Cisco IOS XE Configuration Reference
```
! AAA with local authentication and authorization (no external server)
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
```
```
! Login brute-force protection: quiet period after 3 failures in 60 s, and log every attempt
login block-for 120 attempts 3 within 60
login delay 5
login on-failure log
login on-success log
```
```
! AAA against a RADIUS (NPS) server with local fallback; accounting for exec sessions and system events
aaa new-model
radius-server host {{ ip }} key {{ key }}

aaa group server radius NPS_Server
 server {{ ip }}

aaa authentication login nps group NPS_Server local
aaa authorization exec nps group NPS_Server local
aaa accounting exec default start-stop group NPS_Server
aaa accounting system default start-stop group NPS_Server
```
```
! Login banner; the caret is the delimiter and must close the banner text
banner login ^UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access
or configure this device. Unauthorized attempts and
actions to access or use this system may result
in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.^
```
```
! Configuration archive: keep 5 copies on flash, archive on every write,
! and log configuration changes to syslog with passwords hidden.
! "path" must be set before "maximum"; "path", "maximum" and "write-memory"
! are archive-mode commands, the rest belong to the "log config" sub-mode.
mkdir flash:/archived_config/
archive
 path flash:/archived_config/
 maximum 5
 write-memory
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
```
```
! Console and VTY hardening: idle timeouts, SSH only, inbound ACL, RADIUS/NPS login
line con 0
 session-timeout 5
 exec-timeout 5 0
 transport preferred none
line vty 0 4
 session-timeout 5
 access-class ssh_in in
 exec-timeout 5 0
 login authentication nps
 authorization exec nps
 logging synchronous
 transport preferred none
 transport input ssh
 transport output none
line vty 5 15
 session-timeout 5
 access-class ssh_in in
 exec-timeout 5 0
 login authentication nps
 authorization exec nps
 logging synchronous
 transport preferred none
 transport input ssh
 transport output none
```
```
! Disable the HTTP and HTTPS management servers
no ip http server
no ip http secure-server
```
```
! Domain name (required for RSA key generation) and no DNS lookups from the CLI
ip domain-name {{ config['domain'] }}
no ip domain-lookup
```
```
! Auto-recover ports err-disabled by BPDU guard after 20 minutes
errdisable recovery cause bpduguard
errdisable recovery interval 1200
```
```
hostname {{ hostname }}
```
```
ntp server {{ server }} source {{ ntpSource }}
```
```
! Restrict NTP peering to the listed source and keep the clock in UTC
access-list 15 permit {{ ip }}
ntp access-group peer 15
clock timezone UTC 0
```
```
! SNMPv3 only (auth SHA, priv AES-256), read-only view, polling restricted by ACL 99
snmp-server user {{ snmpUser }} {{ snmpGroup }} v3 auth sha {{ snmpAuth }} priv aes 256 {{ snmpPriv }}
access-list 99 permit {{ ip }}
snmp-server group sGroup v3 priv read RESTRICTED access 99
snmp-server group sGroup v3 priv context vlan- match prefix access 99
snmp-server view RESTRICTED iso included
snmp-server view RESTRICTED internet included
```
```
! SSH host key and SSHv2 only
crypto key generate rsa modulus 4096
ip ssh version 2
```
```
! Remote syslog, messages tagged with the device hostname
logging origin-id hostname
logging host {{ host }}
```
```
vtp mode {{ vtp }}
```
```
! Access ports: fixed access mode, no DTP, PortFast with BPDU guard, CDP off
interface range {{ type }} {{ slotNumber }}/1 - {{ ports }}
 switchport mode access
 switchport access vlan {{ vlan }}
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
```
```
! Uplink port-channel: 802.1Q trunk with an explicit allowed-VLAN list, no DTP
interface Port-channel1
 description Connection to Core
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan {{ allowedVlans }}
 switchport mode trunk
 switchport nonegotiate
```
```
! Port-channel member ports: trunk settings must match Port-channel1;
! trusted for DHCP snooping, loop guard enabled (interface form is "spanning-tree guard loop")
interface range {{ type }} {{ slotNumber }}/1 - {{ ports }}
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan {{ allowedVlans }}
 switchport nonegotiate
 channel-group 1 mode active
 ip dhcp snooping trust
 spanning-tree guard loop
 cdp enable
```
```
! Management SVI; IOS requires a subnet mask with the address
interface vlan {{ id }}
 ip address {{ ip }} {{ mask }}
```
```
! eBGP neighbor with TTL security, MD5 password and prefix-list filtering.
! Session parameters (remote-as, ttl-security, password) belong in router
! configuration mode; per-AF policy and activation go under the address family.
router bgp {{ local_asn }}
 bgp log-neighbor-changes
 no synchronization
 no auto-summary
 neighbor {{ ip }} remote-as {{ asn }}
 neighbor {{ ip }} ttl-security hops 1
 neighbor {{ ip }} disable-connected-check
 neighbor {{ ip }} password {{ password }}
 address-family ipv4 unicast
  neighbor {{ ip }} route-map {{ map_out }} out
  neighbor {{ ip }} route-map {{ map_in }} in
  neighbor {{ ip }} activate
  network {{ ip }} mask {{ mask }}
 exit-address-family

route-map {{ name }} {{ action }} {{ order }}
 match ip address prefix-list {{ pre }}

ip prefix-list {{ name }} seq {{ order }} {{ action }} {{ range }}
```
```
! Layer-2 switch (no ip routing)
ip default-gateway {{ gateway }}
```
```
! Layer-3 device: static default route
ip route 0.0.0.0 0.0.0.0 {{ defaultGW }}
```
```
! Management ACL applied to the VTY lines: SSH from the management range only, log everything else
ip access-list extended ssh_in
 permit tcp {{ ip }} {{ mask }} any eq 22
 deny ip any any log
```
```
! IP device tracking probes sourced from the SVI, with a fallback source
! (all three are "ip device tracking" commands)
ip device tracking probe use-svi
ip device tracking probe delay 10
ip device tracking probe auto-source fallback 0.0.0.1 255.255.255.0 override
```
```
! DHCP snooping on the listed VLAN; only the uplink toward the DHCP server is trusted
ip dhcp snooping
no ip dhcp snooping information option
ip dhcp snooping vlan {{ id }}

interface {{ int }}
 ip dhcp snooping trust
```
```
! IKEv2 site-to-site IPsec tunnel (ASA syntax) between LOCAL-TRAFFIC and REMOTE-TRAFFIC
object-group network REMOTE-TRAFFIC
 network-object {{ ip }} {{ subnet }}

object-group network LOCAL-TRAFFIC
 network-object {{ ip }} {{ subnet }}

access-list CORP_TUNNEL extended permit ip object-group LOCAL-TRAFFIC object-group REMOTE-TRAFFIC

crypto ikev2 enable extern
crypto ikev2 policy 15
 encryption aes-256
 integrity sha256
 group 14
 prf sha
 lifetime seconds 86400

crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-256

tunnel-group {{ local_tunnel }} type ipsec-l2l
tunnel-group {{ local_tunnel }} ipsec-attributes
 ikev2 remote-authentication pre-shared-key {{ remote_pass }}
 ikev2 local-authentication pre-shared-key {{ local_pass }}
crypto map CRYPTOMAP 100 match address CORP_TUNNEL
crypto map CRYPTOMAP 100 set peer {{ local_tunnel }}
crypto map CRYPTOMAP 100 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
crypto map CRYPTOMAP interface extern
crypto isakmp identity address
```
```
! Spanning-tree mode and bridge priority for all VLANs
spanning-tree mode {{ mode }}
spanning-tree vlan 1-4094 priority {{ priority }}
```