Security Template
-----Output Omitted-------
!
version 12.2
! Nagle on the switch's own TCP sessions (e.g. SSH); harmless on an access switch.
service nagle
! Legacy/boot-time services that an access switch never needs.
no service pad
no service boot network
no service boot host
! NOTE(review): blocks the ROMMON break-sequence password recovery. If the enable secret is
! lost, the only way back in is a full erase of the configuration from ROMMON, so the secret
! must be held in a password vault.
no service password-recovery
! Keepalives in both directions so half-open management sessions are torn down.
service tcp-keepalives-in
service tcp-keepalives-out
! Millisecond, local-time timestamps so logs can be correlated with other systems.
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
! Only obfuscates type-7 passwords (reversible); it is not a substitute for "secret" hashes.
service password-encryption
!
!
! NOTE(review): these keep the switch running when a memory overflow is detected instead of
! crashing, which hides a symptom of corruption or exploitation -- confirm this is intended.
exception memory ignore overflow io
exception memory ignore overflow processor
exception crashinfo maximum files 5
!
!
memory reserve critical
!
hostname Access-Layer-Switch
!
boot-start-marker
boot-end-marker
!
! 256 KB local log buffer; the severity filter is set by "logging buffered 6" further down.
logging buffered 256000
! Type 5 = salted MD5-crypt, one-way. The value shown is a template placeholder and must be
! replaced with the hash the device itself generates when "enable secret <cleartext>" is entered.
! NOTE(review): prefer type 8/9 (PBKDF2/scrypt) where the IOS train supports it.
enable secret 5 $1$PtbF$hMMlkjren;fbjekrbklnw***QodiYaHn9.C/
!
! NOTE(review): "secret 5" requires a full "$1$<salt>$<hash>" string; the value below is not in
! that form and IOS rejects it as "not a valid encrypted secret". Generate it on the device with
! "username administrator privilege 15 secret <cleartext>" and copy the resulting line here.
username administrator privilege 15 secret 5 $T9CWsvjvE6Q
!
!
! AAA framework. Authentication and authorization both use the local user database (the
! "administrator" account above). NOTE(review): no "aaa accounting" line is present in this
! listing, so exec sessions and commands are not recorded off-box; add a TACACS+/RADIUS
! server group for authentication and accounting when one is available, keeping "local" as
! the fallback method.
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
! Privilege-15 commands are authorized against the local database.
aaa authorization commands 15 default local
!
!
!
! One session-id across all records of a session so auth/accounting records can be correlated.
aaa session-id common
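clock timezone CST -6
switch 1 provision ws-c3750g-48ps
system mtu routing 1500
! Transparent VTP: this switch never accepts VTP advertisements, so a rogue or higher-revision
! VTP server cannot rewrite its VLAN database.
vtp domain radiormi.com
vtp mode transparent
! NOTE(review): allows a MAC address to move between ports without a security violation;
! confirm this is wanted alongside "port-security max 1" on the access ports.
authentication mac-move permit
udld aggressive
ip subnet-zero
! A domain name is required before "crypto key generate rsa" can create the SSH host key.
ip domain-name cityofhouston.net
!
!
! SSH server hardening (requires a crypto/k9 image): SSHv2 only, since SSHv1 has known
! protocol weaknesses; short authentication window; limited retries.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Switch-originated SSH sessions are sourced from the management SVI. The original template
! named "GigabitEthernet 0/1", which is not a port on a ws-c3750g-48ps (ports are Gi1/0/x) and
! has no address; Vlan39 is the only addressed interface in this configuration.
ip ssh source-interface Vlan39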
!
! Configuration change logging: keep the last 200 configuration-mode commands with user and
! timestamp, hide passwords/keys in those records, and send each change to syslog.
archive
log config
logging enabled
log size 200
hidekeys
notify syslog
!
!
!
! IOS Resilient Configuration: keeps a protected copy of the running image and startup config
! that cannot be removed from the CLI, for recovery after tampering or accidental erase.
! NOTE(review): not every platform/image accepts these commands -- confirm they are taken.
secure boot-image
secure boot-config
!
! Lock configuration mode automatically so two operators cannot interleave changes.
configuration mode exclusive auto
!
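! DHCP snooping on the camera/host/management VLANs: only trusted ports (the MDF uplinks) may
! answer DHCP, which blocks rogue DHCP servers on access ports. The per-VLAN command is inert
! until snooping is enabled globally; that global line did not appear in this listing, so it is
! added here (re-entering it is harmless if it is already set).
ip dhcp snooping
ip dhcp snooping vlan 36-39
! Do not insert Option 82; upstream servers not configured for it may drop such requests.
no ip dhcp snooping information option
! NOTE(review): the snooping binding table can also feed "ip arp inspection vlan 36-39" and
! per-port "ip verify source"; cameras with static addresses would then need ARP ACLs or
! static bindings, so test before enabling.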
!
! QoS: CoS / IP-precedence to DSCP maps (CoS 4 -> DSCP 34 / AF41, CoS 5 -> 46 / EF), strict
! priority on input queue 1, and output queue-set thresholds and buffer split.
mls qos map cos-dscp 0 8 16 24 34 46 48 56
mls qos map ip-prec-dscp 0 8 16 24 34 46 48 56
mls qos srr-queue input priority-queue 1 bandwidth 40
mls qos queue-set output 1 threshold 1 400 400 100 400
mls qos queue-set output 1 threshold 2 400 400 100 400
mls qos queue-set output 1 buffers 10 40 20 30
! Enabling QoS globally makes the per-port "mls qos trust dscp" statements take effect; ports
! without a trust statement are untrusted by default and ingress marking is rewritten to 0.
mls qos
!
!
!
!
! Rapid PVST+. EtherChannel guard err-disables a mis-bundled channel; extended system-id
! encodes the VLAN ID in the bridge priority field (required on this platform).
spanning-tree mode rapid-pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
! VLAN database (must be defined locally because VTP is transparent). "XX" is a template
! placeholder; the interface and DHCP-snooping sections use 36-39 (Vlan39 is the management
! SVI), so the numbers entered here must match those. (spelling: "Auxiliary")
vlan XX
name Cameras-A
!
vlan XX
name Cameras-B
!
vlan XX
name Hosts
!
vlan XX
name Auxillary
!
!
!
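! Camera port template. "interface range" with a single member is a placeholder; widen it to
! the real camera port range. VLAN 38 must be one of the camera VLANs defined above.
! Port-security: one MAC, 5-minute inactivity aging; "restrict" drops frames from any extra
! MAC and logs/traps the violation but keeps the port up so the camera stays online.
! PortFast + BPDU guard err-disables the port if anything that speaks STP is plugged in.
! NOTE(review): "mls qos trust dscp" honours whatever DSCP the camera sets; a device swapped
! onto this port could mark EF/CS6 and take priority-queue bandwidth. If the camera's marking
! is known, a re-marking policy map is safer than trusting.
interface range GigabitEthernet1/0/1
description Camera
switchport access vlan 38
switchport mode access
switchport port-security
switchport port-security aging time 5
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security max 1
srr-queue bandwidth share 1 75 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
mls qos trust dscp
! Cap broadcast/multicast at 10% of bandwidth to contain a storm from a faulty or hostile device.
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast
spanning-tree bpduguard enable
! Documented IOS form is "snmp trap link-status" (the original "snmp-trap" is not a keyword);
! it is on by default, so it will not appear in "show running-config".
snmp trap link-status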
!
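! Firetide port. The original note ("number of Devices + Node") shows several devices sit
! behind this port, so the port-security maximum must be sized to devices + 1 for the node.
! That note was inline on the command, which IOS rejects; it is a comment here. The stray "XX"
! after "switchport mode access" is also removed -- that command takes no argument.
interface GigabitEthernet1/0/2
description Firetide
switchport access vlan XX
switchport mode access
switchport port-security
switchport port-security aging time 5
switchport port-security violation restrict
switchport port-security aging type inactivity
! max = number of devices behind the node + 1 for the node itself; "1" is a placeholder.
switchport port-security max 1
srr-queue bandwidth share 1 75 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
mls qos trust dscp
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast
spanning-tree bpduguard enable
snmp trap link-status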
!
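! Encoder port. The original template omitted port-security here although every other
! endpoint port has it; the same single-MAC, restrict-on-violation profile is applied.
! NOTE(review): assumes one MAC behind the port -- raise "max" if the encoder bridges others.
! The stray "XX" after "switchport mode access" is removed (the command takes no argument).
interface GigabitEthernet1/0/3
description Encoder
switchport access vlan XX
switchport mode access
switchport port-security
switchport port-security aging time 5
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security max 1
srr-queue bandwidth share 1 75 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
mls qos trust dscp
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast
spanning-tree bpduguard enable
snmp trap link-status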
!
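! Workstation port: single MAC, restrict on violation, PortFast + BPDU guard. The stray "XX"
! after "switchport mode access" is removed (the command takes no argument).
! NOTE(review): "mls qos trust dscp" lets a user PC set its own DSCP and claim priority-queue
! bandwidth intended for video; consider leaving workstation ports untrusted (remove the trust
! line) or applying a re-marking policy map.
interface GigabitEthernet1/0/4
description Workstation
switchport access vlan XX
switchport mode access
switchport port-security
switchport port-security aging time 5
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security max 1
srr-queue bandwidth share 1 75 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
mls qos trust dscp
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast
spanning-tree bpduguard enable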
!
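! Firewall-Routed port. The original template carried two notes inline on commands, which IOS
! rejects; they are preserved as comments below.
interface GigabitEthernet1/0/6
description Firewall-Routed
! original note: the access VLAN represents a point-to-point SVI
switchport access vlan XX
switchport mode access
switchport port-security
switchport port-security aging time 5
switchport port-security violation restrict
switchport port-security aging type inactivity
! original note: one MAC (the firewall); may need to change if inside NAT is used
switchport port-security max 1
srr-queue bandwidth share 1 75 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
mls qos trust dscp
storm-control broadcast level 10.00
storm-control multicast level 10.00
! A firewall interface should never send BPDUs; if one does, err-disable rather than join STP.
spanning-tree portfast
spanning-tree bpduguard enable
snmp trap link-status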
!
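! Virtualisation-host trunk. Static trunk with DTP off ("nonegotiate"); only the VLANs the host
! needs are allowed. The original had "allowed vlans", which is not a valid keyword -- the
! command is "switchport trunk allowed vlan"; "x-z" remains a placeholder. Use an otherwise
! unused VLAN as the native VLAN so no data or management VLAN travels untagged (double-tag
! VLAN hopping). PortFast-trunk plus BPDU guard: if the host's vSwitch ever forwards BPDUs
! (loop or misconfiguration) the port is err-disabled instead of disturbing the spanning tree.
interface GigabitEthernet1/0/7
description Server-Virtual
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
! only allow VLANs present on the host
switchport trunk allowed vlan x-z
switchport trunk native vlan xx
srr-queue bandwidth share 1 75 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
mls qos trust dscp
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast trunk
spanning-tree bpduguard enable
snmp trap link-status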
!
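! Physical-server trunk; same profile as the virtualisation host. "switchport trunk allowed
! vlans" (original) is not a valid keyword -- corrected to "allowed vlan"; "x-z" remains a
! placeholder. Native VLAN must be an otherwise unused VLAN (double-tag VLAN hopping).
! PortFast-trunk plus BPDU guard err-disables the port if the server ever sends BPDUs.
interface GigabitEthernet1/0/8
description Server-Physical
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
! only allow VLANs present on the server
switchport trunk allowed vlan x-z
switchport trunk native vlan xx
srr-queue bandwidth share 1 75 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
mls qos trust dscp
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast trunk
spanning-tree bpduguard enable
snmp trap link-status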
!
! Spare workstation port, administratively down.
! NOTE(review): it is assigned to VLAN 39, which is the in-band management VLAN (interface
! Vlan39 below). A host on this port would sit in the switch's management L2 segment; move it
! to the Hosts VLAN and add the same port-security profile as Gi1/0/4 before enabling it.
interface GigabitEthernet1/0/24
description Workstation
switchport access vlan 39
switchport mode access
shutdown
srr-queue bandwidth share 1 75 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
mls qos trust dscp
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast
spanning-tree bpduguard enable
!
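! Uplink to MDF2 (distribution). Trunk limited to VLANs 36-39; DHCP replies from upstream are
! trusted on this port. "switchport nonegotiate" is added so the trunk is static rather than
! DTP-negotiated, matching the server trunks -- the MDF side must also be a static trunk.
! NOTE(review): native VLAN 36 is also an allowed data VLAN, so its frames travel untagged and
! a host in VLAN 36 could double-tag into another VLAN; use a dedicated unused native VLAN on
! both ends (and "vlan dot1q tag native" globally where the platform supports it).
interface GigabitEthernet1/0/49
description MDF2
switchport trunk encapsulation dot1q
switchport trunk native vlan 36
switchport trunk allowed vlan 36-39
switchport mode trunk
switchport nonegotiate
load-interval 30
srr-queue bandwidth share 1 75 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
mls qos trust dscp
storm-control broadcast level 10.00
storm-control multicast level 10.00
ip dhcp snooping trust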
!
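! Uplink to MDF1 (distribution); same profile as the MDF2 uplink. "switchport nonegotiate"
! is added so the trunk is static (DTP off) -- the MDF side must also be a static trunk.
! NOTE(review): native VLAN 36 is also an allowed data VLAN (untagged frames, double-tag
! risk); use a dedicated unused native VLAN on both ends.
interface GigabitEthernet1/0/50
description MDF1
switchport trunk encapsulation dot1q
switchport trunk native vlan 36
switchport trunk allowed vlan 36-39
switchport mode trunk
switchport nonegotiate
load-interval 30
srr-queue bandwidth share 1 75 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
mls qos trust dscp
storm-control broadcast level 10.00
storm-control multicast level 10.00
ip dhcp snooping trust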
!
! Unused uplink ports kept shut down.
! NOTE(review): unused ports are best also parked in an unused VLAN ("switchport access vlan
! <unused>") so a port enabled by mistake does not land in VLAN 1.
interface GigabitEthernet1/0/51
shutdown
!
interface GigabitEthernet1/0/52
shutdown
!
! VLAN 1 is not used for data or management: no address and shut down. Every port in this
! template is assigned an explicit VLAN; do the same for any port not listed here.
interface Vlan1
no ip address
no ip route-cache
shutdown
!
! In-band management SVI -- the only addressed interface on this switch. ICMP redirects,
! unreachables and proxy-ARP are disabled so the SVI cannot be used for network mapping or to
! attract traffic. NOTE(review): workstation port Gi1/0/24 is assigned to this VLAN; keep end
! hosts out of the management VLAN.
interface Vlan39
description Inband-Mgmt-L2
ip address 10.111.39.11 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
!
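! Layer-2 switch: management traffic leaves via the default gateway on VLAN 39.
ip default-gateway 10.111.39.1
ip classless
! Web management disabled in both cleartext and TLS form; manage over SSH only. The original
! template disabled only the cleartext server and left the HTTPS server in whatever state it
! had.
no ip http server
no ip http secure-server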
!
!
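! Management Plane Protection: management protocols are accepted only on the named interface.
! The original template pointed at "GigabitEthernet 0/1", which is not a port on a
! ws-c3750g-48ps and has no address; the management SVI (Vlan39) is used instead. Every
! protocol used to manage the box must be listed: the VTYs take SSH and SNMP communities are
! configured, so both are allowed; HTTPS is dropped because the HTTP server is disabled and
! Telnet is deliberately absent.
! NOTE(review): MPP may not be available on every Catalyst train -- confirm the command is
! accepted, and verify SSH and SNMP access after applying it (lock-out risk).
control-plane host
management-interface Vlan39 allow ssh snmp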
!
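ip sla enable reaction-alerts
! Syslog at informational (6) both in the local buffer and to the collector. The original
! template set "logging trap" twice (6, then "notifications" = 5; the last one wins), which
! silently dropped level-6 events such as login records -- one explicit level is kept.
logging buffered 6
logging trap informational
no logging console
no logging monitor
! Source syslog from the management SVI. The original named "loopback 0", but no Loopback
! interface exists in this configuration (Vlan39 is the only addressed interface), so
! messages may have had no valid source address.
logging source-interface Vlan39
! NOTE(review): no "logging host <collector>" appears in this listing; without one neither
! "logging trap" nor "archive ... notify syslog" has a destination.
! Access-list 199: traffic between the 10.111.38.240/30 pair and its 10.112.x peers.
! NOTE(review): it is not applied anywhere in this listing (no access-class, access-group or
! snmp-server community reference) -- attach it where intended or remove it.
access-list 199 permit ip 10.111.38.240 0.0.0.3 host 10.112.38.1
access-list 199 permit ip host 10.111.38.1 10.112.38.240 0.0.0.3
access-list 199 permit ip 10.111.38.240 0.0.0.3 10.112.38.240 0.0.0.3
access-list 199 permit ip 10.111.38.240 0.0.0.3 host 10.112.32.10
access-list 199 permit ip host 10.111.32.10 10.112.38.240 0.0.0.3
! SNMP. The guessable read-only community "test" from the original template is removed. A
! read-only community still exposes configuration, interface and ARP tables to anyone who can
! reach the switch, so restrict the remaining one to the NMS with a standard ACL
! ("snmp-server community confident8 RO <acl-number>") or move to SNMPv3 authPriv.
snmp-server community confident8 RO
! "snmp enable traps" (original) is not the global command; the form is "snmp-server enable
! traps". Traps also need an "snmp-server host" line, which is not present in this listing.
snmp-server enable traps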
!
!
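! Console and VTY access. Console: 9-minute idle timeout; authentication comes from the AAA
! default login list (local) because "aaa new-model" is set.
line con 0
exec-timeout 9 0
! VTY: SSH only. The original template allowed Telnet, which carries the administrator's
! credentials and every command in cleartext and contradicts the SSH hardening above.
! With "aaa new-model" the per-line command is "login authentication <list>"; the pre-AAA
! "login local" form is not offered once AAA is enabled.
! NOTE(review): add "access-class <mgmt-acl> in" on both VTY ranges to limit SSH sources to
! the management hosts; no suitable ACL exists in this listing (199 is a point-to-point pair).
line vty 0 4
exec-timeout 9 0
login authentication default
transport input ssh
line vty 5 15
exec-timeout 15 0
login authentication default
transport input ssh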
!
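! NTP for trustworthy log timestamps: two internal servers, .2 preferred.
! "ntp clock-period" from the original template is dropped: IOS computes and writes that value
! itself to tune the local oscillator, and pasting a value from another device degrades time
! keeping until it is recalculated.
! NOTE(review): NTP is unauthenticated here. If the servers support it, add "ntp authenticate",
! "ntp authentication-key <n> md5 <key>", "ntp trusted-key <n>" and "key <n>" on each server
! line, plus "ntp access-group peer <acl>" so time is accepted only from these two hosts.
ntp server 10.111.39.3
ntp server 10.111.39.2 prefer
end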
-----Output Omitted-------