-
Notifications
You must be signed in to change notification settings - Fork 0
/
cisco-ios-basic-secure-config
116 lines (96 loc) · 2.31 KB
/
cisco-ios-basic-secure-config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
! Change this to your organization's naming convention
hostname sw01
boot-start-marker
boot-end-marker
logging buffered 32768
logging console critical
! Change this to your organization's requirements
enable secret PLEASE-change-this!
username this-is-temp privilege 0 secret CHANGE-this-4-Urself!
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa session-id common
system mtu routing 1500
vtp domain vtp1.corp.example.com
vtp mode transparent
no ip gratuitous-arps
no ip domain-lookup
ip domain-name corp.example.com
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 999
name unused-ports
exit
ip tcp synwait-time 10
crypto key generate rsa general-keys modulus 2048
ip ssh time-out 10
ip ssh authentication-retries 2
ip ssh version 2
interface range g0/1 - 48
description not-in-use
switchport access vlan 999
switchport mode access
switchport nonegotiate
switchport port-security
shutdown
no cdp enable
spanning-tree bpduguard enable
exit
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
exit
no ip http server
no ip http secure-server
! Change the IPs to your management network's subnet
ip access-list extended mgmt-access
permit tcp 10.1.2.00 0.0.0.255 gt 1023 any eq 22 log-input
deny ip any any log-input
exit
ip sla enable reaction-alerts
logging esm config
! Change the IP to your log server
logging 10.1.1.21
! Change the IP to your SNMP poller
access-list 20 permit 10.1.1.41
snmp-server group netadmins v3 auth read adminview write adminview access 20
banner exec ^C
MYBANNER EXEC
^C
banner login ^C
MYBANNER LOGIN
^C
banner motd ^C
MYBANNER MOTD
^C
line con 0
logging synchronous
exit
line vty 0 4
access-class mgmt-access in
privilege level 0
transport input ssh
transport output none
exit
line vty 5 15
access-class mgmt-access in
privilege level 0
transport input ssh
transport output none
exit
scheduler interval 500
ntp server 10.1.1.31 prefer