
Routers

Terminal window
enable
config terminal
Terminal window
# clock set 14:30:00 16 Feb 2026

Format: <HH:MM:SS> <DAY> <MONTH> <YEAR>

Disable DNS lookups to prevent command delays:

Terminal window
(config)# no ip domain-lookup

Set device hostname (recommended to do this first):

Terminal window
(config)# hostname <hostname>

Set privileged EXEC password and enable encryption:

Terminal window
(config)# enable secret <password>
(config)# service password-encryption

Configure an interface for management access:

Terminal window
(config)# interface <interface_name>
(config-if)# ip address <ip> <subnet>
(config-if)# no shutdown
(config-if)# exit

Example:

Terminal window
(config)# interface gigabitEthernet 0/0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit

Configure password for Telnet/SSH access:

Terminal window
(config)# line vty 0 15
(config-line)# password <password>
(config-line)# login
(config-line)# exit
Terminal window
(config)# exit
# copy running-config startup-config
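The settings above (enable secret, service password-encryption, line passwords and the vty line) are the first things to check in a saved configuration. As an added example that is not part of the original page, the following Python audit parses a constructed running-config (the enable secret hash is a placeholder, not a real hash) and reports the weak choices a reviewer would flag: no enable secret, line passwords that are only type 7 (reversible) or cleartext, and vty transports that still allow Telnet. The section parser and finding texts are this example's own, not an IOS feature.

```python
import re

# Constructed sample running-config for illustration only (not captured from a
# real device). It contains the settings this section configures plus two weak
# choices that the audit below should flag. The secret hash is a PLACEHOLDER.
SAMPLE_CONFIG = """\
hostname R1
no ip domain-lookup
service password-encryption
enable secret 5 $1$PLACEHOLDER$0123456789abcdefghijkl
line con 0
 password 7 0822455D0A16
 login
line vty 0 15
 password 7 0822455D0A16
 login
 transport input telnet ssh
"""


def parse_sections(config):
    """Split an IOS config into (header, [indented child lines]) pairs.
    Top-level commands become headers with an empty child list."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_access_config(config):
    """Return a list of human-readable findings about device-access settings."""
    findings = []
    sections = parse_sections(config)
    top = [hdr for hdr, _ in sections]

    if not any(h.startswith("enable secret") for h in top):
        findings.append("no 'enable secret' configured for privileged EXEC")
    if any(h.startswith("enable password") for h in top):
        findings.append("'enable password' present; it is not hashed, replace with 'enable secret'")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' missing; line passwords are stored in cleartext")

    for hdr, children in sections:
        if not hdr.startswith("line "):
            continue
        for cmd in children:
            if cmd.startswith("password "):
                # service password-encryption only produces type 7, which is reversible,
                # so a line password protects against shoulder-surfing, not config theft.
                kind = "type 7 (reversible)" if cmd.startswith("password 7 ") else "cleartext"
                findings.append(f"{hdr}: line password stored as {kind}; prefer 'login local' with 'username ... secret'")
            if cmd.startswith("transport input") and re.search(r"\b(telnet|all)\b", cmd):
                findings.append(f"{hdr}: '{cmd}' permits Telnet, which sends the password unencrypted")
    return findings


if __name__ == "__main__":
    for finding in audit_access_config(SAMPLE_CONFIG):
        print("-", finding)
```

Running it on the sample yields three findings (the console password, the vty password and the Telnet transport); a config with enable secret, service password-encryption, login local and transport input ssh produces none.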

EIGRP's composite metric is calculated from interface bandwidth (and delay). You can override the bandwidth value used, in kbps, per interface:

Terminal window
(config)# interface <interface>
(config-if)# bandwidth <number>
Terminal window
enable
# config t
(config)# router eigrp <AS_number>

The AS (Autonomous System) number must match on all routers in the EIGRP domain.

Enable EIGRP on all interfaces that fall within a classful network:

Terminal window
(config-router)# network <network_address>

Advertise only a specific subnet using a wildcard mask:

Terminal window
(config-router)# network <network_address> <wildcard_mask>

Example:

Terminal window
(config-router)# network 10.0.0.0
(config-router)# network 192.168.1.0 0.0.0.255

Include static routes in EIGRP advertisements:

Terminal window
(config-router)# redistribute static

View the EIGRP topology table:

Terminal window
# show ip eigrp topology

Verify neighbor adjacencies:

Terminal window
# show ip eigrp neighbors

Confirm routing protocol configuration:

Terminal window
# show ip protocols

View the routing table:

Terminal window
# show ip route
Restart the OSPF process (tears down and re-forms all OSPF adjacencies):

Terminal window
# clear ip ospf process
Terminal window
(config)# router ospf <process_id>
(config-router)# router-id <router_id>

The process ID is locally significant (doesn’t need to match other routers). The router ID should be unique.

Terminal window
(config-router)# network <network_ip> <wildcard_mask> area <area_number>

Every OSPF domain must have an Area 0 (backbone area).

Example:

Terminal window
(config-router)# network 10.0.0.0 0.255.255.255 area 0
(config-router)# network 192.168.1.0 0.0.0.255 area 1
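Both the EIGRP and the OSPF network statements above, and the ACL entries later on this page, take a wildcard mask rather than a subnet mask. As an added example that is not part of the original page, the following Python helpers (function names are this example's own) derive the wildcard from a prefix length or subnet mask, render the network statement for a CIDR block, and apply the bit test IOS uses, which also shows what goes wrong when a subnet mask is typed where a wildcard belongs.

```python
import ipaddress


def wildcard_from_prefix(prefix_len):
    """Wildcard mask for a /prefix_len: the bitwise inverse of the subnet mask.
    0 bits must match exactly, 1 bits are ignored."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def wildcard_from_mask(subnet_mask):
    """Same conversion starting from a dotted subnet mask, e.g. 255.255.255.0."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(subnet_mask)) ^ 0xFFFFFFFF))


def network_statement(cidr, area=None):
    """Render the EIGRP form (no area) or OSPF form (with area) of a network statement."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    stmt = f"network {net.network_address} {wildcard_from_prefix(net.prefixlen)}"
    return stmt + (f" area {area}" if area is not None else "")


def matches(address, network, wildcard):
    """How IOS tests an address against network/wildcard: every bit where the
    wildcard is 0 must equal the network's bit; 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF   # 1 where bits must match
    return (a & care) == (n & care)


if __name__ == "__main__":
    print(network_statement("10.0.0.0/8", area=0))
    print(network_statement("192.168.1.0/24"))
    # A subnet mask used as a wildcard is evaluated literally: only the last octet
    # must match (and must be 0), so the intended LAN host does not match at all
    # while an unrelated address ending in .0 does.
    print(matches("192.168.1.1", "192.168.1.0", "255.255.255.0"))
    print(matches("10.5.7.0", "192.168.1.0", "255.255.255.0"))
```

The last two calls are the failure mode to remember: a mask/wildcard mix-up does not produce an error, it silently selects the wrong interfaces or the wrong traffic.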

Re-advertise a default route into OSPF:

Terminal window
(config-router)# default-information originate

Set reference bandwidth for more accurate cost calculations:

Terminal window
(config-router)# auto-cost reference-bandwidth <Mbps>

Example:

Terminal window
(config-router)# auto-cost reference-bandwidth 10000

This sets the reference to 10 Gbps for modern networks. Configure the same value on every router in the OSPF domain so that costs stay consistent.
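To see why the reference bandwidth matters, the following added example (Python, not IOS code; the function names are this example's own) reproduces the IOS cost formula and lists which link speeds collapse to the same cost under the 100 Mbps default versus a 10 Gbps reference. The link speeds are a constructed set.

```python
def ospf_cost(interface_mbps, reference_mbps=100):
    """IOS cost = reference bandwidth / interface bandwidth, truncated to an
    integer and never lower than 1. The IOS default reference is 100 Mbps."""
    return max(1, int(reference_mbps // interface_mbps))


def cost_table(link_speeds_mbps, reference_mbps):
    """Cost of each link speed under a given reference bandwidth."""
    return {speed: ospf_cost(speed, reference_mbps) for speed in link_speeds_mbps}


def cost_collisions(link_speeds_mbps, reference_mbps):
    """Pairs of different link speeds that receive the same cost. OSPF then treats
    a slower link as equal to a faster one, which is the failure mode that
    'auto-cost reference-bandwidth' exists to fix."""
    first_with_cost = {}
    collisions = []
    for speed, cost in sorted(cost_table(link_speeds_mbps, reference_mbps).items()):
        if cost in first_with_cost:
            collisions.append((first_with_cost[cost], speed))
        else:
            first_with_cost[cost] = speed
    return collisions


def smallest_adequate_reference(link_speeds_mbps):
    """The reference must be at least the fastest link; otherwise that link and
    every link faster than the reference all get cost 1."""
    return max(link_speeds_mbps)


if __name__ == "__main__":
    # Constructed set: T1, Ethernet, FastEthernet, GigabitEthernet, 10 Gigabit.
    speeds = [1.544, 10, 100, 1000, 10000]
    print("reference 100:", cost_table(speeds, 100), cost_collisions(speeds, 100))
    print("reference 10000:", cost_table(speeds, 10000), cost_collisions(speeds, 10000))
    print("auto-cost reference-bandwidth", smallest_adequate_reference(speeds))
```

With the default reference, FastEthernet, GigabitEthernet and 10 Gigabit all cost 1; with reference 10000 every speed in the set gets a distinct cost.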

Prevent an interface from sending OSPF hello packets:

Terminal window
(config-router)# passive-interface <interface>

Useful for interfaces with no OSPF neighbors (e.g., user VLANs).

Control DR/BDR election by setting interface priority:

Terminal window
(config)# interface <interface>
(config-if)# ip ospf priority <0-255>

  • Priority 0: Router cannot become DR/BDR
  • Higher priority: More likely to become DR

Change hello interval (default is 10 seconds):

Terminal window
(config-if)# ip ospf hello-interval <seconds>

Example:

Terminal window
(config-if)# ip ospf hello-interval 30

Set network type to point-to-point (no DR/BDR election):

Terminal window
(config-if)# ip ospf network point-to-point
Redistribute OSPF routes into EIGRP (a router-mode command entered under router eigrp, not an interface command); the five values are the EIGRP seed metric components:

Terminal window
(config-router)# redistribute ospf <process_id> metric <bandwidth> <delay> <reliability> <load> <MTU>

View OSPF-enabled interfaces:

Terminal window
# show ip ospf interface brief

Verify OSPF neighbor adjacencies:

Terminal window
# show ip ospf neighbor

Display OSPF routes in routing table:

Terminal window
# show ip route ospf

Uses next-hop IP address:

Terminal window
(config)# ip route <target_network> <subnet_mask> <next_hop_ip>

Example:

Terminal window
(config)# ip route 10.0.0.0 255.255.255.0 192.168.1.254

Gateway of last resort (matches all destinations):

Terminal window
(config)# ip route 0.0.0.0 0.0.0.0 <next_hop_ip_or_exit_interface>

Example:

Terminal window
(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.1
(config)# ip route 0.0.0.0 0.0.0.0 gigabitEthernet 0/1

Uses exit interface (requires recursive lookup):

Terminal window
(config)# ip route <target_network> <subnet_mask> <exit_interface>

Example:

Terminal window
(config)# ip route 172.16.0.0 255.255.0.0 serial 0/0/0
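The static routes in this section are selected by longest-prefix match, which is what makes 0.0.0.0/0 the gateway of last resort: it contains every destination, so it is used only when no more specific route exists. As an added example that is not part of the original page, the following Python model builds a table from the routes shown above (plus an assumed directly connected LAN) and looks destinations up the way the router would; the function names are this example's own.

```python
import ipaddress

# Constructed routing table mirroring the static routes in this section, plus an
# assumed directly connected LAN. Each entry: (destination, next hop or exit interface).
ROUTES = [
    ("10.0.0.0/24", "192.168.1.254"),          # ip route 10.0.0.0 255.255.255.0 192.168.1.254
    ("172.16.0.0/16", "Serial0/0/0"),          # ip route 172.16.0.0 255.255.0.0 serial 0/0/0
    ("192.168.1.0/24", "GigabitEthernet0/0"),  # connected LAN (assumed)
    ("0.0.0.0/0", "203.0.113.1"),              # ip route 0.0.0.0 0.0.0.0 203.0.113.1
]


def mask_to_cidr(network, subnet_mask):
    """Convert the 'ip route <network> <mask>' form into CIDR for build_table."""
    return str(ipaddress.IPv4Network(f"{network}/{subnet_mask}", strict=False))


def build_table(routes):
    """Turn (cidr, via) pairs into (IPv4Network, via) pairs."""
    return [(ipaddress.IPv4Network(net), via) for net, via in routes]


def lookup(table, destination):
    """Longest-prefix match: among all routes that contain the destination, the one
    with the longest mask wins. 0.0.0.0/0 contains every address, so it is chosen
    only when nothing more specific exists. Returns None when no route matches,
    in which case the router drops the packet."""
    dst = ipaddress.IPv4Address(destination)
    best = None
    for net, via in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else (str(best[0]), best[1])


TABLE = build_table(ROUTES)

if __name__ == "__main__":
    for dest in ("10.0.0.5", "172.16.200.1", "192.168.1.254", "8.8.8.8"):
        print(dest, "->", lookup(TABLE, dest))
    # Without the default route, an unknown destination has no match at all.
    print("8.8.8.8 without default ->", lookup(build_table(ROUTES[:3]), "8.8.8.8"))
```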
Terminal window
enable
# show ip protocols
# config terminal
(config)# router rip
(config-router)# version 2
(config-router)# network <network_address>

Example:

Terminal window
(config)# router rip
(config-router)# version 2
(config-router)# network 10.0.0.0
(config-router)# network 192.168.1.0
Terminal window
(config)# interface <port>
(config-if)# no shutdown

Create sub-interfaces for each VLAN:

Terminal window
(config)# interface <port>.<subinterface_number>
(config-subif)# encapsulation dot1q <vlan_number>
(config-subif)# ip address <ip> <subnet_mask>

Example:

Terminal window
(config)# interface gigabitEthernet 0/0
(config-if)# no shutdown
(config)# interface gigabitEthernet 0/0.10
(config-subif)# encapsulation dot1q 10
(config-subif)# ip address 192.168.10.1 255.255.255.0
(config)# interface gigabitEthernet 0/0.20
(config-subif)# encapsulation dot1q 20
(config-subif)# ip address 192.168.20.1 255.255.255.0
Terminal window
(config)# ip dhcp pool <POOL_NAME>
(dhcp-config)# network <network_address> <subnet_mask>
(dhcp-config)# default-router <gateway_ip>
(dhcp-config)# dns-server <dns_server_ip>
(dhcp-config)# domain-name <example.com>
(dhcp-config)# exit

Reserve IPs for static assignments (gateways, servers, etc.):

Terminal window
(config)# ip dhcp excluded-address <start_ip> <end_ip>

Example:

Terminal window
(config)# ip dhcp excluded-address 192.168.10.1 192.168.10.10
(config)# ip dhcp pool VLAN10
(dhcp-config)# network 192.168.10.0 255.255.255.0
(dhcp-config)# default-router 192.168.10.1
(dhcp-config)# dns-server 8.8.8.8
(dhcp-config)# domain-name example.com

For DHCP across VLANs, configure on each router sub-interface:

Terminal window
(config)# interface <subinterface>
(config-subif)# ip helper-address <DHCP_server_ip>

Example:

Terminal window
(config)# interface gigabitEthernet 0/0.10
(config-subif)# ip helper-address 192.168.1.100

Static NAT creates a one-to-one mapping between private and public IP addresses.

Terminal window
(config)# interface <inside_interface>
(config-if)# ip nat inside
(config-if)# exit
(config)# interface <outside_interface>
(config-if)# ip nat outside
(config-if)# exit
Terminal window
(config)# ip nat inside source static <internal_ip> <external_ip>

Example:

Terminal window
(config)# interface gigabitEthernet 0/0
(config-if)# ip nat inside
(config)# interface gigabitEthernet 0/1
(config-if)# ip nat outside
(config)# ip nat inside source static 192.168.1.10 203.0.113.5

Dynamic NAT maps private addresses to a pool of public addresses.

Define which internal addresses can be translated:

Terminal window
(config)# access-list <list_number> permit <network_ip> <wildcard_mask>
Terminal window
(config)# interface <inside_interface>
(config-if)# ip nat inside
(config)# interface <outside_interface>
(config-if)# ip nat outside
Terminal window
(config)# ip nat pool <pool_name> <start_ip> <end_ip> netmask <subnet_mask>
Terminal window
(config)# ip nat inside source list <list_number> pool <pool_name>

Example:

Terminal window
(config)# access-list 1 permit 192.168.1.0 0.0.0.255
(config)# interface gigabitEthernet 0/0
(config-if)# ip nat inside
(config)# interface gigabitEthernet 0/1
(config-if)# ip nat outside
(config)# ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
(config)# ip nat inside source list 1 pool PUBLIC_POOL

PAT (also called NAT Overload) allows multiple private addresses to share a single public IP using different ports.

Terminal window
(config)# access-list <list_number> permit <network_ip> <wildcard_mask>
Terminal window
(config)# interface <inside_interface>
(config-if)# ip nat inside
(config)# interface <outside_interface>
(config-if)# ip nat outside
Terminal window
(config)# ip nat pool <pool_name> <start_ip> <end_ip> netmask <subnet_mask>
Terminal window
(config)# ip nat inside source list <list_number> pool <pool_name> overload

Or use interface IP:

Terminal window
(config)# ip nat inside source list <list_number> interface <outside_interface> overload

Example:

Terminal window
(config)# access-list 1 permit 192.168.1.0 0.0.0.255
(config)# interface gigabitEthernet 0/0
(config-if)# ip nat inside
(config)# interface gigabitEthernet 0/1
(config-if)# ip nat outside
(config)# ip nat inside source list 1 interface gigabitEthernet 0/1 overload
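The access-list in the PAT configuration decides which inside sources are translated, and the overload keyword is what lets many inside hosts share one outside address by varying the source port. As an added example that is not part of the original page, the following Python model (class and method names are this example's own; the port-allocation rule is a simplification of what IOS does) shows the translation table filling up, two inside hosts colliding on the same source port, the reverse lookup a reply needs, and a source that is not permitted by the ACL.

```python
import ipaddress


def in_wildcard(address, network, wildcard):
    """IOS wildcard test used by the NAT access-list: 0 bits must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    return (a & ~w) == (n & ~w)


class PatTranslator:
    """Port Address Translation (NAT overload): many inside (ip, port) pairs share
    one outside address and are told apart by the translated source port."""

    def __init__(self, outside_ip, inside_acl, first_port=1024):
        self.outside_ip = outside_ip
        self.inside_acl = inside_acl   # (network, wildcard) from 'access-list N permit ...'
        self.next_port = first_port
        self.table = {}                # (inside_ip, inside_port) -> outside_port
        self.reverse = {}              # outside_port -> (inside_ip, inside_port)

    def translate_out(self, inside_ip, inside_port):
        """Outbound packet: returns (outside_ip, outside_port), or None when the
        source is not permitted by the NAT ACL and is therefore left untranslated."""
        if not in_wildcard(inside_ip, *self.inside_acl):
            return None
        key = (inside_ip, inside_port)
        if key not in self.table:
            # Simplified allocation (this model's assumption, not the exact IOS rule):
            # keep the original source port if it is still free on the outside
            # address, otherwise take the next unused port.
            port = inside_port if inside_port not in self.reverse else self._allocate()
            self.table[key] = port
            self.reverse[port] = key
        return (self.outside_ip, self.table[key])

    def _allocate(self):
        while self.next_port in self.reverse:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translate_in(self, outside_port):
        """Inbound reply: map the destination port back to the inside host. None
        means no translation exists, so unsolicited inbound traffic is dropped.
        That side effect is not access control; an ACL or firewall is still needed."""
        return self.reverse.get(outside_port)


if __name__ == "__main__":
    # Constructed values matching the example: inside 192.168.1.0/24, outside 203.0.113.5.
    pat = PatTranslator("203.0.113.5", ("192.168.1.0", "0.0.0.255"))
    print(pat.translate_out("192.168.1.10", 40000))   # keeps port 40000
    print(pat.translate_out("192.168.1.11", 40000))   # collision, gets a new port
    print(pat.translate_in(1024))                     # reply maps back to .11
    print(pat.translate_out("10.9.9.9", 1234))        # not in ACL 1: untranslated
```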

ACL placement:

  • Standard ACL: Place closest to destination (filters based on source IP only)
  • Extended ACL: Place closest to source (filters based on source, destination, protocol, port)

Standard ACLs filter based on source IP address only. Use ACL numbers 1-99 or 1300-1999.

Terminal window
(config)# access-list <1-99> remark <description>
(config)# access-list <1-99> <permit/deny> <source_ip> <wildcard_mask>

Apply to interface:

Terminal window
(config)# interface <interface>
(config-if)# ip access-group <acl_number> <in/out>

Example:

Terminal window
(config)# access-list 10 remark Block 192.168.1.0 network
(config)# access-list 10 deny 192.168.1.0 0.0.0.255
(config)# access-list 10 permit any
(config)# interface gigabitEthernet 0/1
(config-if)# ip access-group 10 out
Terminal window
(config)# ip access-list standard <name>
(config-std-nacl)# remark <description>
(config-std-nacl)# <permit/deny> <source_ip> <wildcard_mask>
(config-std-nacl)# <permit/deny> host <ip>
(config-std-nacl)# <permit/deny> any
(config-std-nacl)# exit

Apply to interface:

Terminal window
(config)# interface <interface>
(config-if)# ip access-group <name> <in/out>

Example:

Terminal window
(config)# ip access-list standard BLOCK_VLAN10
(config-std-nacl)# remark Prevent VLAN 10 from accessing internet
(config-std-nacl)# deny 192.168.10.0 0.0.0.255
(config-std-nacl)# permit any
(config)# interface gigabitEthernet 0/1
(config-if)# ip access-group BLOCK_VLAN10 out

Extended ACLs filter based on source IP, destination IP, protocol, and port. Use ACL numbers 100-199 or 2000-2699.

Terminal window
(config)# access-list <100-199> remark <description>
(config)# access-list <100-199> <permit/deny> <protocol> <source_ip> <source_wildcard> <dest_ip> <dest_wildcard> eq <port>

Apply to interface:

Terminal window
(config)# interface <interface>
(config-if)# ip access-group <acl_number> <in/out>

Example:

Terminal window
(config)# access-list 100 remark Block HTTP to web server
(config)# access-list 100 deny tcp any host 192.168.1.100 eq 80
(config)# access-list 100 permit ip any any
(config)# interface gigabitEthernet 0/0
(config-if)# ip access-group 100 in
Terminal window
(config)# ip access-list extended <name>
(config-ext-nacl)# remark <description>
(config-ext-nacl)# <permit/deny> <protocol> <source> <destination> eq <port>
(config-ext-nacl)# exit

Example:

Terminal window
(config)# ip access-list extended BLOCK_TELNET
(config-ext-nacl)# remark Block Telnet to all devices
(config-ext-nacl)# deny tcp any any eq 23
(config-ext-nacl)# permit ip any any
(config)# interface gigabitEthernet 0/0
(config-if)# ip access-group BLOCK_TELNET in
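The standard and extended ACLs above share the same evaluation rules: entries are tested top-down, the first match decides, remarks are ignored, and anything that matches nothing hits the implicit deny at the end of every ACL. As an added example that is not part of the original page, the following Python evaluator parses ACL bodies written in the page's own syntax (the constructed packets and the function names are this example's) and runs sample packets through them, including the common mistake of a deny entry with no permit after it.

```python
import ipaddress

# Constructed ACL bodies in the syntax used on this page (remarks included to
# show that they are skipped).
STANDARD_10 = [
    "remark Block 192.168.1.0 network",
    "deny 192.168.1.0 0.0.0.255",
    "permit any",
]
BLOCK_TELNET = [
    "remark Block Telnet to all devices",
    "deny tcp any any eq 23",
    "permit ip any any",
]
# A common mistake: a deny with no following permit, so everything else is
# dropped by the implicit deny.
ONLY_DENY = ["deny tcp any host 192.168.1.100 eq 80"]

PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22}


def in_wildcard(address, network, wildcard):
    """IOS wildcard test: bits where the wildcard is 0 must match the network."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    return (a & ~w) == (n & ~w)


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((network, wildcard), next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1   # bare address in a standard ACL means one host


def parse_ace(line, extended):
    """Parse one access-control entry; returns None for remarks."""
    tokens = line.split()
    if tokens[0] == "remark":
        return None
    ace = {"action": tokens[0], "proto": None, "dst": None, "port": None}
    i = 1
    if extended:
        ace["proto"] = tokens[i]
        i += 1
    ace["src"], i = _parse_addr(tokens, i)
    if extended:
        ace["dst"], i = _parse_addr(tokens, i)
        if i + 1 < len(tokens) and tokens[i] == "eq":
            ace["port"] = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return ace


def parse_acl(lines, extended):
    return [ace for ace in (parse_ace(line, extended) for line in lines) if ace]


def ace_matches(ace, pkt):
    if not in_wildcard(pkt["src"], *ace["src"]):
        return False
    if ace["proto"] is None:            # standard ACL: source address only
        return True
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not in_wildcard(pkt["dst"], *ace["dst"]):
        return False
    return ace["port"] is None or ace["port"] == pkt.get("dport")


def evaluate(acl, pkt):
    """Entries are tested top-down and the first match decides; a packet that
    matches nothing hits the implicit deny at the end of every ACL."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


if __name__ == "__main__":
    ext = parse_acl(BLOCK_TELNET, extended=True)
    print(evaluate(ext, {"src": "10.1.1.1", "dst": "192.168.1.5", "proto": "tcp", "dport": 23}))
    print(evaluate(ext, {"src": "10.1.1.1", "dst": "192.168.1.5", "proto": "udp", "dport": 23}))
    print(evaluate(parse_acl(ONLY_DENY, extended=True),
                   {"src": "10.1.1.1", "dst": "192.168.1.100", "proto": "tcp", "dport": 443}))
```

Note that the UDP packet to port 23 is permitted: a deny written for tcp does not cover other protocols, and the last call shows HTTPS to the web server being dropped because the ACL has no permit entry at all.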
Terminal window
(config)# ipv6 access-list <name>
(config-ipv6-acl)# <permit/deny> <protocol> <source> <destination>
(config-ipv6-acl)# exit

Example:

Terminal window
(config)# ipv6 access-list BLOCK_IPV6_TELNET
(config-ipv6-acl)# deny tcp any any eq 23
(config-ipv6-acl)# permit ipv6 any any
(config)# interface gigabitEthernet 0/0
(config-if)# ipv6 traffic-filter BLOCK_IPV6_TELNET in
Terminal window
# show access-lists
# show access-lists <number/name>
# show ip interface <interface>
Terminal window
(config)# crypto isakmp policy <priority>
(config-isakmp)# encryption <aes 256|aes|3des>
(config-isakmp)# hash <sha256|sha|md5>
(config-isakmp)# authentication pre-share
(config-isakmp)# group <2|5|14|19|20>
(config-isakmp)# lifetime <seconds>
(config-isakmp)# exit

Diffie-Hellman Groups:

  • Group 2: 1024-bit (legacy, avoid)
  • Group 5: 1536-bit
  • Group 14: 2048-bit (recommended minimum)
  • Group 19: 256-bit ECC
  • Group 20: 384-bit ECC

Example:

Terminal window
(config)# crypto isakmp policy 10
(config-isakmp)# encryption aes 256
(config-isakmp)# hash sha256
(config-isakmp)# authentication pre-share
(config-isakmp)# group 14
(config-isakmp)# lifetime 86400
Terminal window
(config)# crypto isakmp key <key_string> address <peer_ip>

Example:

Terminal window
(config)# crypto isakmp key MySecretKey123 address 203.0.113.1
Terminal window
(config)# crypto ipsec transform-set <name> esp-aes 256 esp-sha256-hmac

Common Transform Options:

  • esp-aes: AES encryption
  • esp-3des: 3DES encryption
  • esp-sha-hmac: SHA-1 authentication
  • esp-sha256-hmac: SHA-256 authentication

Example:

Terminal window
(config)# crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac

Define interesting traffic (traffic to be encrypted):

Terminal window
(config)# ip access-list extended <acl_name>
(config-ext-nacl)# permit ip <local_network> <wildcard> <remote_network> <wildcard>
(config-ext-nacl)# exit

Example:

Terminal window
(config)# ip access-list extended VPN-TRAFFIC
(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
Terminal window
(config)# crypto map <map_name> <sequence> ipsec-isakmp
(config-crypto-map)# set peer <remote_peer_ip>
(config-crypto-map)# set transform-set <transform_set_name>
(config-crypto-map)# match address <acl_name>
(config-crypto-map)# exit

Example:

Terminal window
(config)# crypto map MYMAP 10 ipsec-isakmp
(config-crypto-map)# set peer 203.0.113.1
(config-crypto-map)# set transform-set MYSET
(config-crypto-map)# match address VPN-TRAFFIC
Terminal window
(config)# interface <outside_interface>
(config-if)# crypto map <map_name>

Example:

Terminal window
(config)# interface gigabitEthernet 0/1
(config-if)# crypto map MYMAP
Terminal window
(config)# crypto isakmp policy 10
(config-isakmp)# encryption aes 256
(config-isakmp)# hash sha256
(config-isakmp)# authentication pre-share
(config-isakmp)# group 14
(config-isakmp)# lifetime 86400
(config)# crypto isakmp key MySecureKey123! address 203.0.113.1
(config)# crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
(config)# ip access-list extended VPN-ACL
(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
(config)# crypto map VPNMAP 10 ipsec-isakmp
(config-crypto-map)# set peer 203.0.113.1
(config-crypto-map)# set transform-set STRONG
(config-crypto-map)# match address VPN-ACL
(config)# interface gigabitEthernet 0/1
(config-if)# crypto map VPNMAP
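The ISAKMP policy and transform-set choices earlier in this section (encryption, hash, Diffie-Hellman group, ESP transforms) are where a VPN review usually finds problems. As an added example that is not part of the original page, the following Python checker parses a constructed running-config (no CLI prompts, no pre-shared key) that contains the complete example above plus a deliberately weak second policy and transform set, and reports anything below the page's own guidance: 3DES/DES, MD5 or SHA-1, DH groups below 14 (19 and 20 being the ECC groups), and the corresponding weak ESP transforms. Function names and finding texts are this example's own.

```python
import re

# Constructed running-config text (no CLI prompts) mirroring the complete example
# above, plus a deliberately weak second policy and transform set to be flagged.
# No pre-shared key is included.
SAMPLE_VPN_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp policy 20
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set LEGACY esp-3des esp-sha-hmac
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5": "MD5", "sha": "SHA-1"}
ACCEPTABLE_DH_GROUPS = {14, 19, 20}     # group 14 minimum; 19/20 are the ECC groups
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}


def check_isakmp_policies(config):
    """Walk each 'crypto isakmp policy' block and report weak IKE phase 1 choices."""
    findings = []
    policy = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            policy = header.group(1)
            continue
        if not raw.startswith(" "):
            policy = None            # any other top-level command ends the block
            continue
        if policy is None or not line:
            continue
        tokens = line.split()
        if tokens[0] == "encryption" and tokens[1] in WEAK_ENCRYPTION:
            findings.append(f"policy {policy}: {tokens[1]} encryption is obsolete, use aes 256")
        elif tokens[0] == "hash" and tokens[1] in WEAK_HASH:
            findings.append(f"policy {policy}: {WEAK_HASH[tokens[1]]} hash is weak, use sha256")
        elif tokens[0] == "group" and int(tokens[1]) not in ACCEPTABLE_DH_GROUPS:
            findings.append(f"policy {policy}: DH group {tokens[1]} is below group 14, the recommended minimum")
    return findings


def check_transform_sets(config):
    """Report IPsec (phase 2) transform sets that use obsolete ciphers or hashes."""
    findings = []
    for raw in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", raw.strip())
        if not m:
            continue
        name, transforms = m.group(1), m.group(2).split()
        for t in transforms:
            if t in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: {t} is weak, use esp-aes 256 with esp-sha256-hmac")
    return findings


def audit_vpn(config):
    return check_isakmp_policies(config) + check_transform_sets(config)


if __name__ == "__main__":
    for finding in audit_vpn(SAMPLE_VPN_CONFIG):
        print("-", finding)
```

Policy 10 and transform set STRONG produce no findings; policy 20 and LEGACY produce five. Because IOS negotiates the lowest-numbered policy that both peers share, a weak policy left in the configuration is reachable even when a strong one exists above it, so the fix is to remove it rather than renumber it.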
Terminal window
# show crypto isakmp sa
# show crypto ipsec sa
# show crypto session
# show crypto map
# show crypto isakmp policy
# show crypto ipsec transform-set

Force renegotiation by clearing security associations:

Terminal window
# clear crypto sa
# clear crypto isakmp

Enable debugging (use cautiously in production):

Terminal window
# debug crypto isakmp
# debug crypto ipsec

Disable all debugging:

Terminal window
# no debug all
# undebug all
Terminal window
# mkdir ips
(config)# ip ips config location flash:ips
Terminal window
(config)# ip ips name <rule_name>

Example:

Terminal window
(config)# ip ips name IPS-RULE

Disable all signatures, then enable only the basic category to reduce false positives:

Terminal window
(config)# ip ips signature-category
(config-ips-category)# category all
(config-ips-category-action)# retired true
(config-ips-category-action)# exit
(config-ips-category)# category ios_ips basic
(config-ips-category-action)# retired false
(config-ips-category-action)# exit
(config-ips-category)# exit
Terminal window
(config)# interface <interface>
(config-if)# ip ips <rule_name> <in|out>

Direction:

  • in: Inspects incoming traffic
  • out: Inspects outgoing traffic

Example:

Terminal window
(config)# interface gigabitEthernet 0/0
(config-if)# ip ips IPS-RULE in
Terminal window
# mkdir ips
(config)# ip ips config location flash:ips
(config)# ip ips name MYIPS
(config)# ip ips signature-category
(config-ips-category)# category all
(config-ips-category-action)# retired true
(config-ips-category-action)# exit
(config-ips-category)# category ios_ips basic
(config-ips-category-action)# retired false
(config-ips-category-action)# exit
(config-ips-category)# exit
(config)# interface gigabitEthernet 0/0
(config-if)# ip ips MYIPS in
(config)# interface gigabitEthernet 0/1
(config-if)# ip ips MYIPS out
Terminal window
# show ip ips configuration
# show ip ips signatures
# show ip ips statistics
# show ip ips all
# show ip ips interface
Terminal window
(config)# ip ips signature-definition
(config-sigdef)# signature <signature_id>
(config-sigdef-sig)# status
(config-sigdef-sig-status)# retired <true|false>
(config-sigdef-sig-status)# enabled <true|false>

Configure what happens when a signature is triggered:

Terminal window
(config-sigdef-sig)# engine
(config-sigdef-sig-engine)# event-action <deny-packet-inline|produce-alert|reset-tcp-connection>

Action Types:

  • deny-packet-inline: Drop the packet
  • produce-alert: Generate an alert
  • reset-tcp-connection: Send TCP RST