10-15-2007 12:27 AM - edited 03-05-2019 07:05 PM
Hi,
we are trying to standardize our Network Devices in terms of global configuration for Switches, routers, Access Points, etc. and we have been trying to build the optimal config. Would you please comment on what you would change here?
Global Configuration:
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
hostname [hostname]
logging buffered 50000 warnings
logging monitor notifications
enable secret [secret password]
enable password [enable password]
username [Username] privilege 15 secret [PASSWORD]
aaa new-model
aaa authentication fail-message ^C
User Authentication has failed. If you are not an authorized user,
please disconnect immediately.
Any unauthorized access attempts will be investigated and will be
subject to prosecution under local laws and ordinances.
^C
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa authentication enable default group tacacs+ enable
aaa session-id common
clock timezone cet 1 [other's to be applied]
errdisable recovery cause all
errdisable recovery interval 900
ip subnet-zero
ip domain-name <DOMAIN SUFFIX APPLICABLE>
ip name-server (Central DNS Server of Region)
ip name-server (Central DNS Server of Region2)
login block-for 300 attempts 5 within 30
login on-failure log
login delay 2
spanning-tree mode pvst
spanning-tree logging
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
ip default-gateway [default gw IP]
ip classless
no service finger
no service tcp-small-servers
no service udp-small-servers
no service pad
no tftp-server
no service config
no boot network
no ip source-route
no ip finger
no ip identd
no ip http server
no ip http secure-server
logging trap warnings
logging facility auth
logging [CiscoWorks IP]
snmp-server community [read community] RO
snmp-server community [write community] RW
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps config
snmp-server host [ciscoworks IP] version 2c [read community]
snmp-server trap-authentication
tacacs-server host [Cisco ACS IP] key [encryption key - found in ACS]
tacacs-server host [Cisco ACS IP] key [encryption key - found in ACS]
tacacs-server timeout 10
radius-server source-ports 1645-1646
banner exec ^C
aaaaa
^C
banner login ^C
bbb
^C
banner motd ^CCddd
Global IT - IOS^C
ntp server [ntp ip address]
aaa authentication login CONSOLE local
line con 0
login authentication CONSOLE
session-timeout 10
line vty 0 4
password 7 [password]
session-timeout 10
line vty 5 15
password 7 [password]
session-timeout 10
!
10-15-2007 03:36 AM
Globalization on configuration, mmmhk, I guess this is one of the items where there will be many different opinions, so here are my comments :-)
Personally, I would prefer to see the local timezone in the local logging like you do, but others may like to see the GMT time in there. In all cases I would consider using NTP for time synchronization (seems to be missing in your template).
Also, if you are using timezones and NTP, you should set the daylight savings depending on the country the device is in (unless you like changing this manually each 6 months ;-))
clock summer-time
I would add a more meaningful motd banner that also warns that unauthorized login attempts will be logged.
I noticed the spanning-tree mode set for PVST, depending on the mix of switches you have in place or plan to have it may be worth looking into RPVST.
Depending on what security level you need, you may want to consider the following:
Setting up different local users with different levels of access and configure the associated privilege level commands.
Putting an access-list on your SNMP access
Just a couple of comments and thoughts.
HTH,
Leo
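The following IOS fragment is an added example that is not part of either post above; it shows one way to apply the three suggestions in the reply (daylight-saving rule with NTP, an access-list restricting SNMP to the management station, and a limited-privilege local user with its own enable secret) on top of the posted template. It assumes Central European time, ACL number 10, privilege level 5 and an operator account, all of which are choices for illustration; bracketed values follow the template's placeholder convention.

```cisco
! Time: timezone plus a recurring daylight-saving rule so the clock never needs a manual change
! (CET/CEST is assumed here; use the rule for the country the device sits in)
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ntp server [ntp ip address]
!
! SNMP: only the management station may poll or write; everything else is dropped and logged
access-list 10 remark SNMP management station only (ACL number 10 is an assumption)
access-list 10 permit host [ciscoworks IP]
access-list 10 deny any log
snmp-server community [read community] RO 10
snmp-server community [write community] RW 10
!
! Privilege levels: a level-5 operator account that can run show commands and clear counters
! but cannot enter configuration mode; the level-15 admin account from the template stays as is
username [Username] privilege 15 secret [PASSWORD]
username [operator user] privilege 5 secret [OPERATOR PASSWORD]
privilege exec level 5 show running-config
privilege exec level 5 show
privilege exec level 5 clear counters
enable secret level 5 [level-5 enable secret]
!
! Login banner that states access is restricted and that attempts are logged
banner motd ^C
Access to this device is restricted to authorized personnel.
All login attempts are logged; unauthorized attempts will be investigated.
^C
```

Moving `show` to level 5 also removes it from level 1, so any account expected to use show commands needs level 5 or higher; with `aaa authorization exec default group tacacs+ local` in the template, the privilege level assigned by the TACACS+ server takes precedence over the local value when the server is reachable.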