IOS Router Golden Templates
!------------------------------------------
! -- Logging Settings
!------------------------------------------
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging buffered 1000000
logging trap 7
logging [[Syslog Server]]
no logging console
logging on
logging source-interface [[Logging Source Gi0/0/0)]]

!------------------------------------------
! -- TACACs Authentication Settings
!------------------------------------------
username [[Local User]] secret [[Local Password]]
enable secret [[Enable Secret]]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
tacacs server [[TACACs Server Name]]
 address ipv4 [[TACACs Server IP]]
 key [[TACACs Key]]
 timeout 3
service password-encryption

!------------------------------------------
! -- Local Authentication Settings
!------------------------------------------
username [[Local User]] secret [[Local Password]]
enable secret [[Enable Secret]]
aaa new-model
aaa authentication login default local
aaa authorization exec default local
service password-encryption

!------------------------------------------
! -- Date / Time Settings
!------------------------------------------
clock timezone [[Clock Timezone Name]] [[Clock Hours offset from UTC (-6)]]
clock summer-time [[Clock Timezone Name in Summer]] recurring
ntp server [[NTP Server]] source [[NTP Source Interface (Gi0/0/0)]] prefer

!------------------------------------------
! -- DNS Settings
!------------------------------------------
ip domain lookup
ip domain name [[Domain Name]]
ip name-server [[Primary DNS Server]]
ip name-server [[Secondary DNS Server]]

!------------------------------------------
! -- Enable SSH
!------------------------------------------
crypto key generate rsa usage-keys modulus 2048

!------------------------------------------
! -- TFTP Backup Settings
!------------------------------------------
! This command set backs up the router config to a TFTP server
! whenever the config is saved to NVRAM.
archive
 log config
  hidekeys
  logging enable
  notify syslog
 path tftp://[[TFTP Archive Server]]/$h
 write-memory

!------------------------------------------
! -- Internet ACL Settings to block
! -- private IP prefixes and VoIP
!------------------------------------------
ip access-list extended [[Public ACL]]
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny udp any any range 5060 5061 log
 deny tcp any any range 5060 5061 log
 deny tcp any any range 1720 1721 log
 deny udp any any range 1720 1721 log
 permit ip any any
interface [[Outside Interface (Gi0/1)]]
 ip access-group [[Public ACL]] in

!------------------------------------------
! -- Internet ACL Settings to block
! -- private IP prefixes
!------------------------------------------
ip access-list extended [[Public ACL]]
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 permit ip any any
interface [[Outside Interface (Gi0/1)]]
 ip access-group [[Public ACL]] in

!------------------------------------------
! -- SNMP Settings
!------------------------------------------
snmp-server community [[SNMP Community String]] RO SNMP
ip access-list standard SNMP
 permit [[SNMP Management Server IP]]

!------------------------------------------
! -- VTY Settings
!------------------------------------------
! The 172.16.0.0 0.0.31.255 entry matches 172.16.0.0 - 172.16.31.255 only;
! the whole 172.16.0.0/12 block would need wildcard 0.15.255.255.
ip access-list standard VTY
 permit 10.0.0.0 0.255.255.255
 permit 192.168.0.0 0.0.255.255
 permit 172.16.0.0 0.0.31.255
line con 0
 logging sync
line 1
 modem InOut
 transport input all
 autoselect ppp
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 15
 logging sync
 access-class VTY in
 transport input ssh

!------------------------------------------
!-- QOS Settings
!------------------------------------------
class-map match-any AF4
 match ip dscp af41
 match ip dscp af42
 match ip dscp af43
class-map match-any AF3
 match ip dscp af31
 match ip dscp af32
 match ip dscp af33
class-map match-any AF2
 match ip dscp af21
 match ip dscp af22
 match ip dscp af23
class-map match-any AF1
 match ip dscp af11
 match ip dscp af12
 match ip dscp af13
class-map match-any VOICE
 match ip dscp ef
!
!
policy-map [[VoIP QOS Policy-Map]]
 class VOICE
  priority 768
  police 768000 9600 conform-action transmit exceed-action set-dscp-transmit af41
 class AF4
  bandwidth remaining percent 30
 class AF3
  bandwidth remaining percent 20
 class AF2
  bandwidth remaining percent 10
 class AF1
  bandwidth remaining percent 5
 class class-default
  bandwidth remaining percent 35
interface [[VoIP WAN Interface (Se0/0/0)]]
 service-policy output [[VoIP QOS Policy-Map]]

!------------------------------------------
!-- Banners
!------------------------------------------
banner motd #
**********************************WARNING!**********************************
THIS IS A PRIVATE INTEREST COMPUTER SYSTEM. THIS COMPUTER SYSTEM IS PROVIDED
FOR THE PROCESSING OF PRIVATE INFORMATION ONLY. USE OF THIS SYSTEM IS
RESTRICTED TO AUTHORIZED USERS. THIS SYSTEM WILL BE MONITORED TO ENSURE
INFORMATION SECURITY, SYSTEM INTEGRITY, AND THAT USE OF THIS SYSTEM IS FOR
AUTHORIZED PURPOSES ONLY. THE USE OF THIS COMPUTER SYSTEM CONSTITUTES
CONSENT TO MONITORING. INFORMATION DERIVED FROM THE SYSTEM MONITORING MAY
BE USED AS A BASIS FOR ADMINISTRATIVE, DISCIPLINARY, OR CRIMINAL
PROCEEDINGS. IF YOU ARE NOT AN AUTHORIZED USER OF THIS SYSTEM EXIT
IMMEDIATELY.
**********************************WARNING!**********************************
#
banner login #
**********************************WARNING!**********************************
THIS IS A PRIVATE INTEREST COMPUTER SYSTEM. THIS COMPUTER SYSTEM IS PROVIDED
FOR THE PROCESSING OF PRIVATE INFORMATION ONLY. USE OF THIS SYSTEM IS
RESTRICTED TO AUTHORIZED USERS. THIS SYSTEM WILL BE MONITORED TO ENSURE
INFORMATION SECURITY, SYSTEM INTEGRITY, AND THAT USE OF THIS SYSTEM IS FOR
AUTHORIZED PURPOSES ONLY. THE USE OF THIS COMPUTER SYSTEM CONSTITUTES
CONSENT TO MONITORING. INFORMATION DERIVED FROM THE SYSTEM MONITORING MAY
BE USED AS A BASIS FOR ADMINISTRATIVE, DISCIPLINARY, OR CRIMINAL
PROCEEDINGS. IF YOU ARE NOT AN AUTHORIZED USER OF THIS SYSTEM EXIT
IMMEDIATELY.
**********************************WARNING!**********************************
#

!------------------------------------------
! -- Security Configs
!------------------------------------------
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
security passwords min-length 6
security authentication failure rate 10 log
login block-for 5 attempts 5 within 5
ip ssh time-out 60
ip ssh authentication-retries 5
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
int GigabitEthernetX/X/X
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
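
The Internet ACL sections above are meant to drop loopback and private source prefixes on the outside interface, which only works if each wildcard mask spans the whole block. The following check is an added example, not part of the original template: it converts each `deny ip <addr> <wildcard> any` entry to a prefix and reports which required blocks are fully covered. The ACL name `PUBLIC-IN` and the sample text are constructed for illustration.

```python
import ipaddress
import re

# Source blocks the template's Internet ACL is meant to drop inbound.
REQUIRED = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ACE = re.compile(
    r"^\s*deny\s+ip\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+any\b")

# Constructed sample: the 172.16.0.0 entry uses a /20 wildcard by mistake.
SAMPLE = """\
ip access-list extended PUBLIC-IN
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.0.15.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 permit ip any any
"""

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network object.
    Returns None for discontiguous wildcards, which no single prefix describes."""
    inv = int(ipaddress.IPv4Address(wildcard))
    if inv & (inv + 1):              # contiguous wildcards have the form 2**n - 1
        return None
    prefix_len = 32 - inv.bit_length()
    base = int(ipaddress.IPv4Address(addr)) & ~inv & 0xFFFFFFFF
    return ipaddress.ip_network((base, prefix_len))

def audit_acl(config_text):
    """Map each required block to True if a single deny entry contains all of it."""
    denied = []
    for line in config_text.splitlines():
        m = ACE.match(line)
        if m:
            net = wildcard_to_network(m.group(1), m.group(2))
            if net is not None:
                denied.append(net)
    return {str(req): any(req.subnet_of(d) for d in denied) for req in REQUIRED}

if __name__ == "__main__":
    for block, covered in audit_acl(SAMPLE).items():
        print(f"{block:18} {'covered' if covered else 'NOT fully covered'}")
```

Run it against a rendered template before deployment; a block split across several narrower deny entries is reported as not covered, so review those by hand.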



Syslog Server:
Logging Source Gi0/0/0):
Local User:
Local Password:
Enable Secret:
TACACs Server Name:
TACACs Server IP:
TACACs Key:
Domain Name:
Clock Timezone Name:
Clock Hours offset from UTC (-6):
Clock Timezone Name in Summer:
NTP Server:
NTP Source Interface (Gi0/0/0):
Primary DNS Server:
Secondary DNS Server:
TFTP Archive Server:
Public ACL:
Outside Interface (Gi0/1):
SNMP Community String:
SNMP Management Server IP:
VoIP WAN Interface (Se0/0/0):
VoIP QOS Policy-Map:

