# Cisco Base Security Configuration
# How to Use This Document
This document serves as a guide for the proper configuration of an ICS IT Cisco Switch. It does not aim to provide users with a foundational knowledge of Cisco commands and functions.
The document is divided by configuration code intent used with Cisco IOS switches. The order of the presented code is not intended to indicate the correct implementation sequence, and additional configurations may be necessary from one block to another.
## Procedures
The following code blocks can be implemented in any order after the switch has been booted to the IOS command line. Each code block can also be used independently, or used to verify an existing configuration.
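One way to do that verification, as an added example that is not part of this guide: a Python script that reads a saved `show running-config` and reports which baseline items from the sections below are missing. It checks only a subset of the lines (the password-encryption, HTTP, SSH, CDP, source-route and vty settings), additionally flags type 5 (MD5) secrets, and runs against a constructed sample config with a constructed placeholder hash.

```python
import re
# Constructed sample of a saved "show running-config" (not from a real device); it omits some items.
SAMPLE_CONFIG = """\
service password-encryption
hostname SWITCH8
enable secret 5 $1$abcd$CONSTRUCTEDPLACEHOLDERHASH0
no ip http server
ip http secure-server
ip ssh version 2
line vty 0 4
 access-class 38 in
 exec-timeout 9 0
 login local
 transport input ssh
"""

# Global lines the guide expects, and the lines expected under every "line vty" stanza.
REQUIRED_GLOBAL = ["service password-encryption", "no ip http server",
                   "no ip http secure-server", "ip ssh version 2",
                   "no cdp run", "no ip source-route"]
REQUIRED_VTY = ["access-class 38 in", "transport input ssh", "login local"]

def parse_config(text):
    """Return (set of top-level lines, {stanza header: set of its indented child lines})."""
    top, stanzas, current = set(), {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and '!' separators
        if raw.startswith(" ") and current is not None:
            stanzas.setdefault(current, set()).add(raw.strip())
        else:
            current = raw.strip()
            top.add(current)
    return top, stanzas

def audit(text):
    """Return sorted findings; an empty list means every checked baseline item holds."""
    top, stanzas = parse_config(text)
    findings = [f"missing global: {l}" for l in REQUIRED_GLOBAL if l not in top]
    vtys = [s for s in stanzas if s.startswith("line vty")]
    if not vtys:
        findings.append("no 'line vty' stanza found")
    for vty in vtys:
        findings += [f"{vty}: missing {r}" for r in REQUIRED_VTY if r not in stanzas[vty]]
    # Type 5 secrets are salted MD5; flag them so the admin can move to a stronger hash type.
    for line in top:
        if re.match(r"(enable|username \S+.*) secret 5 ", line):
            findings.append(f"weak hash type 5: {line.split(' secret ')[0]}")
    return sorted(findings)
```

Feed it the output of `show running-config` captured to a file; the sample above yields three missing global lines and one weak-hash finding.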
## Initial Configuration
### Services
Set up switch services. Copy the code below:
```plaintext
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
```
### Hostname
Set the hostname of the switch. Copy the code below, alter for your environment and device:
```plaintext
hostname Hostname
```
### Logging
Set up logging. Copy the code below, alter for your environment and device:
```plaintext
logging file flash:LOG_SWITCH8 89999 notifications
logging count
logging buffered 16000
logging console critical
no logging monitor
login on-failure log
login on-success log
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
```
### Security
Set the main administration password. Copy the code below, alter for your environment and device:
```plaintext
enable secret 5 $1$17Sv$8ggwbemNPWiYG5OfzyDj10
```
### Users
Set up users. Copy the code below, alter for your environment and device:
```plaintext
username username privilege 15 secret 5 $1$0OSy$a3Efm134K8B.CiI0FJrT9.
username username2 privilege 15 secret 5 $1$.JaZ$mQGaaM632DVlyAxIkyqxx0
```
### Time Settings
Set your time zone and daylight saving time details. Copy the code below, alter for your environment and device:
```plaintext
no aaa new-model
clock timezone PST -8 0
clock summer-time PST recurring
system mtu routing 1500
```
## Routing and DNS
Set the domain lookup source interface, the domain name and the domain name server addresses. Copy the code below, alter for your environment and device:
```plaintext
no ip source-route
ip routing
no ip gratuitous-arps
!
ip domain-list pacs.local.lan
ip domain-lookup source-interface Vlan10
ip domain-name pacs.local.lan
ip name-server 192.168.0.1
ip name-server 192.168.0.2
```
## Spanning-tree settings
Set the spanning-tree portfast settings. Copy the code below:
```plaintext
spanning-tree mode pvst
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
spanning-tree portfast edge bpdufilter default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
no cdp run
```
## SSH Access
Set up SSH access and disable the HTTP management interfaces. Copy the code below:
```plaintext
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface Loopback0
ip ssh time-out 60
ip ssh version 2
ip scp server enable
```
## Access List
Set up the access list that limits management access to the shell interface. Add each administration end point as an IP address, one per line. IP addresses not listed will be denied access once the list is applied to the vty lines with `access-class 38 in` (see the Transport section). Copy the code below, alter for your environment and device:
```plaintext
logging facility local1
logging source-interface Vlan10
access-list 38 remark *** Permitted Access Sources ***
access-list 38 permit 192.168.0.100
access-list 38 permit 192.168.0.101
```
## Warning Banner
Set up the MOTD login banner by following the terminal prompts and copying and pasting as needed from the code below:
```plaintext
banner login
================================================================================
_ **WARNING TO USERS OF THIS SYSTEM**
_
This computer system, including all related equipment, networks, and network
devices, is provided by [entity or business name] in accordance with
the policy for official use and limited personal use. This system may not
be connected to the Internet, in any way, unless specifically authorized by the
[authorizing individual or entity].
_
All computer systems may be monitored for all lawful purposes, including
but not limited to, ensuring that use is authorized, for management of the
system, to facilitate protection against unauthorized access, and to verify
security procedures, survivability and operational security. Any information on
this computer system may be examined, recorded, copied and used for authorized
purposes at any time. All information, including personal information, placed or
sent over this system may be monitored, and users of this system are reminded
that such monitoring does occur. Therefore, there should be no expectation of
privacy with respect to use of this system.
_
By logging into this computer system, you acknowledge and consent to the
monitoring of this system. Evidence of your use, authorized or unauthorized,
collected during monitoring may be used for civil, criminal, administrative, or
other adverse action. Unauthorized or illegal use may subject you to
prosecution.
_
================================================================================
```
## Transport and Monitoring
### Transport
Set up the console and VTY line transport settings. Copy the code below:
```plaintext
line con 0
exec-timeout 15 0
logging synchronous
login local
line vty 0 4
access-class 38 in
exec-timeout 9 0
logging synchronous
login local
transport input ssh