hostname EC-51-switch1
ip domain name mathiaspetit.be
crypto key generate rsa modulus 2048
ip ssh version 2
ip address 192.168.1.1 255.255.255.0
ip access-group dos in
no ip redirects (disable ICMP redirects)
no ip route-cache (disable fast switching)
no ip proxy-arp (prevent the switch or router from answering ARP requests on behalf of other hosts)
no ip unreachables (stop sending ICMP destination unreachable messages, which can reveal network topology)
no shut
exit
ntp server 192.168.120.1
ntp server 192.168.120.2
no ip name-server (clear dns server settings)
ip name-server 192.168.20.1
ip name-server 192.168.20.2
banner login ^ text ^
Disable WSMA
no wsma agent config
no wsma agent filesys
no wsma agent notify
no wsma agent exec
no wsma profile listener httplistener
no wsma profile listener httpslistener
Security Hardening ip & web services
no ip source-route (disable source routing)
no ip http server (disable the HTTP server)
no ip http secure-server (disable the HTTPS server)
no ip http authentication local (disable HTTP-based local authentication)
Syslog logging
logging host 123.4.123.1
logging host 123.4.123.2
logging host 172.30.40.111 transport udp port 5555
logging monitor informational
logging trap informational
no logging console
logging buffered 65536 informational
login on-failure log
VTY Line config remote access
line vty 0 4
exec-timeout 60 0
logging synchronous (prevent log messages from interrupting command input)
transport input ssh
transport output ssh
!
line vty 5 15
exec-timeout 60 0
logging synchronous (prevent log messages from interrupting command input)
transport input ssh
transport output ssh
Default route
ip default-gateway 192.168.0.254
Default STP
spanning-tree extend systemid (adds the vlan ID to the bridge ID used by STP)
spanning-tree portfast bpduguard default (enables BPDU guard on all portfast-enabled ports)
spanning-tree loopguard default (enables loop guard globally: a port stops moving to forwarding state if BPDUs unexpectedly stop arriving)
udld enable (enables unidirectional link detection)
MGMT services
no ip http server
no ip http secure-server
ip scp server enable (enables file transfer over SSH via SCP)
lldp run (starts the Link Layer Discovery Protocol)
snmp-server location sesam street, floor 13 Rack Rm M-Row (sets a description of the device's physical location)
snmp-server chassis-id SERIAL F1234556
ACL for VoIP/ Network Control
Extended ACLS allow UDP traffic in specific port ranges:
ip access-list extended Network_CONTROL_ACL
ip access-list extended VOICE_BEARER_ACL
remark Cisco VoIP, Cisco Telepresence, and Avaya VoIP phones
permit udp any any range 16384 32768 dscp 46
remark avaya road warrior
permit udp any any range 13001 13100 dscp 46
remark Nortel VoIP Phones
permit udp any any range 5200 5392 dscp 46
permit udp any any range 2300 2363 dscp 46
permit udp any any range 2001 2002 dscp 46
remark VTC Polycom mobile unit audio ports
permit udp any any range 12300 12399 dscp 46
remark Bluejeans RTP
permit udp any any range 5001 5999
AAA (Authentication, Authorization, Accounting)
aaa new-model (enables the AAA framework)
aaa group server tacacs+ EIT (creates a TACACS+ server group and adds two servers for authentication)
server name Server1
server name Server2
aaa authentication login default group tacacs+ enable (tries TACACS+ first, then falls back to the local enable password)
aaa authentication login no_tacacs enable (named method list: enable password only)
aaa authentication login aaatacacs group tacacs+ line (named method list: TACACS+, then the line password)
aaa authentication login console group tacacs+ enable none (named method list: TACACS+, then enable password, then no authentication at all as the last fallback)
aaa authentication login auxport line (named method list: line password only)
aaa authentication enable default group tacacs+ enable line (control enable mode access using TACACS+ first, then enable password, then line password)
aaa authorization exec default group tacacs+ if-authenticated (authorizes EXEC shell access via TACACS+; the following lines authorize individual commands per privilege level)
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+ (enables accounting logs via TACACS+ for exec sessions)
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
VLAN Config
vlan 2
name Users
vlan 5
name Admin
vlan 50
name MGMT
vlan 70
name Wireless_Network
Trunk port config
interface GigabitEthernet1/1/1
description Trunkport Twe1/0/5
switchport mode trunk
load-interval 30 (set the traffic statistics refresh rate to every 30 seconds for better troubleshooting)
logging event link-status
service-policy output QUEUING_OUT (applies the QoS policy named QUEUING_OUT to outbound traffic)
Access port config
interface range GigabitEthernet1/0/1 - 48
switchport access vlan 2
switchport voice vlan 500
switchport mode access
no logging event link-status
no snmp trap link-status
spanning-tree portfast
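One way to check a saved running-config against the hardening items in these notes, as an added example that is not part of the original page: a small Python audit that parses the IOS block structure and reports missing global commands, VTY lines not restricted to SSH, and login method lists that end in "none". SAMPLE_CONFIG is a constructed excerpt with deliberate gaps; REQUIRED_GLOBAL mirrors the commands above and is an assumption about which ones count as mandatory.

```python
# Added example (not from the original notes): audit an IOS config against the items above.
REQUIRED_GLOBAL = [  # global commands expected verbatim, mirroring the notes
    "aaa new-model", "ip ssh version 2", "no ip source-route",
    "no ip http server", "no ip http secure-server",
    "spanning-tree portfast bpduguard default", "login on-failure log",
]
# Constructed excerpt with deliberate gaps: HTTPS on, no login-failure logging,
# 'none' fallback on the console method list, telnet still allowed on vty 5-15.
SAMPLE_CONFIG = """\
aaa new-model
ip ssh version 2
no ip source-route
no ip http server
spanning-tree portfast bpduguard default
aaa authentication login console group tacacs+ enable none
line vty 0 4
 exec-timeout 60 0
 transport input ssh
line vty 5 15
 exec-timeout 60 0
 transport input telnet ssh
"""
def parse_blocks(config):
    """Split an IOS config into (header, [indented child lines]) tuples."""
    blocks, header, children = [], "", []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and IOS '!' separators
        if raw.startswith(" "):
            children.append(raw.strip())
        else:
            blocks.append((header, children))
            header, children = raw.strip(), []
    blocks.append((header, children))
    return blocks
def audit(config):
    """Return sorted findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    present = {h for h, _ in blocks}
    findings = [f"missing global command: {c}" for c in REQUIRED_GLOBAL if c not in present]
    for header, children in blocks:
        if header.startswith("line vty"):
            if "transport input ssh" not in children:
                findings.append(f"{header}: transport input not restricted to ssh")
            if not any(c.startswith("exec-timeout ") and c != "exec-timeout 0 0" for c in children):
                findings.append(f"{header}: no exec-timeout (or timeout disabled)")
        if header.startswith("aaa authentication login") and header.endswith(" none"):
            findings.append(f"{header}: method list falls back to 'none' (no authentication)")
    return sorted(findings)
```

Run `audit(open("running-config.txt").read())` against a config exported with `show running-config`; the matching is exact-line, so abbreviated commands in the export will show up as findings.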