ITPROSEC Cisco Switch / Router Runbook Example

This Runbook example is using Switch / Router as an example to show how to create a document to run for your IT system for those repetitive and recurring processes or procedures.

Table of Contents

1 General Information
1.1 Product
1.2 Product Manager, Contact Person
1.3 Subsystems of the Application
1.4 Brief description of the Product
2 Summary of Security Requirements
2.1 Security Requirements
2.2 Immaterial Damage
2.3 Material/Financial Damage
3 System Overview
3.1 Product Description
3.2 Architecture
3.3 Purpose and Function of the System
3.4 Deployed Hardware & Software
4 System Design and Implementation
4.1 Approved Scope of Operation
4.2 Network Plan
4.3 Dependencies
4.4 System Internal Interfaces
4.5 External Interfaces
4.6 Authentication
4.7 Authorization
4.8 User Administration & Access Rights
4.8.1 Legal & regulatory Conditions
4.8.2 Roles & Users
4.8.3 Technical Users
4.9 Configuration
5 Processes
5.1 Dependent Processes
5.2 Processes based on this Product
6 System Operation
6.1 Regular Maintenance
6.2 Updates & Patch-Management
6.3 High Availability
6.4 Monitoring & Reporting
6.5 Logging
6.6 Backup & Archiving
6.7 Troubleshooting
    Diagnosing Problems
    Switch POST Results
    Switch LEDs
    Switch Connections
    Bad or Damaged Cable
    Ethernet and Fiber Cables
    Link Status
    10/100/1000 Port Connections
    SFP Modules
    Interface Settings
    Ping End Device
    Spanning Tree Loops
    Switch Performance
    Speed, Duplex, and Autonegotiation
    Autonegotiation and Network Interface Cards
    Cabling Distance
    Resetting the Switch to the Factory Default Settings
6.8 Recovery
6.9 Vendor Contracts
6.10 Related SLAs and Services
6.11 Contact Persons & Call Management
7 References
    Features
    Access Control
    SNMP
    Stacking
    DHCP
    Interfaces
    Loopback Interfaces
    VLAN Interfaces
    Spanning-Tree
    Logging
    Port-Channel
    Routing
    NTP
    Misc
Appendix
    Configuration Template

1 General Information

1.1 Product

Product Name:                    <Cisco Switch Setup and Config Guide>
Approved at:                     <29.04.2015>
Approved by:                     <name>

1.2 Product Manager, Contact Person

[Mandatory]

Product Manager:                 
Additional contact person:       
External Partners:               

1.3 Subsystems of the Application  

1.4 Brief description of the Product

ITPROSEC Standard Access Switch. This switch connects clients and printers to the LAN data network; its uplinks connect to the distribution switches. Access switches are used in commercial and in production areas.

2 Summary of Security Requirements

2.1 Security Requirements

[Mandatory] The security requirements of an application are derived from the potential damage that can occur if the confidentiality, integrity or availability of the application or data processed is affected.

Objective          no damage   minor   major   high
confidentiality        X
integrity                        X
availability                              X

2.2 Immaterial Damage

[Mandatory] Please classify the potential immaterial damage with respect to confidentiality, integrity and availability.

Immaterial Damage           no damage   minor   major   high
confidentiality                 X
integrity                                 X
availability
  system unavailable for
    10 min                      X
    1 hour                      X
    6 hours                               X
    1 day                                         X
    1 week                                                X

2.3 Material/Financial Damage

[Mandatory] Please classify the potential material damage with respect to confidentiality, integrity and availability.

Damage (EURO)               0-50T   50-200T   200T-1mio   >1mio
confidentiality               X
integrity                     X
availability
  system unavailable for
    10 min                    X
    1 hour                    X
    6 hours                   X
    1 day                     X
    1 week                    X

3 System Overview

3.1 Product Description

http://www.cisco.com/en/US/products/ps10745/products_data_sheets_list.html

3.2 Architecture

Switches are used to connect “end equipment” such as clients and printers to the Local Area Network. 10G uplink modules connect the access switches to the distribution switches. L2 functionality is used, and several VLANs are separated because of security requirements. In most cases the VLANs are separated by VRF technology at the distribution switches and connected through a firewall at the core, so that the connection to the commercial network is controlled.

3.3 Purpose and Function of the System

See 3.2

3.4 Deployed Hardware & Software

[Mandatory] List all deployed hardware and software (incl. versions).

Product (Firmware-)Version
   

The devices used as ITPROSEC standard access switches are in 2015:

Cisco3750X series – followed by Cisco3850 series

Cisco2960-X series

Cisco2960CG series

In the Device Expert system, an always up-to-date list of the access switches, including the software version in use, is available:

https://sharepoint.accounts.local:6060/

4 System Design and Implementation

4.1 Approved Scope of Operation

See configuration template below

4.2 Network Plan

Detailed network drawings are available at:

P:\PROJECTS3\ISO32\Network\intern\Plaene

4.3 Dependencies

Refer to the Cisco software advisor tool:

https://www.cisco.com/en/US/customer/support/tsd_most_requested_tools.html

http://www.cisco.com/c/en/us/support/web/tools-catalog.html

4.4 System Internal Interfaces

The virtual line access (line vty 0 15) is controlled by the IP access lists “mgmt-inbound” or “access-list 15”, e.g.:

        10 permit ip 10.104.4.18/32 10.104.98.65/32
        20 permit ip 10.103.33.0/28 10.104.98.65/32
        30 permit ip 10.104.98.0/24 10.104.98.65/32
        40 permit ip 10.108.192.0/24 10.104.98.65/32
        50 permit ip 10.126.14.10/32 10.104.98.65/32
        60 permit ip 10.126.14.13/32 10.104.98.65/32
        70 permit ip 10.104.20.80/28 10.104.98.0/24

4.5 External Interfaces

The system needs access to:

Central network authentication server using the tacacs+ protocol.

Time-server using the ntp protocol

Logging server using the Syslog protocol

CDP to everyone

Every L2 protocol

ICMP type 3, type 9, type 10, type 11

4.6 Authentication

[Mandatory] What kind of authentication is used? Describe the process and variations, also regarding security issues.

4.7 Authorization

Authentication is done via tacacs+ using the central Cisco ACS Server.

4.8 User Administration & Access Rights

To get access rights to the device, the following default procedure applies:

  • The team leader or the head of the admin’s department opens a ticket in Maximo.
  • The user is entered in the TACACS system with a dedicated rights profile, or
  • the user is added to an existing group of admins.

4.8.1 Legal & regulatory Conditions

This system includes cryptography and certificates. Depending on the country where the device is used, export is regulated due to legal restrictions.

4.8.2 Roles & Users

There are two levels of access:

  1. Privilege level 15: full access to read, write and change the config
  2. Privilege level 3: special defined access for dedicated admins with read only rights

! default settings for login/accounting for admins:
username script privilege 15 secret 5 xxxx
!
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ none
!
aaa session-id common
! using SSH only, telnet is not allowed.
ip ssh version 2
ip scp server enable
! access policy:
line vty 0 15
 access-class 15 in
 exec-timeout 30 0
 transport input ssh
 transport output none
access-list 15 permit <host or Lan range>

4.8.3 Technical Users

For auto-backup functionality and as local fallback-user the user “script” is implemented:

username script privilege 15 secret 5 xxxx

4.9 Configuration

The current configuration is always stored in the Device Expert. There are two device expert systems. One in the commercial (“green”) environment and one in the secure segment (“red”) for devices located in production or HSA environments.

e.g. the commercial area:

https://sharepoint.accounts.local:6060/NCMContainer.cc

5 Processes

5.1 Dependent Processes

5.2 Processes based on this Product

6 System Operation

6.1 Regular Maintenance

The log files on the syslog server are to be reviewed manually for errors.

6.2 Updates & Patch-Management

Updates should be done yearly, and additionally whenever a critical security issue without a workaround arises.

6.3 High Availability

No HA configuration is implemented.

6.4 Monitoring & Reporting

Monitoring is done by Nagios / ICINGA

6.5 Logging

The following syslog server is used.

https://log02.accounts.local

6.6 Backup & Archiving

Configuration Backup is done automatically every day/night by Device Expert:

https://sharepoint.accounts.local:6060/NCMContainer.cc

6.7 Troubleshooting

Diagnosing Problems

The switch LEDs provide troubleshooting information about the switch. They show POST failures, port-connectivity problems, and overall switch performance. You can also get statistics from the device manager, the CLI, or an SNMP workstation. See the software configuration guide, the switch command reference guide on Cisco.com, or the documentation that came with your SNMP application for details.

Switch POST Results

As the switch powers on, it begins the power-on self-test (POST), a series of tests that runs automatically to ensure that the switch functions properly. It might take several minutes for the switch to complete POST.

When the switch begins POST, the Status LED turns green. The System LED blinks green, and the other LEDs stay green.

When POST completes successfully, the System LED remains green. The XPS LED is green for some time and then returns to its operating status. The other LEDs turn off and return to their operating status. If the switch fails POST, the System and Ethernet management port LEDs turn amber.


Note POST failures are usually fatal. Contact your Cisco technical support representative if your switch does not pass POST.


Switch LEDs

Look at the port LEDs for information when troubleshooting the switch. See the “LEDs” section on page 1-9 for descriptions of the LED colors and their meanings.

Switch Connections

Bad or Damaged Cable

Always examine the cable for marginal damage or failure. A cable might be just good enough to connect at the physical layer, but it could corrupt packets as a result of subtle damage to the wiring or connectors. You can identify this situation because the port has many packet errors or the port constantly flaps (loses and regains link).

• Exchange the copper or fiber-optic cable with a known good cable.

• Look for broken or missing pins on cable connectors.

• Rule out any bad patch panel connections or media converters between the source and destination. If possible, bypass the patch panel or eliminate media converters (fiber-optic-to-copper).

• Try the cable in another port to see if the problem follows the cable.

• Catalyst 3750-X switch StackWise cable: remove and inspect the cable and StackWise port for bent pins or damaged connectors. If the StackWise cable is bad, replace it with a known good cable.

Ethernet and Fiber Cables

Make sure that you have the correct cable:

• For Ethernet, use Category 3 copper cable for 10 Mbps UTP connections. Use either Category 5, Category 5e, or Category 6 UTP for 10/100 or 10/100/1000 Mbps connections.

• Verify that you have the correct fiber-optic cable for the distance and port type. Make sure that the connected device ports match and use the same type encoding, optical frequency, and fiber type. For more information about cabling, see the “SFP and SFP+ Module Cable Specifications” section on page B-5.

• Determine if a copper crossover cable was used when a straight-through was required, or the reverse. Enable auto-MDIX on the switch, or replace the cable. See Table 2-3 for recommended Ethernet cables.

Link Status

Verify that both sides have link. A broken wire or a shut down port can cause one side to show link even though the other side does not have link.

A port LED that is on does not guarantee that the cable is functional. It might have encountered physical stress, causing it to function at a marginal level. If the port LED does not turn on:

• Connect the cable from the switch to a known good device.

• Make sure that both ends of the cable are connected to the correct ports.

• Verify that both devices have power.

• Verify that you are using the correct cable type. See Appendix B, “Connector and Cable Specifications” for more information.

• Look for loose connections. Sometimes a cable appears to be seated but is not. Disconnect the cable and then reconnect it.

10/100/1000 Port Connections

A port appears to malfunction:

• Verify the status of all ports. See Table 1-8 on page 1-11 for descriptions of the LEDs and their meanings.

• Use the show interfaces privileged EXEC command to see if the port is error-disabled, disabled, or shut down. Re-enable the port if necessary.

• Verify the cable type. See Appendix B, “Connector and Cable Specifications.”

SFP Modules

Use only Cisco network modules and SFP modules.

• Inspect the network module and SFP module. Exchange the suspect module with a known good module.

• Verify that the module is supported on this platform. (The switch release notes on Cisco.com list the SFP and SFP+ modules that the switch supports.)

• Use the show interfaces privileged EXEC command to see if the port or module is error-disabled, disabled, or shut down. Re-enable the port if needed.

• Make sure that all fiber connections are clean and securely connected.

• For CX1 module connections, make sure that cable routing does not violate the minimum allowed cable bend radius. See the module documentation for specific cabling requirements.

Note: When ordering or using CX1 cables, ensure that the version identifier is 2 or higher.

• For long wave SFP+ modules, a mode conditioning patch might improve performance over maximum link distances with MMF connections.

Interface Settings

Verify that the port or interface is not disabled or powered off. If a port or interface is manually shut down on either side of the link, it does not come up until you re-enable the interface. Use the show interfaces privileged EXEC command to see if the interface is error-disabled, disabled, or shut down on either side of the connection. If needed, re-enable the interface.

Ping End Device

Ping from the directly connected switch first, and then work your way back port by port, interface by interface, trunk by trunk, until you find the source of the connectivity issue. Make sure that each switch can identify the end device MAC address in its Content-Addressable Memory (CAM) table.

Spanning Tree Loops

STP loops can cause serious performance issues that look like port or interface problems.

A unidirectional link can cause loops. It occurs when the traffic sent by the switch is received by the neighbor, but the traffic from the neighbor is not received by the switch. A broken cable, other cabling problems, or a port issue could cause this one-way communication.

You can enable UniDirectional Link Detection (UDLD) on the switch to help identify unidirectional link problems. For information about enabling UDLD on the switch, see the “Understanding UDLD” section in the software configuration guide on Cisco.com.

Switch Performance

Speed, Duplex, and Autonegotiation

Port statistics that show a large number of alignment errors, frame check sequence (FCS) errors, or late collisions might indicate a speed or duplex mismatch.

A common issue occurs when duplex and speed settings are mismatched between two switches, between a switch and a router, or between the switch and a workstation or server. Mismatches can happen when manually setting the speed and duplex or from autonegotiation issues between the two devices.

To maximize switch performance and to ensure a link, follow one of these guidelines when changing the duplex or the speed settings:

• Let both ports autonegotiate both speed and duplex.

• Manually set the speed and duplex parameters for the interfaces on both ends of the connection.

• If a remote device does not autonegotiate, use the same duplex settings on the two ports. The speed parameter adjusts itself even if the connected port does not autonegotiate.

Autonegotiation and Network Interface Cards

Problems sometimes occur between the switch and third-party network interface cards (NICs). By default, the switch ports and interfaces autonegotiate. Laptops or other devices are commonly set to autonegotiate, yet sometimes issues occur.

To troubleshoot autonegotiation problems, try manually setting both sides of the connection. If this does not solve the problem, there could be a problem with the firmware or software on the NIC. You can resolve this by upgrading the NIC driver to the latest version.

Cabling Distance

If the port statistics show excessive FCS, late-collision, or alignment errors, verify that the cable distance from the switch to the connected device meets the recommended guidelines. See the “Cable and Adapter Specifications” section on page B-5.

Resetting the Switch to the Factory Default Settings

If you have configured a new switch with a wrong IP address, or if all of the switch LEDs start blinking when you try to enter Express Setup mode, you can clear the IP address that is configured on the switch.


Note Resetting the switch deletes the configuration and reboots the switch.


To reset the switch:

1. Press and hold the Mode button (Figure 1-2 on page 1-4).

The switch LEDs begin blinking after about 2 seconds. If the LEDs above the mode button turn solid green, you can release the Mode button and run Express Setup to configure the switch. If the LEDs do not turn solid green, continue with the next step.

2. Continue holding down the Mode button. The LEDs stop blinking after an additional 8 seconds, and then the switch reboots.

The switch now behaves like an unconfigured switch. You can configure the switch by using Express Setup as described in the switch getting started guide on Cisco.com.

You can also configure the switch by using the CLI setup procedure. See Appendix C, “Configuring the Switch with the CLI-Based Setup Program.”

 

6.8 Recovery

Refer to 7 References.

6.9 Vendor Contracts

There is a maintenance contract available at Cisco Systems via the company Computacenter.

A list of the systems under maintenance can be found under the ISO6 operating manuals: Cisco-Maintanance-Computacenter-2010-11-12.xls

https://eshare.132.145.102.201:10000/organization/global_it_portal/EMEA/GLOBAL/ISO6/Operating%20Manuals/Cisco-Maintanance-Computacenter-2010-11-12.xls

6.10 Related SLAs and Services

There are no SLAs.

6.11 Contact Persons & Call Management

Refer to the disaster recovery handbook.

7 References

Detailed information about the Cisco Catalyst switches is available at:

http://www.cisco.com/c/en/us/products/switches/catalyst-3850-series-switches/literature.html

http://www.cisco.com/c/en/us/products/switches/catalyst-2960-x-series-switches/literature.html

The IOS operating system should be C<model>E-LANBASEK9-M Version

Features

The IPBASE IOS is to be installed and used with the “lanbase” feature license.

The only network services allowed to run on the switch are CDP, NTP, SSH version 2 and SNMP server (v2c and v3). All other services must be disabled. Services that must be explicitly disabled or made inaccessible:

  • DHCP server and relay agent
  • PAD
  • VTP
  • HTTP
  • Telnet
  • SSH version 1

! default security parameters:
service password-encryption
service sequence-numbers
no ip http server
no ip http secure-server
no ip domain-lookup

Access Control

A local user “admin” with password “ccInst87” has to be configured with privilege level 15.

The password encryption feature has to be enabled.

In addition, the two default local users have to be added with the following pre-defined password hashes:

username cisco privilege 15 secret 5 $1$04e6$aWoM9H27hYyTkL07YDKCg1
username script privilege 15 secret 5 $1$ebK8$Gx9wtzjgG07L.8wvlWNXG0

TACACS+ will be configured using the ITPROSEC servers according to the following statements:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ none
tacacs-server host 10.126.14.10 key xxyy
tacacs-server host 10.126.14.13 key xxyy
tacacs-server directed-request

Remote access to the device has to be restricted using the numbered VTY access list “15”:

access-list 15 remark SSH access vty-in
access-list 15 permit 10.103.33.0 0.0.0.15
access-list 15 permit 10.14.131.0 0.0.0.255
(..)
line vty 0 15
  access-class 15 in

Only the first 16 (0-15) VTY lines are enabled. All other VTY lines must be disabled.

An inactivity timeout on the VTY lines and the console has to be set to 30 minutes.

Transport protocols on the VTY lines must be restricted to incoming SSH only.
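The statements in this section (and the "Features" list above) are simple enough to check mechanically against a saved running-config. The Python below is an added example (not a Cisco tool and not part of the runbook) that does exactly that: it parses the config into global commands and indented blocks, reports every required hardening line that is absent, checks each VTY block for ACL 15, the 30-minute timeout and an SSH-only transport, and evaluates the numbered standard ACL with IOS first-match semantics in wildcard-mask syntax, so a management host can be tested against ACL 15 before a change is rolled out (the same question the ACL example in 4.4 answers by hand). The sample configuration, its hostnames and addresses are constructed for the example.

```python
"""Audit a Catalyst access-switch config against this runbook's hardening rules.
Added example, not a Cisco tool and not part of the original document; the
SAMPLE_CONFIG at the bottom is constructed with placeholder names/addresses."""
import ipaddress
import re

# Global statements the runbook requires verbatim.
REQUIRED_GLOBAL = [
    "service password-encryption",
    "no ip http server",
    "no ip http secure-server",
    "no service dhcp",
    "ip ssh version 2",
    "aaa new-model",
    "aaa authentication login default group tacacs+ local",
]
# Statements every 'line vty' block must carry (ACL 15, 30-minute idle timeout).
REQUIRED_VTY = ["access-class 15 in", "exec-timeout 30 0"]
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")

def parse_sections(config):
    """Split an IOS config into (header, [indented sub-lines]) pairs."""
    sections, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and IOS comments
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())  # belongs to the open interface/line block
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections

def audit(config):
    """Return a list of findings; an empty list means the config complies."""
    sections = parse_sections(config)
    present = {header for header, _ in sections}
    findings = [f"missing: {s}" for s in REQUIRED_GLOBAL if s not in present]
    vty_blocks = [(h, sub) for h, sub in sections if h.startswith("line vty")]
    if not vty_blocks:
        findings.append("no 'line vty' block found")
    for header, sub in vty_blocks:
        findings += [f"{header}: missing '{s}'" for s in REQUIRED_VTY if s not in sub]
        # Incoming transport must be exactly SSH; 'telnet', 'all' or a missing
        # line (which leaves the platform default) are all findings.
        transport = [s for s in sub if s.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append(f"{header}: transport input must be 'ssh' only, found {transport}")
    return findings

def acl_permits(config, acl_number, host):
    """First-match evaluation of a standard numbered ACL for a source address.
    Wildcard masks: 0 bits must match; 'host A.B.C.D' or a bare address means a
    single host; 'any' matches all; no match hits the implicit deny."""
    addr = int(ipaddress.IPv4Address(host))
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or int(m.group(1)) != acl_number:
            continue  # other ACLs and 'remark' lines
        action, tokens = m.group(2), m.group(3).split()
        if tokens[0] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif tokens[0] == "host":
            net, wild = int(ipaddress.IPv4Address(tokens[1])), 0
        else:
            net = int(ipaddress.IPv4Address(tokens[0]))
            wild = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
        care = ~wild & 0xFFFFFFFF  # the bits this entry actually compares
        if addr & care == net & care:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

# Constructed sample: compliant except that the second VTY range still accepts
# telnet, which the audit must flag.
SAMPLE_CONFIG = """\
service password-encryption
no service dhcp
aaa new-model
aaa authentication login default group tacacs+ local
ip ssh version 2
no ip http server
no ip http secure-server
access-list 15 remark SSH access vty-in
access-list 15 permit 10.103.33.0 0.0.0.15
access-list 15 permit host 10.104.19.10
line vty 0 4
 access-class 15 in
 exec-timeout 30 0
 transport input ssh
line vty 5 15
 access-class 15 in
 exec-timeout 30 0
 transport input telnet ssh
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "compliant")
```

Run it over a `show running-config` export from Device Expert; the ACL evaluation deliberately stops at the first matching entry, because that is what the switch does, so the order of permit lines matters as much as their content.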

SNMP

For legacy reasons SNMP version 2c will be configured using the following configuration statements:

snmp-server view mactrack iso included
snmp-server view mactrack system included
snmp-server view mactrack dot1dBridge included
snmp-server view mactrack cisco excluded
snmp-server view mactrack local excluded
snmp-server view mactrack ifEntry included
snmp-server view mactrack ciscoStackMIB included
snmp-server view mactrack ciscoVtpMIB included
snmp-server view mactrack ciscoVlanMembershipMIB included
snmp-server view mactrack lip.2 excluded
snmp-server community xxxxxxx view mactrack RO 10
snmp-server contact ISO6
snmp-server host 10.103.33.8 te5as

In addition to this configuration, an SNMP v3 view and group should be configured according to the following configuration:

snmp-server view v3view iso included
snmp-server view v3view internet included
snmp-server view v3view cisco excluded
snmp-server view v3view ip.21 excluded
snmp-server view v3view ip.24 excluded
snmp-server view v3view local excluded
snmp-server view v3view ciscoConfig included
snmp-server view v3view ciscoEnvMonMIB included
snmp-server view v3view ciscoCdpMIB included
snmp-server view v3view ciscoImageMIB included
snmp-server view v3view ciscoRttMonMIB included
snmp-server view v3view ciscoConfigManMIB included
snmp-server view v3view ciscoVtpMIB included
snmp-server view v3view ciscoMemoryPoolMIB included
snmp-server view v3view ciscoVlanMembershipMIB included
snmp-server view v3view ciscoStpExtensionsMIB included
snmp-server view v3view ciscoPagpMIB included
snmp-server view v3view ciscoEntityFRUControlMIB included
snmp-server view v3view ciscoVlanIfTableRelationshipMIB included
snmp-server view v3view ciscoIfExtensionMIB included
snmp-server view v3view lip.2 excluded
snmp-server view v3view ciscoProcessMIB.1.1 included
snmp-server group v3group v3 priv read v3view

Access should be restricted by the following standard numbered access-list number 10:

access-list 10 remark SNMP Security
access-list 10 permit 10.104.4.18
access-list 10 permit 10.103.33.0 0.0.0.15

The SNMP contact string is “ISO32” and the SNMP location string should contain the building (GLOBALxx) followed by a whitespace and the distribution room number. (e.g.: “GLOBAL15 1075-15”)
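The view definitions above mix broad subtrees (“iso included”, “cisco excluded”) with specific Cisco MIBs that are included again underneath the exclusion, so it is worth knowing how a view is actually evaluated: the entries form a set of included/excluded subtrees and, for a given OID, the most specific (longest) matching subtree decides. The Python below is an added example (not a Cisco tool and not part of the runbook) that parses “snmp-server view” lines and answers “is this OID readable through this view?” under that rule. Its name-to-OID table covers only the names used in the constructed sample, with values from MIB-2 and the Cisco MIB files as I know them; verify them against your MIB copies and extend the table before running it over the full views.

```python
"""Evaluate which OIDs an IOS 'snmp-server view' exposes.
Added example for the SNMP section of this runbook; not a Cisco tool and not
part of the original document. A view is a list of included/excluded subtrees
and the most specific (longest) matching subtree decides, which is what lets
'cisco excluded' coexist with 'ciscoVtpMIB included' underneath it."""

# Symbolic names used in the sample view, resolved to numeric OIDs. Values are
# from MIB-2 and the Cisco MIB files as I know them; verify against your copies
# and extend the table for the other names the runbook's views use.
OID_NAMES = {
    "iso": "1",
    "internet": "1.3.6.1",
    "mib-2": "1.3.6.1.2.1",
    "system": "1.3.6.1.2.1.1",
    "ifEntry": "1.3.6.1.2.1.2.2.1",
    "ip": "1.3.6.1.2.1.4",
    "dot1dBridge": "1.3.6.1.2.1.17",
    "cisco": "1.3.6.1.4.1.9",
    "local": "1.3.6.1.4.1.9.2",
    "lip": "1.3.6.1.4.1.9.2.4",
    "ciscoMgmt": "1.3.6.1.4.1.9.9",
    "ciscoVtpMIB": "1.3.6.1.4.1.9.9.46",
    "ciscoVlanMembershipMIB": "1.3.6.1.4.1.9.9.68",
}

def resolve(name):
    """'lip.2' or 'system' -> tuple of ints; dotted numeric OIDs pass through."""
    head, _, tail = name.partition(".")
    if head in OID_NAMES:
        base = OID_NAMES[head]
    elif head.isdigit():
        base = head
    else:
        raise KeyError(f"unknown MIB name {head!r}: add it to OID_NAMES")
    numeric = base + ("." + tail if tail else "")
    return tuple(int(part) for part in numeric.split("."))

def parse_views(config):
    """Collect 'snmp-server view NAME SUBTREE included|excluded' entries per view."""
    views = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["snmp-server", "view"]:
            views.setdefault(parts[2], []).append((resolve(parts[3]), parts[4] == "included"))
    return views

def visible(view, oid):
    """True if `oid` (symbolic or dotted) is readable through the view's entries."""
    target = resolve(oid)
    best = None  # (subtree, included) of the longest matching entry so far
    for subtree, included in view:
        if target[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]  # no matching subtree at all -> not visible

# Constructed subset of the runbook's "mactrack" view, limited to names in OID_NAMES.
SAMPLE_VIEWS = """\
snmp-server view mactrack iso included
snmp-server view mactrack system included
snmp-server view mactrack dot1dBridge included
snmp-server view mactrack cisco excluded
snmp-server view mactrack local excluded
snmp-server view mactrack ifEntry included
snmp-server view mactrack ciscoVtpMIB included
snmp-server view mactrack ciscoVlanMembershipMIB included
snmp-server view mactrack lip.2 excluded
snmp-server community xxxxxxx view mactrack RO 10
"""
MACTRACK = parse_views(SAMPLE_VIEWS)["mactrack"]

if __name__ == "__main__":
    for probe in ("system.1.0", "ciscoMgmt.1", "ciscoVtpMIB.1.3", "lip.2.1"):
        print(probe, "visible" if visible(MACTRACK, probe) else "hidden")
```

The practical use is a regression check: after editing a view, confirm that the objects the monitoring server actually polls (interface table, bridge table, VTP VLAN table) stay visible and that everything under the private Cisco tree not listed explicitly stays hidden.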

Stacking

The switches have to be numbered top-to-bottom. The switch number 1 is the top switch and preferred stack master with a switch priority value of 10.

The stack master will be the switch with the first 10GBase port (TenGigEthernet1/1/1) connected to the first Nexus 7000 access router.

The switch number 2 (below the stack master) is configured with stacking priority 5. This switch has its second 10GBase port (TenGigEthernet2/1/2) connected to the Nexus 7000 access router. If there is only one 3750-X switch, then the second 10GBase port (TenGigEthernet1/1/2) is used instead.

All other stack members do not have a TenGigabitEthernet module installed and share the default switch stack priority.

All other switches in the stack should be arranged in order of their number in ascending order from top of the rack to bottom.

Example for a stack of five switches:

Location        Stack Number   Priority   Role     Uplink
topmost         1              10         master   TenGig1/1/1
below top       2              5          member   TenGig2/1/2
middle          3              default    member
above lowest    4              default    member
lowest          5              default    member

If it is not feasible during installation to sort the switches by their MAC address in order to ensure this ordering, the stack priority has to be configured explicitly.

The persistent stack-mac timer has to be set to 0 (disabling stack MAC change).

DHCP

The Nexus access routers, or the gateways in subsidiaries, will provide DHCP relay functionality.

The DHCP service must be disabled on all access switches.

Interfaces

The switchport negotiation feature must be disabled on all interfaces.

The 48 RJ45 ports on each switch are configured as switchport mode access.

The udld feature is set to aggressive by default.

The VLANs of the commercial VRF that are provided on the switch stack are pre-configured on the interfaces of the corresponding stack member according to the IP Concept table. Those stack members of which the stack number is noted in the “stack members” column must have the corresponding VLAN of that row configured on the 1000BaseTX ports (ports 1 to 48). Up to three stack members share the same VLAN on their access ports.

Loopback Interfaces

There is no loopback interface on the access switch.

VLAN Interfaces

Only the first (lowest numbered) VLAN interface from the commercial VRF is configured as an IP-Interface.

The IP address for the switch is the host address 5 in the corresponding subnet (for example: 10.14.30.5 in VLAN 230 on switch sglobal020-05).

Spanning-Tree

Spanning-tree protocol is Rapid-per-Vlan-Spanning-Tree (rapid-pvst).

BPDU-Guard is enabled.

All access ports should have port-fast enabled.

! on core switches (= distribution layer switches) set the spanning-tree root bridge priority:
spanning-tree vlan 1-4094 priority 16384 (will be root bridge)
spanning-tree vlan 1-4094 priority 8192 (will be secondary root bridge)

This is important to prevent access switches from becoming root bridge in the network.
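The election can be checked offline before the priorities are rolled out. The Python below is an added example (not part of the runbook and not IOS code): it orders bridges the way 802.1D and Rapid PVST do, where the numerically lowest bridge ID wins, so between the two distribution priorities above the bridge at 8192 is elected root and the bridge at 16384 takes over when it fails, and an access switch left at the default of 32768 cannot win regardless of its MAC address. With “spanning-tree extend system-id” (as in the template) the priority field that is compared is the configured priority plus the VLAN number, and the base MAC only breaks ties. Switch names and MAC addresses are constructed.

```python
"""Rapid-PVST root election for one VLAN, as an added example for the
Spanning-Tree section (not part of the runbook, not IOS code). The bridge with
the numerically lowest bridge ID becomes root; with 'spanning-tree extend
system-id' the compared priority is (configured priority + VLAN) and the base
MAC is the tie-breaker. Switch names and MACs below are constructed."""

DEFAULT_PRIORITY = 32768  # what an access switch runs with when nothing is set

def bridge_id(priority, vlan, mac):
    """Comparable bridge ID: (priority + VLAN, MAC). Lower sorts first."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority + vlan, mac.lower())

def election_order(switches, vlan):
    """Switch names from the elected root to the least preferred for `vlan`.
    switches: {name: (configured priority, base MAC)}."""
    return sorted(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))

def access_switches_cannot_win(switches, vlan, distribution):
    """True if no switch outside `distribution` can become root, whatever its
    MAC: a strictly lower priority field always beats a lower MAC, so it is
    enough to compare the priority fields for this VLAN."""
    dist_max = max(bridge_id(*switches[n][:1], vlan, switches[n][1])[0] for n in distribution)
    return all(bridge_id(switches[n][0], vlan, switches[n][1])[0] > dist_max
               for n in switches if n not in distribution)

# Constructed topology: the two distribution priorities from this section and
# three access switches at the default. The access MACs are deliberately lower
# than the distribution MACs to show that the MAC does not help them.
TOPOLOGY = {
    "dist-a": (8192, "00:1b:0c:aa:aa:01"),
    "dist-b": (16384, "00:1b:0c:aa:aa:02"),
    "access-01": (DEFAULT_PRIORITY, "00:00:0c:11:11:01"),
    "access-02": (DEFAULT_PRIORITY, "00:00:0c:11:11:02"),
    "access-03": (DEFAULT_PRIORITY, "00:00:0c:11:11:03"),
}

if __name__ == "__main__":
    print("election order VLAN 222:", election_order(TOPOLOGY, 222))
    print("access switches cannot win:",
          access_switches_cannot_win(TOPOLOGY, 222, {"dist-a", "dist-b"}))
```

The last function is the one that matters for this runbook: it confirms that no access switch at default priority can outrank the distribution pair. A bridge announcing a priority below 8192 on an access port would still win the election, which is the case the template's “spanning-tree portfast bpduguard default” covers by err-disabling any portfast port that receives a BPDU.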

Logging

Logging on the device console has to be restricted to “alert” level (1).

The local logging buffer size should be 64 KiB (65536 bytes) at level “notifications”.

Timestamps should include microseconds.

Logging messages will be sent to the server log02.accounts.local using syslog protocol.
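For the manual review required in 6.1 and the syslog settings described here (sequence numbers, millisecond timestamps, notifications level), the Python below is an added example (not part of the runbook and not a Cisco tool) that parses the resulting line format and extracts what a reviewer should not miss: messages of severity warning (4) or worse, configuration changes and failed logins regardless of severity, gaps in the sequence numbers (messages lost between switch and server), and the “*” marker IOS prints in front of the timestamp while its clock is not NTP-synchronised. The sample lines are constructed; the message formats follow IOS, the hosts, users and interfaces are placeholders.

```python
"""Review IOS syslog output as this runbook configures it ('service
sequence-numbers', 'service timestamps log datetime msec', trap level
notifications). Added example; not a Cisco tool and not part of the runbook.
SAMPLE_LOG is constructed: message formats follow IOS, hosts/users/ports are
placeholders."""
import re

LOG_RE = re.compile(
    r"^(?P<seq>\d+): (?P<unsync>\*?)(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# Worth a look regardless of severity: config changes, failed logins and BPDU
# guard firing on an access port.
WATCH = {"SYS-5-CONFIG_I", "SEC_LOGIN-4-LOGIN_FAILED", "SPANTREE-2-BLOCK_BPDUGUARD"}

def parse_line(line):
    """Return a dict for one syslog line, or None if it is not in IOS format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["seq"] = int(e["seq"])
    e["severity"] = int(e["severity"])
    e["unsync"] = e["unsync"] == "*"  # IOS prints '*' while the clock is not NTP-synchronised
    e["key"] = f"{e['facility']}-{e['severity']}-{e['mnemonic']}"
    return e

def review(log, max_severity=4):
    """Summarise a log: alerts (severity <= warning or in WATCH), lost messages
    (gaps in the sequence numbers) and how many lines carried an unsynced clock."""
    entries = [e for e in map(parse_line, log.splitlines()) if e]
    alerts = [e for e in entries if e["severity"] <= max_severity or e["key"] in WATCH]
    seqs = [e["seq"] for e in entries]
    missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs)) if seqs else []
    return {
        "parsed": len(entries),
        "alerts": alerts,
        "missing_seq": missing,
        "clock_unsynced": sum(e["unsync"] for e in entries),
    }

# Constructed sample: three lines from right after boot (clock still unsynced,
# hence the '*'), then synchronised time; sequence 000046 never reached the server.
SAMPLE_LOG = """\
000041: *Mar  1 00:02:13.217: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.103.33.5)
000042: *Mar  1 00:02:20.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.14.131.77] [localport: 22] [Reason: Login Authentication Failed] at 00:02:20 UTC Mon Mar 1 1993
000043: *Mar  1 00:02:21.500: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/7, changed state to down
000044: Jun 12 10:15:25.104: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
000045: Jun 12 10:15:25.110: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
000047: Jun 12 10:16:00.000: %SYS-6-LOGOUT: User admin has exited tty session 1(10.103.33.5)
"""

if __name__ == "__main__":
    summary = review(SAMPLE_LOG)
    for e in summary["alerts"]:
        print(e["seq"], e["key"], e["text"][:60])
    print("lost:", summary["missing_seq"], "unsynced clock:", summary["clock_unsynced"])
```

Two of the results deserve a standing check rather than an occasional glance: a non-empty missing_seq means the syslog server is not receiving everything the switch sent, and a non-zero unsynced count on a switch that has been up for a while means the NTP configuration in the “NTP” section is not working and the timestamps cannot be correlated with other systems.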

Port-Channel

The uplink to the Nexus Access Router has to be configured as Port-Channel interface 1 on the access switch using LACP protocol.

! default settings for port-channels (etherchannels)
interface Port-channel1
 description M:Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface TenGigabitEthernet1/1/1
 description to-Eth 7/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-protocol lacp
 channel-group 1 mode active
!
interface TenGigabitEthernet2/1/2
 description to-Eth 7/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-protocol lacp
 channel-group 1 mode active

Routing

With only the LANBASE feature licensed, there is no routing configuration supported.

The default gateway is to be set to the lowest IP address in the management VLAN (last octet is 1).

NTP

The NTP server 10.104.4.27 (ntp01) is configured as the default NTP server in MUC1. In subsidiaries, the LAN interface of the VPN router is used as NTP server.

The Timezone is UTC.

Misc

A RSA key-pair labeled “sshkey” has to be generated for use with SSHv2.

All other RSA keys and certificates (e.g. defaults) must be deleted.

Please refer to the configuration template in the Appendix of this document for the configuration.

Appendix

Please feel free to use the following ITPROSEC access switch configuration template.

Configuration Template

**********************************************************!

config example:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
no service dhcp
!
hostname tor-sg-sw-dc1-04
!
boot-start-marker
boot-end-marker
!
logging buffered 65536 notifications
!
username user1 privilege 15 secret 5 xxx
username user2 privilege 15 secret 5 xxx
username script privilege 15 secret 5 xxx
!
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ none
!
aaa session-id common
switch 1 provision ws-c2960s-48td-l
switch 2 provision ws-c2960s-48td-l
stack-mac persistent timer 0
no ip source-route
no ip gratuitous-arps
!
no ip domain-lookup
ip domain-name mgmt.intern
vtp domain GLOBAL
vtp mode off
udld aggressive
!
no setup express
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 222
 name commercial-222
!
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
interface Loopback0
 no ip address
!
interface Port-channel1
 description M:Uplink to VPC
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
 description U:Vlan222
 switchport access vlan 222
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface TenGigabitEthernet1/0/1
 description M:nac101 Eth 1/4
 switchport mode trunk
 switchport nonegotiate
 channel-protocol lacp
 channel-group 1 mode active
!
interface Vlan222
 description Commercial VLAN
 ip address 10.14.22.5 255.255.255.0
 no ip redirects
!
ip default-gateway 10.14.22.1
no ip http server
no ip http secure-server
!
ip sla enable reaction-alerts
logging trap notifications
logging 10.104.98.21
!
! access-lists are to be discussed (depends on commercial or production area)
access-list 10 remark SNMP Security
access-list 10 permit 10.103.33.0 0.0.0.15
access-list 15 remark SSH Security
access-list 15 permit 10.103.33.0 0.0.0.15
access-list 15 permit 10.14.131.0 0.0.0.255
access-list 15 permit 10.14.135.0 0.0.0.255
access-list 15 permit host 10.104.19.10
access-list 15 permit host 10.104.7.160
snmp-server group cacti v3 auth match prefix
snmp-server group cacti v3 priv read cacti
snmp-server group v3group v3 priv read v3view
snmp-server view cacti iso included
snmp-server view cacti internet included
snmp-server view cacti mib-2 included
snmp-server view cacti system included
snmp-server view cacti dot1dBridge included
snmp-server view cacti cisco included
snmp-server view cacti snmpMIB included
snmp-server view cacti local excluded
snmp-server view cacti ciscoConfig included
snmp-server view cacti ciscoMgmt included
snmp-server view cacti ifEntry included
snmp-server view cacti ciscoStackMIB included
snmp-server view cacti ciscoImageMIB included
snmp-server view cacti ciscoVtpMIB included
snmp-server view cacti ciscoVlanMembershipMIB included
snmp-server view cacti lip.2 excluded
snmp-server view v3view iso included
snmp-server view v3view internet included
snmp-server view v3view cisco excluded
snmp-server view v3view ip.21 excluded
snmp-server view v3view ip.24 excluded
snmp-server view v3view local excluded
snmp-server view v3view ciscoConfig included
snmp-server view v3view ciscoStackMIB included
snmp-server view v3view ciscoEnvMonMIB included
snmp-server view v3view ciscoCdpMIB included
snmp-server view v3view ciscoImageMIB included
snmp-server view v3view ciscoRttMonMIB included
snmp-server view v3view ciscoConfigManMIB included
snmp-server view v3view ciscoVtpMIB included
snmp-server view v3view ciscoMemoryPoolMIB included
snmp-server view v3view ciscoVlanMembershipMIB included
snmp-server view v3view ciscoStpExtensionsMIB included
snmp-server view v3view ciscoPagpMIB included
snmp-server view v3view ciscoEntityFRUControlMIB included
snmp-server view v3view ciscoVlanIfTableRelationshipMIB included
snmp-server view v3view ciscoIfExtensionMIB included
snmp-server view v3view lip.2 excluded
snmp-server view v3view ciscoProcessMIB.1.1 included
snmp-server view mactrack iso included
snmp-server view mactrack system included
snmp-server view mactrack dot1dBridge included
snmp-server view mactrack cisco excluded
snmp-server view mactrack local excluded
snmp-server view mactrack ifEntry included
snmp-server view mactrack ciscoStackMIB included
snmp-server view mactrack ciscoVtpMIB included
snmp-server view mactrack ciscoVlanMembershipMIB included
snmp-server view mactrack lip.2 excluded
snmp-server community xxxx view mactrack RO 10
snmp-server community xxx RO 10
snmp-server location GLOBAL04-1033-04
snmp-server contact ISO32
snmp-server host 10.103.33.8 xxx
tacacs-server host 10.126.14.10 key xxx
tacacs-server host 10.126.14.13 key xxx
tacacs-server directed-request
banner login ^C
This is an actively monitored system. Unauthorized access prohibited.
Dieses System wird ueberwacht. Unbefugter Zugriff verboten!
^C
!
line con 0
 exec-timeout 30 0
line vty 0 4
 access-class 15 in
 exec-timeout 30 0
 transport input ssh
 transport output ssh
line vty 5 15
 access-class 15 in
 exec-timeout 30 0
 transport input ssh
 transport output none
!
ntp clock-period 22519233
ntp server 10.104.68.31
ntp server 10.104.4.27
end
