@404d
Created November 23, 2017 16:33
! vim:syntax=cisco
hostname HQ_S1
banner motd #Warning unauthorized access is not allowed#
! Hardening
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
vlan 10
name Employees
vlan 20
name Administration
vlan 30
name Marketing
vlan 40
name Customer_Service
vlan 50
name Sales
vlan 60
name Accounting
vlan 70
name Mechanics
vlan 80
name Guest
vlan 90
name Datacenter
vlan 99
name Management_VLAN
! AAA stuff
aaa new-model
aaa authentication login default local-case
aaa authorization exec default local
! Credentials
service password-encryption
enable secret 9 $9$NRmTG16rYded/k$qHlZsu.5rked29v8t/2bxmtDgTkLHmn4n/Ejm3yQPgk
username admin privilege 15 secret 9 $9$6zK0a.Lym9hr3U$yV1HV7s5vmd/vSlPb7bzknBYjAAQ4Kb8wXG.3DnJ7I2
username tech view LocalTech secret 9 $9$5CTK/OghdaJm31$o6pXQ.Vm.rYM9ehghnvazQkBbuQQRjgEuS0lM4Pt71c
! Write user
snmp-server group EVRY v3 priv write v1default
snmp-server user evry EVRY v3 auth sha EVRYPASSWD priv aes 128 EVRYPRIVPLS
! Read user
snmp-server group TECH v3 priv read v1default
snmp-server user tech TECH v3 auth sha TECHPASSWD priv aes 128 TECHPRIVPLS
login on-failure log every 1
login on-success log every 1
ip ssh version 2
ip domain-name cardealar.no
ip default-gateway 10.0.1.209
crypto key generate rsa modulus 2048
line con 0
! With aaa new-model enabled, lines take the AAA login list; "login local" is not accepted here
login authentication default
line vty 0 15
login authentication default
transport input ssh
! Management interface
interface Vlan99
description Management VLAN
! mac-address 0002.172e.6501
ip address 10.0.1.215 255.255.255.240
no shutdown
! Hardening
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Vlan1
shutdown
! Logging and monitoring
service timestamps log datetime localtime msec show-timezone year
logging host 10.0.1.218 transport udp port 514
logging origin-id hostname
! STP
spanning-tree mode rapid-pvst
! DHCP snooping
ip dhcp snooping
ip dhcp snooping vlan 40,60,70,99
! Failing to disable this makes the switch silently drop DHCP packets!
no ip dhcp snooping information option
! Trunks
interface GigabitEthernet0/1
description trunkToHQ_MLS1
switchport trunk native vlan 99
switchport trunk allowed vlan 10,20,30,40,50,60,70,80,90,99
switchport mode trunk
ip dhcp snooping trust
interface GigabitEthernet0/2
description trunkToHQ_MLS2
switchport trunk native vlan 99
switchport trunk allowed vlan 10,20,30,40,50,60,70,80,90,99
switchport mode trunk
ip dhcp snooping trust
! Common interface settings
interface range FastEthernet0/1 - 24
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 5
switchport port-security
switchport port-security maximum 5
switchport port-security violation restrict
switchport port-security mac-address sticky
! Access ports
interface range FastEthernet0/1 - 8
description Mechanics - Access port
switchport access vlan 70
interface range FastEthernet0/9 - 17
description Customer Service - Access port
switchport access vlan 40
interface range FastEthernet0/18 - 20
description Accounting - Access port
switchport access vlan 60
! Datacenter
interface range FastEthernet0/21 - 22
description Datacenter VLAN access port
switchport access vlan 90
! Management
interface range FastEthernet0/23 - 24
description Management VLAN access port
switchport access vlan 99
! Console views
parser view LocalTech
secret 5 $1$aD3t$Ear2zeQzhCJgepX2O34WT.
commands interface include shutdown
commands configure include interface
commands exec include all traceroute
commands exec include all ping
commands exec include configure terminal
commands exec include configure
commands exec include all show
commands exec include all debug
commands exec include no
commands configure include interface FastEthernet0/1
commands configure include interface FastEthernet0/2
! DNS and NTP
ip name-server 8.8.8.8
ntp logging
ntp authentication-key 1 md5 1354 7
ntp authenticate
ntp trusted-key 1
ntp update-calendar
ntp server 10.0.1.210 burst
ntp server 10.0.1.211 burst
clock timezone CET 1
end
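Added example, not part of the gist: a small Python audit that checks a switch running-config for some of the hardening properties this configuration applies (SSH-only vty lines, `no ip http server` and `no cdp run`, BPDU guard on access ports, DHCP snooping trust only on trunks, and a non-default native VLAN on trunks). It assumes `show running-config` style indentation for sub-commands rather than the flat script above; the sample excerpt and its deliberately non-compliant access port are constructed.

```python
# Constructed sample (running-config style): compliant vty block and trunk, access port lacking BPDU guard and wrongly trusted.
SAMPLE_CONFIG = """\
no ip http server
no cdp run
line vty 0 15
 login authentication default
 transport input ssh
interface GigabitEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 ip dhcp snooping trust
interface FastEthernet0/1
 switchport mode access
 ip dhcp snooping trust
"""

def parse_blocks(text):
    """Split a running-config into (global commands, {mode header: [sub-commands]})."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or comment
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())  # indented: sub-command of current mode
        else:
            current = raw.strip()
            blocks[current] = []
            global_cmds.append(current)
    return global_cmds, blocks

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, blocks = parse_blocks(text)
    findings = []
    for required in ("no ip http server", "no cdp run"):
        if required not in global_cmds:
            findings.append(f"global: missing '{required}'")
    for header, cmds in blocks.items():
        if header.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{header}: vty lines must be SSH-only")
        if header.startswith("interface") and "switchport mode access" in cmds:
            if "spanning-tree bpduguard enable" not in cmds:
                findings.append(f"{header}: access port without BPDU guard")
            if "ip dhcp snooping trust" in cmds:
                findings.append(f"{header}: access port trusted for DHCP snooping")
        if header.startswith("interface") and "switchport mode trunk" in cmds:
            native = [c for c in cmds if c.startswith("switchport trunk native vlan")]
            if not native or native[0].endswith(" 1"):
                findings.append(f"{header}: trunk native VLAN left at default")
    return findings
```

Run `audit()` over the output of `show running-config` saved to a file; each finding names the offending mode block so it can be traced back to the config.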