SSH key
hostname [name]
ip domain-name [domain name]
crypto key generate rsa modulus 2048
ip ssh time-out 120
ip ssh version 2
!
! Block logins for 5 minutes after 4 failed attempts within 2 minutes, also log login attempts
login block-for 300 attempts 4 within 120
login delay 2
login on-failure log
login on-success log
!
! Due to CVE-2018-0171 & CVE-2018-0156 disable vstack
no vstack
!
! Define a login banner
banner login ^
************************************************************************
You have logged on to a [COMPANY] proprietary device.
This device may be used only for the authorized business purposes
of [COMPANY]. Anyone found using this device or its information for
any unauthorized purpose may be subject to disciplinary action
and/or prosecution.
************************************************************************
^
!
! Define an admin user, configure local authentication & authorisation (ideally use RADIUS/TACACS+)
username [user] privilege 15 secret [password]
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
!
! Set VTP to transparent unless the LAN uses VTP
vtp domain UNUSED
vtp mode transparent
!
! Match the LAN's STP settings
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
!
! BPDU Guard on by default & create parking VLAN
spanning-tree portfast bpduguard default
vlan 999
name PARKING
!
! Enable notification of MAC address flapping
mac address-table notification mac-move
!
! Assign unused ports as access ports to VLAN 999
interface range Ethernet0/0 - Ethernet0/2
description ## Unused Port ##
switchport access vlan 999
switchport mode access
speed auto
duplex auto
!
! Assign trunks' native VLAN to 999 & disable DTP
interface Ethernet0/3
description ## Trunk to Something ##
switchport mode trunk
switchport trunk native vlan 999
switchport nonegotiate
speed auto
duplex auto
!
! Set correct time zone & configure multiple NTP servers via DNS
ip name-server 208.67.220.220 208.67.222.222
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
ntp update-calendar
!
! Restrict vty access to SSH & set 15 minute timeout on console & vty
ip access-list standard VTY-IN
permit x.x.x.x x.x.x.x
line con 0
logging synchronous
transport preferred none
exec-timeout 15
line vty 0 15
logging synchronous
transport preferred none
transport input ssh
access-class VTY-IN in
exec-timeout 15