
Cisco Router Basic Setup Template

Recently, Cisco routers (mostly the 800–1800 series) for my company's branches have often had to be configured from scratch, so to avoid typing one and the same set of commands a dozen times I have put together a small template of the various settings for myself. I'll say right away that I hold no Cisco certificates and have read no books on these routers; all my experience comes from the scientific method, poring over the manuals on cisco.com, and some thoughtful borrowing of pieces from other people's configs...



So, unpack the router, upload the latest firmware (for SSH, a minimum of the Advanced Security feature set is required), and run

#erase startup-config

to get rid of the pre-configured garbage, then reload.



Configure authorization and access via SSH





! enable password encryption
service password-encryption
! use the new AAA model with the local user database
aaa new-model
aaa authentication login default local
! create a user with maximum rights
username admin privilege 15 secret PASSWORD

! give the router a name
hostname <...>
ip domain-name router.domain
! generate an RSA key for SSH
crypto key generate rsa modulus 1024
! SSH tuning
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
! and enable it on the remote console
! (telnet stays allowed here as a fallback; once SSH login is confirmed working,
!  "transport input ssh" leaves only the encrypted path)
line vty 0 4
transport input telnet ssh
privilege level 15




Setting up routing



! enable accelerated packet switching (CEF)
ip cef



Time setting





! GMT+2 time zone, daylight saving from the last Sunday of March to the last Sunday of October
clock timezone Ukraine 2
clock summer-time Ukraine recurring last Sun Mar 2:00 last Sun Oct 2:00
! keep the hardware calendar in sync from NTP
ntp update-calendar
! it is better to specify the NTP servers by IP: if the DNS server is unreachable at reload time, settings given by name are lost...
ntp server NTP.SERVER.1.IP
ntp server NTP.SERVER.2.IP



Archiving Configs





! enable archiving of all config changes, hiding passwords in the log
archive
log config
logging enable
hidekeys

! the history of config changes can be viewed with the command
show archive log config all



DNS setup





! enable name resolution
ip domain-lookup
! turn on the router's internal DNS server (LAN clients query the router, which resolves via the name servers below)
ip dns server
! register the provider's DNS server
ip name-server XXX.XXX.XXX.XXX
! just in case, add a few public DNS servers
ip name-server 4.2.2.2
ip name-server 208.67.222.222
ip name-server 208.67.220.220




LAN setting





! usually the internal switch ports on the router are combined into Vlan1
interface Vlan1
description === LAN ===
ip address 192.168.???.1 255.255.255.0

! enable counting of packets sent out to clients on the interface; handy for seeing who eats up the traffic
ip accounting output-packets

! the statistics can be viewed with the command
show ip accounting
! and cleared with
clear ip accounting



Setting up a DHCP server





! exclude some addresses from the pool (including the router's own address)
ip dhcp excluded-address 192.168.???.1 192.168.???.99
! and configure the address pool
ip dhcp pool LAN
network 192.168.???.0 255.255.255.0
default-router 192.168.???.1
dns-server 192.168.???.1




Internet and Firewall Setup





! configure the filter for incoming traffic (everything not explicitly permitted is dropped by the implicit deny at the end of the list)
ip access-list extended FIREWALL
permit tcp any any eq 22
! (this line lets SSH in from anywhere; replacing "any" with the management hosts' addresses narrows it)

! enable inspection of traffic between the local network and the Internet
! (return traffic of inspected sessions is let back in past the FIREWALL list)
ip inspect name INSPECT_OUT dns
ip inspect name INSPECT_OUT icmp
ip inspect name INSPECT_OUT ntp
ip inspect name INSPECT_OUT tcp router-traffic
ip inspect name INSPECT_OUT udp router-traffic
ip inspect name INSPECT_OUT icmp router-traffic

! set up the Internet-facing port and put some protection on it
interface FastEthernet0/0
description === Internet ===
ip address ???.???.???.??? 255.255.255.???
ip virtual-reassembly
ip verify unicast reverse-path
no ip redirects
no ip directed-broadcast
no ip proxy-arp
no cdp enable
ip inspect INSPECT_OUT out
ip access-group FIREWALL in

! and finally, the default gateway
ip route 0.0.0.0 0.0.0.0 ???.???.???.???



NAT Setup





! on the Internet interface
interface FastEthernet0/0
ip nat outside

! on the local interface
interface Vlan1
ip nat inside

! create the list of IPs allowed to use NAT
ip access-list extended NAT
permit ip host 192.168.???.??? any

! enable NAT on the external interface
ip nat inside source list NAT interface FastEthernet0/0 overload

! add inspection of popular protocols
ip inspect name INSPECT_OUT http
ip inspect name INSPECT_OUT https
ip inspect name INSPECT_OUT ftp
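Both the FIREWALL list above and the NAT list here rely on the same matching rules: entries are tried top to bottom, the first match wins, and a packet that matches nothing hits the implicit deny at the end of every IOS access list. The following evaluator is an added example (not Cisco code and not from the original post) that models exactly that for the syntax used in this template (permit/deny, ip/tcp/udp, host and any, an optional eq PORT on the destination) and, as a generalisation, the A.B.C.D WILDCARD form with a contiguous wildcard. The addresses in FIREWALL_ACL, NAT_ACL and the packets are constructed for the demo.

```python
"""Toy evaluator for IOS extended ACLs (added illustration, not Cisco code).
Models first-match semantics plus the implicit 'deny ip any any'."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str                 # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Consume one address spec from tokens[i:], return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'A.B.C.D WILDCARD' form: a contiguous wildcard of n low bits is a /(32-n)
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    prefix = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False), i + 2


def parse_acl(text):
    """Parse the lines of an 'ip access-list extended' block into rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip" or tokens[0].startswith("!"):
            continue  # skip the list header and comment lines
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = int(tokens[i + 1])
        rules.append({"action": action, "proto": proto, "src": src,
                      "dst": dst, "dport": dport})
    return rules


def evaluate(rules, pkt):
    """Return ('permit' | 'deny', index of the matching rule or None).
    No match means the implicit deny that ends every IOS ACL applies."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for idx, r in enumerate(rules):
        if r["proto"] != "ip" and r["proto"] != pkt.proto:
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != pkt.dport:
            continue
        return r["action"], idx
    return "deny", None


# Constructed copies of the two lists from this template (addresses made up).
FIREWALL_ACL = """
ip access-list extended FIREWALL
 permit tcp any any eq 22
"""

NAT_ACL = """
ip access-list extended NAT
 permit ip host 192.168.10.50 any
"""

if __name__ == "__main__":
    fw, nat = parse_acl(FIREWALL_ACL), parse_acl(NAT_ACL)
    # inbound SSH is the only thing FIREWALL lets in; everything else is implicit deny
    print(evaluate(fw, Packet("tcp", "203.0.113.7", "198.51.100.1", 22)))
    print(evaluate(fw, Packet("tcp", "203.0.113.7", "198.51.100.1", 80)))
    # only the listed host gets translated by NAT
    print(evaluate(nat, Packet("tcp", "192.168.10.50", "198.51.100.1", 443)))
    print(evaluate(nat, Packet("tcp", "192.168.10.51", "198.51.100.1", 443)))
```

The second FIREWALL evaluation (port 80, denied) is the case the ip inspect entries exist for: the static list drops it, and only the dynamic entries that CBAC adds for sessions opened from inside let such return traffic through.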



Disable unnecessary services





! legacy and diagnostic services (echo/chargen, finger, PAD, BOOTP, autoconfig) and the web UI are not needed on a branch router
no service tcp-small-servers
no service udp-small-servers
no service finger
no service config
no service pad
no ip finger
no ip source-route
no ip http server
no ip http secure-server
no ip bootp server
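Once a router has been built from this template it is worth checking that nothing was skipped, and that later edits have not re-opened something. The script below is an added example (not Cisco tooling and not from the original post): it reads a saved show running-config text and reports which of the template's global settings are missing, whether any vty line still accepts anything other than SSH, whether a username uses a reversible password instead of secret, and whether the ip nat outside interface carries an inbound access-group and uRPF. SAMPLE_CONFIG is a constructed running-config in the shape of this template, with telnet left on the vty lines and no ip http server omitted so that findings appear. Note that IOS does not print default settings in show running-config, so "missing" here means "not verified", not necessarily "enabled".

```python
"""Hardening audit for an IOS running-config (added example, not Cisco tooling)."""
import re

# Global commands this template expects to find verbatim.
REQUIRED_GLOBAL = [
    "service password-encryption",
    "aaa new-model",
    "aaa authentication login default local",
    "ip ssh version 2",
    "no ip source-route",
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no service finger",
    "no service pad",
    "no ip bootp server",
    "no ip http server",
    "no ip http secure-server",
]


def parse_sections(config):
    """Split config text into (global_lines, {section_header: [indented lines]})."""
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # blank lines and '!' separators
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())   # sub-command of current block
        else:
            current = raw.strip()
            sections[current] = []
            globals_.append(current)
    return globals_, sections


def audit(config):
    """Return a sorted list of finding strings; an empty list means all checks pass."""
    globals_, sections = parse_sections(config)
    findings = []
    for cmd in REQUIRED_GLOBAL:
        if cmd not in globals_:
            findings.append(f"missing global command: {cmd}")
    for line in globals_:
        # 'username X password ...' is stored as a reversible type-7 string; 'secret' is hashed
        if re.match(r"username \S+ (privilege \d+ )?password ", line):
            findings.append(f"reversible password in: {line}")
    for header, body in sections.items():
        if header.startswith("line vty"):
            transports = [l.split()[2:] for l in body if l.startswith("transport input")]
            allowed = set(transports[0]) if transports else {"all"}   # no line = IOS default
            if allowed != {"ssh"}:
                findings.append(f"{header}: transport input allows {' '.join(sorted(allowed))}")
        if header.startswith("interface") and "ip nat outside" in body:
            if not any(l.startswith("ip access-group") and l.endswith(" in") for l in body):
                findings.append(f"{header}: no inbound access-group on the Internet-facing interface")
            if "ip verify unicast reverse-path" not in body:
                findings.append(f"{header}: no uRPF check")
    return sorted(findings)


# Constructed sample in the shape of this template; addresses and hash are made up.
SAMPLE_CONFIG = """\
version 15.1
service password-encryption
hostname branch-router
aaa new-model
aaa authentication login default local
username admin privilege 15 secret 5 $1$EXAMPLE$placeholderhash
ip ssh version 2
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no service finger
no service pad
no ip bootp server
no ip http secure-server
interface FastEthernet0/0
 description === Internet ===
 ip address 203.0.113.2 255.255.255.252
 ip verify unicast reverse-path
 ip nat outside
 ip access-group FIREWALL in
interface Vlan1
 description === LAN ===
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
line vty 0 4
 privilege level 15
 transport input telnet ssh
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show running-config saved to a file; two findings are expected for the sample (telnet on the vty lines, no ip http server missing), and the list is empty once those are corrected.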



UPD. Removed the superfluous parts on the advice of a habrauser.

UPD2. Added disabling of unnecessary services.

UPD3. Changed the firewall settings (thanks to Fedia).

Source: https://habr.com/ru/post/87680/


