ITPROSEC Cisco Switch / Router Runbook Example
This runbook uses a Cisco switch/router as an example to show how to document the repetitive and recurring processes and procedures of an IT system in a form that can be followed step by step.
Table of Contents
1.2 Product Manager, Contact Person
1.3 Subsystems of the Application
1.4 Brief description of the Product
2 Summary of Security Requirements
2.3 Material/Financial Damage
3.3 Purpose and Function of the System
3.4 Deployed Hardware & Software
4 System Design and Implementation
4.1 Approved Scope of Operation
4.4 System Internal Interfaces
4.8 User Administration & Access Rights
4.8.1 Legal & regulatory Conditions
5.2 Processes based on this Product
6.2 Updates & Patch-Management
10/100/1000 Port Connections
Speed, Duplex, and Autonegotiation
Autonegotiation and Network Interface Cards
Resetting the Switch to the Factory Default Settings
6.10 Related SLAs and Services
6.11 Contact Persons & Call Management
1 General Information
1.1 Product
Product Name: <Cisco Switch Setup and Config Guide>
Approved at: <29.04.2015>
Approved by: <name>
1.2 Product Manager, Contact Person
[Mandatory]
Product Manager:
Additional contact person:
External Partners:
1.3 Subsystems of the Application
1.4 Brief description of the Product
ITPROSEC Standard Access Switch. This switch is used to connect the clients and printers to the LAN data network. The uplinks are connected to the distribution switches. Access switches are used in commercial and in production areas.
2 Summary of Security Requirements
2.1 Security Requirements
[Mandatory] The security requirements of an application are derived from the potential damage that can occur if the confidentiality, integrity or availability of the application or data processed is affected.
Objective       | no damage | minor | major | high
confidentiality |     X     |       |       |
integrity       |     X     |       |       |
availability    |     X     |       |       |
2.2 Immaterial Damage
[Mandatory] Please classify the potential immaterial damage with respect to confidentiality, integrity and availability.
Immaterial Damage                     | no damage | minor | major | high
confidentiality                       |     X     |       |       |
integrity                             |     X     |       |       |
availability (system unavailable for) |           |       |       |
  10 min                              |     X     |       |       |
  1 hour                              |     X     |       |       |
  6 hours                             |     X     |       |       |
  1 day                               |     X     |       |       |
  1 week                              |     X     |       |       |
2.3 Material/Financial Damage
[Mandatory] Please classify the potential material damage with respect to confidentiality, integrity and availability.
Damage (EURO)                         | 0-50T | 50-200T | 200T-1mio | >1mio
confidentiality                       |   X   |         |           |
integrity                             |   X   |         |           |
availability (system unavailable for) |       |         |           |
  10 min                              |   X   |         |           |
  1 hour                              |   X   |         |           |
  6 hours                             |   X   |         |           |
  1 day                               |   X   |         |           |
  1 week                              |   X   |         |           |
3 System Overview
3.1 Product Description
3.2 Architecture
Switches are used to connect “end equipment” such as clients and printers to the Local Area Network. 10G uplink modules connect the access switches to the distribution switches. Only L2 functionality is used, and several VLANs are kept separate because of security requirements. In most cases the VLANs are separated by VRF technology at the distribution switches and connected via a firewall at the core, which implements a controlled connection to the commercial network.
3.3 Purpose and Function of the System
See 3.2
3.4 Deployed Hardware & Software
[Mandatory] List all deployed hardware and software (incl. versions).
Product | (Firmware-)Version |
The devices used as ITPROSEC standard access switches in 2015 are:
- Cisco 3750-X series, followed by the Cisco 3850 series
- Cisco 2960-X series
- Cisco 2960CG series
An up-to-date list of the access switches, including the software version in use, is available in the Device Expert system.
4 System Design and Implementation
4.1 Approved Scope of Operation
See the configuration template in the Appendix of this document.
4.2 Network Plan
Detailed network drawings are available at:
P:\PROJECTS3\ISO32\Network\intern\Plaene
4.3 Dependencies
Refer to the Cisco software advisor tool:
https://www.cisco.com/en/US/customer/support/tsd_most_requested_tools.html
http://www.cisco.com/c/en/us/support/web/tools-catalog.html
4.4 System Internal Interfaces
Access to the virtual terminal lines (line vty 0 15) is controlled by the IP access lists “mgmt-inbound” or “access-list 15”, e.g.:
10 permit ip 10.104.4.18/32 10.104.98.65/32
20 permit ip 10.103.33.0/28 10.104.98.65/32
30 permit ip 10.104.98.0/24 10.104.98.65/32
40 permit ip 10.108.192.0/24 10.104.98.65/32
50 permit ip 10.126.14.10/32 10.104.98.65/32
60 permit ip 10.126.14.13/32 10.104.98.65/32
70 permit ip 10.104.20.80/28 10.104.98.0/24
4.5 External Interfaces
The system needs access to:
- the central network authentication server, using the TACACS+ protocol
- the time server, using the NTP protocol
- the logging server, using the syslog protocol
- CDP to any directly connected neighbour
- every L2 protocol
- ICMP type 3, type 9, type 10, type 11
4.6 Authentication
[Mandatory] What kind of authentication is used? Describe the process and variations, also regarding security issues.
4.7 Authorization
Authentication is done via TACACS+ against the central Cisco ACS server.
4.8 User Administration & Access Rights
To obtain access rights to the device, the following default procedure applies:
- The team leader or the head of the admin’s department opens a ticket in Maximo.
- The user is entered in the TACACS system with a dedicated rights profile, or
- the user is added to an existing group of admins.
4.8.1 Legal & regulatory Conditions
This system includes cryptography and certificates. Depending on the country where the device is used, export is regulated due to legal restrictions.
4.8.2 Roles & Users
There are two levels of access:
- Privilege level 15: full access to read, write and change the configuration
- Privilege level 3: specially defined access for dedicated admins with read-only rights
# default settings for login/accounting for admins:
username script privilege 15 secret 5 xxxx
!
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ none
!
aaa session-id common
#using ssh only, telnet is not allowed.
ip ssh version 2
ip scp server enable
#access-policy:
line vty 0 15
 access-class 15 in
 exec-timeout 30 0
 transport input ssh
 transport output none
access-list 15 permit <host or Lan range>
4.8.3 Technical Users
For auto-backup functionality and as local fallback-user the user “script” is implemented:
username script privilege 15 secret 5 xxxx
4.9 Configuration
The current configuration is always stored in the Device Expert. There are two device expert systems. One in the commercial (“green”) environment and one in the secure segment (“red”) for devices located in production or HSA environments.
e.g. the commercial area:
5 Processes
5.1 Dependent Processes
5.2 Processes based on this Product
6 System Operation
6.1 Regular Maintenance
The log files on the syslog server are to be reviewed manually for errors.
6.2 Updates & Patch-Management
Updates should be done yearly, and immediately in case of critical security issues for which no workaround exists.
6.3 High Availability
No HA configuration is implemented.
6.4 Monitoring & Reporting
Monitoring is done by Nagios / ICINGA
6.5 Logging
The following syslog server is used.
6.6 Backup & Archiving
Configuration Backup is done automatically every day/night by Device Expert:
6.7 Troubleshooting
Diagnosing Problems
The switch LEDs provide troubleshooting information about the switch. They show POST failures, port-connectivity problems, and overall switch performance. You can also get statistics from the device manager, the CLI, or an SNMP workstation. See the software configuration guide, the switch command reference guide on Cisco.com, or the documentation that came with your SNMP application for details.
Switch POST Results
As the switch powers on, it begins the power-on self-test (POST), a series of tests that runs automatically to ensure that the switch functions properly. It might take several minutes for the switch to complete POST.
When the switch begins POST, the Status LED turns green. The System LED blinks green, and the other LEDs stay green.
When POST completes successfully, the System LED remains green. The XPS LED is green for some time and then returns to its operating status. The other LEDs turn off and return to their operating status. If the switch fails POST, the System and Ethernet management port LEDs turn amber.
Note POST failures are usually fatal. Contact your Cisco technical support representative if your switch does not pass POST.
Switch LEDs
Look at the port LEDs for information when troubleshooting the switch. See the “LEDs” section on page 1-9 for descriptions of the LED colors and their meanings.
Switch Connections
Bad or Damaged Cable
Always examine the cable for marginal damage or failure. A cable might be just good enough to connect at the physical layer, but it could corrupt packets as a result of subtle damage to the wiring or connectors. You can identify this situation because the port has many packet errors or the port constantly flaps (loses and regains link).
• Exchange the copper or fiber-optic cable with a known good cable.
• Look for broken or missing pins on cable connectors.
• Rule out any bad patch panel connections or media convertors between the source and destination. If possible, bypass the patch panel or eliminate media convertors (fiber-optic-to-copper).
• Try the cable in another port to see if the problem follows the cable.
• Catalyst 3750-X switch StackWise cable: remove and inspect the cable and StackWise port for bent pins or damaged connectors. If the StackWise cable is bad, replace it with a known good cable.
Ethernet and Fiber Cables
Make sure that you have the correct cable:
• For Ethernet, use Category 3 copper cable for 10 Mbps UTP connections. Use either Category 5, Category 5e, or Category 6 UTP for 10/100 or 10/100/1000 Mbps connections.
• Verify that you have the correct fiber-optic cable for the distance and port type. Make sure that the connected device ports match and use the same type encoding, optical frequency, and fiber type. For more information about cabling, see the “SFP and SFP+ Module Cable Specifications” section on page B-5.
• Determine if a copper crossover cable was used when a straight-through was required, or the reverse. Enable auto-MDIX on the switch, or replace the cable. See Table 2-3 for recommended Ethernet cables.
Link Status
Verify that both sides have link. A broken wire or a shut down port can cause one side to show link even though the other side does not have link.
A port LED that is on does not guarantee that the cable is functional. It might have encountered physical stress, causing it to function at a marginal level. If the port LED does not turn on:
• Connect the cable from the switch to a known good device.
• Make sure that both ends of the cable are connected to the correct ports.
• Verify that both devices have power.
• Verify that you are using the correct cable type. See Appendix B, “Connector and Cable Specifications” for more information.
• Look for loose connections. Sometimes a cable appears to be seated but is not. Disconnect the cable and then reconnect it.
10/100/1000 Port Connections
A port appears to malfunction:
• Verify the status of all ports. See Table 1-8 on page 1-11 for descriptions of the LEDs and their meanings.
• Use the show interfaces privileged EXEC command to see if the port is error-disabled, disabled, or shut down. Re-enable the port if necessary.
• Verify the cable type. See Appendix B, “Connector and Cable Specifications.”
SFP Modules
Use only Cisco network modules and SFP modules.
• Inspect the network module and SFP module. Exchange the suspect module with a known good module.
• Verify that the module is supported on this platform. (The switch release notes on Cisco.com list the SFP and SFP+ modules that the switch supports.)
• Use the show interfaces privileged EXEC command to see if the port or module is error-disabled, disabled, or shut down. Re-enable the port if needed.
• Make sure that all fiber connections are clean and securely connected.
• For CX1 module connections, make sure that cable routing does not violate the minimum allowed cable bend radius. See the module documentation for specific cabling requirements.
Note When ordering or using CX1 cables, ensure that the version identifier is 2 or higher.
• For long wave SFP+ modules, a mode conditioning patch might improve performance over maximum link distances with MMF connections.
Interface Settings
Verify that the port or interface is not disabled or powered off. If a port or interface is manually shut down on either side of the link, it does not come up until you re-enable the interface. Use the show interfaces privileged EXEC command to see if the interface is error-disabled, disabled, or shut down on either side of the connection. If needed, re-enable the interface.
Ping End Device
Ping from the directly connected switch first, and then work your way back port by port, interface by interface, trunk by trunk, until you find the source of the connectivity issue. Make sure that each switch can identify the end device MAC address in its Content-Addressable Memory (CAM) table.
Spanning Tree Loops
STP loops can cause serious performance issues that look like port or interface problems.
A unidirectional link can cause loops. It occurs when the traffic sent by the switch is received by the neighbor, but the traffic from the neighbor is not received by the switch. A broken cable, other cabling problems, or a port issue could cause this one-way communication.
You can enable UniDirectional Link Detection (UDLD) on the switch to help identify unidirectional link problems. For information about enabling UDLD on the switch, see the “Understanding UDLD” section in the software configuration guide on Cisco.com.
Switch Performance
Speed, Duplex, and Autonegotiation
Port statistics that show a large number of alignment errors, frame check sequence (FCS) errors, or late collisions might indicate a speed or duplex mismatch.
A common issue occurs when duplex and speed settings are mismatched between two switches, between a switch and a router, or between the switch and a workstation or server. Mismatches can happen when manually setting the speed and duplex or from autonegotiation issues between the two devices.
To maximize switch performance and to ensure a link, follow one of these guidelines when changing the duplex or the speed settings:
• Let both ports autonegotiate both speed and duplex.
• Manually set the speed and duplex parameters for the interfaces on both ends of the connection.
• If a remote device does not autonegotiate, use the same duplex settings on the two ports. The speed parameter adjusts itself even if the connected port does not autonegotiate.
Autonegotiation and Network Interface Cards
Problems sometimes occur between the switch and third-party network interface cards (NICs). By default, the switch ports and interfaces autonegotiate. Laptops or other devices are commonly set to autonegotiate, yet sometimes issues occur.
To troubleshoot autonegotiation problems, try manually setting both sides of the connection. If this does not solve the problem, there could be a problem with the firmware or software on the NIC. You can resolve this by upgrading the NIC driver to the latest version.
Cabling Distance
If the port statistics show excessive FCS, late-collision, or alignment errors, verify that the cable distance from the switch to the connected device meets the recommended guidelines. See the “Cable and Adapter Specifications” section on page B-5.
Resetting the Switch to the Factory Default Settings
If you have configured a new switch with a wrong IP address, or if all of the switch LEDs start blinking when you try to enter Express Setup mode, you can clear the IP address that is configured on the switch.
Note Resetting the switch deletes the configuration and reboots the switch.
To reset the switch:
1. Press and hold the Mode button (Figure 1-2 on page 1-4).
The switch LEDs begin blinking after about 2 seconds. If the LEDs above the mode button turn solid green, you can release the Mode button and run Express Setup to configure the switch. If the LEDs do not turn solid green, continue with the next step.
2. Continue holding down the Mode button. The LEDs stop blinking after an additional 8 seconds, and then the switch reboots.
The switch now behaves like an unconfigured switch. You can configure the switch by using Express Setup as described in the switch getting started guide on Cisco.com.
You can also configure the switch by using the CLI setup procedure. See Appendix C, “Configuring the Switch with the CLI-Based Setup Program.”
6.8 Recovery
Refer to section 7, References.
6.9 Vendor Contracts
There is a maintenance contract available at Cisco Systems via the company Computacenter.
A list of the systems under maintenance can be found at: C operating manuals ISO6: Cisco-Maintanance-Computacenter-2010-11-12.xls
6.10 Related SLA´s and Services
There are no SLAs.
6.11 Contact Persons & Call Management
Refer to the Disaster Recovery Handbook.
7 References
Detailed information about the Cisco Catalyst switches is available at:
http://www.cisco.com/c/en/us/products/switches/catalyst-3850-series-switches/literature.html
The IOS operating system should be C<model>E-LANBASEK9-M Version
Features
The IPBASE IOS is to be installed and used with the “lanbase” feature license.
The only network services allowed to run on the switch are CDP, NTP, SSH version 2 and SNMP server (v2c and v3). All other services must be disabled. Services that must be explicitly disabled or made inaccessible:
- DHCP server and relay agent
- PAD
- VTP
- HTTP
- Telnet
- SSH version 1
#default security parameters:
service password-encryption
service sequence-numbers
no ip http server
no ip http secure-server
no ip domain-lookup
Access Control
A local user “admin” with password “ccInst87” has to be configured with privilege level 15.
The password encryption feature has to be enabled.
In addition, the two default local users have to be added with the following pre-defined password hashes:
username cisco privilege 15 secret 5 $1$04e6$aWoM9H27hYyTkL07YDKCg1
username script privilege 15 secret 5 $1$ebK8$Gx9wtzjgG07L.8wvlWNXG0
TACACS+ will be configured using the ITPROSEC servers according to the following statements:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ none
tacacs-server host 10.126.14.10 key xxyy
tacacs-server host 10.126.14.13 key xxyy
tacacs-server directed-request
Remote access to the device has to be restricted using the numbered VTY access list “15”:
access-list 15 remark SSH access vty-in
access-list 15 permit 10.103.33.0 0.0.0.15
access-list 15 permit 10.14.131.0 0.0.0.255
(..)
line vty 0 15
access-class 15 in
Only the first 16 (0-15) VTY lines are enabled. All other VTY lines must be disabled.
An inactivity timeout on the VTY lines and the console has to be set to 30 minutes.
Transport protocols on the VTY lines must be restricted to incoming SSH only.
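The requirements in the Features and Access Control sections above are exact enough to be checked mechanically before a configuration is pushed or after a backup is pulled from Device Expert. The following Python script is an added example, not part of the runbook and not a Cisco tool: it splits an IOS-style configuration into global commands and sub-mode blocks (IOS prints sub-mode commands with a leading space), verifies the global hardening commands and the per-VTY restrictions stated above, and reports every deviation. The sample configuration embedded in it is constructed from the Appendix template with two deliberate deviations; the function and constant names are the example's own.

```python
"""Audit an IOS-style configuration against the runbook's hardening rules.

Added example, not part of the runbook or of any Cisco tool.  The checks
mirror the Features and Access Control requirements: HTTP, Telnet, PAD and
DHCP off, password encryption and SSHv2 on, VTP off, every VTY line
restricted by access-class 15 with a 30-minute inactivity timeout and
SSH-only inbound transport, and no VTY lines above 15 enabled.
"""
import re

# Constructed sample: a trimmed copy of the Appendix template with two
# deliberate deviations (Telnet allowed on vty 0 4, HTTP server left on).
SAMPLE_CONFIG = """\
service password-encryption
no service pad
no service dhcp
ip ssh version 2
ip http server
no ip http secure-server
vtp mode off
line con 0
 exec-timeout 30 0
line vty 0 4
 access-class 15 in
 exec-timeout 30 0
 transport input telnet ssh
line vty 5 15
 access-class 15 in
 exec-timeout 30 0
 transport input ssh
"""

# Global commands the runbook requires to be present verbatim.
REQUIRED_GLOBAL = [
    "service password-encryption",
    "no service pad",
    "no service dhcp",
    "ip ssh version 2",
    "no ip http server",
    "no ip http secure-server",
    "vtp mode off",
]

# Commands every 'line vty' block must contain, with the rule each enforces.
VTY_REQUIRED = {
    "access-class 15 in": "VTY access must be restricted by access-class 15",
    "exec-timeout 30 0": "inactivity timeout must be 30 minutes",
    "transport input ssh": "transport input must be SSH only",
}

VTY_HEADER = re.compile(r"^line vty (\d+)(?: (\d+))?$")


def parse_sections(config_text):
    """Split an IOS config into (top_level_lines, {header: [sub_commands]}).

    An unindented line opens a section; the indented lines that follow
    belong to it.  Comment lines ('!') and blank lines are skipped.
    """
    top_level = []
    sections = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top_level.append(current)
            sections.setdefault(current, [])
    return top_level, sections


def audit(config_text):
    """Return a list of findings (strings); an empty list means compliant."""
    top_level, sections = parse_sections(config_text)
    findings = []

    for cmd in REQUIRED_GLOBAL:
        if cmd not in top_level:
            findings.append(f"missing global command: {cmd}")

    vty_headers = [h for h in sections if h.startswith("line vty")]
    if not vty_headers:
        findings.append("no 'line vty' sections found")
    for header in vty_headers:
        m = VTY_HEADER.match(header)
        last = int(m.group(2) or m.group(1)) if m else -1
        if last > 15:
            findings.append(f"{header}: VTY lines above 15 must be disabled")
        for cmd, rule in VTY_REQUIRED.items():
            if cmd not in sections[header]:
                findings.append(f"{header}: {rule} (expected '{cmd}')")

    # The console gets the same 30-minute inactivity timeout.
    if "exec-timeout 30 0" not in sections.get("line con 0", []):
        findings.append("line con 0: inactivity timeout must be 30 minutes")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["compliant"]:
        print(finding)
```

Run against a saved `show running-config`, the script lists exactly which runbook rule each deviation breaks; the exact-string matching is deliberate, so a `transport input telnet ssh` or an `exec-timeout 10 0` is reported rather than silently accepted.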
SNMP
For legacy reasons SNMP version 2c will be configured using the following configuration statements:
snmp-server view mactrack iso included
snmp-server view mactrack system included
snmp-server view mactrack dot1dBridge included
snmp-server view mactrack cisco excluded
snmp-server view mactrack local excluded
snmp-server view mactrack ifEntry included
snmp-server view mactrack ciscoStackMIB included
snmp-server view mactrack ciscoVtpMIB included
snmp-server view mactrack ciscoVlanMembershipMIB included
snmp-server view mactrack lip.2 excluded
snmp-server community xxxxxxx view mactrack RO 10
snmp-server contact ISO6
snmp-server host 10.103.33.8 te5as
In addition to this configuration, an SNMPv3 view and group should be configured according to the following configuration:
snmp-server view v3view iso included
snmp-server view v3view internet included
snmp-server view v3view cisco excluded
snmp-server view v3view ip.21 excluded
snmp-server view v3view ip.24 excluded
snmp-server view v3view local excluded
snmp-server view v3view ciscoConfig included
snmp-server view v3view ciscoEnvMonMIB included
snmp-server view v3view ciscoCdpMIB included
snmp-server view v3view ciscoImageMIB included
snmp-server view v3view ciscoRttMonMIB included
snmp-server view v3view ciscoConfigManMIB included
snmp-server view v3view ciscoVtpMIB included
snmp-server view v3view ciscoMemoryPoolMIB included
snmp-server view v3view ciscoVlanMembershipMIB included
snmp-server view v3view ciscoStpExtensionsMIB included
snmp-server view v3view ciscoPagpMIB included
snmp-server view v3view ciscoEntityFRUControlMIB included
snmp-server view v3view ciscoVlanIfTableRelationshipMIB included
snmp-server view v3view ciscoIfExtensionMIB included
snmp-server view v3view lip.2 excluded
snmp-server view v3view ciscoProcessMIB.1.1 included
snmp-server group v3group v3 priv read v3view
Access should be restricted by the following standard numbered access-list number 10:
access-list 10 remark SNMP Security
access-list 10 permit 10.104.4.18
access-list 10 permit 10.103.33.0 0.0.0.15
The SNMP contact string is “ISO32” and the SNMP location string should contain the building (GLOBALxx) followed by a space and the distribution room number (e.g. “GLOBAL15 1075-15”).
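Both the VTY access list 15 (Access Control section) and the SNMP access list 10 above are standard numbered ACLs, whose wildcard-mask semantics are easy to misread when reviewing scope. The following Python script is an added example, not part of the runbook and not a Cisco tool: it parses the ACL statements as the runbook writes them (the "(..)" entries the runbook elides are not included, so the set is a constructed subset), applies IOS first-match evaluation with the implicit deny at the end, and gives an upper bound on how many source addresses each ACL admits. Function names are the example's own.

```python
"""Evaluate Cisco IOS standard numbered ACLs offline.

Added example, not from the runbook or any Cisco tool.  It parses the
'access-list 15' (VTY) and 'access-list 10' (SNMP) statements as the
runbook writes them, applies the wildcard-mask matching IOS uses, and
reports whether a given management-station address would be permitted,
so the scope of an ACL can be reviewed before the config is pushed.
"""
import ipaddress

# Constructed subset of the runbook's ACL statements; the elided "(..)"
# entries are not included.
ACL_TEXT = """\
access-list 15 remark SSH access vty-in
access-list 15 permit 10.103.33.0 0.0.0.15
access-list 15 permit 10.14.131.0 0.0.0.255
access-list 15 permit host 10.104.19.10
access-list 10 remark SNMP Security
access-list 10 permit 10.104.4.18
access-list 10 permit 10.103.33.0 0.0.0.15
"""

ALL_ONES = 0xFFFFFFFF


def parse_standard_acls(text):
    """Return {acl_number: [(action, address_int, wildcard_int), ...]}.

    Standard ACL forms handled:
      access-list N permit|deny host A.B.C.D
      access-list N permit|deny A.B.C.D            (implicit wildcard 0.0.0.0)
      access-list N permit|deny A.B.C.D W.W.W.W    (wildcard: 1 bits are ignored)
      access-list N permit|deny any
      access-list N remark ...                     (ignored)
    Entries keep their order because IOS evaluates them first-match.
    """
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "access-list":
            continue
        number, action, args = int(parts[1]), parts[2], parts[3:]
        if action == "remark":
            continue
        if action not in ("permit", "deny") or not args:
            raise ValueError(f"unsupported ACL statement: {line!r}")
        if args[0] == "any":
            address, wildcard = 0, ALL_ONES
        elif args[0] == "host":
            address, wildcard = int(ipaddress.IPv4Address(args[1])), 0
        else:
            address = int(ipaddress.IPv4Address(args[0]))
            wildcard = int(ipaddress.IPv4Address(args[1])) if len(args) > 1 else 0
        acls.setdefault(number, []).append((action, address, wildcard))
    return acls


def matches(ip, address, wildcard):
    """Wildcard bits set to 1 are don't-care; all other bits must be equal."""
    care = ~wildcard & ALL_ONES
    return (int(ipaddress.IPv4Address(ip)) & care) == (address & care)


def evaluate(entries, ip):
    """First matching entry decides; otherwise the implicit 'deny any' applies."""
    for action, address, wildcard in entries:
        if matches(ip, address, wildcard):
            return action
    return "deny"


def max_permitted_addresses(entries):
    """Upper bound on the number of source addresses an ACL permits.

    Each permit entry covers 2^(number of wildcard bits) addresses; entries
    that overlap are counted more than once, hence an upper bound.
    """
    return sum(2 ** bin(wildcard).count("1")
               for action, _, wildcard in entries if action == "permit")


if __name__ == "__main__":
    acls = parse_standard_acls(ACL_TEXT)
    for number, entries in sorted(acls.items()):
        print(f"access-list {number}: at most {max_permitted_addresses(entries)} "
              f"permitted source addresses")
    for ip in ("10.103.33.7", "10.103.33.16", "10.104.19.10", "10.104.19.11"):
        print(f"{ip:>14} -> ACL 15: {evaluate(acls[15], ip)}")
```

The address count makes the difference between the two lists visible at a glance: with the entries above, ACL 10 admits at most 17 SNMP sources while ACL 15 admits up to 273 SSH sources, which is the kind of number worth confirming against the intended set of management stations when the "(..)" entries are filled in.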
Stacking
The switches have to be numbered top-to-bottom. The switch number 1 is the top switch and preferred stack master with a switch priority value of 10.
The stack master will be the switch with the first 10GBase port (TenGigEthernet1/1/1) connected to the first Nexus 7000 access router.
The switch number 2 (below the stack master) is configured with stacking priority 5. This switch has its second 10GBase port (TenGigEthernet2/1/2) connected to the Nexus 7000 access router. If there is only one 3750-X switch, the second 10GBase port (TenGigEthernet1/1/2) is used instead.
All other stack members do not have a TenGigabitEthernet module installed and share the default switch stack priority.
All other switches in the stack should be arranged in order of their number in ascending order from top of the rack to bottom.
Example for a stack of five switches:
Location     | Stack Number | Priority | Role   | Uplink
topmost      | 1            | 10       | master | TenGig1/1/1
below top    | 2            | 5        | member | TenGig2/1/2
middle       | 3            | default  | member | –
above lowest | 4            | default  | member | –
lowest       | 5            | default  | member | –
If it is not feasible during installation to sort the switches by their MAC address in order to ensure this ordering, the stack priority has to be configured explicitly.
The persistent stack-mac timer has to be set to 0 (disabling stack MAC change).
DHCP
The Nexus access routers, or the gateways in subsidiaries, will provide DHCP relay functionality.
The DHCP service must be disabled on all access switches.
Interfaces
The switchport negotiation feature must be disabled on all interfaces.
The 48 RJ45 ports on each switch are configured as switchport mode access.
The udld feature is set to aggressive by default.
The VLANs of the commercial VRF that are provided on the switch stack are pre-configured on the interfaces of the corresponding stack member according to the IP Concept table. Those stack members of which the stack number is noted in the “stack members” column must have the corresponding VLAN of that row configured on the 1000BaseTX ports (ports 1 to 48). Up to three stack members share the same VLAN on their access ports.
Loopback Interfaces
There is no loopback interface on the access switch.
VLAN Interfaces
Only the first (lowest numbered) VLAN interface from the commercial VRF is configured as an IP-Interface.
The IP address for the switch is the host address 5 in the corresponding subnet (for example: 10.14.30.5 in VLAN 230 on switch sglobal020-05).
Spanning-Tree
Spanning-tree protocol is Rapid-per-Vlan-Spanning-Tree (rapid-pvst).
BPDU-Guard is enabled.
All access ports should have port-fast enabled.
# on the core switches (distribution layer switches) set the spanning-tree root bridge priority:
spanning-tree vlan 1-4094 priority 16384 (will be root bridge)
spanning-tree vlan 1-4094 priority 8192 (will be secondary root bridge)
This is important to prevent access switches from becoming the root bridge in the network.
Logging
Logging on the device console has to be restricted to “alert” level (1).
The local logging buffer size should be 64 KiB (65536 bytes) at level “notifications”.
Timestamps should include microseconds.
Logging messages will be sent to the server log02.accounts.local using syslog protocol.
Port-Channel
The uplink to the Nexus Access Router has to be configured as Port-Channel interface 1 on the access switch using LACP protocol.
#default settings for portchannels (etherchannels)
interface Port-channel1
 description M:Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface TenGigabitEthernet1/1/1
 description to-Eth 7/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-protocol lacp
 channel-group 1 mode active
!
interface TenGigabitEthernet2/1/2
 description to-Eth 7/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-protocol lacp
 channel-group 1 mode active
Routing
With only the LANBASE feature licensed, there is no routing configuration supported.
The default gateway is to be set to the lowest IP address in the management VLAN (last octet is 1).
NTP
The NTP server 10.104.4.27 (ntp01) is configured as the default NTP server in MUC1. In subsidiaries, the LAN interface of the VPN router is used as NTP server.
The Timezone is UTC.
Misc
A RSA key-pair labeled “sshkey” has to be generated for use with SSHv2.
All other RSA keys and certificates (e.g. defaults) must be deleted.
Please refer to the configuration template in the Appendix of this document for the configuration.
Appendix
Please feel free to use the following ITPROSEC access switch configuration template.
Configuration Template
**********************************************************!
config example:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
no service dhcp
!
hostname tor-sg-sw-dc1-04
!
boot-start-marker
boot-end-marker
!
logging buffered 65536 notifications
!
username user1 privilege 15 secret 5 xxx
username user2 privilege 15 secret 5 xxx
username script privilege 15 secret 5 xxx
!
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ none
!
!
!
aaa session-id common
switch 1 provision ws-c2960s-48td-l
switch 2 provision ws-c2960s-48td-l
stack-mac persistent timer 0
no ip source-route
no ip gratuitous-arps
!
no ip domain-lookup
ip domain-name mgmt.intern
vtp domain GLOBAL
vtp mode off
udld aggressive
!
!
no setup express
!
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
!
vlan internal allocation policy ascending
!
vlan 222
name commercial-222
!
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
!
interface Loopback0
 no ip address
!
interface Port-channel1
 description M:Uplink to VPC
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
 description U:Vlan222
 switchport access vlan 222
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface TenGigabitEthernet1/0/1
 description M:nac101 Eth 1/4
 switchport mode trunk
 switchport nonegotiate
 channel-protocol lacp
 channel-group 1 mode active
!
!
!
interface Vlan222
 description Commercial VLAN
 ip address 10.14.22.5 255.255.255.0
 no ip redirects
!
ip default-gateway 10.14.22.1
no ip http server
no ip http secure-server
!
ip sla enable reaction-alerts
logging trap notifications
logging 10.104.98.21
!
access-lists are to be discussed: (depends on commercial or production area)
access-list 10 remark SNMP Security
access-list 10 permit 10.103.33.0 0.0.0.15
access-list 15 remark SSH Security
access-list 15 permit 10.103.33.0 0.0.0.15
access-list 15 permit 10.14.131.0 0.0.0.255
access-list 15 permit 10.14.135.0 0.0.0.255
access-list 15 permit host 10.104.19.10
access-list 15 permit host 10.104.7.160
snmp-server group cacti v3 auth match prefix
snmp-server group cacti v3 priv read cacti
snmp-server group v3group v3 priv read v3view
snmp-server view cacti iso included
snmp-server view cacti internet included
snmp-server view cacti mib-2 included
snmp-server view cacti system included
snmp-server view cacti dot1dBridge included
snmp-server view cacti cisco included
snmp-server view cacti snmpMIB included
snmp-server view cacti local excluded
snmp-server view cacti ciscoConfig included
snmp-server view cacti ciscoMgmt included
snmp-server view cacti ifEntry included
snmp-server view cacti ciscoStackMIB included
snmp-server view cacti ciscoImageMIB included
snmp-server view cacti ciscoVtpMIB included
snmp-server view cacti ciscoVlanMembershipMIB included
snmp-server view cacti lip.2 excluded
snmp-server view v3view iso included
snmp-server view v3view internet included
snmp-server view v3view cisco excluded
snmp-server view v3view ip.21 excluded
snmp-server view v3view ip.24 excluded
snmp-server view v3view local excluded
snmp-server view v3view ciscoConfig included
snmp-server view v3view ciscoStackMIB included
snmp-server view v3view ciscoEnvMonMIB included
snmp-server view v3view ciscoCdpMIB included
snmp-server view v3view ciscoImageMIB included
snmp-server view v3view ciscoRttMonMIB included
snmp-server view v3view ciscoConfigManMIB included
snmp-server view v3view ciscoVtpMIB included
snmp-server view v3view ciscoMemoryPoolMIB included
snmp-server view v3view ciscoVlanMembershipMIB included
snmp-server view v3view ciscoStpExtensionsMIB included
snmp-server view v3view ciscoPagpMIB included
snmp-server view v3view ciscoEntityFRUControlMIB included
snmp-server view v3view ciscoVlanIfTableRelationshipMIB included
snmp-server view v3view ciscoIfExtensionMIB included
snmp-server view v3view lip.2 excluded
snmp-server view v3view ciscoProcessMIB.1.1 included
snmp-server view mactrack iso included
snmp-server view mactrack system included
snmp-server view mactrack dot1dBridge included
snmp-server view mactrack cisco excluded
snmp-server view mactrack local excluded
snmp-server view mactrack ifEntry included
snmp-server view mactrack ciscoStackMIB included
snmp-server view mactrack ciscoVtpMIB included
snmp-server view mactrack ciscoVlanMembershipMIB included
snmp-server view mactrack lip.2 excluded
snmp-server community xxxx view mactrack RO 10
snmp-server community xxx RO 10
snmp-server location GLOBAL04-1033-04
snmp-server contact ISO32
snmp-server host 10.103.33.8 xxx
tacacs-server host 10.126.14.10 key xxx
tacacs-server host 10.126.14.13 key xxx
tacacs-server directed-request
banner login ^C
This is an actively monitored system. Unauthorized access prohibited.
Dieses System wird ueberwacht. Unbefugter Zugriff verboten!
^C
!
!
line con 0
 exec-timeout 30 0
line vty 0 4
 access-class 15 in
 exec-timeout 30 0
 transport input ssh
 transport output ssh
line vty 5 15
 access-class 15 in
 exec-timeout 30 0
 transport input ssh
 transport output none
!
ntp clock-period 22519233
ntp server 10.104.68.31
ntp server 10.104.4.27
end