Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

Have for the last couple of months been working on a new router script:

Preface: the task was to come up with a new router script to be used on all of our sites worlwide - a basic script covering:

- AAA (Tacacs+)

- Logging

- Security (Base line)

- Optimize memory (router - of course the valuse are different on some routers due to the hardware. But we are using 3845 routers almost everywhere).

Omitted from this script are: all keys, routing (the script does also cover BGP, EIGRP and OSPF), ACL`s, DMVPN configuration, extended ACL`s and Route-Maps.

Here it is, I welcome all comments and suggestions on the below script:

conf t
no logging console
no ip source-route
no ip bootp server
no service pad
no ip finger
no ip identd
no service tcp-small-servers
no service udp-small-servers
no service timestamps debug uptime
no ip http server
hostname XXXXXXXX
service password-encryption
service tcp-keepalives-in
password encryption aes
ip domain-name XXXXXXXXXXX
ip name server XXXXXXXXXXXXX
crypto key generate rsa
aaa new-model
tacacs-server host "Public IP Address single-connection key 0 "key-removed"
tacacs-server host XXXXXXXXX single-connection key 0 "key-removed"
tacacs-server host XXXXXXXXXX single-connection key 0 "key-removed"
interface loopback254
description +++ Tac_Lo_Int +++
ip address
no shut
ip ssh version 2
ip ssh timeout 30
ip ssh authentication-retries 3
ip tacacs source-interface loopback254
username XXXXXXXXXX password 0 "key-removed"
enable secret level 15 0 "key-removed"
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication fail-message "Wrong Username/Password - or use local account"
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
line vty 0 4
exec-timeout 6 0
session timeout 6 0
transport input ssh
transport output none
logging synchronous level 1
ip http secure-server
clock timezone GMT 1
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
ntp server XXXXXXXXXX
ntp authentication-key 46 md5 "key-removed"
ntp trusted-key 46
ntp authenticate
banner login #
* You must have explicit, authorized permission to access or   *
* configure this device. Unauthorized attempts and actions to  *
* access or use this system may result in civil and/or criminal*
* penalties. All activities performed on this device are       *
* logged and monitored.                                        *
access-list 1 permit
access-list 11 permit
memory free low-watermark processor 91523
memory free low-watermark io 6710
memory reserve critical 1000
snmp-server community XXXXXXXX RO 1
snmp-server community XXXXXX RW 11
snmp-server trap-source Loopback254
snmp-server contact XXXXXXXXX
snmp-server enable traps cpu threshold
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps config
snmp-server host traps XXXXXXX cpu
snmp-server host "Public IP Addr" traps XXXXXXXXXX cpu
snmp-server host XXXXXXXXX
snmp-server host "Public IP Addr" XXXXXXX
logging host transport tcp port 1401 filtered stream 80
logging host "Public IP Addr" transport tcp port 1401 filtered stream 40
logging source-interface loopback254
logging facility syslog
logging trap informational
logging buffered



Re: Have for the last couple of months been working on a new rou

Some additions I can think of now are

1. Restrcit access to the device for HTTPS/ssh using ACL's

2. Some routers will have line vty 5 16, so your script have to capture the configs for the same.

3. Create named groups for AAA with TACACS/local instead of using default. it will be handy while using the same under line vty and consoles.Something like this
aaa authentication login T-AUTHEN group tacacs+ local

CreatePlease to create content