Have for the last couple of months been working on a new router script:

Unanswered Question
Mar 23rd, 2010

Preface: the task was to come up with a new router script to be used on all of our sites worlwide - a basic script covering:

- AAA (Tacacs+)

- Logging

- Security (Base line)

- Optimize memory (router - of course the valuse are different on some routers due to the hardware. But we are using 3845 routers almost everywhere).

Omitted from this script are: all keys, routing (the script does also cover BGP, EIGRP and OSPF), ACL`s, DMVPN configuration, extended ACL`s and Route-Maps.

Here it is, I welcome all comments and suggestions on the below script:

conf t
no logging console
no ip source-route
no ip bootp server
no service pad
no ip finger
no ip identd
no service tcp-small-servers
no service udp-small-servers
no service timestamps debug uptime
no ip http server
hostname XXXXXXXX
service password-encryption
service tcp-keepalives-in
password encryption aes
ip domain-name XXXXXXXXXXX
ip name server XXXXXXXXXXXXX
crypto key generate rsa
aaa new-model
tacacs-server host "Public IP Address single-connection key 0 "key-removed"
tacacs-server host XXXXXXXXX single-connection key 0 "key-removed"
tacacs-server host XXXXXXXXXX single-connection key 0 "key-removed"
interface loopback254
description +++ Tac_Lo_Int +++
ip address
no shut
ip ssh version 2
ip ssh timeout 30
ip ssh authentication-retries 3
ip tacacs source-interface loopback254
username XXXXXXXXXX password 0 "key-removed"
enable secret level 15 0 "key-removed"
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication fail-message "Wrong Username/Password - or use local account"
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
line vty 0 4
exec-timeout 6 0
session timeout 6 0
transport input ssh
transport output none
logging synchronous level 1
ip http secure-server
clock timezone GMT 1
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
ntp server XXXXXXXXXX
ntp authentication-key 46 md5 "key-removed"
ntp trusted-key 46
ntp authenticate
banner login #
* You must have explicit, authorized permission to access or   *
* configure this device. Unauthorized attempts and actions to  *
* access or use this system may result in civil and/or criminal*
* penalties. All activities performed on this device are       *
* logged and monitored.                                        *
access-list 1 permit
access-list 11 permit
memory free low-watermark processor 91523
memory free low-watermark io 6710
memory reserve critical 1000
snmp-server community XXXXXXXX RO 1
snmp-server community XXXXXX RW 11
snmp-server trap-source Loopback254
snmp-server contact XXXXXXXXX
snmp-server enable traps cpu threshold
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps config
snmp-server host traps XXXXXXX cpu
snmp-server host "Public IP Addr" traps XXXXXXXXXX cpu
snmp-server host XXXXXXXXX
snmp-server host "Public IP Addr" XXXXXXX
logging host transport tcp port 1401 filtered stream 80
logging host "Public IP Addr" transport tcp port 1401 filtered stream 40
logging source-interface loopback254
logging facility syslog
logging trap informational
logging buffered


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
dhananjoy chowdhury Wed, 03/24/2010 - 09:01

Some additions I can think of now are

1. Restrcit access to the device for HTTPS/ssh using ACL's

2. Some routers will have line vty 5 16, so your script have to capture the configs for the same.

3. Create named groups for AAA with TACACS/local instead of using default. it will be handy while using the same under line vty and consoles.Something like this
aaa authentication login T-AUTHEN group tacacs+ local


This Discussion