Here is a generic secure configuration template for a Cisco Catalyst switch
Model 3750
Data VLAN: AAA
Voice VLAN: BBB
Native VLAN: CCC
Global Configuration
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service pt-vty-logging
!
vtp mode transparent
udld aggressive
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree portfast bpdufilter default
errdisable recovery interval 300
errdisable recovery cause bpduguard
ip dhcp snooping
ip arp inspection
aaa new-model
aaa group server tacacs+ ACS_NET
server x.x.x.x
!
aaa authentication username-prompt "Local Username: "
aaa authentication login default group ACS_NET local
aaa authentication login VTY_NET group ACS_NET local
aaa authentication login CON_NET group ACS_NET local
aaa authorization config-commands
aaa authorization exec default group ACS_NET none
aaa authorization commands 1 default group ACS_NET none
aaa authorization commands 15 default group ACS_NET none
aaa accounting commands 15 default stop-only group ACS_NET
ip subnet-zero
no ip source-route
no ip finger
no ip host-routing
no ip domain-lookup
no ip http server
ip tcp path-mtu-discovery
ip tcp
vlan internal allocation policy ascending
tacacs-server host 10.44.108.27
tacacs-server directed-request
tacacs-server key 7 110B1B1337425A
!
line con 0
exec-timeout 15 0
password 7 [pwd]
logging synchronous
login authentication CON_NET
transport output none
stopbits 1
line vty 0 15
exec-timeout 15 0
password 7 [pwd]
logging synchronous
login authentication VTY_NET
length 0
access-class 1 in
transport input ssh
Access Port on FastEthernet
interface FastEthernet x/x
switchport
switchport mode access
switchport access vlan AAA
switchport nonegotiate
switchport voice vlan BBB
no cdp enable
storm-control broadcast level 60.00 40.00
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
mls qos trust cos
auto qos voip trust
shutdown
Access Port on GigabitEthernet
interface GigabitEthernet x/x
switchport
switchport mode access
switchport access vlan AAA
switchport nonegotiate
switchport voice vlan BBB
no cdp enable
storm-control broadcast level 15.00 10.00
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
shutdown
Trunk Port
interface GigabitEthernet x/x
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan CCC
switchport nonegotiate
switchport trunk allowed vlan [data vlan],[voice vlan],[mgmt vlan]
storm-control broadcast level 15.00 10.00
spanning-tree guard loop
shutdown
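Added example, not part of the original template: a small Python audit that parses the interface stanzas of a saved running-config and reports which of the template's access-port and trunk-port lines are missing on active ports. The function names, the choice to treat every listed line as mandatory, and the sample config are assumptions made for illustration.

```python
import re
# Baseline lines from the template's access and trunk stanzas (assumption: all mandatory).
REQUIRED_ACCESS = ["switchport nonegotiate", "switchport port-security",
                   "switchport port-security maximum 2",
                   "spanning-tree portfast", "spanning-tree bpduguard enable"]
REQUIRED_TRUNK = ["switchport nonegotiate", "spanning-tree guard loop"]

def parse_interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface\s+(\S+)", raw)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif raw[:1].isspace() and raw.strip() and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or any unindented line ends the stanza
    return interfaces

def audit(config):
    """Return {interface: [missing baseline lines]} for active switch ports."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if not re.match(r"(Fast|Gigabit)Ethernet", name) or "shutdown" in cmds:
            continue  # skip SVIs and ports left shut down, as the template ships them
        trunk = "switchport mode trunk" in cmds
        missing = [r for r in (REQUIRED_TRUNK if trunk else REQUIRED_ACCESS)
                   if r not in cmds]  # exact match: "maximum 2" alone does not enable port-security
        if trunk and not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
            missing.append("switchport trunk allowed vlan")
        if missing:
            findings[name] = missing
    return findings

# Constructed sample, not taken from a real device.
SAMPLE = """\
interface FastEthernet1/0/2
 switchport mode access
 switchport port-security maximum 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard loop
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, the access port is flagged for missing nonegotiate, the bare port-security command and BPDU guard, and the trunk is flagged for having no allowed-VLAN list.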