Wednesday 1 March 2017

Cisco Switch Setup Checklist (Best Practice, Hardening etc.)

This is a short list of initial management / setup tasks that can be used as a base template:

Setting up AAA

Setting up remote access (SSH)

Setting up SNMP

Setting up logging / syslog

Automatic configuration backups

Setting up NTP

If (like me) you prefer to disable DNS lookups, you will need to configure the NTP servers by IP address rather than hostname - you can find the IP addresses of stratum 1 and 2 providers here.

(Ideally the stratum 1 provider should take precedence - hence the 'prefer' keyword on the first server below)

ntp server <stratum-1-ip> prefer
ntp server <stratum-2-ip>
ntp server <stratum-2-ip>

Hardening / Disabling Unnecessary Services 

no ip http server

no ip http secure-server

Ensure there are no vty lines with Telnet enabled - only SSH should be accepted.

no ip domain-lookup

If you do not need any DHCP services - including DHCP relay (ip helpers) - you can issue:

no service dhcp

Unless you are connecting to an X.25 network - you can safely disable the 'pad' (packet assembler/disassembler) service:

no service pad

EXEC Timeout: This defines how long an idle session will remain open on a line before the user is logged out - by default this is commonly set at 10 minutes, although it should generally be much shorter (apply it to every vty line, not just line 0):

line vty 0
exec-timeout <minutes>

TCP Keepalives: Enabling these lets the switch detect when inbound or outbound TCP sessions (SSH, Telnet etc.) have gone dead, so that orphaned sessions are closed rather than left holding a vty line:

service tcp-keepalives-in
service tcp-keepalives-out
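As an added example (not part of the original post, and not a Cisco tool), the following Python script audits a saved 'show running-config' dump against the NTP and hardening items above: HTTP/HTTPS server, DNS lookups, PAD, DHCP (only flagged when no pool or helper is configured), TCP keepalives, a preferred NTP server, and SSH-only vty lines with a short exec-timeout. The 5-minute timeout threshold and both sample configs are assumptions constructed for the example.

```python
"""Audit a Cisco IOS running-config against the checklist in this post.
Added example (not from the original post); the config below is a
constructed sample in 'show running-config' form, not a real device."""

# Assumed threshold: the post only says the default 10 minutes should be
# "much shorter"; 5 minutes is this script's choice, not the post's.
MAX_EXEC_TIMEOUT_MIN = 5

# Constructed sample: a partially hardened switch.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
service pad
no ip domain-lookup
ip dhcp pool MGMT
 network 10.10.10.0 255.255.255.0
!
ip http server
no ip http secure-server
ntp server 10.0.0.1 prefer
ntp server 10.0.0.2
line vty 0 4
 exec-timeout 10 0
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""


def parse_sections(config):
    """Return (global lines, {'line ...' header: [indented child lines]})."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None              # '!' terminates a section in IOS output
            continue
        if raw.startswith(" "):         # indented line belongs to the open block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith("line "):
            current = line
            blocks.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, blocks


def audit_config(config):
    """Return human-readable findings; an empty list means fully compliant."""
    findings = []
    global_lines, blocks = parse_sections(config)
    present = set(global_lines)
    # IOS shows the 'no' form of these once disabled, so the positive form
    # (or a missing 'no' form) means the service is still running.
    if "ip http server" in present:
        findings.append('HTTP server enabled: add "no ip http server"')
    if "ip http secure-server" in present:
        findings.append('HTTPS server enabled: add "no ip http secure-server"')
    if "no ip domain-lookup" not in present:
        findings.append('DNS lookups enabled: add "no ip domain-lookup" if not needed')
    if "no service pad" not in present:
        findings.append('PAD service enabled: add "no service pad"')
    for keepalive in ("service tcp-keepalives-in", "service tcp-keepalives-out"):
        if keepalive not in present:
            findings.append(f'missing "{keepalive}"')
    # DHCP is only worth disabling when nothing on the switch depends on it.
    uses_dhcp = any(l.strip().startswith(("ip dhcp pool", "ip helper-address"))
                    for l in config.splitlines())
    if "no service dhcp" not in present and not uses_dhcp:
        findings.append('no DHCP pool or helper configured: consider "no service dhcp"')
    # NTP: at least one server, and one marked preferred (the stratum 1 source).
    ntp = [l for l in global_lines if l.startswith("ntp server ")]
    if not ntp:
        findings.append('no "ntp server" configured')
    elif not any(l.endswith(" prefer") for l in ntp):
        findings.append('no NTP server marked "prefer"')
    # vty lines: SSH only, and a short idle timeout on every line range.
    for header, children in blocks.items():
        if not header.startswith("line vty"):
            continue
        transport = next((c for c in children if c.startswith("transport input")), None)
        if transport is None:
            findings.append(f'{header}: no "transport input" set (Telnet may be allowed)')
        elif {"telnet", "all"} & set(transport.split()):
            findings.append(f'{header}: Telnet permitted ("{transport}"); use "transport input ssh"')
        timeout = next((c for c in children if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"{header}: exec-timeout not set (IOS default is 10 min)")
            continue
        parts = timeout.split()
        seconds = int(parts[1]) * 60 + (int(parts[2]) if len(parts) > 2 else 0)
        if seconds == 0:
            findings.append(f"{header}: exec-timeout 0 disables the idle timeout")
        elif seconds > MAX_EXEC_TIMEOUT_MIN * 60:
            findings.append(f"{header}: exec-timeout {parts[1]} min exceeds {MAX_EXEC_TIMEOUT_MIN} min")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

To use it on a real device, paste the output of 'show running-config' into a file and call audit_config() on its contents; the sample above produces six findings (HTTP server, PAD, the missing outbound keepalive, and the two vty ranges), while a config with every item applied returns an empty list. Note that 'exec-timeout 0 0' disables the idle timeout entirely, which the script flags separately from a timeout that is merely too long.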


Cisco Guide to Harden Cisco IOS Devices:

NTP Servers UK List:

