Cisco Catalyst 6500 IOS Configuration Template
By Vince
! ***** Fill in the parameters within the angle brackets *****
! ***** Catalyst 6500 Native configuration template *****
!****************************************************************
!
mls rate-limit unicast ip icmp unreachable acl-drop 10
mls rate-limit unicast ip icmp redirect 10
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
logging buffered 11024
service password-encryption
enable secret <password>
no enable password
ip multicast-routing
clock timezone GST 0
!
hostname <hostname>
!
!
! ***************************************************************
! * Configure DNS parameters
! * Enable UDLD in aggressive mode
! * Enable full ip flow tracking for mls
! * Enable TCP path mtu discovery
! * Enable QOS and re-map COS to DSCP values
! * Rate limit ip redirect and unreachable to the Switch process at 10 PPS
! ***************************************************************
!
ip subnet-zero
ip domain lookup
ip domain-list <domain that switch is in>
ip name-server <www.xxx.yyy.zzz>
udld aggressive
udld message time 7
mls flow ip full
ip tcp path-mtu-discovery age-timer 30
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos map ip-prec-dscp 0 8 16 26 32 46 48 56
mls qos
mls aclmerge algorithm odm
mls aclmerge odm optimizations
!
!
! ***************************************************************
! * Set the VTP domain to the name of the switch and the VTP mode to transparent
! ***************************************************************
!
vtp domain <hostname>
vtp mode transparent
!
errdisable recovery cause all
errdisable recovery interval 60
!
!
! ***************************************************************
! * Configure Spanning Tree
! * Set the spanning tree root or secondary root for the vlan. If this is the HSRP
! * primary for this vlan, the priority should be set to 8192. If this is the HSRP
! * standby, the priority should be set to 16384.
! ***************************************************************
!
spanning-tree mode rapid-pvst
spanning-tree vlan <vlan list> priority <value 8192 for primary or 16384 for secondary>
spanning-tree extend system-id
spanning-tree portfast bpduguard default
!
!
! ********************
! * Configure VLANs
! ********************
!
vlan <vlan number>
name Data_Vlan
vlan <voice vlan number>
name Voice_Vlan
!
!
! ********************
! * Standard Fastethernet interfaces (2q1p2t ports), configure as a range
! ********************
!
interface range FastEthernet <Start interface> - <End Interface Number>
switchport
switchport host
switchport access vlan <vlan>
switchport voice vlan <voice vlan number>
no snmp trap link-status
mls qos trust extend cos 0
mls qos trust cos
priority-queue cos-map 1 5
power inline auto
no shut
!
!
! ***************************************************************
! * Uplink Ports
! * Configure the uplink ports to trunk with 802.1q encapsulation
! * Only trunk vlans that are needed
! * Set port to trust DSCP values from the MDF
! ***************************************************************
!
interface range GigabitEthernet <Start interface> - <End Interface Number>
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan <vlan list, NOT vlan 1>
switchport mode trunk
mls qos trust cos
no shut
!
!
! ********************
! * Always disable interface VLAN 1
! ********************
!
interface Vlan1
no ip address
shutdown
!
!
! ***************************************************************
! * Layer 3 Vlan Interfaces No HSRP
! * Enable PIM on the interface
! * Do Not enable PIM on VOICE vlans
! ***************************************************************
!
interface vlan <vlan Number>
ip address <IP Address> <Netmask>
ip helper-address <helper address>
no ip redirects
no ip directed-broadcast
ip pim sparse-dense-mode
no shut
!
!
! ***************************************************************
! Use the configurations below for configuring HSRP
! ***************************************************************
!
! ***************************************************************
! * Layer 3 Interfaces (Primary HSRP)
! ***************************************************************
! * Enable PIM on the interface
! * Configure the standby HSRP IP address
! * Configure the HSRP timers 1 & 3 respectively
! * Configure the HSRP priority (115) & premept delay (15)
! * Configure interface tracking for HSRP
! * Do Not enable PIM on VOICE vlans
! ***************************************************************
!
interface vlan <vlan Number>
ip address <ip address> <netmask>
ip helper-address <helper address>
no ip redirects
no ip directed-broadcast
ip pim sparse-dense-mode
standby <group number> ip <HSRP address>
standby <group number> timers 1 3
standby <group number> priority 115 preempt delay 15
standby <group number> track <uplink interface> 20
no shut
!
! ***************************************************************
! * Layer 3 Interfaces (HSRP Standby)
! ***************************************************************
! * Enable PIM on the interface
! * Configure the standby HSRP IP address
! * Configure the HSRP timers 1 & 3 respectively
! * Configure the HSRP priority
! * Configure interface tracking for HSRP
! * Do Not enable PIM on VOICE vlans
! ***************************************************************
!
interface vlan <vlan Number>
ip address <ip address> <netmask>
ip helper-address <helper address>
no ip redirects
no ip directed-broadcast
ip pim sparse-dense-mode
standby <group number> ip <HSRP address>
standby <group number> timers 1 3
standby <group number> priority 100 preempt delay 15
standby <group number> track <uplink interface> 20
no shut
!
!
! ***************************************************************
! * Set the syslog server
! * Disable the HTTP server for web management
! ***************************************************************
!
logging trap debugging
no ip http server
logging <logging server IP address>
!
!
! ********************
! * Set SNMP system variables
! ********************
!
snmp-server community <Read-Only String> RO
snmp-server location <site/building>
snmp-server contact <contact-name>
snmp-server enable traps
snmp-server ifindex persist
no snmp-server enable traps syslog
no snmp-server chassis-id
snmp-server trap-source vlan <management vlan>
no snmp-server enable traps snmp authentication
!
!
! ********************
! * Configure the tacacs+ servers
! ********************
!
tacacs-server host <Primary tacacs server IP>
tacacs-server host <Secondary tacacs server IP>
tacacs-server timeout 10
tacacs-server key <tacacs key>
!
!
! ********************
! * Set the Banner exactly as shown below
! ********************
!
Banner motd ^
THIS IS A PRIVATE COMPUTER SYSTEM --- USAGE MAY BE
MONITORED AND UNAUTHORIZED ACCESS OR USE MAY RESULT
IN CRIMINAL OR CIVIL PROSECUTION
^
!
!
! ********************
! * Configure timeout timers and login passwords on all available
! * console and vty lines
! ********************
!
line con 0
exec-timeout 10 0
password <password>
logg sync
line vty 0 15
exec-timeout 20 0
password <password>
transport input telnet
logg sync
!
! ********************
! * Configure SSH if correct code
! * Use version 2 of SSH if supported
! ********************
!
ip ssh version 2
line vty 0 15
transport input telnet ssh
!
crypto key generate rsa
!
!
! ********************
! * Set the NTP Server
! ********************
!
ntp server <local ntp server or pool.ntp.org>
!
!
! ********************
! * Configure tacacs+ if using an ACS server, otherwise do not configure
! * Remove ACS auth from console in case of emergency
! ********************
aaa new-model
aaa authentication login no_tacacs enable
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 0 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
aaa accounting update newinfo
aaa accounting commands 15 default start-stop group tacacs+
line con 0
login authentication no_tacacs