Rule Catalog

Add a description to physical interfaces for documentation.

Configure "vlan trunk allowed <vlans>" on trunk interfaces.

Add a name to VLANs for documentation using "name <vlan-name>".

Configure a manager password for administrative access.

Add description to interface: description <text>

MLAG configuration requires: domain-id, peer-link, peer-address, and local-interface.

Configure hostname using: hostname <device-name>

Configure NTP server for accurate time synchronization.

Enable SSH server for secure remote management. Disable telnet if enabled.

Configure "host <ip-address>" for the RADIUS server.

Configure "opmode wpa2-aes" or "opmode wpa3-sae-aes" for secure encryption.

Add "bgp router-id <ip>" to explicitly set router ID.

Add "bridge-vids <vlan-ids>" to define allowed VLANs on the bridge.

Add "alias <description>" under the interface stanza.

Enable SSH2: enable ssh2

Configure sysname using: configure snmp sysname "<name>"

Use descriptive VLAN names: create vlan "<meaningful-name>" tag <id>

Configure trusted hosts for each admin user using "set trusthost1", "set trusthost2", etc.

Enable logging on all firewall policies using "set logtraffic all" or "set logtraffic utm".

Configure hostname under "config system global" using "set hostname <name>".

Add a description to the interface using "description <text>" command.

Configure system name using "sysname <hostname>" command.

Configure SSH-only access on VTY lines using "protocol inbound ssh".

Trunk ports should have explicit allowed VLAN list

Access ports should have spanning-tree portfast enabled

All interfaces should have a description

Trunk ports should disable DTP (Dynamic Trunking Protocol)

VTY lines should have access-class configured for SSH access control

Interfaces should have a description for documentation

SSH should be configured for version 2 only

Telnet service should be disabled

Login banner should be configured

OSPF areas should have authentication configured

Remote syslog server should be configured

Configure "router-id" under routing-options stanza.

Add a final term with "then discard" or "then reject" to explicitly deny unmatched traffic.

Configure "root-authentication" under system stanza with encrypted-password or ssh-rsa.

Add drop rule for input chain: add chain=input action=drop

Disable unused services: /ip service disable telnet,ftp,www,api,api-ssl

Configure system identity: /system identity set name=MyRouter

Use "enable algorithm-type scrypt secret <password>" for strong encryption.

Add "switchport mode access" to explicitly configure access mode.

Ensure interfaces have descriptive labels for operational clarity.

Ensure IP addresses are not Multicast, Broadcast, or Network ID addresses.

Use "secret" instead of "password", or encrypt with type 7/8/9.

Add "switchport nonegotiate" to disable DTP on trunk ports connected to non-Cisco devices.

Configure BGP router-id: bgp > router-id <ip-address>

Add description to port: port X/Y/Z > description "<description>"

Configure system name using: system > name "<hostname>"

Enable log-end (and optionally log-start) on all security rules.

Configure hostname under deviceconfig > system.

Apply a Zone Protection Profile to each zone to protect against flood attacks and reconnaissance.

Configure default VLAN: default-vlan-id <vlan-id>

Configure system name: snmp-server name "<name>"

Configure I-SID for VLAN: vlan i-sid <vlan-id> <isid>

Set "default-action drop" or "default-action reject" for each firewall ruleset.

Add "description" to each physical interface.

Use "encrypted-password" with a pre-hashed password, or let VyOS hash it during configuration.

Configure "host-name" under system stanza.