Routers

Basic Configuration

Initial Setup

> enable
# configure terminal

Set System Clock

# clock set 14:30:00 16 Feb 2026

Format: clock set <HH:MM:SS> <DAY> <MONTH> <YEAR>

Accurate time matters for log correlation and certificate validity checks, so set it before configuring anything that depends on it.
Global Configuration

Disable DNS lookups so that a mistyped command is not sent to DNS as a hostname (which stalls the CLI while the lookup times out):

(config)# no ip domain-lookup

Set the device hostname (recommended to do this first):

(config)# hostname <hostname>

Set the privileged EXEC password and obfuscate the plaintext passwords in the configuration:

(config)# enable secret <password>
(config)# service password-encryption

`enable secret` stores a salted hash. `service password-encryption` only applies the reversible type 7 encoding to plaintext passwords in the configuration (line passwords, for example); it hides them from a casual glance, nothing more. Treat any configuration that contains type 7 strings as containing the passwords.

Management Interface Configuration

Configure an interface for management access:

(config)# interface <interface_name>
(config-if)# ip address <ip> <subnet>
(config-if)# no shutdown
(config-if)# exit

Example:

(config)# interface gigabitEthernet 0/0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit

VTY Line Configuration (Remote Access)

Configure a password for the virtual terminal lines (Telnet/SSH):

(config)# line vty 0 15
(config-line)# password <password>
(config-line)# login
(config-line)# exit

With only a line password the VTY lines accept Telnet, which carries the password and the whole session in cleartext. On anything beyond a lab, restrict the lines to SSH (`transport input ssh`, which also needs a local user with `login local`, an `ip domain-name` and an RSA key pair), add an `exec-timeout`, and apply an `access-class` ACL so that only management hosts can reach the lines.

Save Configuration

(config)# exit
# copy running-config startup-config
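The following is an added example, not code from the original page: it implements the type 7 encoding that `service password-encryption` applies, in Python, to show why it must not be mistaken for protection. The algorithm is a fixed-key XOR that is public knowledge, so anyone who reads a configuration (a backup, a TFTP share, a ticket attachment) recovers the passwords. The running-config excerpt is constructed for the example; the hash after `enable secret 5` is a placeholder. Keep passwords out of configurations where possible (`enable secret`, local users with `secret`, AAA) and treat every type 7 string you find as a leaked credential.

```python
import re

# Fixed key published with every type 7 implementation; the seed (first two digits of the
# string) is just a starting offset into it.
XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Turn a type 7 string ("<2-digit seed><hex pairs>") back into the plaintext password."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 9) -> str:
    """What `service password-encryption` does: XOR with the fixed key, then hex-encode."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    data = plaintext.encode("ascii")
    enc = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


def find_type7_secrets(config: str) -> list[tuple[str, str]]:
    """Scan configuration text for `password 7 ...` / `key 7 ...` and recover each value."""
    pattern = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})")
    return [(m.group(0), type7_decode(m.group(1))) for m in pattern.finditer(config)]


# Constructed running-config excerpt (not from a real device) after `enable secret`
# and `service password-encryption` were entered. The type 5 hash is a placeholder.
SAMPLE_CONFIG = """\
service password-encryption
!
enable secret 5 $1$abcd$PLACEHOLDERHASHVALUE00
!
line vty 0 15
 password 7 094F471A1A0A
 login
"""

if __name__ == "__main__":
    for where, secret in find_type7_secrets(SAMPLE_CONFIG):
        print(f"{where}  ->  {secret!r}")          # the VTY password is recovered instantly
    # the enable secret is a salted hash: the scanner cannot (and should not) reverse it
```

`find_type7_secrets` is the check to run over any configuration export before it is shared or archived; the encoder exists only to show that the two directions are the same operation.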
Enhanced Interior Gateway Routing Protocol (EIGRP)

Modify Interface Bandwidth

EIGRP derives its metric from bandwidth and delay. The `bandwidth` command (in kbit/s) changes the value used in the metric calculation, not the speed of the link:

(config)# interface <interface>
(config-if)# bandwidth <kbps>

Configure EIGRP

> enable
# config t
(config)# router eigrp <AS_number>

The AS (Autonomous System) number must match on all routers in the EIGRP domain.

Advertise Networks

Enable EIGRP on every interface that falls inside a classful network:

(config-router)# network <network_address>

Enable EIGRP only on interfaces inside a specific subnet, using a wildcard mask:

(config-router)# network <network_address> <wildcard_mask>

Example:

(config-router)# network 10.0.0.0
(config-router)# network 192.168.1.0 0.0.0.255

Every interface selected by a `network` statement sends hellos and will form an adjacency with any device on that segment that answers; without neighbour authentication, a host on such a segment can inject routes.

Redistribute Static Routes

Include static routes in EIGRP advertisements:

(config-router)# redistribute static

EIGRP Verification Commands

View the EIGRP topology table:

# show ip eigrp topology

Verify neighbor adjacencies:

# show ip eigrp neighbors

Confirm routing protocol configuration:

# show ip protocols

View the routing table:

# show ip route

Open Shortest Path First (OSPFv2)
Restart OSPF Process

# clear ip ospf process

This drops every adjacency and re-forms it; run it after changing the router ID.

Configure OSPF

(config)# router ospf <process_id>
(config-router)# router-id <router_id>

The process ID is locally significant (it does not need to match other routers). The router ID must be unique within the OSPF domain.

Advertise Networks

(config-router)# network <network_ip> <wildcard_mask> area <area_number>

A multi-area OSPF domain must have an Area 0 (backbone area), and every other area must connect to it.

Example:

(config-router)# network 10.0.0.0 0.255.255.255 area 0
(config-router)# network 192.168.1.0 0.0.0.255 area 1

Advertise Default Route

Advertise this router's default route into OSPF (the router needs a default route in its own routing table for this to take effect):

(config-router)# default-information originate

Adjust OSPF Cost Calculation

Set the reference bandwidth so that cost can distinguish between fast links. Cost is reference bandwidth divided by interface bandwidth, with a minimum of 1; with the default reference of 100 Mbps every link of 100 Mbps or faster gets the same cost of 1:

(config-router)# auto-cost reference-bandwidth <Mbps>

Example:

(config-router)# auto-cost reference-bandwidth 10000

This sets the reference to 10 Gbps. Configure the same value on every router in the domain, otherwise routers compute different costs for the same links.

Configure Passive Interface

Prevent an interface from sending OSPF hello packets (its subnet is still advertised):

(config-router)# passive-interface <interface>

Useful for interfaces with no OSPF neighbors (e.g., user VLANs); it also stops a host on that segment from forming an adjacency and injecting routes.

Set OSPF Priority

Control DR/BDR election by setting the interface priority:

(config)# interface <interface>
(config-if)# ip ospf priority <0-255>

- Priority 0: Router cannot become DR/BDR
- Higher priority: More likely to become DR (the default is 1)

Modify OSPF Timers

Change the hello interval (default is 10 seconds on broadcast and point-to-point networks):

(config-if)# ip ospf hello-interval <seconds>

Example:

(config-if)# ip ospf hello-interval 30

Hello and dead intervals must match on both ends of a link or the adjacency will not form.

Configure Point-to-Point Network

Set the network type to point-to-point (no DR/BDR election):

(config-if)# ip ospf network point-to-point

Redistribute OSPF Routes

Redistribute OSPF routes into EIGRP. This is entered under the EIGRP router process (not on an interface), and EIGRP needs a seed metric or the routes are not installed:

(config)# router eigrp <AS_number>
(config-router)# redistribute ospf <process_id> metric <bandwidth> <delay> <reliability> <load> <MTU>

OSPF Verification Commands

View OSPF-enabled interfaces:

# show ip ospf interface brief

Verify OSPF neighbor adjacencies:

# show ip ospf neighbor

Display OSPF routes in the routing table:

# show ip route ospf

Static Routing
Standard Static Route

Uses a next-hop IP address. The router performs a recursive lookup to find the interface that reaches the next hop, so the next hop must itself be reachable through another route (normally a connected one):

(config)# ip route <target_network> <subnet_mask> <next_hop_ip>

Example:

(config)# ip route 10.0.0.0 255.255.255.0 192.168.1.254

Default Static Route

Gateway of last resort (matches every destination that no more specific route covers):

(config)# ip route 0.0.0.0 0.0.0.0 <next_hop_ip_or_exit_interface>

Example:

(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.1
(config)# ip route 0.0.0.0 0.0.0.0 gigabitEthernet 0/1

Summary Static Route

One route that covers several subnets (here the whole 172.16.0.0/16). Giving an exit interface instead of a next hop makes the route directly connected, so no recursive lookup is needed. On a multi-access interface such as Ethernet this relies on proxy ARP for every destination, so prefer a next-hop address (or next hop plus interface) there; exit-interface-only routes belong on point-to-point links like the serial interface below.

(config)# ip route <target_network> <subnet_mask> <exit_interface>

Example:

(config)# ip route 172.16.0.0 255.255.0.0 serial 0/0/0
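The lookup rules described above, as an added Python example that is not part of the original page: a small routing table with longest-prefix match, the recursive lookup that a next-hop static route needs, an exit-interface (directly connected) summary route, and the default route. The topology is constructed to match this page's examples, with the interface names and the 203.0.113.0/30 link assumed; `Rib.lookup` returns what the router would forward with, or `None` when the packet is dropped because nothing matches or the next hop never resolves to an interface.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: Optional[IPv4Address]   # None for connected / exit-interface routes
    interface: Optional[str]          # None for next-hop-only routes (resolved recursively)


class Rib:
    def __init__(self) -> None:
        self.routes: list[Route] = []

    def connected(self, prefix: str, interface: str) -> None:
        """Route the router installs for an interface with `ip address` and `no shutdown`."""
        self.routes.append(Route(IPv4Network(prefix), None, interface))

    def static(self, network: str, mask: str, via: str) -> None:
        """ip route <network> <mask> <next_hop_ip | exit_interface>"""
        net = IPv4Network(f"{network}/{mask}")
        try:
            self.routes.append(Route(net, IPv4Address(via), None))
        except ValueError:                          # not an address: an exit interface
            self.routes.append(Route(net, None, via))

    def best(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match; the 0.0.0.0/0 default only wins when nothing else matches."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

    def lookup(self, dst: str, max_depth: int = 8) -> Optional[tuple[str, Optional[str]]]:
        """Return (exit interface, adjacent next hop or None), or None if the packet is dropped.
        A next-hop-only route is resolved recursively until a route with an interface is hit."""
        route = self.best(IPv4Address(dst))
        next_hop: Optional[IPv4Address] = None
        for _ in range(max_depth):
            if route is None:
                return None                         # no route, or next hop unreachable: drop
            if route.interface is not None:
                return route.interface, (str(next_hop) if next_hop is not None else None)
            next_hop = route.next_hop
            route = self.best(next_hop)
        return None                                 # next hop only reachable via itself: drop


def build_example_rib() -> Rib:
    """Constructed topology using the static routes shown on this page."""
    rib = Rib()
    rib.connected("192.168.1.0/24", "GigabitEthernet0/0")       # assumed LAN interface
    rib.connected("203.0.113.0/30", "GigabitEthernet0/1")       # assumed link to the ISP
    rib.static("10.0.0.0", "255.255.255.0", "192.168.1.254")    # next-hop form (recursive)
    rib.static("172.16.0.0", "255.255.0.0", "Serial0/0/0")        # summary, exit-interface form
    rib.static("0.0.0.0", "0.0.0.0", "203.0.113.1")               # default route
    return rib


if __name__ == "__main__":
    rib = build_example_rib()
    for dst in ("10.0.0.5", "172.16.5.1", "192.168.1.77", "8.8.8.8"):
        print(dst, "->", rib.lookup(dst))
```

The 10.0.0.0/24 lookup shows the recursion: the route only names 192.168.1.254, and the interface comes from the connected 192.168.1.0/24 route. Remove that connected route and the same lookup returns `None`, which is what "next hop unreachable" means in practice.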
Routing Information Protocol (RIP)

Configure RIP

> enable
# show ip protocols
# config terminal
(config)# router rip
(config-router)# version 2
(config-router)# network <network_address>

Example:

(config)# router rip
(config-router)# version 2
(config-router)# network 10.0.0.0
(config-router)# network 192.168.1.0

RIP `network` statements are classful: the address is interpreted as its classful network whatever you type (10.0.0.0 enables RIP on every interface in 10.0.0.0/8), and version 2 is required for subnet masks to be carried in updates at all.

Router on a Stick (Inter-VLAN Routing)
Enable Physical Interface

(config)# interface <port>
(config-if)# no shutdown

Configure Sub-Interfaces

Create a sub-interface for each VLAN:

(config)# interface <port>.<subinterface_number>
(config-subif)# encapsulation dot1q <vlan_number>
(config-subif)# ip address <ip> <subnet_mask>

Example:

(config)# interface gigabitEthernet 0/0
(config-if)# no shutdown

(config)# interface gigabitEthernet 0/0.10
(config-subif)# encapsulation dot1q 10
(config-subif)# ip address 192.168.10.1 255.255.255.0

(config)# interface gigabitEthernet 0/0.20
(config-subif)# encapsulation dot1q 20
(config-subif)# ip address 192.168.20.1 255.255.255.0

The switch port facing the router must be an 802.1Q trunk that carries these VLANs. The sub-interface number is only a label; the VLAN ID in `encapsulation dot1q` is what matters, but keeping the two equal (as above) avoids mistakes. Once the router routes between VLANs, the separation between them is only what the router's ACLs enforce.

DHCPv4 Configuration via Router
Create DHCP Pool

(config)# ip dhcp pool <POOL_NAME>
(dhcp-config)# network <network_address> <subnet_mask>
(dhcp-config)# default-router <gateway_ip>
(dhcp-config)# dns-server <dns_server_ip>
(dhcp-config)# domain-name <domain>
(dhcp-config)# exit

Exclude IP Addresses

Reserve IPs for static assignments (gateways, servers, etc.). Exclusions are global (they apply to every pool) and should be configured before the pool starts handing out leases:

(config)# ip dhcp excluded-address <start_ip> <end_ip>

Example:

(config)# ip dhcp excluded-address 192.168.10.1 192.168.10.10

(config)# ip dhcp pool VLAN10
(dhcp-config)# network 192.168.10.0 255.255.255.0
(dhcp-config)# default-router 192.168.10.1
(dhcp-config)# dns-server 8.8.8.8
(dhcp-config)# domain-name example.com

Configure DHCP Relay (IP Helper)

When the DHCP server sits on another subnet, configure the relay on each router (sub-)interface that faces clients; the router forwards the clients' broadcast DHCP requests to the server as unicast:

(config)# interface <subinterface>
(config-subif)# ip helper-address <DHCP_server_ip>

Example:

(config)# interface gigabitEthernet 0/0.10
(config-subif)# ip helper-address 192.168.1.100

By default the helper also relays several other UDP broadcasts (TFTP, DNS, NetBIOS name service, TACACS, time), not only DHCP; be aware of that when the helper points at a server that also runs those services.

Static NAT
Section titled “Static NAT”Static NAT creates a one-to-one mapping between private and public IP addresses.
Configure Inside and Outside Interfaces
Section titled “Configure Inside and Outside Interfaces”(config)# interface <inside_interface>(config-if)# ip nat inside(config-if)# exit
(config)# interface <outside_interface>(config-if)# ip nat outside(config-if)# exitCreate Static NAT Mapping
Section titled “Create Static NAT Mapping”(config)# ip nat inside source static <internal_ip> <external_ip>Example:
(config)# interface gigabitEthernet 0/0(config-if)# ip nat inside
(config)# interface gigabitEthernet 0/1(config-if)# ip nat outside
(config)# ip nat inside source static 192.168.1.10 203.0.113.5Dynamic NAT
Section titled “Dynamic NAT”Dynamic NAT maps private addresses to a pool of public addresses.
Create Access List
Section titled “Create Access List”Define which internal addresses can be translated:
(config)# access-list <list_number> permit <network_ip> <wildcard_mask>Configure Inside and Outside Interfaces
Section titled “Configure Inside and Outside Interfaces”(config)# interface <inside_interface>(config-if)# ip nat inside
(config)# interface <outside_interface>(config-if)# ip nat outsideCreate NAT Pool
Section titled “Create NAT Pool”(config)# ip nat pool <pool_name> <start_ip> <end_ip> netmask <subnet_mask>Apply NAT
Section titled “Apply NAT”(config)# ip nat inside source list <list_number> pool <pool_name>Example:
(config)# access-list 1 permit 192.168.1.0 0.0.0.255
(config)# interface gigabitEthernet 0/0(config-if)# ip nat inside
(config)# interface gigabitEthernet 0/1(config-if)# ip nat outside
(config)# ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0(config)# ip nat inside source list 1 pool PUBLIC_POOLPort Address Translation (PAT)
Section titled “Port Address Translation (PAT)”PAT (also called NAT Overload) allows multiple private addresses to share a single public IP using different ports.
Create Access List
Section titled “Create Access List”(config)# access-list <list_number> permit <network_ip> <wildcard_mask>Configure Inside and Outside Interfaces
Section titled “Configure Inside and Outside Interfaces”(config)# interface <inside_interface>(config-if)# ip nat inside
(config)# interface <outside_interface>(config-if)# ip nat outsideCreate NAT Pool (Optional)
Section titled “Create NAT Pool (Optional)”(config)# ip nat pool <pool_name> <start_ip> <end_ip> netmask <subnet_mask>Apply PAT with Overload
Section titled “Apply PAT with Overload”(config)# ip nat inside source list <list_number> pool <pool_name> overloadOr use interface IP:
(config)# ip nat inside source list <list_number> interface <outside_interface> overloadExample:
(config)# access-list 1 permit 192.168.1.0 0.0.0.255
(config)# interface gigabitEthernet 0/0(config-if)# ip nat inside
(config)# interface gigabitEthernet 0/1(config-if)# ip nat outside
(config)# ip nat inside source list 1 interface gigabitEthernet 0/1 overloadAccess Control Lists (ACL)
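The three translation types above, as an added Python example that is not part of the original page: a toy NAT engine that models static mappings, a dynamic pool (including what happens when it runs out), and PAT overload with port rewriting, plus the reverse lookup that return traffic and unsolicited inbound connections go through. The private addresses, the static mapping and the pool are the page's own; the outside interface address 203.0.113.2 and the remote hosts are assumed, and port allocation (keep the original source port when free, otherwise take the next unused one) is a simplification of what IOS does.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

Flow = tuple[str, int, str, int]       # (src_ip, src_port, dst_ip, dst_port)


class Nat:
    def __init__(self, inside_list: str, mode: str,
                 pool: Optional[list[str]] = None, outside_ip: Optional[str] = None) -> None:
        if mode not in ("dynamic", "pat"):
            raise ValueError("mode must be 'dynamic' or 'pat'")
        self.inside_list = IPv4Network(inside_list)   # access-list N permit <net> <wildcard>
        self.mode = mode
        self.free_pool = list(pool or [])              # ip nat pool ... <start> <end>
        self.outside_ip = outside_ip                   # interface <outside> overload
        self.static: dict[str, str] = {}               # ip nat inside source static
        self.table: dict[Flow, Flow] = {}              # inside flow -> flow as seen outside
        self.next_port = 1024

    def add_static(self, inside: str, outside: str) -> None:
        self.static[inside] = outside

    def translate_outbound(self, flow: Flow) -> Optional[Flow]:
        """Flow as seen on the outside interface, or None when no translation is possible."""
        src, sport, dst, dport = flow
        if flow in self.table:
            return self.table[flow]
        if src in self.static:                                   # static mapping wins
            out = (self.static[src], sport, dst, dport)
        elif IPv4Address(src) not in self.inside_list:
            return None                                          # ACL does not select it
        elif self.mode == "dynamic":
            assigned = {f[0]: t[0] for f, t in self.table.items()}
            if src in assigned:                                  # host already holds an address
                out = (assigned[src], sport, dst, dport)
            elif self.free_pool:
                out = (self.free_pool.pop(0), sport, dst, dport)
            else:
                return None                                      # pool exhausted
        else:                                                    # PAT: one address, many ports
            out = (self.outside_ip, self._alloc_port(sport), dst, dport)
        self.table[flow] = out
        return out

    def _alloc_port(self, wanted: int) -> int:
        used = {t[1] for t in self.table.values() if t[0] == self.outside_ip}
        if wanted not in used:
            return wanted                      # keep the original port when it is free
        while self.next_port in used:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translate_inbound(self, flow: Flow) -> Optional[Flow]:
        """Reverse lookup for packets arriving on the outside interface. Only an existing
        table entry or a static mapping gets the packet to an inside host."""
        rsrc, rsport, rdst, rdport = flow
        for inside, outside in self.table.items():
            if outside == (rdst, rdport, rsrc, rsport):
                return (rsrc, rsport, inside[0], inside[1])
        for inside_ip, outside_ip in self.static.items():
            if outside_ip == rdst:                               # unsolicited, but statically mapped
                return (rsrc, rsport, inside_ip, rdport)
        return None                                              # nothing to match: dropped
```

The dynamic-pool case is worth running with a pool of two addresses, as the test below does: the third inside host gets no translation at all, which on a real router shows up as intermittent "Internet is down" reports rather than an error.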
Access Control Lists (ACL)

ACL Placement Best Practices

- Standard ACL: Place closest to the destination (it filters on source IP only, so placing it near the source would also cut that source off from destinations it should reach)
- Extended ACL: Place closest to the source (it filters on source, destination, protocol and port, so unwanted traffic is dropped before it crosses the network)

Entries are evaluated top-down and the first match wins. Every ACL ends with an implicit deny, so an ACL that contains only deny statements blocks everything, and an interface can carry one ACL per direction per protocol.

Standard ACL (Numbered)

Standard ACLs filter based on source IP address only. Use ACL numbers 1-99 or 1300-1999.

(config)# access-list <1-99> remark <description>
(config)# access-list <1-99> <permit|deny> <source_ip> <wildcard_mask>

Apply to an interface:

(config)# interface <interface>
(config-if)# ip access-group <acl_number> <in|out>

Example:

(config)# access-list 10 remark Block 192.168.1.0 network
(config)# access-list 10 deny 192.168.1.0 0.0.0.255
(config)# access-list 10 permit any

(config)# interface gigabitEthernet 0/1
(config-if)# ip access-group 10 out

Standard ACL (Named)

(config)# ip access-list standard <name>
(config-std-nacl)# remark <description>
(config-std-nacl)# <permit|deny> <source_ip> <wildcard_mask>
(config-std-nacl)# <permit|deny> host <ip>
(config-std-nacl)# <permit|deny> any
(config-std-nacl)# exit

Apply to an interface:

(config)# interface <interface>
(config-if)# ip access-group <name> <in|out>

Example:

(config)# ip access-list standard BLOCK_VLAN10
(config-std-nacl)# remark Prevent VLAN 10 from accessing internet
(config-std-nacl)# deny 192.168.10.0 0.0.0.255
(config-std-nacl)# permit any

(config)# interface gigabitEthernet 0/1
(config-if)# ip access-group BLOCK_VLAN10 out

Extended ACL (Numbered)

Extended ACLs filter based on source IP, destination IP, protocol, and port. Use ACL numbers 100-199 or 2000-2699.

(config)# access-list <100-199> remark <description>
(config)# access-list <100-199> <permit|deny> <protocol> <source_ip> <source_wildcard> <dest_ip> <dest_wildcard> eq <port>

Apply to an interface:

(config)# interface <interface>
(config-if)# ip access-group <acl_number> <in|out>

Example:

(config)# access-list 100 remark Block HTTP to web server
(config)# access-list 100 deny tcp any host 192.168.1.100 eq 80
(config)# access-list 100 permit ip any any

(config)# interface gigabitEthernet 0/0
(config-if)# ip access-group 100 in

Extended ACL (Named)

(config)# ip access-list extended <name>
(config-ext-nacl)# remark <description>
(config-ext-nacl)# <permit|deny> <protocol> <source> <destination> eq <port>
(config-ext-nacl)# exit

Example:

(config)# ip access-list extended BLOCK_TELNET
(config-ext-nacl)# remark Block Telnet to all devices
(config-ext-nacl)# deny tcp any any eq 23
(config-ext-nacl)# permit ip any any

(config)# interface gigabitEthernet 0/0
(config-if)# ip access-group BLOCK_TELNET in

A transit ACL does not protect the router's own VTY lines from hosts on other interfaces; use `access-class` on the lines for that.

IPv6 ACL

(config)# ipv6 access-list <name>
(config-ipv6-acl)# <permit|deny> <protocol> <source> <destination>
(config-ipv6-acl)# exit

Example:

(config)# ipv6 access-list BLOCK_IPV6_TELNET
(config-ipv6-acl)# deny tcp any any eq 23
(config-ipv6-acl)# permit ipv6 any any

(config)# interface gigabitEthernet 0/0
(config-if)# ipv6 traffic-filter BLOCK_IPV6_TELNET in

An IPv6 ACL ends with implicit entries that permit neighbor discovery before the implicit deny; an explicit `deny ipv6 any any` as the last entry overrides them and breaks neighbor discovery on that interface.

ACL Verification Commands

# show access-lists
# show access-lists <number|name>
# show ip interface <interface>

`show access-lists` includes per-entry hit counters, which is the quickest check that an entry matches the traffic you expect; `show ip interface` shows which ACL is applied in which direction.
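The matching rules described in this section, as an added Python example that is not part of the original page: a small evaluator for IOS ACL semantics with wildcard masks, top-down first match and the implicit deny at the end. The same wildcard comparison is what the EIGRP and OSPF `network <address> <wildcard>` statements earlier on this page use to select interfaces. The two ACLs are the page's own (10 and 100); the packets fed to them are constructed, and the `Ace`/`Packet` types are this example's, not anything IOS exposes.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")      # `any`: every bit is a don't-care


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; a 0 bit must equal the base address."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def host(ip: str) -> tuple[str, str]:
    """`host <ip>` is shorthand for the address with wildcard 0.0.0.0."""
    return ip, "0.0.0.0"


@dataclass(frozen=True)
class Ace:
    """One access-list entry. A standard ACL entry only uses `action` and `src`."""
    action: str                                # "permit" or "deny"
    protocol: str = "ip"                       # "ip" matches everything, else tcp/udp/icmp
    src: tuple[str, str] = ANY                 # (base, wildcard)
    dst: tuple[str, str] = ANY
    dport: Optional[int] = None                # `eq <port>` on the destination, None = any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    dport: int = 0


def evaluate(acl: list[Ace], pkt: Packet) -> tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); ("deny", None) is the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.protocol != "ip" and ace.protocol != pkt.protocol:
            continue
        if not wildcard_match(pkt.src, *ace.src):
            continue
        if not wildcard_match(pkt.dst, *ace.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, i                   # first match wins, later entries are never seen
    return "deny", None


# access-list 10 deny 192.168.1.0 0.0.0.255 / permit any   (standard: source only)
ACL_10 = [Ace("deny", src=("192.168.1.0", "0.0.0.255")), Ace("permit")]

# access-list 100 deny tcp any host 192.168.1.100 eq 80 / permit ip any any
ACL_100 = [Ace("deny", "tcp", ANY, host("192.168.1.100"), 80), Ace("permit", "ip")]

# The same deny entry without the trailing permit: everything else hits the implicit deny
ACL_100_NO_PERMIT = ACL_100[:1]

if __name__ == "__main__":
    web = Packet("203.0.113.9", "192.168.1.100", "tcp", 80)
    print(evaluate(ACL_100, web))              # ('deny', 0)
    print(evaluate(ACL_100_NO_PERMIT, Packet("203.0.113.9", "192.168.1.100", "tcp", 443)))
```

Feeding a UDP packet to port 80 through `ACL_100` is the case to check when an ACL "does not block" something: the entry is protocol-specific, so the packet falls through to `permit ip any any`.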
IPSec VPN (Virtual Private Network)

Site-to-Site IPSec VPN Configuration

Step 1: Configure ISAKMP Policy (Phase 1)

(config)# crypto isakmp policy <priority>
(config-isakmp)# encryption <aes 256|aes|3des>
(config-isakmp)# hash <sha256|sha|md5>
(config-isakmp)# authentication pre-share
(config-isakmp)# group <2|5|14|19|20>
(config-isakmp)# lifetime <seconds>
(config-isakmp)# exit

Policies are evaluated in priority order (lowest number first) and the first one both peers share is used. A weak policy that exists alongside a strong one will be used whenever the peer offers it, so remove legacy policies rather than relying on their ordering.

Diffie-Hellman Groups:

- Group 2: 1024-bit MODP (legacy, avoid)
- Group 5: 1536-bit MODP (legacy, avoid)
- Group 14: 2048-bit MODP (recommended minimum)
- Group 19: 256-bit ECC
- Group 20: 384-bit ECC

Avoid 3DES, MD5 and SHA-1 (`hash sha`) in new deployments; the example below uses AES-256, SHA-256 and group 14.

Example:

(config)# crypto isakmp policy 10
(config-isakmp)# encryption aes 256
(config-isakmp)# hash sha256
(config-isakmp)# authentication pre-share
(config-isakmp)# group 14
(config-isakmp)# lifetime 86400

Step 2: Configure Pre-Shared Key

(config)# crypto isakmp key <key_string> address <peer_ip>

Example:

(config)# crypto isakmp key MySecretKey123 address 203.0.113.1

The keys in these examples are placeholders. Use a long random key, a different one per peer, and remember that the key sits in the configuration: anyone who can read the running-config can impersonate the peer.

Step 3: Configure IPSec Transform Set (Phase 2)

(config)# crypto ipsec transform-set <name> esp-aes 256 esp-sha256-hmac

Common Transform Options:

- esp-aes: AES encryption (`esp-aes 256` for a 256-bit key)
- esp-3des: 3DES encryption (legacy, avoid)
- esp-sha-hmac: SHA-1 authentication (legacy, avoid)
- esp-sha256-hmac: SHA-256 authentication

Example:

(config)# crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac

Step 4: Create Crypto ACL

Define interesting traffic (traffic to be encrypted). The peer's crypto ACL must be the mirror image of this one (source and destination swapped) or Phase 2 will not come up:

(config)# ip access-list extended <acl_name>
(config-ext-nacl)# permit ip <local_network> <wildcard> <remote_network> <wildcard>
(config-ext-nacl)# exit

Example:

(config)# ip access-list extended VPN-TRAFFIC
(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255

Step 5: Create Crypto Map

(config)# crypto map <map_name> <sequence> ipsec-isakmp
(config-crypto-map)# set peer <remote_peer_ip>
(config-crypto-map)# set transform-set <transform_set_name>
(config-crypto-map)# match address <acl_name>
(config-crypto-map)# exit

Example:

(config)# crypto map MYMAP 10 ipsec-isakmp
(config-crypto-map)# set peer 203.0.113.1
(config-crypto-map)# set transform-set MYSET
(config-crypto-map)# match address VPN-TRAFFIC

Step 6: Apply Crypto Map to Interface

(config)# interface <outside_interface>
(config-if)# crypto map <map_name>

Example:

(config)# interface gigabitEthernet 0/1
(config-if)# crypto map MYMAP

Complete Site-to-Site VPN Example

(config)# crypto isakmp policy 10
(config-isakmp)# encryption aes 256
(config-isakmp)# hash sha256
(config-isakmp)# authentication pre-share
(config-isakmp)# group 14
(config-isakmp)# lifetime 86400

(config)# crypto isakmp key MySecureKey123! address 203.0.113.1

(config)# crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac

(config)# ip access-list extended VPN-ACL
(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255

(config)# crypto map VPNMAP 10 ipsec-isakmp
(config-crypto-map)# set peer 203.0.113.1
(config-crypto-map)# set transform-set STRONG
(config-crypto-map)# match address VPN-ACL

(config)# interface gigabitEthernet 0/1
(config-if)# crypto map VPNMAP

If the same router also does NAT on that interface, the VPN traffic must be excluded from translation, otherwise it no longer matches the crypto ACL.

IPSec Verification Commands

# show crypto isakmp sa
# show crypto ipsec sa
# show crypto session
# show crypto map
# show crypto isakmp policy
# show crypto ipsec transform-set

`show crypto isakmp sa` shows the Phase 1 SA (state QM_IDLE means Phase 1 is established); `show crypto ipsec sa` shows the Phase 2 SAs with encrypt/decrypt packet counters, which is where to look when the tunnel is "up" but traffic does not flow.

Clear IPSec Sessions

Force renegotiation by clearing the security associations (traffic over the tunnel is interrupted until it re-establishes):

# clear crypto sa
# clear crypto isakmp

IPSec Troubleshooting

Enable debugging (use cautiously in production; debug output can saturate the console and the CPU):

# debug crypto isakmp
# debug crypto ipsec

Disable all debugging:

# no debug all
# undebug all
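An added Python example, not code from the original page, that turns the "avoid" notes in the tables above into a check: it parses the `crypto isakmp policy` blocks, the pre-shared keys and the `crypto ipsec transform-set` lines out of a saved configuration and reports legacy algorithms (DES/3DES, MD5, SHA-1, DH groups 1, 2 and 5), a weak policy that is ordered before a strong one, and short pre-shared keys. The configuration text is constructed for the example (IOS prints `encr` for `encryption` in a running-config, which the parser accepts); the 20-character pre-shared key threshold and the 86400-second lifetime ceiling are assumptions of this example, not IOS rules.

```python
import re

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}                       # `hash sha` is SHA-1
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}
MAX_LIFETIME = 86400                             # assumption: the page's example value
MIN_PSK_LEN = 20                                 # assumption for this example


def parse_isakmp_policies(config: str) -> dict[int, dict[str, str]]:
    """Collect each `crypto isakmp policy N` block with its indented settings."""
    policies: dict[int, dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if current is not None and line.startswith(" "):
            parts = line.split()
            key = "encryption" if parts[0] == "encr" else parts[0]
            policies[current][key] = " ".join(parts[1:])
        else:
            current = None                       # any non-indented line ends the block
    return policies


def audit(config: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing legacy was found."""
    findings: list[str] = []
    weak, strong = [], []
    for prio, s in sorted(parse_isakmp_policies(config).items()):
        before = len(findings)
        # IOS defaults when a setting is absent: DES, SHA-1, group 1, 86400 s
        enc = s.get("encryption", "des")
        if enc.split()[0] in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {prio}: weak encryption {enc}")
        if s.get("hash", "sha") in WEAK_HASH:
            findings.append(f"isakmp policy {prio}: weak hash {s.get('hash', 'sha')}")
        if s.get("group", "1") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {prio}: weak DH group {s.get('group', '1')}")
        if int(s.get("lifetime", "86400")) > MAX_LIFETIME:
            findings.append(f"isakmp policy {prio}: lifetime above {MAX_LIFETIME}s")
        (weak if len(findings) > before else strong).append(prio)
    if weak and strong and min(weak) < max(strong):
        findings.append(f"isakmp policy {min(weak)} is tried before stronger policy "
                        f"{max(strong)}; remove it")
    for key, peer in re.findall(r"^crypto isakmp key (\S+) (?:address|hostname) (\S+)",
                                config, re.M):
        if len(key) < MIN_PSK_LEN:
            findings.append(f"pre-shared key for {peer} is only {len(key)} characters")
    for name, body in re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        for token in body.split():
            if token in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: legacy transform {token}")
    return findings


# Constructed configuration excerpt: a leftover legacy policy 5 next to the page's policy 10.
SAMPLE_CONFIG = """\
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key MySecureKey123! address 203.0.113.1
!
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set LEGACY esp-3des esp-sha-hmac
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it over `show running-config` output saved to a file; a clean result for policy 10 and `STRONG` alongside findings for policy 5 and `LEGACY` is exactly the situation in which the tunnel may silently negotiate the weak set.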
IPS (Intrusion Prevention System)

IOS IPS Configuration

Step 1: Create IPS Directory

# mkdir ips
(config)# ip ips config location flash:ips

Step 2: Create IPS Rule

(config)# ip ips name <rule_name>

Example:

(config)# ip ips name IPS-RULE

Step 3: Retire Signature Categories

Retire all signatures, then un-retire only the basic category to reduce false positives and memory use:

(config)# ip ips signature-category
(config-ips-category)# category all
(config-ips-category-action)# retired true
(config-ips-category-action)# exit
(config-ips-category)# category ios_ips basic
(config-ips-category-action)# retired false
(config-ips-category-action)# exit
(config-ips-category)# exit

The order matters: retire everything first, then un-retire the category you want. Nothing is inspected until a signature package has been loaded into the configured location.

Step 4: Apply IPS to Interface

(config)# interface <interface>
(config-if)# ip ips <rule_name> <in|out>

Direction:

- in: Inspects traffic entering the interface
- out: Inspects traffic leaving the interface

Example:

(config)# interface gigabitEthernet 0/0
(config-if)# ip ips IPS-RULE in

Complete IPS Configuration Example

# mkdir ips
(config)# ip ips config location flash:ips

(config)# ip ips name MYIPS

(config)# ip ips signature-category
(config-ips-category)# category all
(config-ips-category-action)# retired true
(config-ips-category-action)# exit
(config-ips-category)# category ios_ips basic
(config-ips-category-action)# retired false
(config-ips-category-action)# exit
(config-ips-category)# exit

(config)# interface gigabitEthernet 0/0
(config-if)# ip ips MYIPS in

(config)# interface gigabitEthernet 0/1
(config-if)# ip ips MYIPS out

IPS Verification Commands

# show ip ips configuration
# show ip ips signatures
# show ip ips statistics
# show ip ips all
# show ip ips interface

Enable/Disable Specific Signatures

(config)# ip ips signature-definition
(config-sigdef)# signature <signature_id>
(config-sigdef-sig)# status
(config-sigdef-sig-status)# retired <true|false>
(config-sigdef-sig-status)# enabled <true|false>

A signature must be both un-retired and enabled to fire; retired signatures are not compiled into memory at all, which is why retiring unused categories saves resources.

IPS Event Actions

Configure what happens when a signature is triggered (several actions can be combined):

(config-sigdef-sig)# engine
(config-sigdef-sig-engine)# event-action <deny-packet-inline|produce-alert|reset-tcp-connection>

Action Types:

- deny-packet-inline: Drop the packet
- produce-alert: Generate an alert
- reset-tcp-connection: Send TCP RST to both ends of the connection

`produce-alert` on its own is detection only; combine it with `deny-packet-inline` for prevention, and send the alerts to a syslog destination that someone actually monitors.