cisco_catalyst

Cisco Catalyst 2960G - Configuration

Cisco Catalyst 2960G - Configuration

Model: WS-C2960G-48TC-L
Version: Version 15.0(2)SE6

Management / network configuration

Configure IP

Configure management IP address on VLAN 10

conf t
interface vlan10
ip address 1.2.3.2 255.255.255.0
exit
ip default-gateway 1.2.3.1

Disable services

Disable VTP.
```
conf t
vtp mode off
```
Disable clustering.
```
no cluster run
```
Disable vstack.
```
no vstack
```
Disable DHCP.
```
no service dhcp
```

Disable HTTP/S server.

conf t
no ip http server
no ip http secure-server

Disable small services (echo, discard, chargen…).

no service tcp-small-servers
no service udp-small-servers

Disable finger.
```
no ip finger
```
Ignore bootp.
```
no ip dhcp bootp ignore
```
Disable DNS lookups.
```
no ip domain-lookup
```
Disable Packet Assembler/Disassembler (PAD).
```
no service pad
```
Prevent loading config from TFTP service.
```
no service config
```

Disable CDP and LLDP on untrusted interfaces.

conf t
interface range gigabitEthernet 0/2-48
no cdp enable
no lldp transmit
no lldp receive

Enable services

Keepalives for TCP Sessions.

conf t
service tcp-keepalives-in
service tcp-keepalives-out

Authenticated NTP

Enable NTP.

conf t
ntp authenticate
ntp authentication-key 150 md5 ticktock
ntp trusted-key 150
ntp server 1.2.3.50 key 150
ntp server 1.2.3.51 key 150
ntp source vlan10

Linux NTP server config example.

#ntp.conf
enable auth keys
keys /etc/ntp.keys
trustedkey 150

#ntp.keys
150 M ticktock

Meinberg LANTIME M200 server example.

Using the web interface.
- Go to tab 'NTP', then 'General Settings' 
- Local Trusted Keys: 150
- Go to 'NTP Symmetric keys', click 'Edit NTP MD5 keys'
- Add: '#1 MD5 EXAMPLE
        150 MD5 ticktock'
- Click Save Settings.

Verify NTP synchronisation.

#sh ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~95.97.208.29    .PZF.            1      7     64    57  1.093   2.708 440.38
+~95.97.208.30    .PPS.            1      4     64   167  1.141   3.547 190.44
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

#sh ntp status
Clock is synchronized, stratum 2, reference is 95.97.208.29
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is D7912CA6.D0C5123E (23:26:30.815 UTC Sat Aug 9 2014)
clock offset is 2.7081 msec, root delay is 1.09 msec
root dispersion is 7945.18 msec, peer dispersion is 440.38 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000010 s/s
system poll interval is 64, last update was 289 sec ago.

Deny client access to NTP server

Create access lists to deny client access

! NTP access control
ntp access-group query-only 1   ! deny all NTP control queries
ntp access-group serve 1        ! deny all NTP time and control queries by default
ntp access-group peer 10        ! permit time sync to configured peer(s)/server(s) only
ntp access-group serve-only 1   ! deny all sync requests
!
! access control lists (ACLs)
access-list 1 remark utility ACL to block everything
access-list 1 deny any
!
access-list 10 remark NTP peers/servers we sync to/with
access-list 10 permit 95.97.208.29
access-list 10 permit 95.97.208.30
access-list 10 deny any
!

Configure time zone

Configure time zone for the Netherlands.

conf t
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00

Verify.

sh clock detail
.01:36:47.946 CEST Sun Aug 10 2014
Time source is NTP
Summer time starts 02:00:00 CET Sun Mar 30 2014
Summer time ends 03:00:00 CEST Sun Oct 26 2014

Configure logging timestamps

Configure timestamps.

conf t
service sequence-numbers
service timestamps debug datetime localtime msec show-timezone
service timestamps log datetime localtime msec show-timezone

VLANs

Management

Configure gigabitEthernet 0/1 for VLAN 10 (management).

interface gigabitEthernet 0/1
no shut
switchport mode access
switchport access vlan 10
description Management

Native VLAN

Per default the native VLAN is VLAN 1. Change the native VLAN to the unused VLAN 20.

Change native VLAN to 20, for all interfaces

conf t
interface range gigabitEthernet 0/1-48
switchport trunk native vlan 20

Verify example:

sh interfaces gigabitEthernet 0/10 trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/10      auto             802.1q         other         20

Port        Vlans allowed on trunk
Gi0/10      none

Port        Vlans allowed and active in management domain
Gi0/10      none

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/10      none

VLAN 1

Shutdown VLAN 1.
```
conf t
interface vlan1
shutdown
```

Ports

Shutdown unused ports.
No negotiate (DTP)
Move them to an unused VLAN 20.

Configure the range of ports:

conf t
interface range gigabitEthernet 0/2-48
switchport mode access
switchport access vlan 20
switchport nonegotiate
shut

Verify.

#show interfaces status

Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1     Management         connected    10         a-full a-1000 10/100/1000BaseTX
Gi0/2                        disabled     20           auto   auto 10/100/1000BaseTX
Gi0/3                        disabled     20           auto   auto 10/100/1000BaseTX
Gi0/4                        disabled     20           auto   auto 10/100/1000BaseTX
Gi0/5                        disabled     20           auto   auto 10/100/1000BaseTX
Gi0/6                        disabled     20           auto   auto 10/100/1000BaseTX
Gi0/7                        disabled     20           auto   auto 10/100/1000BaseTX
Gi0/8                        disabled     20           auto   auto 10/100/1000BaseTX
Gi0/9                        disabled     20           auto   auto 10/100/1000BaseTX
...
<snip>

Access and authentication

PBKDF2 enable secret

Configure PBKDF2 enable secret

conf t
enable algorithm-type sha256 secret test12345

Configure serial console

When synchronous logging of unsolicited messages and debug command output is enabled, unsolicited device output appears on the console or printed after solicited device output appears or is printed. Unsolicited messages and debug command output appears on the console after the prompt for user input is returned. Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt.

Configure serial console
```
line console 0
logging sync
login local
```

Setup SSH / disable telnet

Ensure that you have configured a host and domain name.
```
sh run | include hostname
sh run | include domain-name
```

Generate the RSA Keys

config t
crypto key generate rsa
How many bits in the modulus [512]: 2048

Configure vty's, this will also disable telnet.
```
line vty 0 15
transport input ssh
login local
```

Configure the SSH server

conf t
ip ssh version 2
ip ssh time-out 30
ip ssh authentication-retries 3

Login banner

Configure login banner.

conf t
banner login $Access for authorized users only!

$
end

Configure users using strong password hashes

Thanks Dennis, for providing the correct syntax!

Configure users

config t
username example algorithm-type sha256 secret test1234
do sh run | i example
username example secret 8 $8$yJq4f/MpacJJ.r$ZeCjRxMd6b3qKDrZ5tozyx8IJSV5B8B./LTbVAljEoA

Login Password Retry Lockout

Configure AAA.

conf t
aaa new-model
aaa local authentication attempts max-fail 5
aaa authentication login default local

EXEC time-out

Configure EXEC time-out in 5 minutes.

conf t
line con 0
 exec-timeout 5
line vty 0 15
 exec-timeout 5

Logging

Disable logging to console

The switch does not check if a user is logged into the console port or a device (for example, a terminal) is attached to it; if console logging is enabled, messages are always sent to the console port (causing CPU load).
```
conf t
#no logging console
```
Or rate limit logging!

Log events to syslog

Event log to syslog.

conf t
logging <host>
logging trap <level>

Archive configuration

Configure automatic archiving.

conf t
archive
 path scp://<username>:<password>@<hostname>/<directory>/file-
 write-memory

SNMPv3

Create access list to prevent access from other hosts:

ip access-list standard SNMP
  permit host <ip-address monitoring host>
  deny any log

Configure SNMP Location & contact:

snmp-server location <location>
snmp-server contact <email address>

Configure SNMP View:
```
snmp-server view MIB-2 mib-2 included
```

Configure SNMP group:

snmp-server group READONLY v3 priv read MIB-2

Create SNMP user:

snmp-server user <username> READONLY v3 auth sha <passphrase> priv aes 128 <passphrase> access SNMP

To do

bpdu guard
Enable dhcp snooping
Dynamic arp inspection on access ports

Table of Contents