Tuesday, March 26, 2013

Standard Cisco Router Configuration


Cisco Router Configuration
I would like to share a standard Cisco router configuration so that readers can see what a baseline built on configuration-management best practices looks like in practice.

I have seen the following issues resulting from a lack of configuration management:
  • Inability to determine user impact from network changes 
  • Increased reactive support issues and lower availability 
  • Increased time to resolve problems 
  • Higher network costs due to unused network components

By maintaining a standard router configuration and following configuration-management best practices, you can expect several benefits, chiefly improved network availability and lower costs:
  • Lower support costs due to a decrease in reactive support issues.
  • Lower network costs due to device, circuit, and user tracking tools and processes that identify unused network components.
  • Improved network availability due to fewer reactive support issues and shorter time to resolve problems.

I recommend creating a standard configuration for each device classification, such as router, LAN switch, WAN switch, firewall or any other class of network device. Global configuration commands apply to all devices of the same class and include parameters such as service commands, IP commands, TACACS commands, vty configuration, banners, SNMP configuration, and Network Time Protocol (NTP) configuration.

Keep in mind that the output on your own routers will not match the following exactly; it depends on the router model and on the features enabled. In general, though, it should look something like this.

! Standard Cisco Router Configuration
!
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname  SAMPLE-NAME
!
!
!card type t1 0 0
!card type t1 0 1
!
!
network-clock-participate wic 0 
network-clock-participate wic 1 
network-clock-select 1 T1 0/1/0
network-clock-select 2 T1 0/0/0
!
!
logging buffered 128000 debugging
logging reload warnings
!
!
clock timezone CST -6
clock summer-time CDT recurring
no ip source-route
ip cef
ip telnet source-interface Loopback0
!
ip ftp source-interface Loopback0
ip tftp source-interface Loopback0
ip domain lookup source-interface Loopback0
ip domain-name  SAMPLE-NAME.domain.net
!
ip name-server 172.36.80.34
ip name-server 172.27.26.36
!
interface null0
 no ip unreachables
!
interface Loopback0
 ip address 172.30.x.xxx  255.255.255.255
 no ip proxy-arp
 ip pim sparse-mode
 ip route-cache flow
!
interface Serial0/0/0:0
 description * * * Verizon MPLS Circuit ID# <<CircuitID>> * * *
 bandwidth 1536
 load-interval 30
 ip pim sparse-mode
 encapsulation frame-relay IETF
 max-reserved-bandwidth 90
 no shut
!
interface FastEthernet0/0
 description <3750E_Hostname> <Destination_Interface>
 ! Same /31 as configured on the 3750E end of the link.
 ! ("no switchport" belongs on the 3750E routed port, not on a router's
 ! built-in FastEthernet, where it is not accepted.)
 ip address <IP> <Subnet_Mask>
 no ip redirects
 no ip proxy-arp
 no shut
!
no ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination xxxxxx 9995
!
no ip http server
no ip http secure-server
!
logging history size 10
logging history warnings
logging trap notifications
logging source-interface Loopback0
logging 172.36.92.124
!
access-list 10 permit 172.22.xx.xxxx
access-list 10 permit 172.27.xx.xxxx
access-list 20 permit 182.132.127.0 0.0.0.255
access-list 20 permit 188.104.13.0 0.0.0.255
access-list 30 permit 172.24.xx.xxxx
access-list 30 permit 172.27.xx.xxxx
access-list 30 permit 172.24.101.0 0.0.0.255
access-list 30 permit 172.24.172.0 0.0.0.255
access-list 40 permit 172.36.xx.xxxx
access-list 40 permit 172.38.xx.xxxx
access-list 1300 permit 172.36.xx.xxxx
access-list 1333 permit 128.113.119.128 0.0.0.63
!
! SNMPv2c communities are cleartext credentials; the RW community gives full
! configuration control to any source permitted by ACL 10. Prefer SNMPv3 authPriv.
snmp-server community <<RW-Community>> RW 10
snmp-server community <<RO-Community>> RO 30
snmp-server community mrtg RO 1300
snmp-server community VBCCrep0rting RO 1333
snmp-server ifindex persist
snmp-server trap-source Loopback0
snmp-server location <<FacilityCode>> : <<FacilityInformation>>
snmp-server contact Network Operations 089 448 9332 Option #3
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon
snmp-server enable traps config
snmp-server enable traps entity
snmp-server host 199.103.13.208 Getronics-NMC-trap 
snmp-server host 199.103.13.219 Getronics-NMC-trap 
snmp-server host 172.22.88.201 Voyence  config
snmp-server host 172.22.8.201 Voyence  config
!
tacacs-server host 172.53.102.16
tacacs-server host 172.57.124.16
tacacs-server timeout 10
tacacs-server key 7 00010asdfadfaE18090C32454D
tacacs-server directed-request
!
control-plane
!
!
banner login !
****************************************************
WARNING TO UNAUTHORIZED USERS:
This system is for use by authorized users only.
Any individual using this system, by such use,
acknowledges and consents to the right of the
company to monitor, access, use, and disclose any
information generated, received, or stored on the
systems, and waives any right of privacy or
expectation of privacy on the part of that
individual in connection with his or her use of
this system. Unauthorized and/or improper use of
this system, as delineated by corporate policies,
is not tolerated and the company may take formal
action against such individuals.
****************************************************!
!
!
! "password cisco" is a placeholder. Without "aaa new-model" and an
! "aaa authentication login" method, the tacacs-server hosts above are never
! consulted and this line password is the only login check; telnet in
! "transport input telnet ssh" also sends it in cleartext.
line con 0
 access-class 20 in
 timeout login response 15
 password cisco
 logging synchronous
 transport preferred none
 stopbits 1
line vty 0 4
 access-class 20 in
 timeout login response 15
 password cisco
 logging synchronous
 transport preferred none
 transport input telnet ssh
line vty 5 15
 access-class 20 in
 timeout login response 15
 password cisco
 logging synchronous
 transport preferred none
 transport input telnet ssh
!
scheduler allocate 20000 1000
!ntp clock-period 17179555
ntp access-group peer 40
ntp server 172.38.xxx.xx
ntp server 172.36.xxx.xxx8 prefer
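As an added example (not code from the original post), the following Python script audits a running-config against the management-plane controls a template like the one above is meant to enforce, and shows what the template as posted would fail. Both inputs are constructed: WEAK is the template's management-plane lines trimmed down; HARDENED is an assumed corrected counterpart. The ACL numbers, the SNMPv3 view/group/user names, the TACACS+ server name and the <<...>> placeholders are mine, and the aaa, "tacacs server" and SNMPv3 commands assume IOS 15.x syntax. The hardened counterpart turns on AAA so the TACACS+ hosts are actually used for login, restricts the vty lines to SSH, adds idle timeouts and an "enable secret", and replaces SNMPv2c communities with an SNMPv3 authPriv user.

```python
"""Audit an IOS config against a management-plane baseline (added example)."""
import re

# Constructed input: the management-plane part of the template above, trimmed.
WEAK = """\
service password-encryption
no ip source-route
no ip http server
snmp-server community public RO 30
snmp-server community private RW 10
tacacs-server host 172.53.102.16
tacacs-server key 7 00010asdfadfaE18090C32454D
line con 0
 password cisco
line vty 0 15
 access-class 20 in
 password cisco
 transport input telnet ssh
"""

# Constructed, assumed counterpart; <<...>> are placeholders as in the post.
HARDENED = """\
service password-encryption
enable secret <<EnableSecret>>
aaa new-model
aaa authentication login default group tacacs+ local
username emergency secret <<LocalFallbackSecret>>
no ip source-route
no ip http server
ip ssh version 2
snmp-server view ISO-VIEW iso included
snmp-server group NMS-RO v3 priv read ISO-VIEW access 30
snmp-server user nms-poller NMS-RO v3 auth sha <<AuthPass>> priv aes 128 <<PrivPass>>
tacacs server MGMT-TACACS
 address ipv4 172.53.102.16
 key <<TacacsKey>>
line con 0
 exec-timeout 10 0
line vty 0 15
 access-class 20 in
 exec-timeout 10 0
 transport input ssh
"""

# Global commands that must be present: (regex, why it matters).
REQUIRED = [
    (r"^service password-encryption$", "line passwords and TACACS key stored in cleartext"),
    (r"^no ip source-route$", "source-routed packets honoured"),
    (r"^no ip http server$", "cleartext HTTP management enabled"),
    (r"^aaa new-model$", "AAA off: tacacs-server hosts are never consulted for login"),
    (r"^aaa authentication login default group tacacs\+ local$",
     "no TACACS+ login method with local fallback"),
    (r"^enable secret ", "no hashed enable secret"),
    (r"^ip ssh version 2$", "SSHv1 still negotiable"),
]
# Global commands that must be absent.
FORBIDDEN = [
    (r"^enable password ", "reversible enable password"),
    (r"^snmp-server community \S+ RW\b", "SNMPv2c read-write community: full control via a cleartext string"),
    (r"^snmp-server community \S+ RO\b", "SNMPv2c read-only community: cleartext; use SNMPv3 authPriv"),
]


def parse(config):
    """Return (global_lines, sections). IOS nests sub-commands under a
    non-indented header by one leading space; '!' lines are comments."""
    globals_, sections, current = [], [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
            continue
        current = (raw.strip(), [])
        sections.append(current)
        globals_.append(current[0])
    return globals_, sections


def audit(config):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    glob, sections = parse(config)
    for pat, why in REQUIRED:
        if not any(re.match(pat, line) for line in glob):
            findings.append(f"global: missing /{pat}/: {why}")
    for pat, why in FORBIDDEN:
        findings += [f"global: '{line}': {why}" for line in glob if re.match(pat, line)]
    for header, kids in sections:
        if not header.startswith("line "):
            continue
        transport = next((k for k in kids if k.startswith("transport input")), None)
        if header.startswith("line vty"):
            if transport is None:
                findings.append(f"{header}: no 'transport input' (default accepts telnet)")
            elif transport != "transport input ssh":
                findings.append(f"{header}: '{transport}' permits cleartext telnet")
            if not any(re.match(r"access-class \S+ in$", k) for k in kids):
                findings.append(f"{header}: no inbound access-class")
        timeout = next((k for k in kids if k.startswith("exec-timeout")), None)
        if timeout is None or timeout == "exec-timeout 0 0":
            findings.append(f"{header}: idle sessions never time out")
        if any(k.startswith("password ") for k in kids):
            findings.append(f"{header}: static line password; authenticate via AAA instead")
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Running it against WEAK reports the missing AAA, "enable secret" and SSHv2 settings, both SNMPv2c communities, telnet on the vty lines, and the static line passwords with no idle timeout; HARDENED reports nothing. Note that "service password-encryption" only applies type-7 obfuscation, which is trivially reversible; the checker requires it because the alternative is cleartext, but the real protection comes from "enable secret", "username ... secret" and AAA, as in the hardened sample.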
