Objective:
This instruction describes how to apply a standard configuration to all Cisco switches and routers, covering the hostname, security credentials, remote access setup, and VLAN interface configuration.
A standardised configuration promotes consistency and predictability, lowers troubleshooting time, and greatly simplifies device maintenance. A standard configuration sets a baseline security policy across the network and helps to prevent misconfiguration, which could expose the network to attackers.
Target Audience:
The network administrator responsible for deploying and maintaining Cisco devices.
Prerequisites:
The network administrator must have console access to the device, which can be achieved through a terminal emulator such as PuTTY or Tera Term.
Device powered on and accessible.
Knowledge of assigned hostname, VLAN ID, IP address, and passwords.
Configuration Steps:
Enter global configuration mode.
enable
configure terminal
Set the hostname.
hostname <DeviceName>
Configure the MOTD banner.
The banner must state that unauthorised access is a criminal offence under UK law. A banner
Command:
banner motd # ... #
Example of banner:
**************************************************************************
* WARNING: This device is part of a PRIVATE NETWORK. *
* *
* Unauthorised access or use of this equipment is strictly prohibited. *
* Such actions constitute an offence under the Computer Misuse Act 1990.*
* *
* If you are not authorised to use this system, disconnect immediately. *
* All access attempts are logged and monitored. *
**************************************************************************
Set an enable secret to protect privileged EXEC mode; the secret is stored as a hash rather than in cleartext. Follow these recommendations when creating the enable secret.
Password requirements:
Minimum Length: 12 characters
Character Variety:
At least one uppercase letter (A–Z)
At least one lowercase letter (a–z)
At least one number (0–9)
At least one special character (e.g., !@#$%^&*()-_=+)
Avoid Common Patterns:
No dictionary words or easily guessable phrases (e.g., admin123, password)
No personal information (e.g., names, birthdays)
No reuse of previous passwords within the last 5 rotations.
enable secret <StrongSecretPassword>
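The password requirements above can be checked mechanically before a secret is committed to a device. The following is an added example, not part of the original instruction: a small policy checker that enforces the length, character-variety, common-pattern, personal-information and rotation rules listed. The banned-word list is a constructed stand-in for a real dictionary or breached-password list, and the history is supplied by the caller, most recent first.

```python
"""Password policy check for enable secrets and line passwords.

Added example, not part of the original instruction: enforces the
requirements listed above. The banned-word list is a constructed stand-in
for a real dictionary file.
"""
from typing import List, Sequence

MIN_LENGTH = 12
SPECIALS = set("!@#$%^&*()-_=+")
ROTATION_WINDOW = 5        # previous passwords that must not be reused
# Constructed stand-in for a proper dictionary / breached-password list.
COMMON_WORDS = ("admin", "password", "cisco", "router", "switch", "welcome", "letmein", "qwerty")


def check_password(candidate: str, personal_info: Sequence[str] = (),
                   previous: Sequence[str] = ()) -> List[str]:
    """Return the policy violations for `candidate`; an empty list means it is acceptable.

    personal_info: names, dates of birth, etc. that must not appear (case-insensitive).
    previous: password history, most recent first; reuse within the last
    ROTATION_WINDOW entries is rejected.
    """
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character")
    lowered = candidate.lower()
    problems += [f"contains common word '{w}'" for w in COMMON_WORDS if w in lowered]
    problems += [f"contains personal information '{p}'" for p in personal_info
                 if p and p.lower() in lowered]
    if candidate in list(previous)[:ROTATION_WINDOW]:
        problems.append(f"reused within the last {ROTATION_WINDOW} rotations")
    return problems
```

The substring match for personal information is deliberately strict: a name or year embedded anywhere in the candidate is rejected, which is the behaviour the "no personal information" rule calls for.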
Configure the console line password.
The console password must follow the password recommendations above.
line console 0
password <ConsolePassword>
login
exit
Configure VTY lines for remote access.
SSH authenticates by username, so the VTY lines use the local user database (login local, with the username created in the SSH step below) rather than a line password; a line password with plain login does not work for SSH sessions.
line vty 0 4
login local
transport input ssh
exit
Configure SSH for secure remote access.
To ensure secure remote access to Cisco switches and routers, follow these recommendations when configuring SSH:
Cryptographic standards:
Minimum RSA Key Length: 1024 bits. Recommended: 2048 bits or higher for stronger security.
Use SSH version 2 only (ip ssh version 2) — SSHv1 is deprecated and insecure.
Disable Telnet: Ensure transport input ssh is set to block Telnet access.
Use local authentication or integrate with AAA (e.g., RADIUS/TACACS+) for centralized control.
Limit VTY access using ACLs to trusted IP ranges, if required.
ip domain-name <yourdomain.local>
crypto key generate rsa
(Choose 1024 or 2048 bits)
username <admin> privilege 15 secret <AdminPassword>
ip ssh version 2
Set an idle timeout so that inactive sessions are disconnected. This command is entered in line configuration mode (for example under line vty 0 4) and the value below disconnects after 5 minutes 0 seconds.
exec-timeout 5 0
Enable logging for SSH access attempts and failures.
The RSA keys must be rotated periodically and regenerated immediately if compromised.
Configure the VLAN interface for remote management and access.
interface vlan <VLAN_ID>
ip address <IP_Address> <Subnet_Mask>
no shutdown
exit
Set the default gateway if applicable.
Ensure the gateway IP belongs to a trusted router or firewall.
ip default-gateway <Gateway_IP>
Save configuration.
To ensure that device configurations are preserved and recoverable, follow these best practices:
Only save configurations after testing and validating changes.
Use change control procedures to document what was changed and why.
end
write memory
OR
copy running-config startup-config
Optional: create a backup configuration when required.
If storing configs externally, encrypt files using tools like GPG or AES.
Disable unnecessary services (e.g., HTTP, Telnet) that could expose config data.
copy running-config tftp:
Note that TFTP transfers the file in cleartext with no authentication, so use it only over a trusted management network.
Access to configuration files must be limited via ACLs, role-based access, or AAA.
Post Configuration Check:
Verify the hostname with `show running-config | include hostname`.
Test SSH access using `ssh admin@<IP_Address>`.
Confirm the VLAN interface is up with `show ip interface brief`.
Ensure the configuration is saved with `show startup-config`.
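The post-configuration checks above, together with the SSH requirements in the remote-access section (SSH version 2, Telnet blocked, username-based login, idle timeout), can be verified automatically against the output of show running-config. The following is an added example, not part of the original instruction: a parser for IOS-style configuration text and a checker that reports deviations from this baseline. Both sample configurations are constructed for illustration, and the secret hashes in them are dummies.

```python
"""Compliance check of 'show running-config' text against this standard.
Added example, not from the original instruction; the samples are constructed
and the secret hashes are dummies."""
from typing import Dict, List, Tuple

DEFAULT_HOSTNAMES = {"Router", "Switch"}
REQUIRED_TOP_LEVEL = [                 # (command prefix, finding if absent)
    ("enable secret ", "enable secret missing"),
    ("banner motd ", "MOTD banner missing"),
    ("ip domain-name ", "ip domain-name missing (needed for RSA key generation)"),
    ("ip ssh version 2", "ip ssh version 2 not set"),
]

def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS config into top-level commands and their one-space-indented
    children; banner bodies (between delimiters) are skipped, not parsed."""
    top, sections, current, banner_delim = [], {}, None, None
    for raw in text.splitlines():
        if banner_delim is not None:                # inside a banner body
            if banner_delim in raw:
                banner_delim = None
            continue
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                     # child of the current section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        current = line
        sections.setdefault(current, [])
        parts = line.split(None, 2)
        if parts[0] == "banner" and len(parts) == 3 and parts[2].count(parts[2][0]) < 2:
            banner_delim = parts[2][0]              # body continues on later lines
    return top, sections

def check_config(text: str) -> List[str]:
    """Return findings against the standard; an empty list means compliant."""
    top, sections = parse_config(text)
    findings: List[str] = []

    def has_top(prefix: str) -> bool:
        return any(line.startswith(prefix) for line in top)

    hostname = next((l.split(None, 1)[1] for l in top if l.startswith("hostname ")), None)
    if hostname is None or hostname in DEFAULT_HOSTNAMES:
        findings.append("hostname not set to an assigned name")
    findings += [msg for prefix, msg in REQUIRED_TOP_LEVEL if not has_top(prefix)]
    if not any(l.startswith("username ") and " secret " in l for l in top):
        findings.append("no local username with a secret defined")
    if has_top("ip http server") or has_top("ip http secure-server"):
        findings.append("HTTP management server enabled")
    for name in [n for n in sections if n.startswith("line vty")]:
        children = sections[name]
        if "transport input ssh" not in children:
            findings.append(f"{name}: transport input ssh not set (Telnet may be accepted)")
        if not any(c.startswith(("login local", "login authentication")) for c in children):
            findings.append(f"{name}: login local / AAA not set (SSH needs a username)")
        # exec-timeout 0 means "never", which is as bad as leaving it unset
        timeout = next((c.split()[1:2] for c in children if c.startswith("exec-timeout")), None)
        if timeout is None or timeout == ["0"]:
            findings.append(f"{name}: exec-timeout missing or 0 (no idle disconnect)")
    svis = [n for n in sections if n.startswith("interface Vlan")]
    if not any(any(c.startswith("ip address ") for c in sections[n])
               and "shutdown" not in sections[n] for n in svis):
        findings.append("no enabled VLAN interface with an IP address for management")
    return findings

# Constructed samples: one meeting the standard, one with typical omissions.
COMPLIANT = """\
hostname SW-EDGE-01
enable secret 9 $9$constructed-dummy-hash
username admin privilege 15 secret 9 $9$constructed-dummy-hash
ip domain-name example.local
ip ssh version 2
banner motd ^C
* WARNING: This device is part of a PRIVATE NETWORK. *
^C
interface Vlan10
 ip address 192.0.2.10 255.255.255.0
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
"""
NONCOMPLIANT = """\
hostname Switch
enable password cisco
ip http server
interface Vlan1
 ip address 192.0.2.20 255.255.255.0
 shutdown
line vty 0 4
 login
 transport input telnet ssh
 exec-timeout 0 0
"""
```

Paste the saved show running-config output into check_config and treat any returned finding as a failed post-configuration check. The parser only understands the single-space indentation IOS uses for sub-commands and skips banner bodies, so free text in the MOTD cannot be misread as a command.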
If you have any doubts or require further clarification, please consult your line manager before proceeding.