Following is a list of the most common Cisco device configuration commands that I am using when setting up a router or switch from scratch, such as hostname, username, logging, vty access, ntp, snmp, syslog. For a router, I am also listing some basic layer 3 interface commands, while for a switch I am listing STP and VTP examples as well as the interface settings for access and trunk ports.
This is not a detailed best practice list which can be used completely without thinking about it, but a list with the most common configurations from which to pick out the ones required for the current scenario. Kind of a template. Of course with IPv6 and legacy IP.
Please note that this is not a complete security guide either. It’s a quick reference for a basic/functional device configuration. I am not listing any specific security commands here such as denying all IPv6 extension headers, DHCP snooping or ARP inspection, etc. However, I am using strong crypto, only ssh with ACLs for the vty lines, and so on.
Also, note that not all commands are implemented in all IOS versions. For example, security passwords min-length 12 works on a Cisco router with IOS 15.1(4)M9 but not on a Cisco switch with 15.0(2)SE9. Refer to the well-known Cisco Feature Navigator for all details.
Finally, a factory-reset switch won’t run an SDM template that is capable of IPv6. You must set one explicitly, e.g. sdm prefer dual-ipv4-and-ipv6 default, followed by a reload.
Please leave a comment if you’re missing something.
Basic System (Router & Switch)
The basis for all Cisco devices, regardless of router or switch:
!
! hostname and DNS settings
hostname CCNP-LAB-R1a
ip domain name weberlab.de
ip name-server 2003:de:2016:120::A08:53
!
!
! this is just a dummy entry with the enable password "password"
! the dummy user weberjoh has a password of "asdfasdf"
! (note the "ip ssh pubkey-chain" later for SSH public key authentication)
! password-encryption for a basic hiding feature of plaintext passwords
! aaa new-model to use the username instead of some login/password commands for vty access
! default password length of 12 for all future passwords
enable secret 5 $1$FdCb$spI/lHO.AREaK4fFrcLuw0
service password-encryption
username weberjoh privilege 15 secret 5 $1$dZt.$HTgDJhM2cEld9SBRSrFfX1
aaa new-model
security passwords min-length 12
!
!
! banner example
banner login ^
######################################
#         Webernetz.net Labor        #
# Finger weg wenn du nicht ich bist! #
######################################
^
!
!
! console port used with username login
! directly starts with privileged EXEC mode (requires that the user has priv 15)
! timeout of 1 hour
! of course you must adjust these values to your needs
line con 0
 exec-timeout 60 0
 privilege level 15
 logging synchronous
 history size 100
!
!
! secure vty access, connections via ssh only
! timeout of 600 minutes = 10 hours aka one working day
! SSH public key authentication for user "weberjoh"
! details: https://networklessons.com/uncategorized/ssh-public-key-authentication-cisco-ios/
! ACLs for both protocols, IPv6 and legacy IP
! "logging synchronous" on vty is needed if you're displaying logs within
! an SSH session with "terminal monitor"
! generation of the crypto key requires a hostname and domain name (set above)
! this command (crypto key generate ...) must be used only once
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh logging events
ip ssh dh min size 2048
ip ssh pubkey-chain
 username weberjoh
  key-hash ssh-rsa F6CB07741AC18888F65459330E8F2363
  key-hash ssh-rsa CD746283016E122D7161FD23CDB0415D
 exit
exit
!
ipv6 access-list vty-access-v6
 remark This is network xyz
 permit ipv6 2003:DE:2016::/48 any log
 remark This is special host foobar
 permit ipv6 host 2001:DB8::42 any log
 deny ipv6 any any log
ip access-list standard vty-access-v4
 remark This is network xyz
 permit 192.168.0.0 0.0.255.255 log
 remark This is special host foobar
 permit 10.0.0.42 log
 deny any log
line vty 0 4
 access-class vty-access-v4 in
 exec-timeout 600 0
 privilege level 15
 ipv6 access-class vty-access-v6 in
 logging synchronous
 history size 100
 transport input ssh
!
!
! disable http server at all
no ip http server
no ip http secure-server
!
!
! time and date
! to have all log messages with the current date/time and not relative to the boot time
! as well as the timezone and year
service timestamps debug datetime msec show-timezone year
service timestamps log datetime msec show-timezone year
! timezone
! the "CET" and "CEST" are just strings that are displayed. They do not refer to anything.
! time settings for UTC+1 with daylight savings
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
! "ntp update-calendar" syncs the hardware clock to the time received via NTP
! but it is not available on all platforms
! followed by the NTP servers either with IPv6 and/or prefer
ntp update-calendar
ntp server ipv6 2.de.pool.ntp.org
ntp server ipv6 2.pool.ntp.org
ntp server ntp1.weberlab.de
ntp server ntp2.weberlab.de
ntp server ntp3.weberlab.de prefer
!
! note that your interface IP addresses are *serving* NTP by default
! that is: if your IP/IPv6 addresses are publicly reachable, they will be found
! if you have a dedicated out-of-band mgmt-intf for reaching your configured NTP servers:
! disable NTP on all data interfaces on a per-interface basis:
interface GigabitEthernet0/0
 ntp disable
! if you do not have a dedicated out-of-band mgmt-intf for reaching your NTP servers:
! use ACLs, similar as shown here: https://labs.apnic.net/index.php/2014/03/10/ntp-for-evil/
ipv6 access-list ntp-block-v6
 remark One ACL to block them all
 deny ipv6 any any log
ipv6 access-list ntp-servers-v6
 remark NTP servers to get the time from
 permit ipv6 host 2001:470:1f0b:16b0::dcfb:123 any
 deny ipv6 any any
ip access-list standard ntp-block
 remark One ACL to block them all
 deny any log
ip access-list standard ntp-servers
 remark NTP servers to get the time from
 permit 194.247.5.12
 deny any
ntp access-group peer ntp-servers
ntp access-group serve ntp-block
ntp access-group serve-only ntp-block
ntp access-group query-only ntp-block
ntp access-group ipv6 peer ntp-servers-v6
ntp access-group ipv6 serve ntp-block-v6
ntp access-group ipv6 serve-only ntp-block-v6
ntp access-group ipv6 query-only ntp-block-v6
!
!
! SNMPv2c with readonly community string
! and ACLs for IPv6 and legacy IP but without logging
ipv6 access-list snmp-access-v6
 remark This is network xyz
 permit ipv6 2003:DE:2016:120::/64 any
 remark This is special host foobar
 permit ipv6 host 2001:DB8::42 any
 deny ipv6 any any
ip access-list standard snmp-access-v4
 remark This is network xyz
 permit 192.168.0.0 0.0.255.255
 remark This is special host foobar
 permit 10.0.0.42
 deny any
snmp-server community n5rAD1ig314IqfioYBWw RO ipv6 snmp-access-v6 snmp-access-v4
snmp-server ifindex persist
snmp-server location On the top of the rack
snmp-server contact Johannes Weber
! syslog server/receiver for IPv6 and legacy IP with debugging level
! as well as logging size for buffered RAM
logging host ipv6 2003:DE:2016:120::b10:514
logging 192.168.120.10
logging trap debugging
logging buffered 64000
!
!
! to save the startup-config after every "write mem" via scp
! yes, the username:password is present in plain text
archive
 path scp://iosarchive:iospassword@scp.weberlab.de/$h-$t
 write-memory
!
Note: I am *not* using the no ip domain lookup configuration line since I am using a DNS server. If I configured no ip domain lookup, the router/switch would not do any DNS lookups at all anymore. [Ref: Cisco Community – NO ip-domain lookup]
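As an added example (my own code, not part of the original post), here is a small audit script that parses an IOS-style running-config and checks it for the vty, SSH, HTTP, password, logging and NTP settings the template above sets. The two sample configs are constructed: HARDENED takes the relevant lines from the template, WEAK models a box nobody ever touched.

```python
"""Audit an IOS-style configuration for the management-plane settings
recommended in the basic-system template.

Added example, not code from the original post: the parser and the
check list are my own and encode only the page's recommendations."""
import re
from typing import List, Tuple

Block = Tuple[str, List[str]]  # (top-level command, [sub-mode commands])


def parse_ios(text: str) -> List[Block]:
    """Split an IOS config into (top-level command, [indented children]).
    '!' comment lines are skipped; a leading space marks a child line,
    exactly as 'show running-config' prints sub-mode commands."""
    blocks: List[Block] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


# (regex on a top-level command, finding reported when NO command matches)
REQUIRED = [
    (r"^ip ssh version 2$", "SSH version 2 not enforced"),
    (r"^service password-encryption$", "service password-encryption missing"),
    (r"^aaa new-model$", "aaa new-model missing"),
    (r"^no ip http server$", "HTTP server not disabled"),
    (r"^no ip http secure-server$", "HTTPS server not disabled"),
    (r"^enable secret ", "enable secret not set"),
    (r"^logging (host |\d)", "no syslog receiver configured"),
    (r"^ntp access-group ", "no NTP access-groups (device serves NTP on every interface)"),
]
# (regex on a top-level command, finding reported when a command DOES match)
FORBIDDEN = [
    (r"^enable password ", "enable password (reversible) instead of enable secret"),
    (r"^ip http (secure-)?server$", "HTTP(S) server explicitly enabled"),
]
# sub-mode commands every 'line vty' block should carry
VTY_REQUIRED = [
    (r"^transport input ssh$", "transport input is not ssh-only"),
    (r"^access-class \S+ in$", "no IPv4 access-class"),
    (r"^ipv6 access-class \S+ in$", "no IPv6 access-class"),
    (r"^exec-timeout ", "no exec-timeout"),
]


def audit(text: str, min_len: int = 12) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    blocks = parse_ios(text)
    top = [cmd for cmd, _ in blocks]
    findings: List[str] = []

    for pattern, msg in REQUIRED:
        if not any(re.search(pattern, cmd) for cmd in top):
            findings.append(msg)
    for pattern, msg in FORBIDDEN:
        if any(re.search(pattern, cmd) for cmd in top):
            findings.append(msg)

    lengths = []
    for cmd in top:
        m = re.fullmatch(r"security passwords min-length (\d+)", cmd)
        if m:
            lengths.append(int(m.group(1)))
    if not lengths or lengths[-1] < min_len:
        findings.append(f"password min-length below {min_len}")

    for cmd, children in blocks:
        if not cmd.startswith("line vty"):
            continue
        for pattern, msg in VTY_REQUIRED:
            if not any(re.search(pattern, child) for child in children):
                findings.append(f"{cmd}: {msg}")
    return findings


# Constructed sample: the relevant lines of the template above
HARDENED = """\
hostname CCNP-LAB-R1a
enable secret 5 $1$FdCb$spI/lHO.AREaK4fFrcLuw0
service password-encryption
aaa new-model
security passwords min-length 12
ip ssh version 2
line vty 0 4
 access-class vty-access-v4 in
 exec-timeout 600 0
 ipv6 access-class vty-access-v6 in
 transport input ssh
no ip http server
no ip http secure-server
ntp access-group serve ntp-block
logging 192.168.120.10
"""

# Constructed sample of a device that was never hardened
WEAK = """\
hostname untouched-router
enable password cisco
ip http server
line vty 0 4
 transport input telnet ssh
 login local
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(cfg) or ["OK"])
```

Feed it the output of show running-config; every finding maps to one line of the template, so the list doubles as the to-do list for that device.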
Router Specific
Basic routing and layer 3 (sub-) interfaces, NAT with PAT, and bogon filtering:
!
! basic routing services enabling
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
! and just to be really sure
! ip classless for VLSM and CIDR
! no ip source-route since it is evil ;)
ip classless
no ip source-route
!
!
! DHCP with excluded addresses
! standard server options (network, gateway, dns)
! and a static entry based on a MAC address
ip dhcp excluded-address 192.168.10.1 192.168.10.9
!
ip dhcp pool VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.120.22
 domain-name weberlab.de
!
ip dhcp pool KNOPPIX
 host 192.168.10.10 255.255.255.0
 hardware-address 0021.70e9.bb47
!
!
! default routes
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.120.1
ipv6 route ::/0 GigabitEthernet0/0 2003:de:2016:120::1
!
!
! basic layer 3 interface
! unless you're an upstream subnet you must not send IPv6 RAs
! do not confuse all other IPv6 nodes, hence "suppress all"
interface GigabitEthernet0/0
 description This is a description
 ip address 192.168.120.25 255.255.255.0
 ipv6 address 2003:51:6012:120::25/64
 ipv6 nd ra suppress all
!
! basic subinterface
! (which sends RAs since they are not suppressed here)
interface GigabitEthernet0/1.10
 description VLAN 10 or whatever
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ipv6 address 2003:51:6012:122::1/64
!
! uRPF - Unicast Reverse Path Forwarding on a per-interface basis
! BE CAREFUL with this feature to not bite the hand that feeds you
! do not forget the "allow-default" on the interface that points to the default router
! otherwise use the second command
interface GigabitEthernet0/0
 ip verify unicast source reachable-via rx allow-default
 ! ip verify unicast source reachable-via rx
!
!
! a basic outgoing NAT with PAT looks like this
! ref: https://www.networkstraining.com/configuring-nat-on-cisco-routers/
ip access-list standard basic-nat
 permit 172.16.9.0 0.0.0.255
 permit 192.168.42.0 0.0.0.255
ip nat inside source list basic-nat interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
!
! forwarding a port from the outside to the inside is this
ip nat inside source static tcp 192.168.42.12 22 193.24.225.54 2222 extendable
!
!
! in case of an edge router you want to filter for bogons
! and for your own public IP space coming from the outside
! while allowing the rest ;)
! refer to https://en.wikipedia.org/wiki/Bogon_filtering
! or https://en.wikipedia.org/wiki/Reserved_IP_addresses
ipv6 access-list bogons-v6
 remark Teredo tunneling
 deny ipv6 2001::/32 any
 remark documentation prefix
 deny ipv6 2001:DB8::/32 any
 remark 6to4 tunneling deprecated
 deny ipv6 2002::/16 any
 remark 6bone deprecated
 deny ipv6 3FFE::/16 any
 remark ULA
 deny ipv6 FC00::/7 any
 remark our very own IPv6 space
 deny ipv6 2003:DE:2016::/48 any
 remark now permitting everything else
 permit ipv6 any any
!
ip access-list standard bogons-v4
 remark local
 deny 0.0.0.0 0.255.255.255
 remark RFC 1918
 deny 10.0.0.0 0.255.255.255
 remark shared space for CGN
 deny 100.64.0.0 0.63.255.255
 remark loopback
 deny 127.0.0.0 0.255.255.255
 remark APIPA
 deny 169.254.0.0 0.0.255.255
 remark RFC 1918
 deny 172.16.0.0 0.15.255.255
 remark IETF Protocol Assignments
 deny 192.0.0.0 0.0.0.255
 remark documentation TEST-NET-1
 deny 192.0.2.0 0.0.0.255
 remark RFC 1918
 deny 192.168.0.0 0.0.255.255
 remark benchmark testing something something
 deny 198.18.0.0 0.1.255.255
 remark documentation TEST-NET-2
 deny 198.51.100.0 0.0.0.255
 remark documentation TEST-NET-3
 deny 203.0.113.0 0.0.0.255
 remark multicast and future use
 deny 224.0.0.0 31.255.255.255
 remark our very own IPv4 space
 deny 185.23.77.0 0.0.0.255
 remark now permitting everything else
 permit any
!
interface GigabitEthernet0/0
 ipv6 traffic-filter bogons-v6 in
 ip access-group bogons-v4 in
!
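Standard IPv4 ACLs use wildcard masks, where a 1 bit means "don't care", which is the inverse of a subnet mask and the part people most often get wrong when they extend a bogon list. As an added example (my own code, not from the original post), this evaluator parses the bogons-v4 ACL above and shows which entry a given source address hits, including the implicit deny at the end; the test addresses are constructed.

```python
"""Evaluate a Cisco standard (wildcard-mask) IPv4 ACL against sample
source addresses, using the bogons-v4 list from the template as input.

Added example, not code from the original post: the parser and evaluator
are my own; the ACL text is the page's, the test addresses are constructed."""
import ipaddress
from typing import List, Tuple

# (action, network as int, wildcard mask as int, preceding remark)
Entry = Tuple[str, int, int, str]
ALL_ONES = 0xFFFFFFFF


def parse_standard_acl(text: str) -> List[Entry]:
    """Parse 'permit|deny <net> <wildcard>', 'host A', a bare address, or
    'any'. The 'remark' preceding an entry is kept as its label and a
    trailing 'log' keyword is ignored."""
    entries: List[Entry] = []
    remark = ""
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!") or parts[0] == "ip":
            continue  # comment or the 'ip access-list standard NAME' header
        if parts[0] == "remark":
            remark = " ".join(parts[1:])
            continue
        if parts[-1] == "log":
            parts = parts[:-1]
        action, args = parts[0], parts[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {raw!r}")
        if args == ["any"]:
            net, wild = 0, ALL_ONES
        elif args[0] == "host":
            net, wild = int(ipaddress.IPv4Address(args[1])), 0
        elif len(args) == 1:
            net, wild = int(ipaddress.IPv4Address(args[0])), 0
        else:
            net = int(ipaddress.IPv4Address(args[0]))
            wild = int(ipaddress.IPv4Address(args[1]))
        entries.append((action, net, wild, remark))
        remark = ""
    return entries


def matches(addr: str, net: int, wild: int) -> bool:
    """Cisco wildcard semantics: compare only the bits where the wildcard
    is 0; a 1 bit in the wildcard means 'do not care'."""
    care = ALL_ONES & ~wild
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(acl: List[Entry], addr: str) -> Tuple[str, str]:
    """First matching entry wins; an ACL ends with an implicit 'deny any'."""
    for action, net, wild, remark in acl:
        if matches(addr, net, wild):
            return action, remark
    return "deny", "implicit deny"


# The bogons-v4 ACL exactly as listed in the router template above
BOGONS_V4 = """\
ip access-list standard bogons-v4
 remark local
 deny 0.0.0.0 0.255.255.255
 remark RFC 1918
 deny 10.0.0.0 0.255.255.255
 remark shared space for CGN
 deny 100.64.0.0 0.63.255.255
 remark loopback
 deny 127.0.0.0 0.255.255.255
 remark APIPA
 deny 169.254.0.0 0.0.255.255
 remark RFC 1918
 deny 172.16.0.0 0.15.255.255
 remark IETF Protocol Assignments
 deny 192.0.0.0 0.0.0.255
 remark documentation TEST-NET-1
 deny 192.0.2.0 0.0.0.255
 remark RFC 1918
 deny 192.168.0.0 0.0.255.255
 remark benchmark testing something something
 deny 198.18.0.0 0.1.255.255
 remark documentation TEST-NET-2
 deny 198.51.100.0 0.0.0.255
 remark documentation TEST-NET-3
 deny 203.0.113.0 0.0.0.255
 remark multicast and future use
 deny 224.0.0.0 31.255.255.255
 remark our very own IPv4 space
 deny 185.23.77.0 0.0.0.255
 remark now permitting everything else
 permit any
"""
BOGONS = parse_standard_acl(BOGONS_V4)

if __name__ == "__main__":
    # constructed sample sources: two bogons, our own space, a real one
    for src in ("10.1.2.3", "100.100.0.1", "185.23.77.9", "8.8.8.8"):
        print(src, evaluate(BOGONS, src))
```

The same evaluator works for the vty and SNMP ACLs above, since they use only host entries and wildcard ranges; dropping the final permit any (BOGONS[:-1]) shows why a forgotten permit turns a filter into a blackhole.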
Switch Specific
Default gateway/routes, STP, VTP, and layer 2 interfaces (access and trunk):
!
! management (vlan) interface
vlan 120
 name Management-VLAN
interface Vlan120
 description This is the management VLAN interface
 ip address 192.168.120.5 255.255.255.0
 ipv6 address 2003:de:2016:120::e51a:22/64
!
! default routes
ip default-gateway 192.168.120.1
ipv6 route ::/0 2003:de:2016:120::1
!
!
! if you are using 3rd party SFPs ;)
service unsupported-transceiver
no errdisable detect cause gbic-invalid
!
!
! basic STP with Rapid PVST+
! loopguard against unidirectional link failures
! portfast with bpduguard for all access ports
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
!
! basic VTP settings
! if you are not using VTP then vtp mode transparent
! otherwise clear the configuration revision with a dummy domain
! and then use your real domain along with a password
vtp mode server
vtp version 2
vtp domain ThisIsADummy
vtp domain weberlab.de
vtp password ThisIsThePassword
!
!
! activating LLDP (in addition to CDP)
lldp run
! activating UDLD (for detecting half-patched fiber cables)
udld aggressive
!
!
! basic ACCESS ports with a dummy vlan and shutdown
! as well as port-security against MAC spoofing/flooding
! "switchport nonegotiate" disables DTP at all
vlan 3
 name dummy-access
interface range gi0/1-24
 description This port is not used yet
 switchport mode access
 switchport access vlan 3
 switchport port-security
 switchport nonegotiate
 shutdown
!
!
! basic TRUNK ports with a dummy native vlan
! without a "shutdown" here
! without "port-security" as well, since trunk ports will see the same MAC multiple times
! the mere "switchport" is only needed on L3 switches where the interface could be in L3 mode
! the "encapsulation dot1q" is not needed everywhere
! the "trunk allowed vlan" must be adjusted of course
! "switchport nonegotiate" disables DTP at all
vlan 2
 name dummy-trunk-native
interface range gi0/1-2
 description This is a trunk port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan { LIST | add LIST | all | except LIST | none | remove LIST }
 switchport mode trunk
 switchport nonegotiate
!
!
! if a port-security violation occurs, it shall recover itself after 60 seconds
errdisable recovery cause psecure-violation
errdisable recovery interval 60
!
Clear Config
To clear the complete config of a Cisco device you can use the following two commands to delete the startup-config as well as the vlan database (only if VTP is used):
write erase
delete flash:vlan.dat
Get Config
Just a rush of some basic show commands to get all the information out of a Cisco router/switch. (Of course, you could use “show tech-support”, but that is too much to my mind.) Note that not all commands will work on every switch or router, but never mind, it’s a good starting point:
!
terminal length 0
show version
show running-config full
show vlans
show ipv6 interface brief
show ip interface brief
show interfaces status
show cdp neighbors
show lldp neighbors
show ipv6 neighbors
show arp
show mac address-table
!
! a few more common network protocols, if used
show ipv6 route
show ip route
show ipv6 ospf neighbor
show ip ospf neighbor
show bgp all summary
show standby brief
show vrrp brief
!
SSH Ciphers
To reach an outdated Cisco device with an up-to-date OpenSSH client from Linux you must explicitly re-enable the outdated key exchange, host key and cipher algorithms it offers, such as:
ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-rsa -oCiphers=+aes256-cbc ccnp-lab-s4.weberlab.de
Otherwise you won’t be able to connect via SSH at all, as shown here (shell output from Ubuntu Linux):
weberjoh@jw-nb15-lx:~$ ssh ccnp-lab-s4
Unable to negotiate with 2003:51:6012:121::40 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
The error log on the Cisco device looks like this:
Mar 13 13:12:12.021: SSH2 0: kex algo not supported: client curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,di
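Both log lines are the two halves of one SSH algorithm negotiation (RFC 4253, section 7.1): each side sends its preference list and the first client algorithm the server also supports wins. As an added example (my own code, not from the original post), this models that negotiation and shows why the "+" form of the OpenSSH options is the right one: it appends the legacy algorithm to the client's list instead of replacing it, so the client still picks the strong algorithms against any modern device. The client list is an OpenSSH-style list I constructed; the legacy server list is the single offer quoted in the error plus the host key and cipher named in the ssh command above.

```python
"""Model SSH algorithm negotiation and the effect of OpenSSH's '+' option
syntax. Added example, not part of the original post; all algorithm lists
below are constructed for illustration."""
from typing import Dict, List, Optional

AlgoLists = Dict[str, List[str]]  # category -> preference-ordered names
OPTION_NAME = {"kex": "KexAlgorithms", "hostkey": "HostKeyAlgorithms", "cipher": "Ciphers"}


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1: the first algorithm in the client's list that the server
    also supports; None means 'no matching ... method found'."""
    server_set = set(server)
    return next((alg for alg in client if alg in server_set), None)


def needed_options(client: AlgoLists, server: AlgoLists) -> List[str]:
    """For every category that fails to negotiate, return the ssh -o option
    that appends the server's preferred algorithm to the client's list."""
    opts = []
    for cat, name in OPTION_NAME.items():
        if negotiate(client[cat], server[cat]) is None:
            opts.append(f"-o{name}=+{server[cat][0]}")
    return opts


def apply_options(client: AlgoLists, opts: List[str]) -> AlgoLists:
    """Model the '+' syntax: append the algorithm at the END of the existing
    list, so the client's stronger preferences stay in front."""
    name_to_cat = {v: k for k, v in OPTION_NAME.items()}
    result = {cat: list(algs) for cat, algs in client.items()}
    for opt in opts:
        name, value = opt[2:].split("=", 1)  # strip the leading "-o"
        if not value.startswith("+"):
            raise ValueError("only the append form '+alg' is modelled")
        result[name_to_cat[name]].append(value[1:])
    return result


# Constructed: a modern OpenSSH client's defaults, abbreviated
CLIENT: AlgoLists = {
    "kex": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"],
}
# Constructed from the error above: the old switch offers only legacy algorithms
LEGACY_SERVER: AlgoLists = {
    "kex": ["diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa"],
    "cipher": ["aes256-cbc", "aes128-cbc", "3des-cbc"],
}
# Constructed: a current device that shares the client's strong algorithms
MODERN_SERVER: AlgoLists = {
    "kex": ["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha256"],
    "hostkey": ["ssh-ed25519"],
    "cipher": ["aes256-ctr"],
}

if __name__ == "__main__":
    opts = needed_options(CLIENT, LEGACY_SERVER)
    print("ssh " + " ".join(opts) + " ccnp-lab-s4")
    patched = apply_options(CLIENT, opts)
    print("legacy box now gets:", negotiate(patched["kex"], LEGACY_SERVER["kex"]))
    print("modern box still gets:", negotiate(patched["kex"], MODERN_SERVER["kex"]))
```

The last two lines are the point: with the appended list the old switch negotiates diffie-hellman-group1-sha1, while a modern device still ends up on curve25519, which is why the "+" belongs in a per-host stanza and not in a global ssh_config default.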
Featured image: “Wiese…” by Fotos_von_Carlos is licensed under CC BY-NC-ND 2.0.
Great overview, thanks. Generally we use the same config and only a few settings vary. Additionally we use these settings:
no service dhcp
logging buffered 50000
no logging console
ip ssh logging events
ip ssh dh min size 2048
Hi Tobi.
Thanks for your hints. I have added three of them (2,4,5) to the list. Thx!