
Cisco Router Basic Configuration Template
Recently I often have to configure Cisco routers (mainly the 800-1800 series) from scratch for my company's branches, and in order not to type the same commands for the thirtieth time I put together a small configuration template for myself, covering the usual cases. I'll say right away that I have no Cisco certificates and have not read any books on these routers; all my experience comes from trial and error, poring over the manuals on cisco.com, and some thoughtful borrowing of pieces from other people's configs...
So we unpack the router, load the latest firmware (for SSH, at least the Advanced Security feature set is required), run
#erase startup-config
to get rid of the pre-configured garbage, and reboot.
Configure SSH authorization and access
! enable password encryption
service password-encryption
! We use the new AAA model and local user base
aaa new-model
aaa authentication login default local
! create a user with the maximum privilege level
username admin privilege 15 secret PASSWORD
! give a name to the router
hostname <...>
ip domain-name router.domain
! generate an RSA key for SSH (1024 bits here; 2048 is the usual minimum on current IOS releases)
crypto key generate rsa modulus 1024
! tuning SSH
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
! and enable it on the remote console (vty) lines
! telnet is still accepted here; it is cleartext, so leave only ssh once SSH access is confirmed to work
line vty 0 4
 transport input telnet ssh
 privilege level 15
Routing setup
! enable accelerated packet switching
ip cef
Time setting
! time zone GMT+2 (Ukraine), with the European summer-time rule
clock timezone Ukraine 2
clock summer-time Ukraine recurring last Sun Mar 2:00 last Sun Oct 2:00
! updating the system clock via NTP
ntp update-calendar
! it is better to set the NTP server by IP: if the DNS server is not up when the router boots, an entry set by name will be lost...
ntp server NTP.SERVER.1.IP
ntp server NTP.SERVER.2.IP
Config Archiving
! enable archiving of all configuration changes, hiding passwords in the logs
archive
 log config
  logging enable
  hidekeys
! the configuration change history can be viewed with the command
show archive log config all
DNS setup
! enable name resolution
ip domain-lookup
! turn on the internal DNS server
ip dns server
! add the provider's DNS server
ip name-server XXX.XXX.XXX.XXX
! just in case, add a few public DNS servers
ip name-server 4.2.2.2
ip name-server 208.67.222.222
ip name-server 208.67.220.220
LAN setup
! usually the internal switch ports on the router are combined in Vlan1
interface Vlan1
 description === LAN ===
 ip address 192.168.???.1 255.255.255.0
! enable counting of packets sent to clients on this interface - it is convenient for seeing who eats the traffic
 ip accounting output-packets
! the statistics can be viewed with
show ip accounting
! and reset with
clear ip accounting
DHCP server setup
! exclude some addresses from the pool
ip dhcp excluded-address 192.168.???.1 192.168.???.99
! and configure the address pool
ip dhcp pool LAN
 network 192.168.???.0 255.255.255.0
 default-router 192.168.???.1
 dns-server 192.168.???.1
Configure Internet and Firewall
! configure the filter for incoming traffic (by default everything else is prohibited by the implicit deny at the end of the list)
! note that this single entry allows SSH to the router from any Internet address; narrow the source to your management addresses where you can
ip access-list extended FIREWALL
 permit tcp any any eq 22
! enable stateful inspection of traffic between the local network and the Internet
! (replies to sessions opened from inside are let back in past the FIREWALL filter)
ip inspect name INSPECT_OUT dns
ip inspect name INSPECT_OUT icmp
ip inspect name INSPECT_OUT ntp
! router-traffic also inspects sessions originated by the router itself (its own DNS and NTP queries, for example)
ip inspect name INSPECT_OUT tcp router-traffic
ip inspect name INSPECT_OUT udp router-traffic
ip inspect name INSPECT_OUT icmp router-traffic
! configure the Internet-facing port and attach some protection to it (unicast RPF needs ip cef, enabled above)
interface FastEthernet0/0
 description === Internet ===
 ip address ???.???.???.??? 255.255.255.???
 ip virtual-reassembly
 ip verify unicast reverse-path
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
 ip inspect INSPECT_OUT out
 ip access-group FIREWALL in
! and finally, the default gateway
ip route 0.0.0.0 0.0.0.0 ???.???.???.???
NAT setup
! on the Internet interface
interface FastEthernet0/0
 ip nat outside
! on the local interface
interface Vlan1
 ip nat inside
! create a list of IPs allowed to use NAT
ip access-list extended NAT
 permit ip host 192.168.???.??? any
! enable NAT (PAT, all hosts behind the external interface address) on the external interface
ip nat inside source list NAT interface FastEthernet0/0 overload
! add inspection of popular protocols
ip inspect name INSPECT_OUT http
ip inspect name INSPECT_OUT https
ip inspect name INSPECT_OUT ftp
Disabling unnecessary services
no service tcp-small-servers
no service udp-small-servers
no service finger
no service config
no service pad
no ip finger
no ip source-route
no ip http server
no ip http secure-server
no ip bootp server
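As an added example (my own script, not part of the original article), here is a small Python audit that reads a router's running-config text and flags where it departs from the template above: a hardening line missing, a service the template disables still on, telnet left on the vty lines, or an Internet interface (ip nat outside) without the inbound FIREWALL filter or egress inspection. The embedded config is constructed, with two deliberate deviations, and the script assumes the config uses the usual one-space indentation of sub-commands.

```python
# Constructed sample running-config excerpt (not from any real router); it
# deliberately keeps telnet on the vty lines and leaves the HTTP server on.
SAMPLE_CONFIG = """\
service password-encryption
aaa new-model
ip ssh version 2
ip http server
line vty 0 4
 transport input telnet ssh
interface FastEthernet0/0
 ip nat outside
 ip inspect INSPECT_OUT out
 ip access-group FIREWALL in
"""

def parse_blocks(config):
    """Split an IOS config into top-level lines and {header: [indented sub-commands]}."""
    top, blocks, current = [], {}, None
    for line in filter(str.strip, config.splitlines()):   # skip blank lines
        if line.startswith(" "):
            if current:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks

def audit(config):
    """Return findings where the config departs from the template's hardening points."""
    top, blocks = parse_blocks(config)
    findings = []
    for cmd in ("service password-encryption", "aaa new-model", "ip ssh version 2"):
        if cmd not in top:                      # expected hardening line is absent
            findings.append(f"missing: {cmd}")
    for svc in ("ip http server", "ip http secure-server", "service tcp-small-servers",
                "service udp-small-servers", "service finger", "ip source-route"):
        if svc in top:                          # the template switches these off
            findings.append(f"enabled service: {svc}")
    for hdr, sub in blocks.items():
        if hdr.startswith("line vty"):          # cleartext telnet on the remote console
            for s in sub:
                if s.startswith("transport input") and "telnet" in s.split():
                    findings.append(f"{hdr}: telnet allowed ({s})")
        if hdr.startswith("interface") and "ip nat outside" in sub:   # Internet-facing port
            if not any(s.startswith("ip access-group") and s.endswith(" in") for s in sub):
                findings.append(f"{hdr}: no inbound access-group")
            if not any(s.startswith("ip inspect") and s.endswith(" out") for s in sub):
                findings.append(f"{hdr}: no outbound ip inspect")
    return findings
```

Feed it the output of `show running-config` saved to a file (`audit(open("running-config.txt").read())`) to check a box already in the field.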
UPD: removed unnecessary items on the advice of a Habr user.
UPD2: added disabling of unnecessary services.
UPD3: changed the firewall setting (thanks to Fedia).