Hello and thanks for visiting my Cisco configuration guide and command reference. All of this information can be found on Cisco's website, but it is extremely scattered. This guide will walk you through a number of simple to advanced Cisco device configurations. All basic configurations are Internet/network ready.
Please note that some of the commands and configurations are feature-set dependent; for example, the security feature set is required to configure a firewall on an IOS router. If you cannot find what you are looking for, visit the Contact Me section of my blog to send me a message or request.
Quick Links
| Router Commands | Catalyst Commands | Aironet Commands | ASA Commands |
| Basic Configuration | Basic Configuration | Basic Configuration | Basic Configuration |
| Remote Access IPSec VPN | Spanning Tree | Multiple SSIDs | Remote Access IPSec VPN |
| NAT / PAT / ACLs | Configuring VTP | NAT / PAT / ACLs | |
| WAN Failover | PAgP / LACP | WAN Failover | |
| IOS Routing | IOS Site to Site VPN | ASA Routing | ASA Site to Site VPN |
| EIGRP | IPSec VPN | EIGRP | IPSec VPN |
| OSPF | GRE VPN | OSPF | |
| BGP | DMVPN | | |
Router Commands - Basic Configuration
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ROUTER
logging rate-limit console all 10 except critical
enable secret 5 <removed for security purposes>
aaa new-model
aaa session-id common
clock timezone est -5
clock summer-time est recurring
no ip source-route
ip dhcp pool 10.10.10.0
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
domain-name domain.local
dns-server 10.10.10.1
lease 0 8
exit
ip dhcp excluded-address 10.10.10.1 10.10.10.50
ip cef
no ipv6 cef
ip domain name domain.local
ip dns server
ip name-server <removed for security purposes>
ip name-server <removed for security purposes>
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall ftp
ip inspect name firewall dns
ip inspect name firewall time
ip inspect name firewall timed
ip inspect name firewall smtp
username admin privilege 15 secret 5 <removed for security purposes>
crypto key generate rsa usage-keys label sshkey
ip ssh rsa keypair-name sshkey
ip ssh version 2
interface GigabitEthernet0/0
description outside
ip address <WAN IP>
ip access-group 100 in
ip nat outside
ip inspect firewall out
ip virtual-reassembly
duplex auto
speed auto
exit
interface GigabitEthernet0/1
description inside
encapsulation dot1q 1 native
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
exit
no ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle <number of seconds> life <number of seconds> requests <max number of request>
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
access-list 1 permit 10.10.10.0 0.0.0.255 log
access-list 1 deny any log
access-list 100 permit icmp any any echo-reply
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any any established
access-list 100 deny ip any any
banner login ^
WARNING, unauthorised access to this device or network is prohibited.
^
banner exec ^
Please make changes carefully and test the running config BEFORE writing to the startup config.
^
line con 0
session-timeout 15
logging synchronous
no modem enable
transport preferred none
exit
line vty 0 4
session-timeout 15
access-class 1 in
logging synchronous
transport preferred none
transport input ssh
exit
line vty 5 15
session-timeout 15
access-class 1 in
logging synchronous
transport preferred none
transport input ssh
exit
ntp master 1
ntp update-calendar
ntp server <removed for security purposes>
exit
copy run start
Catalyst Commands - Basic Configuration
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname SWITCH
logging rate-limit console all 10 except critical
enable secret 4 <removed for security purposes>
username admin privilege 15 secret 4 <removed for security purposes>
aaa new-model
aaa session-id common
clock timezone est -5 0
clock summer-time est recurring
system mtu routing 1500
no ip domain-lookup
ip domain-name domain.local
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
crypto key generate rsa usage-keys label sshkey
ip ssh rsa keypair-name sshkey
ip ssh version 2
interface range gigabitEthernet 0/1 - 46
switchport access vlan 1
switchport mode access
interface GigabitEthernet0/47
switchport mode trunk
interface GigabitEthernet0/48
switchport mode trunk
interface Vlan1
description Default vlan inside
ip address 10.10.10.2 255.255.255.0
no ip route-cache
ip default-gateway 10.10.10.1
no ip http server
ip http secure-server
access-list 1 permit 10.10.10.0 0.0.0.255
banner login ^
WARNING, unauthorised access to this device or network is prohibited.
^
banner exec ^
Please make changes carefully and test the running config BEFORE writing to the startup config.
^
line con 0
session-timeout 15
logging synchronous
transport preferred none
exit
line vty 0 4
session-timeout 15
access-class 1 in
logging synchronous
transport preferred none
transport input ssh
exit
line vty 5 15
session-timeout 15
access-class 1 in
logging synchronous
transport input ssh
exit
ntp peer 10.10.10.1
exit
copy run start
Aironet Commands - Basic Configuration
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ACCESSPOINT
logging rate-limit console all 10 except critical
enable secret 5 <removed for security purposes>
aaa new-model
aaa session-id common
clock timezone est -5
clock summer-time est recurring
ip domain name domain.local
dot11 syslog
dot11 ssid WIFISSID
vlan 1
authentication open
guest-mode
exit
username admin privilege 15 secret 5 <removed for security purposes>
crypto key generate rsa usage-keys label sshkey
ip ssh rsa keypair-name sshkey
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 1 key 1 size 128 <removed for security purposes> transmit-key
encryption vlan 1 mode wep mandatory
ssid WIFISSID
no shut
exit
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.10.10.3 255.255.255.0
no ip route-cache
ip default-gateway 10.10.10.1
no ip http server
ip http secure-server
access-list 1 permit 10.10.10.0 0.0.0.255
bridge 1 route ip
banner login ^
WARNING, unauthorised access to this device or network is prohibited.
^
banner exec ^
Please make changes carefully and test the running config BEFORE writing to the startup config.
^
line con 0
session-timeout 15
logging synchronous
transport preferred none
exit
line vty 0 4
session-timeout 15
access-class 1 in
logging synchronous
transport preferred none
transport input ssh
exit
line vty 5 15
session-timeout 15
access-class 1 in
logging synchronous
transport preferred none
transport input ssh
exit
sntp server 10.10.10.1
exit
copy run start
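Added example, not part of the original guide: the same WIFISSID with the WEP lines above replaced by WPA2-PSK using AES-CCMP, which is what current Aironet IOS releases (those that accept the `version 2` keyword) should run instead of WEP. The pre-shared key is a placeholder.

```text
dot11 ssid WIFISSID
vlan 1
authentication open
authentication key-management wpa version 2
wpa-psk ascii 0 <placeholder pre-shared key, 8-63 characters>
guest-mode
exit
interface Dot11Radio0
no encryption vlan 1 key 1
no encryption vlan 1 mode wep mandatory
encryption vlan 1 mode ciphers aes-ccm
ssid WIFISSID
exit
```

Apply the `no encryption` lines only when converting an AP that already carries the WEP configuration; on a fresh AP the `encryption vlan 1 mode ciphers aes-ccm` line alone is sufficient.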
ASA Commands - Basic Configuration
hostname CISCOASA
domain-name domain.local
enable password <removed for security purposes>
passwd <removed for security purposes>
username admin password <removed for security purposes> privilege 15
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
exit
interface Vlan2
nameif outside
security-level 0
ip address <WAN IP>
exit
interface Ethernet0/0
switchport access vlan 2
exit
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
exit
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside <removed for security purposes> 1
http server enable
http 10.10.10.0 255.255.255.0 inside
crypto key generate rsa
ssh 10.10.10.0 255.255.255.0 inside
ssh version 2
ssh timeout 5
dhcpd address 10.10.10.50-10.10.10.254 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
exit
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
exit
exit
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
exit
write mem