! ============================================================
! VantagePoint Networks — Cisco ISR 4431 WAN Edge Router
! Hardened Baseline · CIS Level 1 Compliant
! IOS-XE 17.x
! ============================================================
! DEPLOYMENT NOTES:
! 1. Replace all placeholders with your site values
! 2. Update BGP ASN and ISP peering details
! 3. Review crypto/VPN config for your tunnel requirements
! 4. Test failover before going live
! ============================================================
!
! --- Global Settings ---
hostname WAN-RTR-01
!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service pad
no service finger
no service udp-small-servers
no service tcp-small-servers
no service config
!
! --- Security Banner ---
banner login ^C
===============================================================
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
All activities are monitored and logged.
===============================================================
^C
!
! --- Clock & NTP ---
clock timezone UTC 0
ntp server prefer
ntp server
ntp authenticate
ntp authentication-key 1 md5
ntp trusted-key 1
!
! --- AAA Configuration ---
aaa new-model
aaa authentication login default local
aaa authentication login CONSOLE local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local
aaa authorization commands 15 default local
aaa session-id common
!
! --- Local Users ---
username privilege 15 algorithm-type scrypt secret
username privilege 1 algorithm-type scrypt secret
!
! --- Password Policy ---
security passwords min-length 12
login block-for 120 attempts 3 within 60
!
! --- Console & VTY ---
line console 0
 login authentication CONSOLE
 exec-timeout 5 0
 logging synchronous
 transport input none
!
line vty 0 4
 login authentication default
 exec-timeout 10 0
 transport input ssh
 transport output none
 access-class VTY-ACL in
!
! --- SSH ---
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh dh min size 2048
crypto key generate rsa modulus 4096
!
! --- Disable Unnecessary Services ---
no ip http server
no ip http secure-server
no ip source-route
no ip gratuitous-arps
no cdp run
no ip bootp server
no service dhcp
!
! --- DNS & Domain ---
ip domain-name
ip name-server
ip name-server
no ip domain-lookup
!
! --- IP CEF ---
ip cef
ip routing
ip tcp synwait-time 10
ip tcp path-mtu-discovery
!
! --- Logging ---
logging buffered 64000 informational
logging console critical
logging trap informational
logging source-interface Loopback0
logging host
logging host
!
! --- SNMP v3 ---
no snmp-server community public
no snmp-server community private
snmp-server group SNMPV3-RO v3 priv read SNMPV3-VIEW
snmp-server user SNMPV3-RO v3 auth sha priv aes 256
snmp-server view SNMPV3-VIEW iso included
snmp-server host version 3 priv
snmp-server enable traps
!
! --- ACLs ---
ip access-list standard VTY-ACL
 10 permit
 20 deny any log
!
ip access-list extended WAN-INBOUND
 9 remark --- Allow established return traffic ---
 10 permit tcp any any established
 19 remark --- Allow ICMP types for path MTU ---
 20 permit icmp any any packet-too-big
 25 permit icmp any any echo-reply
 26 permit icmp any any time-exceeded
 27 permit icmp any any unreachable
 29 remark --- Allow BGP from ISP peer ---
 30 permit tcp host host eq bgp
 31 permit tcp host eq bgp host
 39 remark --- Allow IPsec VPN ---
 40 permit esp any any
 41 permit udp any any eq isakmp
 42 permit udp any any eq non500-isakmp
 49 remark --- Allow NTP from known sources ---
 50 permit udp host any eq 123
 51 permit udp host any eq 123
 89 remark --- Deny and log everything else ---
 90 deny ip any any log
!
ip access-list extended WAN-OUTBOUND
 9 remark --- Block RFC1918 leaving WAN ---
 10 deny ip 10.0.0.0 0.255.255.255 any
 11 deny ip 172.16.0.0 0.15.255.255 any
 12 deny ip 192.168.0.0 0.0.255.255 any
 19 remark --- Block bogon sources ---
 20 deny ip 0.0.0.0 0.255.255.255 any
 21 deny ip 127.0.0.0 0.255.255.255 any
 30 permit ip any any
!
! --- Loopback (Router-ID & Mgmt source) ---
interface Loopback0
 description == ROUTER-ID / MGMT SOURCE ==
 ip address 255.255.255.255
 no shutdown
!
! --- WAN Interface (ISP-facing) ---
interface GigabitEthernet0/0/0
 description == WAN UPLINK TO ISP ==
 ip address
 ip access-group WAN-INBOUND in
 ip access-group WAN-OUTBOUND out
 ip verify unicast source reachable-via rx
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no cdp enable
 no mop enabled
 no mop sysid
 negotiation auto
 no shutdown
!
! --- WAN Interface 2 (Secondary ISP / backup) ---
interface GigabitEthernet0/0/1
 description == WAN BACKUP TO ISP2 ==
 ip address
 ip verify unicast source reachable-via rx
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no cdp enable
 no shutdown
!
! --- LAN Interface (to Core Switch) ---
interface GigabitEthernet0/0/2
 description == LAN LINK TO CORE-SW-01 ==
 ip address
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no shutdown
!
! --- LAN Interface 2 (to Core Switch 2) ---
interface GigabitEthernet0/0/3
 description == LAN LINK TO CORE-SW-02 ==
 ip address
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no shutdown
!
! --- OSPF (Internal Routing) ---
router ospf 1
 router-id
 passive-interface default
 no passive-interface GigabitEthernet0/0/2
 no passive-interface GigabitEthernet0/0/3
 network 0.0.0.0 area 0
 network area 0
 network area 0
 default-information originate always metric 10
 area 0 authentication message-digest
 auto-cost reference-bandwidth 10000
!
! --- BGP (ISP Peering) ---
router bgp
 bgp router-id
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 !
 ! Primary ISP
 neighbor remote-as
 neighbor description PRIMARY-ISP
 neighbor password
 neighbor timers 30 90
 neighbor fall-over
 !
 ! Secondary ISP (if applicable)
 ! neighbor remote-as
 ! neighbor description BACKUP-ISP
 ! neighbor password
 !
 address-family ipv4 unicast
  neighbor activate
  neighbor route-map ISP1-IN in
  neighbor route-map ISP1-OUT out
  neighbor prefix-list DENY-BOGONS in
  neighbor maximum-prefix 500000 80 restart 15
  network mask
  !
  ! Redistribute connected with route-map
  ! redistribute connected route-map CONNECTED-TO-BGP
 exit-address-family
!
! --- Route Maps ---
route-map ISP1-IN permit 10
 set local-preference 200
!
route-map ISP1-OUT permit 10
 match ip address prefix-list OUR-PREFIXES
!
! --- Prefix Lists ---
ip prefix-list OUR-PREFIXES seq 10 permit /
!
ip prefix-list DENY-BOGONS seq 10 deny 0.0.0.0/8 le 32
ip prefix-list DENY-BOGONS seq 20 deny 10.0.0.0/8 le 32
ip prefix-list DENY-BOGONS seq 30 deny 100.64.0.0/10 le 32
ip prefix-list DENY-BOGONS seq 40 deny 127.0.0.0/8 le 32
ip prefix-list DENY-BOGONS seq 50 deny 169.254.0.0/16 le 32
ip prefix-list DENY-BOGONS seq 60 deny 172.16.0.0/12 le 32
ip prefix-list DENY-BOGONS seq 70 deny 192.0.2.0/24 le 32
ip prefix-list DENY-BOGONS seq 80 deny 192.168.0.0/16 le 32
ip prefix-list DENY-BOGONS seq 90 deny 198.18.0.0/15 le 32
ip prefix-list DENY-BOGONS seq 100 deny 198.51.100.0/24 le 32
ip prefix-list DENY-BOGONS seq 110 deny 203.0.113.0/24 le 32
ip prefix-list DENY-BOGONS seq 120 deny 224.0.0.0/3 le 32
ip prefix-list DENY-BOGONS seq 999 permit 0.0.0.0/0 le 24
!
! --- Site-to-Site VPN (IKEv2 template) ---
! crypto ikev2 proposal IKEV2-PROPOSAL
!  encryption aes-cbc-256
!  integrity sha512
!  group 20
! !
! crypto ikev2 policy IKEV2-POLICY
!  proposal IKEV2-PROPOSAL
! !
! crypto ikev2 keyring SITE-B-KEYRING
!  peer SITE-B
!   address
!   pre-shared-key
! !
! crypto ikev2 profile SITE-B-PROFILE
!  match identity remote address 255.255.255.255
!  authentication remote pre-share
!  authentication local pre-share
!  keyring local SITE-B-KEYRING
! !
! crypto ipsec transform-set AES256-SHA512 esp-aes 256 esp-sha512-hmac
!  mode tunnel
! !
! crypto map VPN-MAP 10 ipsec-isakmp
!  set peer
!  set transform-set AES256-SHA512
!  set ikev2-profile SITE-B-PROFILE
!  match address VPN-TRAFFIC-SITE-B
! !
! ip access-list extended VPN-TRAFFIC-SITE-B
!  permit ip
!
! --- IP SLA (ISP Health Check) ---
ip sla 1
 icmp-echo source-interface GigabitEthernet0/0/0
 frequency 10
 timeout 3000
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Floating static route as BGP backup
ip route 0.0.0.0 0.0.0.0 track 1
ip route 0.0.0.0 0.0.0.0 250
!
! --- Control Plane Policing ---
ip access-list extended COPP-CRITICAL
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
 permit pim any any
!
ip access-list extended COPP-IMPORTANT
 permit tcp any any eq 22
 permit udp any any eq 161
 permit udp any eq 123 any
!
ip access-list extended COPP-NORMAL
 permit icmp any any echo
 permit icmp any any echo-reply
 permit udp any any eq 53
!
class-map match-all COPP-CRITICAL-CLASS
 match access-group name COPP-CRITICAL
class-map match-all COPP-IMPORTANT-CLASS
 match access-group name COPP-IMPORTANT
class-map match-all COPP-NORMAL-CLASS
 match access-group name COPP-NORMAL
!
policy-map COPP-POLICY
 class COPP-CRITICAL-CLASS
  police rate 5000 pps burst 5000 packets conform-action transmit exceed-action transmit
 class COPP-IMPORTANT-CLASS
  police rate 2000 pps burst 2000 packets conform-action transmit exceed-action drop
 class COPP-NORMAL-CLASS
  police rate 500 pps burst 500 packets conform-action transmit exceed-action drop
 class class-default
  police rate 200 pps burst 200 packets conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
! --- Archive ---
archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
  hidekeys
!
! --- Aliases ---
alias exec sir show ip route
alias exec sib show ip interface brief
alias exec sbgp show ip bgp summary
alias exec sospf show ip ospf neighbor
!
! ============================================================
! END OF CONFIGURATION
! VantagePoint Networks · vantagepointnetworks.com
! ============================================================
end