Cisco IOS XE Configuration Reference
! Local-only AAA: logins, EXEC authorization and network authorization are
! all decided from the device's own user database ("local" method, no
! server group).
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
! NOTE(review): the local method needs at least one "username ... secret"
! entry on the device (not part of this snippet); turning on aaa new-model
! without one can leave remote logins with no way to authenticate.
! Login throttling: after 3 failed logins within 60 s the device enters a
! 120 s quiet period, every login attempt is delayed 5 s, and both failed
! and successful logins are written to the log.
login block-for 120 attempts 3 within 60
login delay 5
login on-failure log
login on-success log
! NOTE(review): during the quiet period all login attempts are refused unless
! a "login quiet-mode access-class" ACL exempts management hosts; no such ACL
! is part of this snippet - confirm that is intended.
! RADIUS (NPS) AAA with local fallback. {{ ip }} and {{ key }} are template
! variables; the same {{ ip }} must appear in the server group below.
radius-server host {{ ip }} key {{ key }}

aaa group server radius NPS_Server
 server {{ ip }}

aaa new-model
! Named method lists "nps": the RADIUS group is tried first; the local user
! database is consulted only when no server in the group answers, not when
! the server rejects the credentials.
aaa authentication login nps group NPS_Server local
aaa authorization exec nps group NPS_Server local
! Accounting uses the default lists, so it applies to every line without a
! per-line accounting statement.
aaa accounting exec default start-stop group NPS_Server
aaa accounting system default start-stop group NPS_Server
! NOTE(review): the "nps" lists only take effect on lines that reference them
! ("login authentication nps" / "authorization exec nps" in the line
! configuration elsewhere on this page). The shared secret is written into
! the configuration as given; nothing in this snippet encrypts it.
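! Login banner shown before the username prompt. "^" is the delimiting
! character, so the banner text must be closed with a second "^"; without it
! IOS keeps treating the following configuration lines as banner text until
! it finds one.
banner login ^UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access
or configure this device. Unauthorized attempts and
actions to access or use this system may result
in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.
^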
! Configuration archive plus change logging.
! "mkdir" is an EXEC command and must be run before entering configuration
! mode; everything after it is configuration.
mkdir flash:/archived_config/
archive
 ! keep at most 5 archived copies
 maximum 5
 log config
  ! record every configuration command in a 200-entry buffer and forward
  ! each one to syslog as plain text
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  ! mask passwords/keys in the logged commands
  hidekeys
 path flash:/archived_config/
 ! take an archive copy every time the configuration is saved
 write-memory
! Console and VTY hardening.
! The console has no "login authentication" statement, so it uses the
! default method list (local-only in the AAA snippet on this page) and keeps
! working when RADIUS is unreachable; confirm that is the intended split.
line con 0
 session-timeout 5
 exec-timeout 5 0
 ! no outbound auto-connect on a mistyped command
 transport preferred none
! VTYs: SSH only, restricted by the "ssh_in" ACL (defined elsewhere on this
! page), authenticated/authorized through the "nps" RADIUS lists, no outbound
! sessions from the device.
line vty 0 4
 session-timeout 5
 access-class ssh_in in
 exec-timeout 5 0
 login authentication nps
 authorization exec nps
 logging synchronous
 transport preferred none
 transport input ssh
 transport output none
! Same settings for the remaining VTYs.
line vty 5 15
 session-timeout 5
 access-class ssh_in in
 exec-timeout 5 0
 login authentication nps
 authorization exec nps
 logging synchronous
 transport preferred none
 transport input ssh
 transport output none
! Disable the embedded web server (both HTTP and HTTPS); management is
! SSH-only per the line configuration on this page.
no ip http server
no ip http secure-server
! Domain name is required (together with a hostname) before an RSA key pair
! can be generated for SSH; {{ config['domain'] }} is a template variable.
ip domain-name {{ config['domain'] }}
! do not try to resolve mistyped commands as hostnames
no ip domain-lookup
! Automatically re-enable ports that BPDU guard has err-disabled, after
! 1200 s (20 min).
errdisable recovery cause bpduguard
errdisable recovery interval 1200
! NOTE(review): a port that keeps receiving BPDUs will be re-enabled and
! err-disabled again every 20 min; decide whether that is preferable to
! manual recovery for this environment.
! Device hostname (also a prerequisite for RSA key generation); {{ hostname }}
! is a template variable.
hostname {{ hostname }}
! NTP client pointed at {{ server }}, sourcing packets from {{ ntpSource }}.
! NOTE(review): no NTP authentication key is configured in this snippet, so
! the time source is trusted by address only.
ntp server {{ server }} source {{ ntpSource }}
! Restrict NTP peering to a single host: a standard ACL entry with only an
! address and no wildcard matches that one address.
access-list 15 permit {{ ip }}
! "peer" is the most permissive NTP access class (time requests, control
! queries and synchronisation); "serve-only"/"query-only" would be tighter
! if the device does not need to synchronise to {{ ip }} - confirm.
ntp access-group peer 15
clock timezone UTC 0
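! SNMPv3 (authPriv: SHA auth, AES-256 priv) restricted by source address.
! {{ snmpUser }}, {{ snmpGroup }}, {{ snmpAuth }}, {{ snmpPriv }} and {{ ip }}
! are template variables.
snmp-server user {{ snmpUser }} {{ snmpGroup }} v3 auth sha {{ snmpAuth }} priv aes 256 {{ snmpPriv }}
access-list 99 permit {{ ip }}
! The group name is templated with the same variable as the user line so the
! view and ACL always apply to the user that was just created (a hard-coded
! group name only matches when the caller happens to pass that exact value).
snmp-server group {{ snmpGroup }} v3 priv read RESTRICTED access 99
! per-VLAN contexts ("vlan-<n>") so bridge-MIB data is reachable under the
! same view and ACL
snmp-server group {{ snmpGroup }} v3 priv context vlan- match prefix access 99
! "RESTRICTED" restricts only by ACL 99: "iso included" is the whole MIB tree
! (and already contains "internet"), so no object-level restriction is applied.
snmp-server view RESTRICTED iso included
snmp-server view RESTRICTED internet included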
! Generate the 4096-bit RSA host key for SSH (EXEC command; requires
! "hostname" and "ip domain-name" to be set first - both are on this page)
! and restrict the SSH server to protocol version 2.
crypto key generate rsa modulus 4096
ip ssh version 2
! NOTE(review): no "ip ssh server algorithm" restrictions are part of this
! snippet, so the platform's default cipher/MAC/key-exchange list applies.
! Remote syslog: prefix every message with the device hostname and send it to
! {{ host }} (template variable).
logging origin-id hostname
logging host {{ host }}
! NOTE(review): severity ("logging trap"), source interface and timestamp
! format are not set here, so the defaults apply.
! VTP mode from the template variable {{ vtp }}.
! NOTE(review): "transparent" (or "off") keeps the local VLAN database from
! being overwritten by a VTP advertisement with a higher revision number;
! confirm which value the callers pass.
vtp mode {{ vtp }}
! Edge (access) port template for ports 1..{{ ports }} of slot {{ slotNumber }}.
interface range {{ type }} {{ slotNumber }}/1 - {{ ports }}
 switchport mode access
 switchport access vlan {{ vlan }}
 ! no DTP: a host cannot negotiate the port into a trunk
 switchport nonegotiate
 ! go forwarding immediately, but err-disable on any received BPDU
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! do not advertise device details to whatever is plugged in
 no cdp enable
! Logical uplink: 802.1Q trunk limited to {{ allowedVlans }}, with DTP off.
interface Port-channel1
 description Connection to Core
 ! only needed on platforms that still offer ISL; some IOS XE platforms
 ! reject this command - confirm for the target hardware
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan {{ allowedVlans }}
 switchport mode trunk
 switchport nonegotiate
! NOTE(review): no "switchport trunk native vlan" is set, so untagged frames
! map to VLAN 1; pinning the native VLAN to an unused one is the usual
! complement to "nonegotiate" on trunks.
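! Physical members of Port-channel1. Switchport settings must match the
! port-channel interface exactly or the bundle will not form.
interface range {{ type }} {{ slotNumber }}/1 - {{ ports }}
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan {{ allowedVlans }}
 switchport nonegotiate
 ! LACP, active side
 channel-group 1 mode active
 ! uplink toward the DHCP server: accept DHCP server replies here
 ip dhcp snooping trust
 ! loop guard is an interface-level "guard loop"; "spanning-tree loopguard"
 ! is only valid as the global "spanning-tree loopguard default"
 spanning-tree guard loop
 cdp enable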
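! Management/routed SVI for VLAN {{ id }}. IOS requires a subnet mask with
! the address, so the template takes {{ mask }} as well (the same variable
! name the other snippets on this page use for a mask).
interface vlan {{ id }}
 ip address {{ ip }} {{ mask }}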
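! eBGP session to {{ ip }} (AS {{ asn }}) from local AS {{ local_asn }}, with
! inbound/outbound route-map filtering.
router bgp {{ local_asn }}
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor {{ ip }} remote-as {{ asn }}
  neighbor {{ ip }} route-map {{ map_out }} out
  neighbor {{ ip }} route-map {{ map_in }} in
  ! GTSM: accept only packets that arrive with TTL 255 (one hop away)
  neighbor {{ ip }} ttl-security hops 1
  ! skip the directly-connected check; presumably the peer is addressed by a
  ! loopback on a directly attached device - confirm with the peering design
  neighbor {{ ip }} disable-connected-check
  ! TCP MD5 session authentication
  neighbor {{ ip }} password {{ password }}
  neighbor {{ ip }} activate
  ! NOTE(review): "network" reuses the {{ ip }} variable that also names the
  ! neighbor; this only works if the two lines are rendered from different
  ! contexts - confirm with the caller
  network {{ ip }} mask {{ mask }}
  ! both are the defaults on current IOS XE; kept for older software
  no auto-summary
  no synchronization
 exit-address-family

! Policy objects referenced by the neighbor route-maps. The "match" line
! references {{ pre }} while the prefix-list is created as {{ name }}; the two
! must render to the same string.
route-map {{ name }} {{ action }} {{ order }}
 match ip address prefix-list {{ pre }}

! a prefix-list is created with "ip prefix-list"; bare "prefix-list" is not an
! IOS command
ip prefix-list {{ name }} seq {{ order }} {{ action }} {{ range }}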
! Default gateway for a Layer-2 switch: only honoured while "ip routing" is
! disabled (the "ip route 0.0.0.0 0.0.0.0" snippet on this page is the
! routed-switch alternative).
ip default-gateway {{ gateway }}
! Static default route toward {{ defaultGW }}; applies when "ip routing" is
! enabled (otherwise use the "ip default-gateway" snippet on this page).
ip route 0.0.0.0 0.0.0.0 {{ defaultGW }}
! Source filter applied to the VTYs with "access-class ssh_in in".
! {{ mask }} is a wildcard mask here (extended ACL syntax), not a subnet mask.
ip access-list extended ssh_in
 permit tcp {{ ip }} {{ mask }} any eq 22
 ! log every rejected connection attempt
 deny ip any any log
! NOTE(review): create this ACL before the line configuration that references
! it; an "access-class" pointing at an ACL that does not exist yet does not
! filter anything.
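! IP device tracking probes (legacy "ip device tracking" CLI; newer IOS XE
! releases use "device-tracking" policies - confirm for the target release).
! Source ARP probes from the SVI address, wait 10 s before probing a newly
! linked port.
ip device tracking probe use-svi
ip device tracking probe delay 10
! Fallback probe source when no SVI address is available: host part 0.0.0.1
! under the /24 mask; "override" uses it even when an SVI address exists.
! This is a sub-command of "ip device tracking probe", which the original
! line was missing.
ip device tracking probe auto-source fallback 0.0.0.1 255.255.255.0 override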
! DHCP snooping on VLAN {{ id }}: DHCP server replies are accepted only on
! trusted ports.
ip dhcp snooping
! do not insert option 82 (relay agent information); presumably the DHCP
! server drops such packets - confirm
no ip dhcp snooping information option
ip dhcp snooping vlan {{ id }}

! {{ int}} should be the uplink / server-facing interface; every other port
! in the VLAN stays untrusted.
interface {{ int}}
 ip dhcp snooping trust
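! Site-to-site IKEv2/IPsec tunnel. This block is ASA syntax (object-group,
! tunnel-group, "crypto map ... interface"), not IOS XE; "extern" is the
! outside interface name.
object-group network REMOTE-TRAFFIC
 network-object {{ ip }} {{ subnet }}

object-group network LOCAL-TRAFFIC
 network-object {{ ip }} {{ subnet }}
! NOTE(review): both object groups use the same {{ ip }}/{{ subnet }}
! variables and must be rendered from different contexts - confirm.

! interesting traffic: local subnet(s) to remote subnet(s)
access-list CORP_TUNNEL extended permit ip object-group LOCAL-TRAFFIC object-group REMOTE-TRAFFIC

crypto ikev2 enable extern
! NOTE(review): "prf sha" is SHA-1 while integrity is SHA-256; the policy must
! match the peer, so it is left as configured - confirm against the peer.
crypto ikev2 policy 15
 encryption aes-256
 integrity sha256
 group 14
 prf sha
 lifetime seconds 86400

! The proposal name says SHA1 but it negotiates sha-256; the name is kept
! because the crypto map below references it.
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! {{ local_tunnel }} is used as the tunnel-group name and as the crypto-map
! peer, so despite its name it is the remote peer's address. The original
! second tunnel-group line carried a stray "']" inside the template
! expression, and the local-authentication line a trailing '- " "'; both
! would fail to render/parse and are removed.
tunnel-group {{ local_tunnel }} type ipsec-l2l
tunnel-group {{ local_tunnel }} ipsec-attributes
 ikev2 remote-authentication pre-shared-key {{ remote_pass }}
 ikev2 local-authentication pre-shared-key {{ local_pass }}
crypto map CRYPTOMAP 100 match address CORP_TUNNEL
crypto map CRYPTOMAP 100 set peer {{ local_tunnel }}
crypto map CRYPTOMAP 100 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
crypto map CRYPTOMAP interface extern
! ISAKMP (IKEv1) identity setting; presumably harmless for this IKEv2 tunnel
! but it does not apply to it - confirm whether it is still needed
crypto isakmp identity address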
! Spanning-tree mode ({{ mode }}: pvst, rapid-pvst or mst) and the bridge
! priority for every VLAN.
spanning-tree mode {{ mode }}
! {{ priority }} must be a multiple of 4096 (0-61440) or the command is
! rejected; a low value makes this switch the root, a high one keeps it from
! ever becoming root.
spanning-tree vlan 1-4094 priority {{ priority }}