Cisco IOS Basics

IPv4 only with no IPv6 options; see the other template for those. Uses case insensitive local AAA only, with an enable secret and a local user. SSH and line timeouts are set to 15 minutes for the PCI-DSS compliance requirement. An FTP crashdump destination is configured; remove it if you don't want it. Bear in mind that this disables the AUX port on routers. The AUX port isn't there on most switches, and you may need to leave it enabled for OOB access with a modem or some other comms method.

cstubbs
July 9, 2012



Use loop0 or a specific interface if you need to




IP address for FTP server



!
hostname %{HOSTNAME}%
ip domain name %{DOMAIN}%
!
! Services Configuration
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
service sequence-numbers
!
no service tcp-small-servers
no service udp-small-servers
no service finger
no service config
no service pad
!
ip subnet-zero
ip classless
ip cef
!
no ip domain-lookup
no ip source-route
no ip finger
no ip bootp server
no ip http server
no ip http secure-server
ip dhcp bootp ignore
!
clock timezone GMT 0
!
! Logging Configuration
logging buffered 8192 informational
logging console critical
logging facility local0
logging trap debug
logging host %{SYSLOG_DESTINATION}%
logging source-interface %{SYSLOG_SOURCE_INT}%
!
no enable password
enable secret %{ENABLE_PASSWORD}%
!
username %{LOCAL_USER_NAME}% privilege 0 secret %{LOCAL_USER_PASSWORD}%
!
! local-case matches usernames in the local database case-sensitively.
aaa new-model
aaa authentication login default local-case enable
aaa authentication enable default enable
aaa session-id common
!
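! ip ssh time-out is in seconds and covers the SSH negotiation phase only;
! idle SSH sessions are closed by exec-timeout on the vty lines.
ip ssh time-out 15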
ip ssh version 2
ip ssh authentication-retries 3
!
archive
 log config
   logging enable
   logging size 500
   notify syslog contenttype plaintext
   hidekeys
!
ip ftp username %{FTP_USERNAME}%
ip ftp password %{FTP_PASSWORD}%
ip ftp passive 
!
! Give our core dump files a unique name.
exception core-file %{HOSTNAME}%-core
exception protocol ftp
exception dump %{CRASHDUMP_FTP_SERVER}%
!
snmp-server ifindex persist
!
! exec-timeout takes minutes then seconds: 15 0 is a 15-minute idle timeout.
line con 0
 exec-timeout 15 0
!
! This all but completely disables the AUX port.
! Ensure this is not required as part of OOB access.
line aux 0
 transport input none
 transport output none
 no exec
 exec-timeout 0 1
 no password
!
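! exec-timeout takes minutes then seconds: 15 0 is a 15-minute idle timeout.
! Telnet is cleartext; use "transport input ssh" where every management client supports SSH.
line vty 0 15
 exec-timeout 15 0
 transport input telnet ssh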
!
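
Added example (not part of the original template): a Python check that reads a rendered config and reports line idle timeouts above 15 minutes, telnet allowed on a line, and %{...}% placeholders left unfilled. The sample config, the hostname in it and the helper name audit are constructed for illustration.

```python
import re

# Constructed sample of a rendered config, not output from a real device.
SAMPLE = """\
hostname edge-rtr-01
line con 0
 exec-timeout 900 0
!
line aux 0
 no exec
 exec-timeout 0 1
!
line vty 0 4
 exec-timeout 15 0
 transport input telnet ssh
!
line vty 5 15
 transport input ssh
!
logging host %{SYSLOG_DESTINATION}%
"""

MAX_IDLE_SECONDS = 15 * 60  # assumed policy limit: 15 minutes

def audit(config):
    """Return (context, finding) tuples for a rendered config (hypothetical helper)."""
    findings, line_name = [], None
    for raw in config.splitlines():
        text = raw.strip()
        for var in re.findall(r"%\{(\w+)\}%", text):
            findings.append(("template", f"unfilled placeholder {var}"))
        if not raw.startswith(" "):  # top-level command: opens or closes a line block
            m = re.match(r"line (\w+ \d+(?: \d+)?)$", text)
            line_name = m.group(1) if m else None
            continue
        if line_name is None:
            continue
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", text)
        if m:  # IOS syntax: exec-timeout <minutes> [seconds]
            idle = int(m.group(1)) * 60 + int(m.group(2) or 0)
            if idle == 0:
                findings.append((line_name, "idle timeout disabled"))
            elif idle > MAX_IDLE_SECONDS:
                findings.append((line_name, f"idle timeout is {idle // 60} min"))
        elif text.startswith("transport input") and {"telnet", "all"} & set(text.split()):
            findings.append((line_name, "telnet permitted"))
    return findings

if __name__ == "__main__":
    for context, finding in audit(SAMPLE):
        print(f"{context}: {finding}")
```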