{{tag>[network cisco ios]}}
=====Cisco Catalyst 2960G - Configuration=====
* Model: [[http://www.cisco.com/c/en/us/support/switches/catalyst-2960g-48tc-l-switch/model.html#~rdtab0|WS-C2960G-48TC-L]]
* Version: 15.0(2)SE6
====Management / network configuration====
===Configure IP===
* Configure the management IP address and default gateway on VLAN 10.
<code>
conf t
interface vlan10
ip address 1.2.3.2 255.255.255.0
exit
ip default-gateway 1.2.3.1
</code>
===Disable services===
* Disable VTP.
<code>
conf t
vtp mode off
</code>
* Disable clustering.
<code>
no cluster run
</code>
* Disable Smart Install (vstack).
<code>
no vstack
</code>
* Disable the DHCP server.
<code>
no service dhcp
</code>
* Disable the HTTP and HTTPS servers.
<code>
conf t
no ip http server
no ip http secure-server
</code>
* Disable the small services (echo, discard, chargen, ...).
<code>
no service tcp-small-servers
no service udp-small-servers
</code>
* Disable finger.
<code>
no ip finger
</code>
* Ignore BOOTP requests (the command without ''no'' is the one that makes the DHCP server ignore them).
<code>
ip dhcp bootp ignore
</code>
* Disable DNS lookups.
<code>
no ip domain-lookup
</code>
* Disable the Packet Assembler/Disassembler (PAD) service.
<code>
no service pad
</code>
* Prevent loading the configuration from a TFTP server at boot.
<code>
no service config
</code>
* Disable CDP and LLDP on untrusted interfaces (every port except the management port Gi0/1).
<code>
conf t
interface range gigabitEthernet 0/2-48
no cdp enable
no lldp transmit
no lldp receive
</code>
===Enable services===
* Enable keepalives for TCP sessions, so that dead sessions are detected and closed.
<code>
conf t
service tcp-keepalives-in
service tcp-keepalives-out
</code>
===Authenticated NTP===
* Enable NTP with MD5 authentication; the key id (150) and the key itself must match on the servers.
<code>
conf t
ntp authenticate
ntp authentication-key 150 md5 ticktock
ntp trusted-key 150
ntp server 1.2.3.50 key 150
ntp server 1.2.3.51 key 150
ntp source vlan10
</code>
* Linux NTP server configuration example (''enable auth'' and ''keys'' are separate directives in ntp.conf).
<code>
# ntp.conf
enable auth
keys /etc/ntp.keys
trustedkey 150
</code>
<code>
# ntp.keys (key id, type M = MD5, key)
150 M ticktock
</code>
* Meinberg LANTIME M200 server example, using the web interface:
  - Go to the tab 'NTP', then 'General Settings'.
  - Set 'Local Trusted Keys' to 150.
  - Go to 'NTP Symmetric keys' and click 'Edit NTP MD5 keys'.
  - Add the line '#1 MD5 EXAMPLE' followed by the line '150 MD5 ticktock'.
  - Click 'Save Settings'.
* Verify NTP synchronisation.
<code>
#sh ntp associations
  address         ref clock     st   when   poll reach  delay  offset    disp
*~95.97.208.29    .PZF.          1      7     64    57  1.093   2.708  440.38
+~95.97.208.30    .PPS.          1      4     64   167  1.141   3.547  190.44
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
#sh ntp status
Clock is synchronized, stratum 2, reference is 95.97.208.29
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is D7912CA6.D0C5123E (23:26:30.815 UTC Sat Aug 9 2014)
clock offset is 2.7081 msec, root delay is 1.09 msec
root dispersion is 7945.18 msec, peer dispersion is 440.38 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000010 s/s
system poll interval is 64, last update was 289 sec ago.
</code>
===Deny client access to NTP server===
* Create access lists so that the switch only exchanges time with the configured servers and rejects time and control requests from everyone else. The addresses permitted in ACL 10 must be the servers configured with ''ntp server''.
<code>
! NTP access control
! deny all NTP control queries
ntp access-group query-only 1
! deny all NTP time and control queries by default
ntp access-group serve 1
! permit time sync to configured peer(s)/server(s) only
ntp access-group peer 10
! deny all sync requests
ntp access-group serve-only 1
!
! access control lists (ACLs)
access-list 1 remark utility ACL to block everything
access-list 1 deny any
!
access-list 10 remark NTP peers/servers we sync to/with
access-list 10 permit 95.97.208.29
access-list 10 permit 95.97.208.30
access-list 10 deny any
!
</code>
===Configure time zone===
* Configure the time zone for the Netherlands (CET, with recurring CEST summer time).
<code>
conf t
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
</code>
* Verify.
<code>
sh clock detail
.01:36:47.946 CEST Sun Aug 10 2014
Time source is NTP
Summer time starts 02:00:00 CET Sun Mar 30 2014
Summer time ends 03:00:00 CEST Sun Oct 26 2014
</code>
===Configure logging timestamps===
* Configure sequence numbers and local-time timestamps (with milliseconds and time zone) on log and debug messages.
<code>
conf t
service sequence-numbers
service timestamps debug datetime localtime msec show-timezone
service timestamps log datetime localtime msec show-timezone
</code>
====VLANs====
===Management===
* Configure gigabitEthernet 0/1 as the access port for VLAN 10 (management).
<code>
interface gigabitEthernet 0/1
no shut
switchport mode access
switchport access vlan 10
description Management
</code>
===Native VLAN===
//By default the native VLAN is VLAN 1. Change the native VLAN to the unused VLAN 20.//
* Change the native VLAN to 20 on all interfaces.
<code>
conf t
interface range gigabitEthernet 0/1-48
switchport trunk native vlan 20
</code>
* Verify (example for Gi0/10).
<code>
sh interfaces gigabitEthernet 0/10 trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/10      auto         802.1q         other         20

Port        Vlans allowed on trunk
Gi0/10      none

Port        Vlans allowed and active in management domain
Gi0/10      none

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/10      none
</code>
===VLAN 1===
* Shut down the VLAN 1 interface.
<code>
conf t
interface vlan1
shutdown
</code>
====Ports====
* Shut down unused ports.
* Disable DTP negotiation.
* Move them to the unused VLAN 20.
* Configure the range of ports:
<code>
conf t
interface range gigabitEthernet 0/2-48
switchport mode access
switchport access vlan 20
switchport nonegotiate
shut
</code>
* Verify.
<code>
#show interfaces status
Port      Name          Status       Vlan       Duplex  Speed Type
Gi0/1     Management    connected    10         a-full a-1000 10/100/1000BaseTX
Gi0/2                   disabled     20           auto   auto 10/100/1000BaseTX
Gi0/3                   disabled     20           auto   auto 10/100/1000BaseTX
Gi0/4                   disabled     20           auto   auto 10/100/1000BaseTX
Gi0/5                   disabled     20           auto   auto 10/100/1000BaseTX
Gi0/6                   disabled     20           auto   auto 10/100/1000BaseTX
Gi0/7                   disabled     20           auto   auto 10/100/1000BaseTX
Gi0/8                   disabled     20           auto   auto 10/100/1000BaseTX
Gi0/9                   disabled     20           auto   auto 10/100/1000BaseTX
...
</code>
====Access and authentication====
===PBKDF2 enable secret===
* Configure a PBKDF2 (type 8) enable secret.
<code>
conf t
enable algorithm-type sha256 secret test12345
</code>
===Configure serial console===
//When synchronous logging of unsolicited messages and debug command output is enabled, unsolicited device output appears on the console or is printed after solicited device output appears or is printed. Unsolicited messages and debug command output appear on the console after the prompt for user input is returned. Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt.//
* Configure the serial console.
<code>
line console 0
logging synchronous
login local
</code>
===Setup SSH / disable telnet===
* Ensure that a host name and a domain name are configured; both are needed to generate the RSA key pair.
<code>
sh run | include hostname
sh run | include domain-name
</code>
* Generate the RSA key pair.
<code>
conf t
crypto key generate rsa
How many bits in the modulus [512]: 2048
</code>
* Configure the vty lines; restricting the transport to SSH also disables telnet.
<code>
line vty 0 15
transport input ssh
login local
</code>
* Configure the SSH server.
<code>
conf t
ip ssh version 2
ip ssh time-out 30
ip ssh authentication-retries 3
</code>
===Login banner===
* Configure the login banner.
<code>
conf t
banner login $Access for authorized users only!
$
end
</code>
===Configure users using strong password hashes===
//Thanks [[http://www.cook-security.nl|Dennis]], for providing the correct syntax!//
* Configure users; the hash stored in the running configuration is type 8 (PBKDF2-SHA256).
<code>
conf t
username example algorithm-type sha256 secret test1234
do sh run | i example
username example secret 8 $8$yJq4f/MpacJJ.r$ZeCjRxMd6b3qKDrZ5tozyx8IJSV5B8B./LTbVAljEoA
</code>
===Login Password Retry Lockout===
* Configure AAA with local authentication and lock the account after 5 failed login attempts.
<code>
conf t
aaa new-model
aaa local authentication attempts max-fail 5
aaa authentication login default local
</code>
===EXEC time-out===
* Set the EXEC time-out to 5 minutes on the console and the vty lines.
<code>
conf t
line con 0
exec-timeout 5
line vty 0 15
exec-timeout 5
</code>
====Logging====
===Disable logging to console===
* The switch does not check whether a user is logged in on the console port or whether a device (for example, a terminal) is attached to it; if console logging is enabled, messages are always sent to the console port, which causes CPU load.
<code>
conf t
no logging console
</code>
* Alternatively, rate-limit console logging instead of disabling it.
===Log events to syslog===
* Send event logs to a syslog server.
<code>
conf t
logging
logging trap
</code>
===Archive configuration===
* Configure automatic archiving of the configuration on every ''write memory''.
<code>
conf t
archive
path scp://:@//file-
write-memory
</code>
====SNMPv3====
* Create an access list so that only the permitted host can reach SNMP; other attempts are denied and logged.
<code>
ip access-list standard SNMP
permit host
deny any log
</code>
* Configure the SNMP location and contact.
<code>
snmp-server location
snmp-server contact
</code>
* Configure an SNMP view limited to MIB-2.
<code>
snmp-server view MIB-2 mib-2 included
</code>
* Configure a read-only SNMPv3 group that requires authentication and privacy (''priv'').
<code>
snmp-server group READONLY v3 priv read MIB-2
</code>
* Create the SNMPv3 user (SHA authentication, AES-128 privacy, restricted by the SNMP access list).
<code>
snmp-server user READONLY v3 auth sha priv aes 128 access SNMP
</code>
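As an added example (not part of this page and not a Cisco tool), a small Python script that audits a saved ''show running-config'' against a subset of the hardening statements above, so drift from this baseline can be spotted without logging in to each switch. The sample configuration embedded in it is constructed, and the list of checks is an assumption to be extended to the full set on this page.

```python
import re

# Constructed sample of "show running-config" output (not from a real device).
SAMPLE_CONFIG = """\
service timestamps log datetime localtime msec show-timezone
no service pad
ip http server
no ip http secure-server
ntp authenticate
interface Vlan1
 shutdown
line vty 0 15
 transport input ssh
 login local
"""

# (block header regex, or None for global lines; regex a line must match; description)
CHECKS = [
    (None, r"^no ip http server$", "HTTP server disabled"),
    (None, r"^no ip http secure-server$", "HTTPS server disabled"),
    (None, r"^service tcp-keepalives-out$", "TCP keepalives out"),
    (None, r"^ntp authenticate$", "NTP authentication enabled"),
    (None, r"^ip ssh version 2$", "SSH restricted to version 2"),
    (None, r"^aaa local authentication attempts max-fail \d+$", "login lockout set"),
    (r"^interface Vlan1$", r"^shutdown$", "VLAN 1 interface shut down"),
    (r"^line vty ", r"^transport input ssh$", "every vty block is SSH-only"),
]

def parse_sections(config):
    """Group a running-config into {block header: [indented child lines]}; "" holds global lines."""
    sections, current = {"": []}, ""
    for raw in config.splitlines():
        if raw.startswith(" "):            # indented line belongs to the open block
            sections[current].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            current = raw.strip()          # a top-level line opens a (possibly empty) block
            sections.setdefault(current, [])
            sections[""].append(current)
    return sections

def audit(config):
    """Return descriptions of the baseline checks the config fails, in CHECKS order."""
    sections, failures = parse_sections(config), []
    for block_re, line_re, desc in CHECKS:
        # Every matching block (e.g. both "line vty 0 4" and "line vty 5 15") must contain the line; a missing block fails too.
        blocks = [""] if block_re is None else [h for h in sections if re.match(block_re, h)]
        if not blocks or not all(any(re.match(line_re, ln) for ln in sections[b]) for b in blocks):
            failures.append(desc)
    return failures
```

Running ''audit(SAMPLE_CONFIG)'' on the constructed sample reports the HTTP server, the outbound TCP keepalives, the SSH version restriction and the login lockout as missing.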
====To do====
* BPDU guard
* Enable DHCP snooping
* Dynamic ARP inspection on access ports