Internet works — sometimes. SSH is open to the world. No logs. NTP not configured, so timestamps are meaningless. When an incident happens, investigation is impossible.
This is the typical state of edge routers. Nobody configures them properly from day one, and technical debt accumulates until a breach forces action.
Here’s the baseline every IOS-XE edge router needs.
Secure Management Plane
AAA Configuration
Always configure AAA, even for local authentication:
! Enable AAA
aaa new-model

! Local authentication fallback
aaa authentication login default local
aaa authentication login CONSOLE local
aaa authorization console
aaa authorization exec default local

! Create local admin user with privilege 15
username admin privilege 15 algorithm-type scrypt secret <strong-password>

! Alternative: TACACS+ with local fallback
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+

tacacs server PRIMARY
 address ipv4 10.0.1.100
 key 7 <encrypted-key>
 timeout 3
tacacs server SECONDARY
 address ipv4 10.0.1.101
 key 7 <encrypted-key>
 timeout 3

aaa group server tacacs+ TACACS-SERVERS
 server name PRIMARY
 server name SECONDARY

SSH Hardening
Disable telnet. Configure SSH properly:
! Generate RSA key (2048 minimum, 4096 preferred)
crypto key generate rsa modulus 4096 label SSH-KEY

! SSH version 2 only
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3

! Disable weak algorithms
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512

! VTY configuration
line vty 0 15
 login authentication default
 transport input ssh
 transport output ssh
 exec-timeout 15 0
 logging synchronous
 access-class VTY-ACCESS in

! Console
line con 0
 login authentication CONSOLE
 exec-timeout 15 0
 logging synchronous

VTY Access Control
Restrict who can SSH:
! ACL for management access
ip access-list extended VTY-ACCESS
 10 permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
 20 permit tcp 192.168.1.0 0.0.0.255 any eq 22 log
 30 deny ip any any log
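Before applying a management ACL it is worth checking, offline, exactly which sources it will admit and which it will log. The following is an added example in Python, not code from the post: a small evaluator for the extended-ACL semantics used here (wildcard masks, first match wins, implicit deny at the end, the `established` keyword and `log`). It parses VTY-ACCESS exactly as written above, plus the two INBOUND lists from "Mistake 1" under Common Mistakes below, so the return-traffic problem described there can be reproduced on paper. The router address 10.0.1.1, the client addresses and the HTTP reply packet are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not code from the post: an evaluator for the extended-ACL semantics
# used above (wildcard masks, first match wins, implicit deny, "established", "log").
PORT_NAMES = {"ssh": 22, "www": 80, "snmp": 161}   # the port names this page uses

@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp", "udp", "icmp"
    src: str                   # "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W"
    dst: str
    dst_port: Optional[int]    # "eq <port>" on the destination, if present
    established: bool          # TCP "established": only matches if ACK or RST is set
    log: bool

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    ack: bool = False          # ACK (or RST) bit; set on every TCP segment after the SYN

def _take_addr(tok: List[str]) -> str:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    first = tok.pop(0)
    if first == "any":
        return "any"
    return f"{first} {tok.pop(0)}"          # "host X" or "network wildcard"

def parse_acl(text: str) -> List[Entry]:
    """Parse the entry lines of an IOS extended ACL (sequence numbers optional)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!") or tok[0] == "ip":
            continue                        # comment or the "ip access-list" header
        if tok[0].isdigit():
            tok.pop(0)                      # sequence number
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _take_addr(tok), _take_addr(tok)
        port, established, log = None, False, False
        while tok:
            kw = tok.pop(0)
            if kw == "eq":
                name = tok.pop(0)
                port = PORT_NAMES.get(name) or int(name)
            elif kw == "established":
                established = True
            elif kw == "log":
                log = True
        entries.append(Entry(action, proto, src, dst, port, established, log))
    return entries

def addr_matches(spec: str, addr: str) -> bool:
    """IOS wildcard mask: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    a, b = spec.split()
    if a == "host":
        return addr == b
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(b))      # invert the wildcard
    return (int(ipaddress.IPv4Address(a)) & care) == (int(ipaddress.IPv4Address(addr)) & care)

def evaluate(acl: List[Entry], pkt: Packet, log: List[str]) -> str:
    """First matching entry decides; no match is the implicit deny, which is never logged."""
    for e in acl:
        if (e.proto not in ("ip", pkt.proto)
                or not addr_matches(e.src, pkt.src) or not addr_matches(e.dst, pkt.dst)
                or (e.dst_port is not None and pkt.dst_port != e.dst_port)
                or (e.established and not pkt.ack)):
            continue
        if e.log:   # simplified record; a router emits %SEC-6-IPACCESSLOGP for this
            log.append(f"{e.action} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dst_port}")
        return e.action
    return "deny"

# The management ACL from this section and the INBOUND variants from "Mistake 1" below.
VTY_ACCESS = parse_acl("""
ip access-list extended VTY-ACCESS
 10 permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
 20 permit tcp 192.168.1.0 0.0.0.255 any eq 22 log
 30 deny ip any any log
""")
INBOUND_WRONG = parse_acl("permit tcp any any eq 80\ndeny ip any any")
INBOUND_FIXED = parse_acl("permit tcp any any established\npermit tcp any any eq 80\ndeny ip any any log")

def vty_decision(source_ip: str, log: Optional[List[str]] = None) -> str:
    """Does 'access-class VTY-ACCESS in' admit a new SSH connection from source_ip?"""
    syn = Packet("tcp", source_ip, "10.0.1.1", dst_port=22)   # 10.0.1.1 = router, constructed
    return evaluate(VTY_ACCESS, syn, log if log is not None else [])

def return_traffic() -> Tuple[str, str]:
    """HTTP reply from an outside server (src port 80, random dst port, ACK set): wrong vs fixed."""
    reply = Packet("tcp", "203.0.113.5", "192.168.1.20", dst_port=51234, ack=True)
    return evaluate(INBOUND_WRONG, reply, []), evaluate(INBOUND_FIXED, reply, [])
```

`vty_decision("192.168.2.7")` hits entry 30 and is denied with a log record, while `return_traffic()` returns `("deny", "permit")`: the original INBOUND list drops the reply because its destination port is not 80, and the `established` entry admits it. Note what `established` actually tests: only the ACK/RST flag bits of the segment, not connection state, so a crafted segment with ACK set would also pass; genuinely stateful filtering needs a zone-based firewall or reflexive ACLs, as the post says.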
! Apply to VTY lines
line vty 0 15
 access-class VTY-ACCESS in

SNMPv3
If you need SNMP, use v3 with authentication and encryption:
! Disable SNMP v1/v2c
no snmp-server community public
no snmp-server community private

! SNMPv3 configuration
snmp-server group MONITORING v3 priv
snmp-server user monitor MONITORING v3 auth sha <auth-password> priv aes 256 <priv-password>

! Restrict SNMP source
snmp-server host 10.0.1.50 version 3 priv monitor

! ACL to restrict SNMP (apply to interface or use control-plane)
ip access-list extended SNMP-ACCESS
 permit udp host 10.0.1.50 any eq snmp
 deny udp any any eq snmp log

IP SLA for Real Failover
The Problem with Link State
Interface up ≠ Internet works. Your uplink can be “up” while the ISP has internal issues.
! Interface is UP
Router#show ip interface brief
GigabitEthernet0/0/0   203.0.113.2   YES NVRAM  up   up

! But Internet is unreachable
Router#ping 8.8.8.8
.....
Success rate is 0 percent (0/5)

IP SLA Configuration
Track actual reachability, not just link state:
! ICMP echo to reliable target
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
 frequency 10
 threshold 1000
 timeout 2000
ip sla schedule 1 life forever start-time now

ip sla 2
 icmp-echo 1.1.1.1 source-interface GigabitEthernet0/0/0
 frequency 10
 threshold 1000
 timeout 2000
ip sla schedule 2 life forever start-time now

! Track SLA results
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability

! Track both (require both to be up)
track 10 list boolean and
 object 1
 object 2

! Or track either (failover if both fail)
track 20 list boolean or
 object 1
 object 2

Static Route with Tracking
! Primary default route (tracked)
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 203.0.113.1 10 track 10

! Backup default route (higher administrative distance, installed only when the primary is withdrawn)
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 198.51.100.1 20

When track 10 goes down, the primary route is withdrawn from the routing table and the backup route takes over.
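The pieces above interact in a way that is easy to get wrong: the SLA return code decides whether a probe counts as reachable, the track list combines the objects, and the administrative distances decide which default route is installed. The following is an added example in Python, not code from the post, that models exactly that decision chain for the two probes, the `boolean and` / `boolean or` lists and the two static routes configured above. The probe history at the bottom is a constructed sequence of round-trip times; `None` stands for a probe that got no reply within the timeout.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not from the post: the decision logic the router applies with the
# SLA probes, track objects and static routes configured above.
THRESHOLD_MS = 1000     # "threshold 1000" from the ip sla entries
TIMEOUT_MS = 2000       # "timeout 2000"

def return_code(rtt_ms: Optional[float]) -> str:
    """IP SLA return code for one icmp-echo probe; None means no reply within the timeout."""
    if rtt_ms is None or rtt_ms >= TIMEOUT_MS:
        return "Timeout"
    return "OK" if rtt_ms <= THRESHOLD_MS else "OverThreshold"

def reachable(rtt_ms: Optional[float]) -> bool:
    """'track N ip sla N reachability' is Up on OK and on OverThreshold; only a Timeout
    takes it Down. (Tracking '... state' instead would also go Down on OverThreshold.)"""
    return return_code(rtt_ms) in ("OK", "OverThreshold")

def track_states(sla_up: Dict[int, bool]) -> Dict[int, bool]:
    """Objects 1 and 2 follow SLA 1 and 2; 10 is 'list boolean and', 20 is 'list boolean or'."""
    states = {1: sla_up[1], 2: sla_up[2]}
    states[10] = states[1] and states[2]
    states[20] = states[1] or states[2]
    return states

def installed_default(sla_up: Dict[int, bool], primary_track: int = 10) -> str:
    """Next hop of the installed default route: the lowest administrative distance among
    routes whose track object is Up. The backup (AD 20) has no track and is always eligible."""
    states = track_states(sla_up)
    routes = [("203.0.113.1", 10, primary_track),   # Gi0/0/0, "ip route ... 10 track <obj>"
              ("198.51.100.1", 20, None)]           # Gi0/0/1, "ip route ... 20"
    eligible = [(ad, nh) for nh, ad, trk in routes if trk is None or states[trk]]
    return min(eligible)[1]

def simulate(probes: List[Tuple[Optional[float], Optional[float]]],
             primary_track: int = 10) -> List[str]:
    """Installed next hop after each probe interval, given (SLA 1 RTT, SLA 2 RTT) pairs."""
    return [installed_default({1: reachable(r1), 2: reachable(r2)}, primary_track)
            for r1, r2 in probes]

if __name__ == "__main__":
    # Constructed probe history: both fine, 8.8.8.8 times out, then 1.1.1.1 slow but
    # answering while 8.8.8.8 still times out, then both recovered.
    history = [(12, 11), (None, 13), (None, 1500), (14, 15)]
    print("primary tracked by 10 (AND):", simulate(history, 10))
    print("primary tracked by 20 (OR): ", simulate(history, 20))
```

With the primary route tied to track 10, a single target timing out is enough to fail over, and a target that answers slowly (over threshold) still counts as reachable; with track 20 the router keeps the primary until both targets time out. Real deployments usually also add `delay up`/`delay down` under the track object so a single lost probe does not flap the default route; the post does not configure that, and the model above does not either.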
Verify SLA Status
Router#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
        Latest RTT: 12 milliseconds
Latest operation start time: 10:30:15 UTC Thu Mar 13 2026
Latest operation return code: OK
Number of successes: 1000
Number of failures: 2

Router#show track
Track 1
  IP SLA 1 reachability
  Reachability is Up
    1 change, last change 00:15:32
  Latest operation return code: OK
  Latest RTT (millisecs) 12
Track 10
  List boolean and
  Boolean AND is Up
    1 change, last change 00:15:32
    object 1 Up
    object 2 Up

Logging Configuration
Timestamps and Buffered Logging
! Enable timestamps on all logs
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone

! Buffered logging (local storage)
logging buffered 1000000 informational
logging buffered xml

! Console logging (limit to critical)
logging console critical

! Monitor logging (terminal)
logging monitor informational

Syslog Configuration

! Remote syslog servers
logging host 10.0.1.50 transport udp port 514
logging host 10.0.1.51 transport tcp port 514

! Logging source interface
logging source-interface Loopback0

! Facility
logging facility local6

! Log level
logging trap informational

Archive Logging

Capture configuration changes:

! Archive configuration
archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
  hidekeys

! View config changes
Router#show archive log config all

NTP Configuration
Without accurate time, logs are useless for incident response:
! NTP servers
ntp server 10.0.1.10 prefer
ntp server 10.0.1.11

! Or public NTP (less ideal)
ntp server 0.pool.ntp.org
ntp server 1.pool.ntp.org

! NTP authentication (optional but recommended)
ntp authenticate
ntp authentication-key 1 md5 <key>
ntp trusted-key 1
ntp server 10.0.1.10 key 1

! Timezone
clock timezone UTC 0
! or
clock timezone EST -5
clock summer-time EDT recurring
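The logging and NTP settings above only pay off if the exported logs are actually read the way an investigator reads them. The following is an added example in Python, not code from the post: a parser for IOS syslog lines in the format produced by `service timestamps log datetime msec localtime show-timezone`. It flags lines whose timestamp the router itself marked as untrustworthy (a leading `*` means the clock was never synchronized, a leading `.` means NTP synchronization was lost), totals the packets dropped by each logged ACL entry, and lists the configuration commands reported by `archive log config ... notify syslog`. The five sample lines are constructed for this example, not a real capture; the message formats (`%SEC-6-IPACCESSLOGP`, `%PARSER-5-CFGLOG_LOGGEDCMD`, `%SYS-5-CONFIG_I`) are the ones IOS uses.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not from the post: parse IOS syslog lines and extract the three things
# an investigator needs first: clock trustworthiness, ACL drops, configuration changes.

# Leading "*": time not authoritative (clock never synchronized).
# Leading ".": clock was synchronized once, but NTP sync has since been lost.
LINE_RE = re.compile(
    r"^(?P<flag>[*.]?)(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3} \S+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$")
ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet")
CFG_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")

@dataclass
class Event:
    clock: str          # "synced", "never-synced" or "sync-lost"
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    message: str

def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line)
    if not m:
        return None
    clock = {"*": "never-synced", ".": "sync-lost"}.get(m["flag"], "synced")
    return Event(clock, m["ts"], m["facility"], int(m["severity"]), m["mnemonic"], m["msg"])

def parse_log(lines: List[str]) -> List[Event]:
    return [e for e in (parse_line(line) for line in lines) if e is not None]

def clock_warnings(events: List[Event]) -> List[str]:
    """Timestamps that cannot be correlated with other systems' logs."""
    return [f"{e.timestamp}: clock {e.clock}" for e in events if e.clock != "synced"]

def acl_denies(events: List[Event]) -> Counter:
    """Dropped packets per (ACL name, source address). Only entries with 'log' produce these."""
    hits: Counter = Counter()
    for e in events:
        m = ACL_RE.search(e.message) if e.mnemonic == "IPACCESSLOGP" else None
        if m and m["action"] == "denied":
            hits[(m["acl"], m["src"])] += int(m["count"])
    return hits

def config_changes(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(timestamp, user, command) from 'archive log config ... notify syslog' messages."""
    out = []
    for e in events:
        m = CFG_RE.match(e.message) if e.mnemonic == "CFGLOG_LOGGEDCMD" else None
        if m:
            out.append((e.timestamp, m["user"], m["cmd"].strip()))
    return out

# Constructed sample in the format of 'show logging' on IOS-XE (not a real capture).
SAMPLE_LOG = [
    "*Mar 13 10:30:15.123 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Mar 13 10:31:02.004 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:ip access-list extended VTY-ACCESS",
    "Mar 13 10:31:40.250 UTC: %SEC-6-IPACCESSLOGP: list VTY-ACCESS denied tcp 203.0.113.9(51234) -> 10.0.1.1(22), 1 packet",
    "Mar 13 10:32:10.777 UTC: %SEC-6-IPACCESSLOGP: list VTY-ACCESS permitted tcp 10.20.30.40(40022) -> 10.0.1.1(22), 1 packet",
    ".Mar 13 10:35:00.000 UTC: %SEC-6-IPACCESSLOGP: list VTY-ACCESS denied tcp 203.0.113.9(51235) -> 10.0.1.1(22), 3 packets",
]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("clock warnings:", clock_warnings(events))
    print("denies:", dict(acl_denies(events)))
    print("config changes:", config_changes(events))
```

Two caveats when reading the counts: IOS logs the first packet matching a `log` entry immediately and then emits a summary roughly every five minutes, so the packet count at the end of a line is the router's summary, not one line per packet; and the `*` marker is the only in-band evidence that the "10:30:15" on the first line means nothing, which is exactly the situation the NTP section is there to prevent.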
! Verify
Router#show ntp status
Clock is synchronized, stratum 3, reference is 10.0.1.10

Common Mistakes
Mistake 1: ACL Applied Wrong Direction
! WRONG: ACL blocking return traffic
interface GigabitEthernet0/0/0
 ip access-group INBOUND in    ! This blocks return traffic!

! The ACL:
ip access-list extended INBOUND
 permit tcp any any eq 80
 deny ip any any

! Traffic flows: Inside → Outside (port 80)
! Return traffic: Outside → Inside (source port 80, dest port random)
! ACL blocks the return because dest port isn't 80!

Fix: Use reflexive ACLs or proper stateful inspection:

! Better approach: permit established
ip access-list extended INBOUND
 permit tcp any any established
 permit tcp any any eq 80
 deny ip any any log

Mistake 2: SLA Checks Wrong Target
! WRONG: Checking ISP's gateway only
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0/0    ! ISP gateway

! ISP gateway is up, but their upstream is down
! Your router thinks everything is fine

Fix: Check destinations beyond the ISP's network:

! Better: Check real Internet destinations
ip sla 1
 icmp-echo 8.8.8.8    ! Google DNS
ip sla 2
 icmp-echo 1.1.1.1    ! Cloudflare DNS

Mistake 3: NAT + ACL Ordering
NAT changes addresses. ACL evaluation order matters:
! Inbound traffic:
! 1. ACL on interface (original destination IP)
! 2. NAT translation (changes destination)
! 3. Routing (uses NAT'd address)

! Outbound traffic:
! 1. Routing decision
! 2. NAT translation (changes source)
! 3. ACL on interface (NAT'd source IP!)

Fix: Understand where your ACL is evaluated:

! Inbound ACL - matches ORIGINAL destination
interface GigabitEthernet0/0/0
 ip nat outside
 ip access-group OUTSIDE-IN in

! ACL matches the public IP, before NAT translation
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443    ! Public IP

Mistake 4: Forgetting logging on deny
! WRONG: Silent drops
ip access-list extended BLOCK-BAD
 deny ip 10.0.0.0 0.255.255.255 any
 permit ip any any

! Can't tell what's being blocked

Fix: Always log deny actions:

! Better: Log blocked traffic
ip access-list extended BLOCK-BAD
 deny ip 10.0.0.0 0.255.255.255 any log
 permit ip any any

Complete Edge Baseline
Putting it all together:
! === MANAGEMENT ===
aaa new-model
aaa authentication login default local
aaa authorization exec default local

username admin privilege 15 algorithm-type scrypt secret <password>

! RSA key must exist before SSH can be enabled
crypto key generate rsa modulus 4096 label SSH-KEY
ip ssh version 2
ip ssh time-out 60

line vty 0 15
 login authentication default
 transport input ssh
 exec-timeout 15 0
 access-class VTY-ACCESS in

ip access-list extended VTY-ACCESS
 permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
 deny ip any any log

! === TIME ===
clock timezone UTC 0
ntp server 10.0.1.10 prefer
ntp server 10.0.1.11

! === LOGGING ===
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging buffered 1000000 informational
logging host 10.0.1.50
logging source-interface Loopback0
logging trap informational

archive
 log config
  logging enable

! === IP SLA ===
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now

ip sla 2
 icmp-echo 1.1.1.1 source-interface GigabitEthernet0/0/0
 frequency 10
ip sla schedule 2 life forever start-time now

! Reachability objects referenced by track 10
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability

track 10 list boolean and
 object 1
 object 2

! === ROUTING ===
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 203.0.113.1 10 track 10
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 198.51.100.1 20

Verification Commands
! AAA status
show aaa sessions
show aaa servers

! SSH sessions
show ssh
show ip ssh

! SLA status
show ip sla statistics
show ip sla configuration
show track
show track brief

! Logging
show logging
show archive log config all

! NTP
show ntp status
show ntp associations

! ACL hits
show access-lists
show ip access-lists VTY-ACCESS

The Lesson
Every edge router needs:
- Secure management — AAA, SSH-only, ACL on VTY
- Real failover — IP SLA tracking actual reachability, not just link state
- Proper logging — timestamps, buffered, syslog, NTP
- Configuration auditing — archive log config
Common mistakes that break production:
- ACL in wrong direction (blocks return traffic)
- SLA checking ISP gateway instead of Internet destinations
- NAT/ACL ordering confusion
- Silent denies without logging
This baseline isn’t optional — it’s the minimum for production. Configure it on day one, not after an incident forces you to investigate with no logs and wrong timestamps.