2960G 12.2.55-SE9 in public inet; config

Hi,

I would like to put a 2960G with version 12.2.55-SE9 in public inet and have therefore set up this config based on the Cisco hardening sheet. Any recommendations are welcome as to whether this is "enough" or whether anything bad is set (except for http secure-server being available).
Thank you very much in advance.

Martin
 

!
version 12.2
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
no service dhcp
!
hostname n-ext1-swi01
!
boot-start-marker
boot-end-marker
!
enable secret 5 <secret>
!
username <user> privilege 15 secret 5 <secret>
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
aaa session-id common
clock timezone MET 1
clock summer-time MET recurring last Sun Mar 2:00 last Sun Oct 3:00
system mtu routing 1500
no ip source-route
ip icmp rate-limit unreachable 100
ip dhcp bootp ignore
!
!
no ip domain-lookup
!
!
crypto pki trustpoint TP-self-signed-811688448
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-811688448
 revocation-check none
 rsakeypair TP-self-signed-811688448
!
!
crypto pki certificate chain TP-self-signed-811688448
 certificate self-signed 01
  30820243 ........ ........ ........ ........ ........ ........ ........
  ........ ........ ........ ........ ........ ........ ........ ........
  ........ ........
  quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh source-interface GigabitEthernet0/11
ip ssh version 2
!
!
interface GigabitEthernet0/1
 switchport mode access
 no lldp transmit
 no lldp receive
 no cdp enable
!
.
.
.
.
!
interface GigabitEthernet0/24
 switchport mode access
 no lldp transmit
 no lldp receive
 no cdp enable
!
interface Vlan1
 ip address 213.xxx.xxx.xxx 255.255.255.192
 no ip route-cache
!
ip default-gateway 213.xxx.xxx.xxx
no ip http server
ip http access-class 10
ip http authentication aaa
ip http secure-server
access-list 10 remark *************************************
access-list 10 remark limit access
access-list 10 permit 217.xxx.xxx.xxx
access-list 10 permit 213.xxx.xxx.xxx
access-list 10 deny   any
no cdp run
!
line con 0
line vty 0 4
 access-class 10 in
 exec-timeout 720 0
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 access-class 10 in
 exec-timeout 720 0
 transport input telnet ssh
 transport output telnet ssh
!
ntp server 92.53.103.108 prefer
end
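As an added illustration (not part of the original post), the following Python script audits the VTY stanzas of an IOS running-config for the two hardening points visible in the posted config: telnet still accepted by `transport input`, and a very long `exec-timeout`. The config excerpt is constructed from the post; the threshold of 10 idle minutes is an assumption.

```python
import re

# Constructed excerpt of the posted running-config (only the VTY-relevant lines).
SAMPLE_CONFIG = """\
ip ssh version 2
no ip http server
ip http secure-server
line con 0
line vty 0 4
 access-class 10 in
 exec-timeout 720 0
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 exec-timeout 720 0
 transport input telnet ssh
end
"""

def parse_lines(config):
    """Group the indented sub-commands under each 'line ...' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current:
            stanzas[current].append(raw.strip())
        else:
            current = None          # any top-level command ends the stanza
    return stanzas

def audit_vty(config, max_idle_min=10):
    """Return (stanza, finding) pairs for weak VTY settings; max_idle_min is an assumed policy."""
    findings = []
    for name, cmds in parse_lines(config).items():
        if not name.startswith("line vty"):
            continue
        for cmd in cmds:
            if cmd.startswith("transport input") and "telnet" in cmd.split():
                findings.append((name, "telnet accepted; use 'transport input ssh'"))
            m = re.match(r"exec-timeout (\d+) (\d+)", cmd)
            if m and int(m.group(1)) == 0 and int(m.group(2)) == 0:
                findings.append((name, "exec-timeout 0 0 disables the idle timeout"))
            elif m and int(m.group(1)) * 60 + int(m.group(2)) > max_idle_min * 60:
                findings.append((name, f"idle timeout {m.group(1)} min exceeds {max_idle_min} min"))
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            findings.append((name, "no inbound access-class restricting management sources"))
    return findings

if __name__ == "__main__":
    for stanza, msg in audit_vty(SAMPLE_CONFIG):
        print(f"{stanza}: {msg}")
```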