Basic Cisco Configuration

Following is a list of the most common Cisco device configuration commands I use when setting up a router or switch from scratch, such as hostname, username, logging, vty access, NTP, SNMP, and syslog. For a router, I am also listing some basic layer 3 interface commands, while for a switch I am listing STP and VTP examples as well as the interface settings for access and trunk ports.

This is not a detailed best practice list that can be applied without thinking about it, but a list of the most common configurations from which to pick the ones required for the current scenario. It is a kind of template, of course with IPv6 as well as legacy IP.

Please note that this is not a complete security guide either. It’s a quick reference for a basic/functional device configuration. I am not listing any specific security commands here such as denying all IPv6 extension headers, DHCP snooping, ARP inspection, etc. However, I am using strong crypto, SSH only (with ACLs on the vty lines), and so on.

Also, note that not all commands are implemented in all IOS versions. For example, the command security passwords min-length 12 works on a Cisco router with IOS 15.1(4)M9 but not on a Cisco switch running 15.0(2)SE9. Refer to the well-known Cisco Feature Navigator for all details.

Finally, a factory-reset switch does not run an SDM template that supports IPv6. You must set one, e.g. sdm prefer dual-ipv4-and-ipv6 default, followed by a reload.

Please leave a comment if you’re missing something.

Basic System (Router & Switch)

The basis for all Cisco devices, regardless of router or switch:

Note: I am *not* using the no ip domain lookup configuration line since I am using a DNS server. If I configured no ip domain lookup, the router/switch would not do any DNS lookups at all anymore. [Ref: Cisco Community – NO ip-domain lookup]
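As an added example (not the post's own configuration block), the following is the baseline I would put on any router or switch for the items listed above: hostname and domain, a local user with a hashed secret, login throttling, SSH version 2 with a vty ACL for both address families, NTP, syslog, and SNMPv3 with authentication and privacy. All names, addresses, and secrets are placeholders, and a few commands (security passwords min-length, login block-for) are not available on every release.

```cisco
! Added example, not from the original post. Placeholders: hostname, example.com,
! 192.0.2.0/24, 2001:db8:1::/64, and every *-PLACEHOLDER string.
hostname R1
ip domain-name example.com
!
! "secret" stores a hash; "password" would store the reversible type 7 form
username admin privilege 15 secret STRONG-PASSWORD-PLACEHOLDER
enable secret ENABLE-SECRET-PLACEHOLDER
service password-encryption
security passwords min-length 12
!
! Throttle and log local login attempts
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! SSH version 2 only, with a dedicated 4096-bit RSA key pair
crypto key generate rsa label SSH-KEY modulus 4096
ip ssh version 2
ip ssh rsa keypair-name SSH-KEY
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management networks may open a vty session; everything else is logged
ip access-list standard MGMT-ACCESS
 permit 192.0.2.0 0.0.0.255
 deny   any log
ipv6 access-list MGMT-ACCESS-V6
 permit ipv6 2001:db8:1::/64 any
 deny ipv6 any any log
!
line con 0
 login local
 exec-timeout 10 0
line vty 0 4
 access-class MGMT-ACCESS in
 ipv6 access-class MGMT-ACCESS-V6 in
 login local
 transport input ssh
 exec-timeout 10 0
!
! Time source and timestamped logs, sent to a remote syslog host as well
clock timezone UTC 0
ntp server 192.0.2.10
ntp server 2001:db8::10
service timestamps log datetime msec localtime show-timezone
logging buffered 64000
logging host 192.0.2.20
logging trap informational
!
! SNMPv3 authPriv (SHA + AES-128) instead of SNMPv1/v2c community strings
snmp-server group SNMPV3-RO v3 priv
snmp-server user monitor SNMPV3-RO v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER
```

The vty ACLs are the piece that matters most: transport input ssh restricts the protocol, but only the access-class lines restrict who may even start a session, and the deny ... log entries give you a syslog record of every attempt from outside the management networks.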

Router Specific

Basic routing and layer 3 (sub-) interfaces, NAT with PAT, and bogon filtering:
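As an added example that is not part of the original post, here is a dual-stack router configuration for the items named above: a WAN interface with PAT, one dot1q subinterface per VLAN on the LAN side, and an inbound bogon filter on the WAN. Interface names, addresses, and prefixes are placeholders (2001:db8::/32 and 203.0.113.0/24 are documentation ranges, which is why the IPv6 filter does not deny 2001:db8::/32 as a real deployment would).

```cisco
! Added example, not from the original post. Placeholders: interface names,
! 203.0.113.0/30 (WAN), 192.168.10.0/24 and 2001:db8:1:10::/64 (VLAN 10).
ip routing
ipv6 unicast-routing
ip cef
ipv6 cef
!
! Default routes towards the ISP
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ipv6 route ::/0 2001:db8:ffff::1
!
! Bogon / anti-spoofing filter for the WAN: private, CGNAT, loopback,
! link-local and "this" network must never arrive from the Internet
ip access-list extended BOGONS-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 100.64.0.0 0.63.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 permit ip any any
! IPv6: ULA and IPv4-mapped sources; link-local is NOT denied because
! neighbor discovery with the upstream router depends on it
ipv6 access-list BOGONS6-IN
 deny ipv6 fc00::/7 any
 deny ipv6 ::ffff:0:0/96 any
 permit ipv6 any any
!
! WAN: NAT outside, filters applied inbound, no redirects/proxy-ARP
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group BOGONS-IN in
 ipv6 address 2001:db8:ffff::2/64
 ipv6 traffic-filter BOGONS6-IN in
 no ip redirects
 no ip proxy-arp
!
! LAN: router-on-a-stick, one subinterface per VLAN
interface GigabitEthernet0/1
 description LAN trunk
 no ip address
interface GigabitEthernet0/1.10
 description VLAN 10 clients
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ipv6 address 2001:db8:1:10::1/64
!
! PAT: all inside hosts share the WAN interface address
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
```

Keep the bogon list and the NAT list separate: the NAT list says which inside sources get translated, the bogon list says which outside sources are dropped, and mixing the two makes both harder to audit later.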

Switch Specific

Default gateway/routes, STP, VTP, and layer 2 interfaces (access and trunk):
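As an added example (not the post's own block), the switch-specific part: the SDM template mentioned in the introduction, a management SVI with default gateway, rapid PVST with a fixed root and BPDU guard, VTP in transparent mode, and the access, trunk, and unused-port templates. VLAN numbers, port names, and addresses are placeholders; switchport trunk encapsulation dot1q is only needed (and only accepted) on platforms that also support ISL.

```cisco
! Added example, not from the original post. Placeholders: VLAN 10/99/999,
! 192.168.99.0/24, 2001:db8:1:99::/64, GigabitEthernet1/0/x port names.
sdm prefer dual-ipv4-and-ipv6 default
! (a reload is required after changing the SDM template)
!
vlan 10
 name CLIENTS
vlan 99
 name MGMT
vlan 999
 name BLACKHOLE
!
! Management SVI and default gateway of a layer-2-only switch
interface Vlan99
 description Management
 ip address 192.168.99.10 255.255.255.0
 ipv6 address 2001:db8:1:99::10/64
 no shutdown
ip default-gateway 192.168.99.1
! Static IPv6 default route where the platform supports it; otherwise the
! SVI learns its default router from router advertisements
ipv6 route ::/0 2001:db8:1:99::1
!
! Spanning tree: rapid PVST, this switch as root, edge ports protected
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 4096
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! VTP transparent: a newly attached switch cannot overwrite the VLAN database
vtp mode transparent
vtp domain example
vtp version 2
!
! Access port for an end host: no DTP negotiation, BPDU guard enabled
interface GigabitEthernet1/0/1
 description Client
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trunk to the next switch/router: unused native VLAN, explicit VLAN list
interface GigabitEthernet1/0/24
 description Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,99
 switchport nonegotiate
!
! Unused ports: parked in the black-hole VLAN and shut down
interface range GigabitEthernet1/0/2 - 23
 switchport mode access
 switchport access vlan 999
 shutdown
```

The two nonegotiate lines plus the explicit access/trunk modes remove DTP from the picture entirely, and moving the native VLAN to an unused VLAN means untagged frames on the uplink land nowhere useful.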


Clear Config

To clear the complete configuration of a Cisco device, you can use the following two commands to delete the startup-config as well as the VLAN database (the latter only if VTP is used):


Get Config

Just a bunch of basic show commands to get all the information out of a Cisco router/switch. (Of course, you could use “show tech-support”, but that is too much in my opinion.) Note that not all commands will work on every switch or router, but never mind, it’s a good starting point:
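As an added example serving both the Clear Config and Get Config sections above (not the post's own command list), the following is an exec-mode session: first the show commands I would capture as a baseline before touching a device, then the two commands that wipe it. Lines starting with ! are comments for the reader, not something the CLI accepts in exec mode, and the show commands for switching features will simply error out on a router.

```cisco
! Added example, not from the original post. Exec mode (after "enable").
! --- Get Config: capture a baseline before any change ---
terminal length 0
show clock
show version
show inventory
show running-config
show ip interface brief
show ipv6 interface brief
show interfaces description
show interfaces status
show ip route
show ipv6 route
show ip arp
show ipv6 neighbors
show ip nat translations
show ip access-lists
show ipv6 access-list
show vlan brief
show spanning-tree summary
show vtp status
show cdp neighbors detail
show lldp neighbors detail
show ntp status
show ntp associations
show ip ssh
show users
show logging
!
! --- Clear Config: remove startup-config and the VLAN database, then reload ---
! "write erase" is the same as "erase startup-config"
write erase
! switches only; confirm the prompts. Skip this if VTP/VLANs were never used
delete flash:vlan.dat
! answer "no" when asked to save the modified system configuration
reload
```

Saving the output of the first part to a file before running the second part is the cheap insurance policy: the baseline is what you diff against when a device later comes up with a configuration nobody remembers entering.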


SSH Ciphers

To reach an outdated Cisco device with an up-to-date OpenSSH client from Linux, you must explicitly enable the outdated ciphers and algorithms on the client, such as:

Otherwise, the SSH connection fails, as in this example (shell output from Ubuntu Linux):

The error log on the Cisco device looks like this:
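On the client side, the legacy algorithms are re-enabled per connection with OpenSSH options such as -oKexAlgorithms=+diffie-hellman-group1-sha1, -oHostKeyAlgorithms=+ssh-rsa, and -c aes128-cbc (better scoped to that one host in ~/.ssh/config than set globally). That keeps weak crypto in use, so where the IOS release supports it I prefer to raise the device side instead. The following is an added example, not from the original post, of the IOS SSH server algorithm commands; which keywords exist depends on the release, so check the Feature Navigator mentioned in the introduction before relying on any of them.

```cisco
! Added example, not from the original post. Availability of the
! "ip ssh server algorithm" commands depends on the IOS/IOS XE release.
ip ssh version 2
! Larger DH group so a current client no longer needs group1-sha1
ip ssh dh min size 2048
! CTR-mode AES only; CBC ciphers are what modern OpenSSH refuses by default
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
! Keep at least one MAC the client still offers
ip ssh server algorithm mac hmac-sha1
! Host key algorithm offered to the client
ip ssh server algorithm hostkey ssh-rsa
! Log every SSH session and failed attempt to syslog
ip ssh logging events
!
! Verify the result; the client should now connect without extra options
do show ip ssh
```

If the device is too old for the algorithm commands, the only remaining choices are the client-side options above or a software upgrade, and the per-host ~/.ssh/config entry is the one that does not weaken every other SSH session from that workstation.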


For more posts about routing/switching, you can follow the “Routing” or “Switching” categories concerning various firewall/router vendors, or the “Cisco Router”/“Cisco Switch” tags for posts related to Cisco stuff.

Featured image: “Wiese…” by Fotos_von_Carlos is licensed under CC BY-NC-ND 2.0.

2 thoughts on “Basic Cisco Configuration”

  1. Great overview, thanks. Generally we use the same config and only a few settings vary. Additionally we use these settings:

    no service dhcp
    logging buffered 50000
    no logging console
    ip ssh logging events
    ip ssh dh min size 2048
