system-view
!
!##### Standardize Login Banner #####
header login #
*****************************************************************************
!!! WARNING! ONLY AUTHORIZED USERS ARE ALLOWED TO LOGIN UNDER PENALTY OF LAW !!!
<additional_banner_text_here>
*****************************************************************************
#
!
!
!##### Disable other banners not needed #####
undo copyright-info enable
undo header motd
undo header legal
undo header incoming
undo header shell
!
!
!##### Disable Unnecessary Services #####
undo ip http enable
undo telnet server enable
!
!
!##### SSH Configuration #####
ssh server enable
ssh server authentication-retries 3
ssh server authentication-timeout 60
!
!#### Optional: Generate SSH keys ####
!# WARNING! SSH keys should be created
!# if this is a pristine network device (out of the box)
public-key local create dsa 1024
!
public-key local create rsa 1024
!
!
!##### Configure Local Administrator Account #####
local-user admin
!# WARNING! Enter the password here in clear text (the configuration will save it encrypted)
password cipher <admin_password>
authorization-attribute level 3
service-type ssh terminal
quit
!
!##### Configure Super (enable) Password #####
!# WARNING! Enter the password here in clear text (the configuration will save it encrypted)
super password level 3 cipher <super_password>
!
!
!##### Define Management Access-lists (ACLs) #####
!# WARNING! These ACLs are required to restrict access to the network device
acl number 2000 name Remote-Management-ACL
rule 10 remark # Network Administrator Workstation #
rule 10 permit source <admin_workstation_ip> 0
!# place additional rules if needed
quit
!
acl number 2001 name SNMP-Management-ACL
rule 10 remark # Network Monitoring Server #
rule 10 permit source <monitoring_server_ip> 0
!# place additional rules if needed
quit
!
!
!##### Device Login Access Configuration #####
! Secure remote access (only SSH allowed)
user-interface vty 0 15
undo user privilege level
authentication-mode scheme
protocol inbound ssh
!# WARNING! Enable the ACL below only once it is confirmed operational, to prevent lockout
!acl 2000 inbound
quit
!
! Secure auxiliary access
user-interface aux 0
authentication-mode scheme
quit
!
! Secure console access
user-interface con 0
authentication-mode scheme
quit
!
!
!##### Syslog Configuration #####
info-center enable
info-center loghost <syslog_server_ip>
info-center logbuffer size 1024
info-center trapbuffer size 1024
info-center timestamp loghost no-year-date
!
!
!##### SNMP version2 Configuration #####
snmp-agent
snmp-agent sys-info version v2c
snmp-agent sys-info location <device_location>
snmp-agent sys-info contact <device_administrator_contact_information>
snmp-agent community read <snmp_read_community_string> acl 2001
snmp-agent community write <snmp_write_community_string> acl 2001
!
!##### Timezone & NTP Configuration #####
!# WARNING! Important for troubleshooting and correlating network incidents
clock timezone <time_zone_string> [add/minus] <hour_offset>
ntp-service unicast-server <ntp_server_ip>
!
!
!##### Exit System-View mode #####
return
!
!##### Additional Hardening Notes #####
!# LLDP should not be enabled globally; enable it only on trusted interfaces.
!# Unnecessary services should be disabled: DHCP, DNS.
!# The following services must be disabled: HTTP, Telnet.
!# Timeout settings: exec timeout, idle-timeout.
!# Banners: warning banners.
!# Timestamps: logging timestamps.
!# Configuration change notification should be enabled in logging: snmp-agent trap enable
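The template above is applied by hand, so the useful follow-up check is whether a device's running configuration actually reflects it. The script below is an added example, not part of the original template: it parses the text of a Comware-style `display current-configuration` (one-space indentation under the command that opened a view, `#` lines separating sections) and reports which hardening items are missing. The sample configuration embedded in it is constructed for the demo (the sysname, addresses and community strings are made up); the check names, the ACL numbers 2000/2001 and the command strings follow the template and the hardening notes.

```python
"""Audit a Comware-style running configuration against the hardening template.

Added example; not code from the original template. Assumes the config text
uses Comware's layout: view-opening commands unindented, their sub-commands
indented by one space, '#' lines separating sections.
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (context, command); context is "" for system-view commands

# Constructed sample: most of the template applied, but Telnet is still on, the
# SNMP write community has no ACL, and the VTY lines have no idle-timeout.
SAMPLE_CONFIG = """\
#
 sysname CORE-SW1
#
 undo ip http enable
 telnet server enable
 ssh server enable
 ssh server authentication-retries 3
#
acl number 2000 name Remote-Management-ACL
 rule 10 permit source 10.0.0.5 0
#
acl number 2001 name SNMP-Management-ACL
 rule 10 permit source 10.0.0.20 0
#
user-interface vty 0 15
 authentication-mode scheme
 protocol inbound ssh
 acl 2000 inbound
#
 snmp-agent
 snmp-agent community read public acl 2001
 snmp-agent community write private
 info-center loghost 10.0.0.30
 ntp-service unicast-server 10.0.0.40
#
return
"""


def parse_config(text: str) -> List[Entry]:
    """Flatten the config into (context, command) pairs.

    An unindented line opens a view and becomes the context for the indented
    lines that follow it; a '#' line (or blank line) closes the view.
    """
    entries: List[Entry] = []
    context = ""
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "#":
            context = ""
            continue
        if raw.startswith(" "):
            entries.append((context, cmd))
        else:
            context = cmd
            entries.append(("", cmd))
    return entries


def mgmt_acl_host_only(entries: List[Entry], vty_cmds: set) -> bool:
    """True when the ACL bound inbound on the VTY lines exists and every permit
    rule in it names a single host (wildcard 0), as the template does."""
    bound = [m.group(1) for m in (re.fullmatch(r"acl (\d+) inbound", c) for c in vty_cmds) if m]
    if not bound:
        return False
    rules = [cmd for ctx, cmd in entries
             if ctx.split()[:3] == ["acl", "number", bound[0]] and " permit " in cmd]
    if not rules:
        return False
    for rule in rules:
        m = re.search(r"source (\S+) (\S+)$", rule)
        if not m or m.group(2) not in ("0", "0.0.0.0"):
            return False
    return True


def audit(entries: List[Entry]) -> Dict[str, bool]:
    """Evaluate each template item; True means the device satisfies it."""
    system = {cmd for ctx, cmd in entries if ctx == ""}
    vty = {cmd for ctx, cmd in entries if ctx.startswith("user-interface vty")}
    communities = [c for c in system if c.startswith("snmp-agent community ")]
    return {
        "http_disabled": "undo ip http enable" in system,
        "telnet_disabled": "telnet server enable" not in system,
        "ssh_enabled": "ssh server enable" in system,
        "vty_scheme_auth": "authentication-mode scheme" in vty,
        "vty_ssh_only": "protocol inbound ssh" in vty,
        "vty_acl_applied": any(re.fullmatch(r"acl \d+ inbound", c) for c in vty),
        "vty_idle_timeout": any(c.startswith("idle-timeout ") for c in vty),
        "snmp_communities_acl_bound": bool(communities)
        and all(re.search(r" acl \d+$", c) for c in communities),
        "syslog_host_set": any(c.startswith("info-center loghost ") for c in system),
        "ntp_server_set": any(c.startswith("ntp-service unicast-server ") for c in system),
        "mgmt_acl_host_only": mgmt_acl_host_only(entries, vty),
    }


def failures(entries: List[Entry]) -> List[str]:
    """Names of the checks the configuration fails, sorted for stable output."""
    return sorted(name for name, ok in audit(entries).items() if not ok)


if __name__ == "__main__":
    for name in failures(parse_config(SAMPLE_CONFIG)):
        print(f"FAIL {name}")
```

Run against the embedded sample it reports `telnet_disabled`, `snmp_communities_acl_bound` and `vty_idle_timeout` as failing, which is exactly what an operator would need to fix before the device matches the template. To audit a real device, feed the saved output of `display current-configuration` to `parse_config` instead of `SAMPLE_CONFIG`; the checks are string matches on the template's own commands, so extend the dictionary in `audit` with the same pattern for any further item (for example the LLDP note) you want enforced.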