Minimum Default Configuration on Cisco Switch/Router

  • Hostname

Hostnames must start with a letter, end with a letter or digit, and may contain only letters, digits, and hyphens as interior characters. Names must be 63 characters or fewer. If you establish sessions to multiple devices, the hostname helps you keep track of where you are entering commands. An all-numeric hostname is not recommended; the name is accepted, but only after an error is returned.

  • Enable secret

To provide an additional layer of security, particularly for passwords that cross the network, this allows you to establish a password that users must enter to access enable mode (the default) or any privilege level you specify. Unlike enable password, which is stored in cleartext or in the reversible type 7 encoding, enable secret is stored as a one-way hash, so a leaked configuration does not directly expose it.

  • Service timestamps

To configure the system to apply a time stamp to debugging messages or system logging messages, use the service timestamps command in global configuration mode, for example service timestamps log datetime msec localtime show-timezone. Timestamped logs are what make events from several devices comparable during an investigation.

  • no ip domain-lookup

By default, when a command entered in user or privileged EXEC mode is not recognized, the router assumes it is the host name of a device that the user is trying to reach with Telnet, and tries to resolve the unrecognized command to an IP address with a DNS lookup. That stalls the session on every typo, so no ip domain-lookup disables it.

  • aaa new-model

When you enable aaa new-model, the default method for login authentication becomes local: the device prompts for a user name and checks it against the locally configured user names and passwords. Create at least one local user (username ... secret ...) before enabling aaa new-model, otherwise you can lock yourself out of the VTY lines.

  • Username xxx secret xxx

Use the username command in global configuration mode to establish a username-based authentication system. Use the secret keyword rather than password so the credential is stored as a one-way hash instead of in cleartext or the reversible type 7 form.

  • Login authentication

Use the login authentication command in line configuration mode to apply an authentication, authorization, and accounting (AAA) authentication method list to logins on that line.

  • Restricting VTY Access by Protocol

By default, Cisco routers allow VTY access via protocols other than Telnet. To be safe, disable every protocol you do not use on the VTYs with the transport input command, so that nobody can gain VTY access through one of them. The example configuration allows only Telnet and SSH; where SSH is available, prefer transport input ssh alone, because Telnet sends credentials in cleartext. The available keywords are:

lat – Enables Digital LAT protocol connections

mop – Enables Maintenance Operation Protocol (MOP) transport

nasi – Enables NetWare Access Servers Interface (NASI) transport

none – Disables all input protocols

pad – Enables X.3 PAD connections

rlogin – Enables the Unix rlogin protocol

ssh – Enables the Secure Shell (SSH) protocol; restrict it to version 2 with ip ssh version 2

telnet – Enables inbound Telnet connections

v120 – Enables the V.120 protocol

  • Implementing Banners

Login banners are mainly used to display a warning message for security purposes. Although a banner alone will not repel a determined attacker, it provides a certain level of legal protection. If unauthorized users see that the organization is serious about legal action, they are less likely to target its devices. Keep the hostname, model, and other identifying details out of the banner.

  • Time zone

To set the time zone for display purposes, use the clock timezone global configuration command.

  • NTP server

To allow the software clock to be synchronized by a Network Time Protocol (NTP) time server, use the ntp server command in global configuration mode. Point it at a trusted source; accurate time is what makes the timestamped logs from several devices line up.

Configuration as below:

Minimum Default Configuration on Cisco Switch-Router
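As an added example (not part of the original post), the Python script below embeds two constructed running-config fragments, one that follows every item on this checklist and one with the usual factory-style weaknesses, and audits both against the list: the hostname rules from the Hostname section, enable secret, service timestamps, no ip domain-lookup, aaa new-model, a local user with a hashed secret, login authentication and transport input on the VTY lines, a banner, clock timezone and ntp server. The config text, hostnames, hash strings and addresses are all made up for the example, and the parser only understands the small subset of IOS syntax shown here.

```python
import re

# Constructed sample configs (not from the original page). HARDENED follows the
# checklist in the post; WEAK is a typical default-ish config with the same items
# missing or set insecurely. Hashes and addresses are placeholders.
HARDENED_CONFIG = """\
hostname core-sw1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
enable secret 9 $9$constructed$notarealhash
no ip domain-lookup
aaa new-model
aaa authentication login default local
username admin privilege 15 secret 9 $9$constructed$notarealhash
clock timezone UTC 0 0
ntp server 192.0.2.10
banner login ^C
Unauthorized access is prohibited.
^C
line vty 0 4
 login authentication default
 transport input ssh
"""

WEAK_CONFIG = """\
hostname Router
enable password cisco
username admin password 0 cisco
line vty 0 4
 password cisco
 login
 transport input all
"""


def valid_hostname(name):
    """Hostname rules from the post: starts with a letter, ends with a letter or
    digit, interior characters are letters/digits/hyphens, at most 63 chars.
    An all-numeric name fails the first rule and is reported as a finding."""
    if not 1 <= len(name) <= 63:
        return False
    return re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*[A-Za-z0-9]|[A-Za-z]", name) is not None


def parse_config(text):
    """Split a running-config into global commands and per-'line' blocks.
    Returns (global_cmds, {line_header: [child commands]})."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())      # indented child of a line block
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, blocks


def audit(text):
    """Return a list of findings; an empty list means every checklist item is met."""
    g, blocks = parse_config(text)
    findings = []

    def has(pattern):
        return any(re.match(pattern, cmd) for cmd in g)

    host = next((c.split(None, 1)[1] for c in g if c.startswith("hostname ")), None)
    if host is None or not valid_hostname(host):
        findings.append("hostname missing or invalid")
    elif host.lower() in ("router", "switch"):
        findings.append("hostname is a factory default")
    if not has(r"enable secret "):
        note = " (only reversible 'enable password')" if has(r"enable password ") else ""
        findings.append("enable secret not set" + note)
    if not has(r"service timestamps log "):
        findings.append("service timestamps log not set")
    if not has(r"no ip domain-lookup"):
        findings.append("ip domain-lookup still enabled")
    if not has(r"aaa new-model"):
        findings.append("aaa new-model not enabled")
    if not has(r"username \S+ (privilege \d+ )?secret "):
        findings.append("no local user with 'secret' (hashed) credential")
    if has(r"username \S+ (privilege \d+ )?password "):
        findings.append("local user stored with reversible 'password'")
    if not has(r"banner (login|motd) "):
        findings.append("no login/motd banner")
    if not has(r"clock timezone "):
        findings.append("clock timezone not set")
    if not has(r"ntp server "):
        findings.append("no ntp server")

    vty_blocks = [cmds for hdr, cmds in blocks.items() if hdr.startswith("line vty")]
    if not vty_blocks:
        findings.append("no vty lines configured")
    for cmds in vty_blocks:
        transports = [c for c in cmds if c.startswith("transport input")]
        # Only "transport input ssh" passes; "all", "telnet ssh", or no statement fails.
        if not transports or any(c.split()[2:] != ["ssh"] for c in transports):
            findings.append("vty transport input is not restricted to ssh")
        if not any(c.startswith("login authentication") for c in cmds):
            findings.append("vty line does not use AAA login authentication")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{label}: {audit(cfg) or 'OK'}")
```

Run it against a saved show running-config to get a first-pass list of what is missing; the hardened sample produces no findings, the weak one produces one finding per checklist item plus a note that the local user and enable password are stored in reversible form.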


