Wednesday 17 May 2017

Cisco Switch Template v1.0: Ports, Security / Hardening, Features

Global Configuration

Spanning Tree

Configure the root bridges for your VLANs:
conf t
spanning-tree vlan 123 root primary

For access switches we can utilize uplink fast:
spanning-tree uplinkfast

Port Configuration

PC Client Access Port:

Features: Sticky Ports, DAI, IP Source Guard, Storm Control

int gix/y/z
ip addr
switchport mode access 
switchport access vlan 123
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast

spanning-tree bpduguard enable spanning-tree bpdufilter enable
spanning-tree guard root

switchport nonegotiate
no cdp enable
storm-control broadcast level 10.00
storm-control action trap || shutdown

Trunk Port:

int gix/y/z
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 1000
switchport trunk allowed vlan 10,11,12,13
switchport nonegotiate
storm-control broadcast level 10.00
storm-control action trap OR shutdown
no cdp enable

with aggregation:

channel-protocol lacp
channel-group 10 mode active
port-channel load-balance dst-ip | src-ip etc.

and optional - 

spanning-tree portfast trunk // in circumstances where link aggregation is in place without LACP or PAgP.
spanning-tree guard root // where necessary to prevent another switch taking root
spanning-tree bpduguard enable // to prevent rouge switches from joining your network

Quality of Service

Limiting switch port ingress and egress traffic:

mls qos

ip access-list extended ACL_ALLTRAFFIC
permit ip any any

class-map match-all CLASS_ALLTRAFFIC
  match access-group name ACL_ALLTRAFFIC

    police 1250000 12500000 exceed-action drop

interface GigabitEthernet0/2
service-policy input POLICY_ALLTRAFFIC
srr-queue bandwidth limit 90

* The policy map 'POLICY_ALLTRAFFIC' allows a normal ingress operational speed of 10mbps and a burst rate of 100mbps. *

* The srr-queue limit statement is worked out as follows - for example if you have an interface speed of 1 Gigabit and you limit it to 90 - this then provides the end device 10% of the available bandwdith - in this case 100 Mbit. *

Setting up CoS / DSCP:

Services Configuration


conf t
username test privilage 15 secret $tr0ngPa$$w0rd!
aaa new-model
aaa authentication login default local
line console 0
login authentication default
line vty 0
login authentication default
ip domain-name yourdomain.local
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0
transport input ssh
ip access-list standard mgmt-ssh
10 permit <management-subnet> <management-wildcardmask>
20 deny any log
line vty 0
access-class mgmt-ssh in


vtp domain mydomain.internal
vtp version 3
vtp mode transparent // to reset revision number
vtp mode server OR client

vtp password xyz

SNMP v3:

ip access-list standard mgmt-snmp
1 permit
10 deny any log
snmp-server group snmp v3 auth access mgmt-snmp
snmp-server user snmp snmp v3 auth md5 <password>
snmp-server host version 3 auth snmp
snmp-server enable traps snmp linkdown linkup coldstart warmstart

SNMP v2c:

ip access-list standard mgmt-snmp
1 permit
10 deny any log
snmp-server view SNMPView iso included
snmp-server community <community-name> view SNMPView RO mgmt-snmp
snmp-server host <remote-server> version 2c <community-name>
snmp-server enable traps snmp linkdown linkup coldstart warmstart

Remote Logging:

logging // syslog server
logging buffered 64000 debug


ntp server prefer
ntp server
ntp server


radius server <friendly-name>
address ipv4 <ip-address>
key <shared-secret>

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local if-authenticated

aaa accounting system default start-stop group radius


no ip http server
no ip http secure-server
no ip domain-lookup
no service dhcp
no service pad
line vty 0
exec-timeout <minutes>
service tcp-keepalives-in
service tcp-keepalives-out

DHCP Snooping:
ip dhcp snooping
ip dhcp snooping vlan 100
# trust a server / port
int gi0/15
desc DHCP_Server
ip dhcp snooping trusted
no ip dhcp snooping information option # if using non-cisco DHCP server

Dynamic ARP Inspection
ip arp inspection vlan 100
show ip arp inspection vlan 100
# trust uplink interface
int g0/15
ip arp inspection trust
ip arp inspection log-buffer entries 512
int range gi0/1-48
ip arp inspection limit rate 100

IP Source Guard
int gi0/4
ip verify source
# exclusions

ip source binding 1111.2222.3333 vlan 100 interface gi0/20


Post a Comment