! ============================================================
! VantagePoint Networks — Cisco Catalyst 9500 L3 Core Switch
! Hardened Baseline · CIS Level 1 Compliant
! IOS-XE 17.x
! ============================================================
! DEPLOYMENT NOTES:
!   1. Replace all <VARIABLES> with your site values
!   2. Review VLAN assignments for your environment
!   3. Update SNMP community strings before deployment
!   4. Test in lab before pushing to production
! ============================================================

! --- Global Settings ---
hostname CORE-SW-01
!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service pad
no service finger
no service udp-small-servers
no service tcp-small-servers
no service config
!
! --- Security Banner ---
banner login ^C
===============================================================
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit, authorized permission to access or
  configure this device. All activities are monitored and logged.
  Unauthorized access attempts will be reported.
===============================================================
^C
!
! --- Clock & NTP ---
clock timezone UTC 0
ntp server <NTP_SERVER_1> prefer
ntp server <NTP_SERVER_2>
ntp authenticate
ntp authentication-key 1 md5 <NTP_AUTH_KEY>
ntp trusted-key 1
!
! --- AAA Configuration ---
aaa new-model
aaa authentication login default local
aaa authentication login CONSOLE local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local
aaa authorization commands 15 default local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
!
! --- Local User Accounts ---
username <ADMIN_USER> privilege 15 algorithm-type scrypt secret <ADMIN_PASSWORD>
username <READONLY_USER> privilege 1 algorithm-type scrypt secret <READONLY_PASSWORD>
!
! --- TACACS+ (if using centralised auth) ---
! tacacs server TACACS-PRIMARY
!  address ipv4 <TACACS_SERVER_1>
!  key <TACACS_KEY>
!  timeout 5
! tacacs server TACACS-SECONDARY
!  address ipv4 <TACACS_SERVER_2>
!  key <TACACS_KEY>
!  timeout 5
!
! --- Password Policy ---
security passwords min-length 12
login block-for 120 attempts 3 within 60
!
! --- Console & VTY Hardening ---
line console 0
 login authentication CONSOLE
 exec-timeout 5 0
 logging synchronous
 transport input none
 stopbits 1
!
line vty 0 4
 login authentication default
 exec-timeout 10 0
 transport input ssh
 transport output none
 access-class VTY-ACL in
!
line vty 5 15
 login authentication default
 exec-timeout 10 0
 transport input ssh
 transport output none
 access-class VTY-ACL in
!
! --- SSH Hardening ---
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh maxstartups 2
ip ssh dh min size 2048
crypto key generate rsa modulus 4096
!
! --- Disable Unnecessary Services ---
no ip http server
no ip http secure-server
no ip source-route
no ip gratuitous-arps
no cdp run
no ip bootp server
no ip finger
no ip identd
no ip rcmd rcp-enable
no ip rcmd rsh-enable
no service dhcp
no mop enabled
!
! --- Logging ---
logging buffered 64000 informational
logging console critical
logging monitor informational
logging trap informational
logging source-interface Vlan10
logging host <SYSLOG_SERVER_1>
logging host <SYSLOG_SERVER_2>
!
! --- SNMP v3 (v2c disabled) ---
no snmp-server community public
no snmp-server community private
snmp-server group SNMPV3-RO v3 priv read SNMPV3-VIEW
snmp-server group SNMPV3-RW v3 priv read SNMPV3-VIEW write SNMPV3-VIEW
snmp-server user <SNMPV3_USER> SNMPV3-RO v3 auth sha <SNMP_AUTH_PASS> priv aes 256 <SNMP_PRIV_PASS>
snmp-server view SNMPV3-VIEW iso included
snmp-server host <SNMP_TRAP_DEST> version 3 priv <SNMPV3_USER>
snmp-server enable traps
snmp-server ifindex persist
!
! --- IP Settings ---
ip routing
ip cef
ip tcp synwait-time 10
ip tcp path-mtu-discovery
no ip domain-lookup
ip domain-name <DOMAIN_NAME>
ip name-server <DNS_SERVER_1>
ip name-server <DNS_SERVER_2>
!
! --- ACLs ---
ip access-list standard VTY-ACL
 10 permit <MGMT_SUBNET> <MGMT_WILDCARD>
 20 deny any log
!
ip access-list extended MGMT-PLANE-ACL
 10 permit tcp <MGMT_SUBNET> <MGMT_WILDCARD> any eq 22
 20 permit udp <NTP_SERVER_1> 0.0.0.0 any eq 123
 30 permit udp <NTP_SERVER_2> 0.0.0.0 any eq 123
 40 permit udp <SYSLOG_SERVER_1> 0.0.0.0 any eq 514
 50 deny ip any any log
!
! --- Control Plane Policing ---
control-plane
 service-policy input COPP-POLICY
!
! --- VLAN Database ---
vlan 10
 name MGMT
vlan 20
 name USERS
vlan 30
 name SERVERS
vlan 40
 name VOICE
vlan 50
 name PRINTERS
vlan 100
 name DMZ
vlan 999
 name QUARANTINE
vlan 1000
 name NATIVE-UNUSED
!
! --- SVI Interfaces ---
interface Vlan10
 description == MANAGEMENT VLAN ==
 ip address <MGMT_IP> <MGMT_MASK>
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no shutdown
!
interface Vlan20
 description == USER VLAN ==
 ip address <USERS_GW_IP> <USERS_MASK>
 ip helper-address <DHCP_SERVER>
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no shutdown
!
interface Vlan30
 description == SERVER VLAN ==
 ip address <SERVERS_GW_IP> <SERVERS_MASK>
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no shutdown
!
interface Vlan40
 description == VOICE VLAN ==
 ip address <VOICE_GW_IP> <VOICE_MASK>
 ip helper-address <DHCP_SERVER>
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no shutdown
!
interface Vlan999
 description == QUARANTINE - NO ROUTING ==
 no ip address
 shutdown
!
! --- Physical Interfaces ---
! Uplink to Firewall
interface TenGigabitEthernet1/0/1
 description == UPLINK TO FW-CORE-01 port2 ==
 no switchport
 ip address <FW_LINK_IP> <FW_LINK_MASK>
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no cdp enable
 no shutdown
!
! vPC / StackWise Virtual link to CORE-SW-02
interface TenGigabitEthernet1/0/47
 description == SVL LINK TO CORE-SW-02 ==
 stackwise-virtual link 1
 no shutdown
!
interface TenGigabitEthernet1/0/48
 description == SVL LINK TO CORE-SW-02 ==
 stackwise-virtual link 1
 no shutdown
!
! Trunk to Distribution switches
interface TenGigabitEthernet1/0/2
 description == TRUNK TO DIST-01 (Building A) ==
 switchport mode trunk
 switchport trunk native vlan 1000
 switchport trunk allowed vlan 10,20,30,40,50
 switchport nonegotiate
 spanning-tree portfast disable
 spanning-tree guard root
 channel-group 1 mode active
 no shutdown
!
interface TenGigabitEthernet1/0/3
 description == TRUNK TO DIST-02 (Building B) ==
 switchport mode trunk
 switchport trunk native vlan 1000
 switchport trunk allowed vlan 10,40,50,60,70
 switchport nonegotiate
 spanning-tree portfast disable
 spanning-tree guard root
 channel-group 2 mode active
 no shutdown
!
interface TenGigabitEthernet1/0/4
 description == TRUNK TO DIST-03 (Building C) ==
 switchport mode trunk
 switchport trunk native vlan 1000
 switchport trunk allowed vlan 10,70,80,90
 switchport nonegotiate
 spanning-tree portfast disable
 spanning-tree guard root
 channel-group 3 mode active
 no shutdown
!
! --- Port Channels ---
interface Port-channel1
 description == PO TO DIST-01 ==
 switchport mode trunk
 switchport trunk native vlan 1000
 switchport trunk allowed vlan 10,20,30,40,50
 switchport nonegotiate
!
interface Port-channel2
 description == PO TO DIST-02 ==
 switchport mode trunk
 switchport trunk native vlan 1000
 switchport trunk allowed vlan 10,40,50,60,70
 switchport nonegotiate
!
interface Port-channel3
 description == PO TO DIST-03 ==
 switchport mode trunk
 switchport trunk native vlan 1000
 switchport trunk allowed vlan 10,70,80,90
 switchport nonegotiate
!
! --- Spanning Tree ---
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 4096
spanning-tree loopguard default
spanning-tree portfast bpduguard default
!
! --- HSRP (if dual-core without StackWise) ---
! interface Vlan20
!  standby version 2
!  standby 20 ip <USERS_HSRP_VIP>
!  standby 20 priority 110
!  standby 20 preempt delay minimum 60
!  standby 20 authentication md5 key-string <HSRP_KEY>
!  standby 20 track 1 decrement 20
!
! --- OSPF Routing ---
router ospf 1
 router-id <OSPF_ROUTER_ID>
 passive-interface default
 no passive-interface TenGigabitEthernet1/0/1
 network <MGMT_NETWORK> <MGMT_WILDCARD> area 0
 network <USERS_NETWORK> <USERS_WILDCARD> area 0
 network <SERVERS_NETWORK> <SERVERS_WILDCARD> area 0
 network <FW_LINK_NETWORK> <FW_LINK_WILDCARD> area 0
 default-information originate
 area 0 authentication message-digest
!
! --- DHCP Snooping ---
ip dhcp snooping
ip dhcp snooping vlan 20,30,40,50
no ip dhcp snooping information option
!
! --- Dynamic ARP Inspection ---
ip arp inspection vlan 20,30,40,50
ip arp inspection validate src-mac dst-mac ip
!
! --- IP Source Guard ---
! Applied per access port:
! ip verify source
!
! --- Unused Port Hardening ---
interface range GigabitEthernet1/0/10-44
 description == UNUSED - SHUTDOWN ==
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
 shutdown
!
! --- Archive & Config Management ---
archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
  hidekeys
!
! --- Aliases (optional convenience) ---
alias exec sir show ip route
alias exec sib show ip interface brief
alias exec svb show vlan brief
alias exec spo show port-channel summary
!
! ============================================================
! END OF CONFIGURATION
! VantagePoint Networks · vantagepointnetworks.com
! ============================================================
end