Created
November 23, 2017 16:33
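! vim:syntax=cisco
! HQ_S1 - Layer-2 access switch bootstrap config.
! The listing is meant to be pasted top to bottom, so ordering matters in the
! SSH section: the RSA key pair must exist before 'ip ssh version 2' is accepted.
hostname HQ_S1
banner motd #Warning unauthorized access is not allowed#
! Hardening: legacy services, discovery and IP options the switch does not need
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
! VLAN database (99 carries the management SVI below)
vlan 10
 name Employees
vlan 20
 name Administration
vlan 30
 name Marketing
vlan 40
 name Customer_Service
vlan 50
 name Sales
vlan 60
 name Accounting
vlan 70
 name Mechanics
vlan 80
 name Guest
vlan 90
 name Datacenter
vlan 99
 name Management_VLAN
! AAA: local user database, case-sensitive usernames, exec authorization from the same database
aaa new-model
aaa authentication login default local-case
aaa authorization exec default local
! Credentials (type-9 scrypt secrets). These hashes are published together with this
! listing, so rotate them before the config is used on a real device.
service password-encryption
enable secret 9 $9$NRmTG16rYded/k$qHlZsu.5rked29v8t/2bxmtDgTkLHmn4n/Ejm3yQPgk
username admin privilege 15 secret 9 $9$6zK0a.Lym9hr3U$yV1HV7s5vmd/vSlPb7bzknBYjAAQ4Kb8wXG.3DnJ7I2
username tech view LocalTech secret 9 $9$5CTK/OghdaJm31$o6pXQ.Vm.rYM9ehghnvazQkBbuQQRjgEuS0lM4Pt71c
! SNMPv3 write user. The auth/priv passphrases here are placeholders - replace them.
! IOS does not echo 'snmp-server user' lines back into the running-config, so keep the
! real values in the secrets store, not only on the box.
snmp-server group EVRY v3 priv write v1default
snmp-server user evry EVRY v3 auth sha EVRYPASSWD priv aes 128 EVRYPRIVPLS
! SNMPv3 read user
snmp-server group TECH v3 priv read v1default
snmp-server user tech TECH v3 auth sha TECHPASSWD priv aes 128 TECHPRIVPLS
! Log every login attempt (success and failure) to the syslog host configured below.
! No 'login block-for' is set, so repeated failures are logged but not throttled.
login on-failure log every 1
login on-success log every 1
! SSH: hostname (above) and domain name must be set before the key pair is generated,
! and the key pair must exist before 'ip ssh version 2' is accepted, so that command
! comes last in this section.
ip domain-name cardealar.no
ip default-gateway 10.0.1.209
crypto key generate rsa modulus 2048
ip ssh version 2
! Lines. Under 'aaa new-model' the default login list (local-case) already applies to
! every line; the 'login local' entries are kept for readability but may be rejected or
! ignored on some releases. The IOS default exec-timeout of 10 minutes is left in place.
! No 'access-class' limits which sources may open the vty - add one scoped to the
! management subnet if the topology allows it.
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
! Management SVI
interface Vlan99
 description Management VLAN
 ! mac-address 0002.172e.6501
 ip address 10.0.1.215 255.255.255.240
 no shutdown
 ! Hardening: no ICMP helper behaviour on the management SVI
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
! VLAN 1 is unused; keep its SVI down
interface Vlan1
 shutdown
! Logging and monitoring (plain UDP syslog to a collector on the management subnet)
service timestamps log datetime localtime msec show-timezone year
logging host 10.0.1.218 transport udp port 514
logging origin-id hostname
! STP
spanning-tree mode rapid-pvst
! DHCP snooping on the VLANs that have access ports on this switch
ip dhcp snooping
ip dhcp snooping vlan 40,60,70,99
! Failing to disable this will make DHCP packets be silently dropped by the switch!
no ip dhcp snooping information option
! Trunks to the two distribution switches (trusted for DHCP snooping).
! NOTE(review): the native VLAN is the management VLAN 99, so untagged frames arriving on
! a trunk land in the management VLAN. A dedicated, otherwise unused native VLAN is the
! usual hardening, but changing it on this switch alone would create a native-VLAN
! mismatch with HQ_MLS1/HQ_MLS2 - change both ends together.
interface GigabitEthernet0/1
 description trunkToHQ_MLS1
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,40,50,60,70,80,90,99
 switchport mode trunk
 ip dhcp snooping trust
interface GigabitEthernet0/2
 description trunkToHQ_MLS2
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,40,50,60,70,80,90,99
 switchport mode trunk
 ip dhcp snooping trust
! Common access-port settings: edge ports with BPDU guard, a DHCP rate limit and
! sticky port-security (restrict = drop and log, do not err-disable)
interface range fast0/1-24
 switchport mode access
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 5
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security mac-address sticky
! Access ports
interface range FastEthernet0/1-8
 description Mechanics - Access port
 switchport access vlan 70
interface range FastEthernet0/9-17
 description Customer Service - Access port
 switchport access vlan 40
interface range FastEthernet0/18-20
 description Accounting - Access port
 switchport access vlan 60
! Datacenter
interface range Fast0/21-22
 description Datacenter VLAN access port
 switchport access vlan 90
! Management
interface range Fast0/23-24
 description Management VLAN access port
 switchport access vlan 99
! Restricted CLI view used by the 'tech' user.
! NOTE(review): 'commands configure include interface' admits every interface, so the two
! FastEthernet0/1-2 entries at the end of the view add nothing; if the view is meant to
! reach only those two ports, drop the generic line instead. 'include all debug' is a
! broad grant for a restricted view. The view secret is type 5 (MD5); if the platform
! accepts it, use the same type-9 scrypt as the enable secret.
parser view LocalTech
 secret 5 $1$aD3t$Ear2zeQzhCJgepX2O34WT.
 commands interface include shutdown
 commands configure include interface
 commands exec include all traceroute
 commands exec include all ping
 commands exec include configure terminal
 commands exec include configure
 commands exec include all show
 commands exec include all debug
 commands exec include no
 commands configure include interface FastEthernet0/1
 commands configure include interface FastEthernet0/2
! DNS
ip name-server 8.8.8.8
! NTP, authenticated. Each 'ntp server' line must reference the trusted key: without
! 'key 1' the request leaves unauthenticated and, with 'ntp authenticate' on, the
! unauthenticated reply is rejected and the clock never syncs.
ntp logging
! NOTE(review): a four-digit type-7 string encodes only a single-character key. Replace it
! by entering a long plaintext key ('ntp authentication-key 1 md5 <KEY>');
! service password-encryption stores it as type 7.
ntp authentication-key 1 md5 1354 7
ntp authenticate
ntp trusted-key 1
ntp update-calendar
ntp server 10.0.1.210 key 1 burst
ntp server 10.0.1.211 key 1 burst
clock timezone CET 1
end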