March 16, 2010 at 09:50

Cisco Router Basic Configuration Template

    Recently, I often have to configure Cisco routers (mainly 800-1800 series) from scratch for the branches of my company and in order not to type the same commands for the third dozen times, I made up a small configuration template for myself for different occasions. I’ll say right away that I didn’t receive any certificates from Cisco, I didn’t read any books on these routers, I gained all my experience using the scientific poking method, smoking manuals on cisco.com and some thoughtful borrowing of pieces of other people's configs ...

    So we unpack the router, fill in the latest firmware (for SSH A minimum of Advanced Security is required), we do in
    #erase startup-config
    order to get rid of the pre-configured garbage and reboot.

    Configure SSH authorization and access



    ! enable password encryption
    service password-encryption
    ! We use the new AAA model and local user base
    aaa new-model
    aaa authentication login default local
    ! we get the user with the maximum rights
    username admin privilege 15 secret PASSWORD

    ! give a name to the router
    hostname <...>
    ip domain-name router.domain
    ! generate a key for SSH
    crypto key generate rsa modulus 1024
    ! tuning SSH
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    ! and enable it on the remote console
    line vty 0 4
     transport input telnet ssh
     privilege level 15

    Routing setup



    ! enable accelerated packet switching
    ip cef

    Time setting



    ! time zone GMT + 2
    clock timezone Ukraine 2
    clock summer-time Ukraine recurring last Sun Mar 2:00 last Sun Oct 2:00
    ! updating the system clock via NTP
    ntp update-calendar
    ! It is better to set the ntp server by ip, because if the DNS server is not overloaded, then the settings by name will fly off ...
    ntp server NTP.SERVER.1.IP
    ntp server NTP.SERVER.2.IP

    Config Archiving



    ! enable archiving of all configuration changes, hiding passwords in the logs ! the configuration change history can be viewed with the command
    archive
     log config
      logging enable
      hidekeys


    show archive log config all

    DNS setup



    ! enable name resolution
    ip domain-lookup
    ! turn on the internal DNS server
    ip dns server
    ! register the DNS provider
    ip name-server XXX.XXX.XXX.XXX
    ! just in case, add a few public DNS servers
    ip name-server 4.2.2.2
    ip name-server 208.67.222.222
    ip name-server 208.67.220.220

    LAN setup



    ! usually the internal switch ports on the router are combined in Vlan1 ! we enable the counting of packets transmitted to clients on the interface - it’s convenient to see who eats the traffic ! You can see the statistics team ! clear
    interface Vlan1
     description === LAN ===
     ip address 192.168.???.1


     ip accounting output-packets


    show ip accounting

    clear ip accounting

    DHCP server setup



    ! exclude some addresses from the pool
    ip dhcp excluded-address 192.168.???.1 192.168.???.99
    ! and configure the address pool
    ip dhcp pool LAN
       network 192.168.???.0 255.255.255.0
       default-router 192.168.???.1
       dns-server 192.168.???.1

    Configure Internet and Firewall



    ! configure the filter for incoming traffic (by default, everything is prohibited) ! enable traffic inspection between the local network and the Internet ! configure the port on the Internet and hang on it some protection ! and finally, the default gateway
    ip access-list extended FIREWALL
     permit tcp any any eq 22


    ip inspect name INSPECT_OUT dns
    ip inspect name INSPECT_OUT icmp
    ip inspect name INSPECT_OUT ntp
    ip inspect name INSPECT_OUT tcp router-traffic
    ip inspect name INSPECT_OUT udp router-traffic
    ip inspect name INSPECT_OUT icmp router-traffic


    interface FastEthernet0/0
     description === Internet ===
     ip address ???.???.???.??? 255.255.255.???
     ip virtual-reassembly
     ip verify unicast reverse-path
     no ip redirects
     no ip directed-broadcast
     no ip proxy-arp
     no cdp enable
     ip inspect INSPECT_OUT out
     ip access-group FIREWALL in


    ip route 0.0.0.0 0.0.0.0 ???.???.???.???

    NAT setup



    ! on the Internet interface ! on the local interface ! create a list of IPs with access to NAT ! enable NAT on the external interface ! add inspection of popular protocols
    interface FastEthernet0/0
     ip nat outside


    interface Vlan1
     ip nat inside


    ip access-list extended NAT
     permit ip host 192.168.???.??? any


    ip nat inside source list NAT interface FastEthernet0/0 overload


    ip inspect name INSPECT_OUT http
    ip inspect name INSPECT_OUT https
    ip inspect name INSPECT_OUT ftp

    Disabling unnecessary services



    no service tcp-small-servers
    no service udp-small-servers
    no service finger
    no service config
    no service pad
    no ip finger
    no ip source-route
    no ip http server
    no ip http secure-server
    no ip bootp server

    UPD Removed unnecessary on the advice of UPD2
    habrowser. Added disabling unnecessary
    UPD3 services . Changed the firewall setting (thanks to Fedia )
    Tags:

    Also popular now: