Global Configuration
Spanning TreeConfigure the root bridges for your VLANs:
conf t
spanning-tree vlan 123 root primary
For access switches we can utilize uplink fast:
spanning-tree uplinkfast
Port Configuration
PC Client Access Port:
Features: Sticky Ports, DAI, IP Source Guard, Storm Control
int gix/y/z
ip addr 1.2.3.4 255.255.255.0
switchport mode access
switchport access vlan 123
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable / spanning-tree bpdufilter enable
OR
spanning-tree guard root
OR
spanning-tree guard root
switchport nonegotiate
no cdp enable
storm-control broadcast level 10.00
storm-control action trap || shutdown
Trunk Port:
int gix/y/z
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 1000
switchport trunk allowed vlan 10,11,12,13
switchport nonegotiate
storm-control broadcast level 10.00
storm-control action trap OR shutdown
no cdp enable
with aggregation:
channel-protocol lacp
channel-group 10 mode active
port-channel load-balance dst-ip | src-ip etc.
with aggregation:
channel-protocol lacp
channel-group 10 mode active
port-channel load-balance dst-ip | src-ip etc.
and optional -
spanning-tree portfast trunk // in circumstances where link aggregation is in place without LACP or PAgP.
spanning-tree guard root // where necessary to prevent another switch taking root
spanning-tree bpduguard enable // to prevent rouge switches from joining your network
Quality of Service
Limiting switch port ingress and egress traffic:mls qos
ip access-list extended ACL_ALLTRAFFIC
permit ip any any
class-map match-all CLASS_ALLTRAFFIC
match access-group name ACL_ALLTRAFFIC
policy-map POLICY_ALLTRAFFIC
class CLASS_ALLTRAFFIC
police 1250000 12500000 exceed-action drop
interface GigabitEthernet0/2
service-policy input POLICY_ALLTRAFFIC
srr-queue bandwidth limit 90
* The policy map 'POLICY_ALLTRAFFIC' allows a normal ingress operational speed of 10mbps and a burst rate of 100mbps. *
* The srr-queue limit statement is worked out as follows - for example if you have an interface speed of 1 Gigabit and you limit it to 90 - this then provides the end device 10% of the available bandwdith - in this case 100 Mbit. *
Setting up CoS / DSCP:
http://blog.manton.im/2017/05/setting-up-qos-on-cisco-2960x-3650-x.html
Services Configuration
SSH / AAA:
conf t
username test privilage 15 secret $tr0ngPa$$w0rd!
aaa new-model
aaa authentication login default local
line console 0
login authentication default
line vty 0
login authentication default
ip domain-name yourdomain.local
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0
transport input ssh
ip access-list standard mgmt-ssh
10 permit <management-subnet> <management-wildcardmask>
20 deny any log
line vty 0
access-class mgmt-ssh in
VTP:
vtp domain mydomain.internal
vtp version 3
vtp mode transparent // to reset revision number
vtp mode server OR client
vtp password xyz
VTP:
vtp domain mydomain.internal
vtp version 3
vtp mode transparent // to reset revision number
vtp mode server OR client
vtp password xyz
SNMP v3:
ip access-list standard mgmt-snmp
1 permit 10.0.0.0 0.0.0.255
10 deny any log
snmp-server group snmp v3 auth access mgmt-snmp
snmp-server user snmp snmp v3 auth md5 <password>
snmp-server host 10.0.2.75 version 3 auth snmp
snmp-server enable traps snmp linkdown linkup coldstart warmstart
SNMP v2c:
ip access-list standard mgmt-snmp
1 permit 10.0.0.0 0.0.0.255
10 deny any log
snmp-server view SNMPView iso included
snmp-server community <community-name> view SNMPView RO mgmt-snmp
snmp-server host <remote-server> version 2c <community-name>
snmp-server enable traps snmp linkdown linkup coldstart warmstart
1 permit 10.0.0.0 0.0.0.255
10 deny any log
snmp-server group snmp v3 auth access mgmt-snmp
snmp-server user snmp snmp v3 auth md5 <password>
snmp-server host 10.0.2.75 version 3 auth snmp
snmp-server enable traps snmp linkdown linkup coldstart warmstart
SNMP v2c:
ip access-list standard mgmt-snmp
1 permit 10.0.0.0 0.0.0.255
10 deny any log
snmp-server view SNMPView iso included
snmp-server community <community-name> view SNMPView RO mgmt-snmp
snmp-server host <remote-server> version 2c <community-name>
snmp-server enable traps snmp linkdown linkup coldstart warmstart
Remote Logging:
logging 1.2.3.4 // syslog server
logging buffered 64000 debug
NTP:
ntp server 81.168.77.149 prefer
ntp server 194.164.127.6
ntp server 194.164.127.4
RADIUS:
radius server <friendly-name>
address ipv4 <ip-address>
key <shared-secret>
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local if-authenticated
aaa accounting system default start-stop group radius
RADIUS:
radius server <friendly-name>
address ipv4 <ip-address>
key <shared-secret>
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local if-authenticated
aaa accounting system default start-stop group radius
Hardening:
no ip http server
no ip http secure-server
no ip domain-lookup
no service dhcp
no service pad
line vty 0
exec-timeout <minutes>
service tcp-keepalives-in
service tcp-keepalives-out
DHCP Snooping:
ip dhcp snooping
ip dhcp snooping vlan 100
# trust a server / port
int gi0/15
desc DHCP_Server
ip dhcp snooping trusted
no ip dhcp snooping information option # if using non-cisco DHCP server
Dynamic ARP Inspection
ip arp inspection vlan 100
show ip arp inspection vlan 100
# trust uplink interface
int g0/15
ip arp inspection trust
exit
ip arp inspection log-buffer entries 512
int range gi0/1-48
ip arp inspection limit rate 100
IP Source Guard
int gi0/4
ip verify source
# exclusions
ip source binding 1111.2222.3333 vlan 100 1.2.3.4 interface gi0/20
DHCP Snooping:
ip dhcp snooping
ip dhcp snooping vlan 100
# trust a server / port
int gi0/15
desc DHCP_Server
ip dhcp snooping trusted
no ip dhcp snooping information option # if using non-cisco DHCP server
Dynamic ARP Inspection
ip arp inspection vlan 100
show ip arp inspection vlan 100
# trust uplink interface
int g0/15
ip arp inspection trust
exit
ip arp inspection log-buffer entries 512
int range gi0/1-48
ip arp inspection limit rate 100
IP Source Guard
int gi0/4
ip verify source
# exclusions
ip source binding 1111.2222.3333 vlan 100 1.2.3.4 interface gi0/20
0 comments:
Post a Comment