Cisco IOS Basics

IPv4 only, no IPv6 options; see the other template for that. Uses case-sensitive local AAA only (local-case) with an enable secret and a single local user. SSH and line idle timeouts are set to 15 minutes to satisfy the PCI DSS idle-session requirement; note that exec-timeout takes minutes then seconds, so 15 0 is 15 minutes, and that ip ssh time-out is the SSH negotiation timeout in seconds, not an idle timeout. An FTP crashdump destination is configured; remove it if you don't want it, and bear in mind the FTP username and password sit in the running config protected only by service password-encryption (reversible type 7), so use a dedicated, write-only FTP account. This also all but disables the AUX port on routers (it isn't there on most switches); you may need to leave it enabled for OOB access with a modem or some other comms method.

July 9, 2012

Template variable notes:

%{SYSLOG_SOURCE_INT}%: use loop0 or a specific interface if you need to.

%{CRASHDUMP_FTP_SERVER}%: IP address for the FTP server.

hostname %{HOSTNAME}%
ip domain name %{DOMAIN}%
! Services Configuration
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
service sequence-numbers
no service tcp-small-servers
no service udp-small-servers
no service finger
no service config
no service pad
ip subnet-zero
ip classless
ip cef
no ip domain-lookup
no ip source-route
no ip finger
no ip bootp server
no ip http server
no ip http secure-server
ip dhcp bootp ignore
clock timezone GMT 0
! Logging Configuration
logging buffered 8192 informational
logging console critical
logging facility local0
logging trap debug
logging host %{SYSLOG_DESTINATION}%
logging source-interface %{SYSLOG_SOURCE_INT}%
no enable password
enable secret %{ENABLE_PASSWORD}%
username %{LOCAL_USER_NAME}% privilege 0 secret %{LOCAL_USER_PASSWORD}%
aaa new-model
aaa authentication login default local-case enable
aaa authentication enable default enable
aaa session-id common
! SSH needs an RSA key pair; once hostname and ip domain name are set,
! generate one with: crypto key generate rsa modulus 2048
! ip ssh time-out is the SSH negotiation timeout in seconds (max 120),
! not an idle timeout; idle timeouts are the per-line exec-timeout values.
ip ssh time-out 15
ip ssh version 2
ip ssh authentication-retries 3
! Config change logging lives under archive; send each change to syslog.
archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
! FTP credentials are stored as reversible type 7 strings; use a
! dedicated write-only account on the crashdump server.
ip ftp username %{FTP_USERNAME}%
ip ftp password %{FTP_PASSWORD}%
ip ftp passive
! Give our core dump files a unique name.
exception core-file %{HOSTNAME}%-core
exception protocol ftp
exception dump %{CRASHDUMP_FTP_SERVER}%
snmp-server ifindex persist
line con 0
! exec-timeout is minutes then seconds: 15 0 = 15 minutes idle.
 exec-timeout 15 0
! This all but completely disables the AUX port.
! Ensure this is not required as part of OOB access.
line aux 0
 transport input none
 transport output none
 no exec
 exec-timeout 0 1
 no password
! SSH only on the VTYs; telnet would send credentials in cleartext.
line vty 0 15
 exec-timeout 15 0
 transport input ssh
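An added example, not part of this template or its project: a small Python script that renders the %{VAR}% placeholders and then audits the result for the controls the notes above describe (exec-timeout in minutes and at most 15, SSH-only VTYs, enable secret rather than enable password, HTTP servers off). The variable values and the two sample templates are constructed for the demonstration, and the parser only understands the flat "line ..." stanzas this template uses.

```python
# Added example (not part of the template on this page): render a %{VAR}%
# IOS template and audit the rendered config for the controls the notes
# describe. VARS, WEAK and FIXED below are constructed sample inputs.
import re

PLACEHOLDER = re.compile(r"%\{([A-Z_]+)\}%")


def render(template: str, variables: dict) -> str:
    """Substitute %{NAME}% placeholders. Any placeholder left undefined
    raises, so a literal %{ENABLE_PASSWORD}% can never reach a device."""
    missing = set()

    def sub(match):
        name = match.group(1)
        if name not in variables:
            missing.add(name)
            return match.group(0)
        return variables[name]

    rendered = PLACEHOLDER.sub(sub, template)
    if missing:
        raise KeyError(f"undefined template variables: {sorted(missing)}")
    return rendered


def stanzas(config: str):
    """Yield (line_stanza, command). Commands indented under a 'line ...'
    stanza are tagged with it; global commands get None. Comments skipped."""
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith("line "):
            current = raw.strip()
        elif not raw.startswith(" "):
            current = None
        yield current, raw.strip()


def audit(config: str, max_idle_minutes: int = 15) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    global_cmds = set()
    per_line = {}
    for stanza, cmd in stanzas(config):
        if stanza is None:
            global_cmds.add(cmd)
        else:
            per_line.setdefault(stanza, []).append(cmd)

    # Enable access must use the hashed secret, never the type-7 password.
    if "no enable password" not in global_cmds or not any(
            c.startswith("enable secret ") for c in global_cmds):
        findings.append("global: need 'enable secret' and 'no enable password'")
    for wanted in ("service password-encryption", "no ip http server",
                   "no ip http secure-server", "ip ssh version 2"):
        if wanted not in global_cmds:
            findings.append(f"global: missing '{wanted}'")

    for stanza, cmds in per_line.items():
        if "no exec" in cmds:  # e.g. the disabled AUX port: nothing to time out
            continue
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"{stanza}: no explicit exec-timeout")
        else:
            # exec-timeout takes MINUTES [seconds]; '0 0' disables the timer.
            parts = timeout.split()[1:]
            minutes = int(parts[0])
            seconds = int(parts[1]) if len(parts) > 1 else 0
            total = minutes * 60 + seconds
            if total == 0 or total > max_idle_minutes * 60:
                findings.append(f"{stanza}: '{timeout}' is not an idle timeout "
                                f"of <= {max_idle_minutes} minutes")
        if stanza.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            allowed = set(transport.split()[2:]) if transport else set()
            if allowed != {"ssh"}:
                findings.append(f"{stanza}: transport input must be 'ssh' only, "
                                f"got {transport!r}")
    return findings


# Constructed sample values (hypothetical, for the demo only).
VARS = {"HOSTNAME": "edge-rtr-1", "ENABLE_PASSWORD": "example-only"}

# Constructed sample template showing the two mistakes the notes warn about:
# a 900-minute "15 minute" timeout and telnet left on the VTYs.
WEAK = """\
hostname %{HOSTNAME}%
service password-encryption
no enable password
enable secret %{ENABLE_PASSWORD}%
no ip http server
no ip http secure-server
ip ssh version 2
line con 0
 exec-timeout 900 0
line aux 0
 no exec
 exec-timeout 0 1
line vty 0 15
 exec-timeout 900 0
 transport input telnet ssh
"""
FIXED = (WEAK.replace("exec-timeout 900 0", "exec-timeout 15 0")
             .replace("transport input telnet ssh", "transport input ssh"))

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit(render(tpl, VARS)) or "OK")
```

Run it before pushing a rendered config: the weak sample reports the console and VTY timeouts and the telnet transport, the fixed sample reports nothing, and an unset variable aborts the render rather than shipping a literal placeholder as the enable secret.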