Standard for configuration of Switches

Unanswered Question
Oct 15th, 2007


we are trying to standardize our Network Devices in terms of global configuration for Switches, routers, Access Points, etc. and we have been trying to building the optiomal config. Would you please comment what would you change in here?

Global Configuration:

service timestamps debug datetime localtime

service timestamps log datetime localtime

service password-encryption

hostname [hostname]

logging buffered 50000 warnings

logging monitor notifications

enable secret [secret password]

enable password [enable password]

username [Username] privilege 15 secret [PASSWORD]

aaa new-model

aaa authentication fail-message ^C

User Authentication has failed. If you are not an authorized user,

please disconnect immediately.

Any unauthorized access attempts will be investigated and will be

subject to prosecution under local laws and ordinances.


aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

aaa authorization network default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa authentication enable default group tacacs+ enable

aaa session-id common

clock timezone cet 1 [other's to be applied]

errdisable recovery cause all

errdisable recovery interval 900

ip subnet-zero


ip name-server (Central DNS Server of Region)

ip name-server (Central DNS Server of Region2)

login block-for 300 attempts 5 within 30

login on-failure log

login delay 2

spanning-tree mode pvst

spanning-tree logging

service nagle

service tcp-keepalives-in

service tcp-keepalives-out

ip default-gateway [default gw IP]

ip classless

no service finger

no service tcp-small-servers

no service udp-small-servers

no service pad

no tftp-server

no service config

no boot network

no ip source-route

no ip finger

no ip identd

no ip http server

no ip http secure-server

logging trap warnings

logging facility auth

logging [CiscoWorks IP]

snmp-server community [read community] RO

snmp-server community [write community] RW

snmp-server enable traps snmp authentication linkdown linkup coldstart

snmp-server enable traps config

snmp-server host [ciscoworks IP] version 2c [read community]

snmp-server trap-authentication

tacacs-server host [Cisco ACS IP] key [encryption key - found in ACS]

tacacs-server host [Cisco ACS IP] key [encryption key - found in ACS]

tacacs-server timeout 10

radius-server source-ports 1645-1646

banner exec ^C



banner login ^C



banner motd ^CCddd

Global IT - IOS^C

ntp server [ntp ip address]

line con 0

login authentication local

session-timeout 10

line vty 0 4

password 7 [password]

session-timeout 10

line vty 5 15

password 7 [password]

session-timeout 10


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
l.mourits Mon, 10/15/2007 - 03:36

Globalization on configuration, mmmhk, I guess this is one if the items where there will be many different opinions, so here are my comments :-)

Personally, I would prefer to see the local timezone in the local logging like you do, but others may like to see the GMT time in there. In all cases I would consider using NTP for time sunchronization (seems to be missing in your template).

Also, if you are using timezones and NTP, you should set the daylightsavings depending on the country the device is in (unless you like changing this manually each 6 months ;-))

"clock summer-time recurring et cetera"

I would add a more meaningfull motd banner that also warns that unauthorized login attempts will be logged.

I noticed the spanning-tree mode set for PVST, depending on the mix iof switrthes you have in place or plan to have it may be worth looking into RPVST.

Depending on what security level you need, you may want to consider the following:

Setting up different local users with different levels of access and configure the associated privilege level commands.

Putting a access-list on you snmp access

Just a couple of comments and thoughts.




This Discussion