
Cisco IOS Basic Configuration: Interfaces, Sub-interfaces, DHCP, CDP, and Banners

Part of pathway: Full Guide for All IOS Commands

Basic Configuration Is Where Every Cisco Engagement Starts

The day you walk into a new role, the first commands you type on every router are some combination of hostname, interface ... ip address ... no shutdown, banner motd, and service password-encryption. Before any routing protocol, before any ACL, before any VPN, the device needs basic configuration that makes it operable, identifiable, and minimally reachable.

This article covers the workhorse Cisco IOS configuration commands: interfaces (regular and sub-interfaces), DHCP server, CDP, banners, hostnames, and the cleanup commands that should be in every router’s baseline.

Hostname and Domain

Router(config)# hostname R1-EDGE
R1-EDGE(config)# ip domain-name corp.local
R1-EDGE(config)# no ip domain-lookup

no ip domain-lookup is non-obvious but life-changing. By default, when you mistype a command, the router treats it as a hostname and tries to resolve it through DNS. With no DNS server configured, that means a 20-second timeout you can’t cancel. Always disable it on lab and most production routers; you can re-enable it for specific use cases.

Interfaces — Physical, Loopback, Sub-interface, Null

Physical Layer 3 interface

R1(config)# interface GigabitEthernet0/1
R1(config-if)# description Uplink to core
R1(config-if)# ip address 10.1.1.1 255.255.255.0
R1(config-if)# no shutdown

Always set a description. The day someone else has to figure out what each interface does, the description is the difference between a 5-minute investigation and a 30-minute one.

Sub-interfaces (router on a stick)

One physical interface trunked to a switch can carry multiple VLANs by creating sub-interfaces:

R1(config)# interface GigabitEthernet0/0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface GigabitEthernet0/0.10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip address 10.10.0.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface GigabitEthernet0/0.20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip address 10.20.0.1 255.255.255.0

The physical interface stays unconfigured at L3 (no IP). The sub-interface number doesn’t have to match the VLAN tag, but matching makes the config readable. Use the native keyword to mark the sub-interface that carries the untagged (native) VLAN:

R1(config-subif)# encapsulation dot1Q 1 native
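
The layout rules above can be checked mechanically over a saved config. This is an added example, not part of the original article: a Python lint that flags a VLAN tag that differs from the sub-interface number, a parent interface that has an IP address or is shut down, and more than one native sub-interface per parent. The sample config is constructed and the function name is illustrative.

```python
import re

# Constructed sample: the article's router-on-a-stick layout with three deviations.
SAMPLE = """\
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 30
 ip address 10.20.0.1 255.255.255.0
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
!
interface GigabitEthernet0/0.99
 encapsulation dot1Q 99 native
!
"""

def lint_subinterfaces(cfg):
    """Return deviations from the sub-interface layout the article describes."""
    stanzas = dict(re.findall(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", cfg, re.M))
    findings, natives = [], {}  # natives: parent name -> native VLAN ids seen
    for name, body in stanzas.items():
        if "." not in name:
            continue
        parent, unit = name.rsplit(".", 1)
        natives.setdefault(parent, [])
        enc = re.search(r"^\s+encapsulation dot1Q (\d+)( native)?", body, re.M)
        if not enc:
            findings.append(f"{name}: no encapsulation dot1Q line")
        elif enc.group(1) != unit:
            findings.append(f"{name}: VLAN tag {enc.group(1)} differs from sub-interface number")
        if enc and enc.group(2):
            natives[parent].append(enc.group(1))
    for parent, vlans in natives.items():
        body = stanzas.get(parent, "")
        if re.search(r"^\s+ip address ", body, re.M):
            findings.append(f"{parent}: physical interface has an IP address")
        if re.search(r"^\s+shutdown\b", body, re.M):
            findings.append(f"{parent}: physical interface is shut down")
        if len(vlans) > 1:
            findings.append(f"{parent}: more than one native VLAN ({', '.join(vlans)})")
    return findings
```

The native VLAN the lint reports for the router side is the value to compare against the switch trunk's native VLAN.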

Loopback interfaces

Loopbacks are virtual interfaces that stay up unless explicitly shut down. They are used for management addresses, BGP peering, and OSPF/EIGRP router-id sourcing.

R1(config)# interface Loopback0
R1(config-if)# ip address 10.255.0.1 255.255.255.255

Convention: /32 for management/router-id loopbacks, with a structured numbering scheme (10.255.0.X per device).

Null0 interface

The bit bucket. Packets that match a route pointing at Null0 are silently dropped. Used to advertise a summary route into a routing protocol while the component networks don’t actually exist on this router yet:

R1(config)# ip route 192.168.0.0 255.255.0.0 Null0

Setting clock rate (DCE end of serial)

R1(config-if)# clock rate 64000

Required on the DCE end of a back-to-back serial cable in lab environments. Real-world serial WAN deployments use a CSU/DSU which provides clocking automatically.

Bandwidth (informational, but routing protocols use it)

R1(config-if)# bandwidth 1544

Set to the actual link speed in Kbps. Routing protocols like EIGRP and OSPF use this for their cost calculations — if it’s wrong, your metrics are wrong.

DHCP Server on the Router

Small offices often have the local router as the DHCP server for the LAN. Cisco IOS makes this trivial:

! Exclude addresses you don’t want assigned (servers, gateway, etc.)
R1(config)# ip dhcp excluded-address 10.10.0.1 10.10.0.10

! The pool itself
R1(config)# ip dhcp pool LAN-VLAN10
R1(config-dhcp)# network 10.10.0.0 255.255.255.0
R1(config-dhcp)# default-router 10.10.0.1
R1(config-dhcp)# dns-server 1.1.1.1 8.8.8.8
R1(config-dhcp)# domain-name corp.local
R1(config-dhcp)# lease 7

Verifying:

R1# show ip dhcp binding
R1# show ip dhcp pool
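
A pool whose gateway is not covered by an excluded-address range can lease that address to a client. This is an added example, not part of the original article: a Python check over saved config text that reports every pool whose default-router falls inside the pool network but outside all excluded ranges. The sample config is constructed and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: the article's VLAN 10 pool with its exclusion left out,
# plus a second pool whose gateway is excluded correctly.
SAMPLE = """\
ip dhcp excluded-address 10.20.0.1 10.20.0.10
!
ip dhcp pool LAN-VLAN10
 network 10.10.0.0 255.255.255.0
 default-router 10.10.0.1
 dns-server 1.1.1.1 8.8.8.8
!
ip dhcp pool LAN-VLAN20
 network 10.20.0.0 255.255.255.0
 default-router 10.20.0.1
!
"""

def excluded_ranges(cfg):
    """Return (low, high) address pairs from 'ip dhcp excluded-address' lines."""
    ranges = []
    for m in re.finditer(r"^ip dhcp excluded-address (\S+)(?: (\S+))?[ \t]*$", cfg, re.M):
        low = ipaddress.ip_address(m.group(1))
        high = ipaddress.ip_address(m.group(2) or m.group(1))  # single-address form
        ranges.append((low, high))
    return ranges

def unprotected_gateways(cfg):
    """Return (pool, gateway) pairs where the pool could lease out its own gateway."""
    ranges = excluded_ranges(cfg)
    findings = []
    for pool, body in re.findall(r"^ip dhcp pool (\S+)\n((?:[ \t]+.*\n?)*)", cfg, re.M):
        net = re.search(r"^\s+network (\S+) (\S+)", body, re.M)
        gws = re.search(r"^\s+default-router (.+)$", body, re.M)
        if not net or not gws:
            continue
        # The network line may carry a dotted mask or a /prefix length
        network = ipaddress.ip_network(f"{net.group(1)}/{net.group(2).lstrip('/')}")
        for gw in map(ipaddress.ip_address, gws.group(1).split()):
            if gw in network and not any(lo <= gw <= hi for lo, hi in ranges):
                findings.append((pool, str(gw)))
    return findings

if __name__ == "__main__":
    for pool, gw in unprotected_gateways(SAMPLE):
        print(f"pool {pool}: default-router {gw} is not in any excluded range")
```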

DHCP Relay (when the server is elsewhere)

If the DHCP server is on a different subnet (often a Windows DHCP server), the router needs to relay broadcasts:

R1(config)# interface GigabitEthernet0/0.10
R1(config-subif)# ip helper-address 10.1.1.50

ip helper-address forwards DHCP DISCOVER (and several other UDP broadcasts — TFTP, NetBIOS, etc.) as unicast to the helper. To restrict to DHCP only:

R1(config)# no ip forward-protocol udp tftp
R1(config)# no ip forward-protocol udp nameserver
! ... etc, leave only bootps

CDP — Cisco Discovery Protocol

CDP runs by default and lets Cisco devices learn about each other at L2. Useful for documentation; potential information leak in some environments.

! Globally disable / enable
R1(config)# no cdp run
R1(config)# cdp run

! Per-interface (e.g., disable on Internet-facing)
R1(config-if)# no cdp enable

! View neighbors
R1# show cdp neighbors
R1# show cdp neighbors detail

show cdp neighbors detail reveals the neighbor’s IP address, IOS version, and platform — gold for inventorying an unfamiliar network. Disable CDP on Internet-facing interfaces; you don’t want that information leaking outside.

Banners

Set legal/security banners on every router. Three banner contexts:

R1(config)# banner motd #
        ! ! !  AUTHORIZED USE ONLY  ! ! !
This system is the property of Corp Inc. Unauthorized access
is prohibited. All sessions are logged.
#

R1(config)# banner login #
Login required. All access logged.
#

R1(config)# banner exec #
Welcome to R1. Be careful in here.
#

The # is the delimiter — type any character, then end with the same character. banner motd shows pre-login; banner login shows after MOTD before username; banner exec shows after successful login.

Setting the Clock

Set the clock manually for ad-hoc lab work; use NTP in production.

R1# clock set 14:30:00 6 May 2026
R1(config)# clock timezone EST -5
R1(config)# clock summer-time EDT recurring

HTTP Server (turn it off)

The IOS HTTP server is on by default in some images. Unless you actively use the web UI, disable it:

R1(config)# no ip http server
R1(config)# no ip http secure-server

Common Pitfalls

  • Forgetting no shutdown. Cisco interfaces ship administratively down. Configure the IP, but the interface stays down until you bring it up.
  • Native VLAN mismatch on trunks. If the switch trunk has native VLAN 1 and your router sub-interface uses native VLAN 99, each side sends a different VLAN untagged, so untagged frames land in the wrong VLAN at the other end. Spanning tree gets weird and traffic blackholes.
  • Wrong bandwidth statement. Routing protocols compute metrics from the bandwidth statement. If the statement says 1.544 Mbps but the link is actually 100 Mbps, OSPF cost is way off.
  • DHCP excluded-address forgotten. Without it, the router will hand out 10.10.0.1 (the gateway itself) to a client. The first DHCP issue is always “duplicate IP” on the gateway.
  • CDP on the WAN. CDP packets contain version, model, IPs — everything an attacker needs. no cdp enable on every Internet-facing interface.
  • ip domain-lookup still on. First mistype hangs your console for 20 seconds while the router tries DNS. Always include no ip domain-lookup in the baseline template.

The Baseline Template

Every new Cisco router I configure starts from this template:

hostname R1-EDGE
no ip domain-lookup
ip domain-name corp.local
service password-encryption
no ip http server
no ip http secure-server
banner motd #
  AUTHORIZED USE ONLY
#
clock timezone EST -5
clock summer-time EDT recurring
ntp server 0.pool.ntp.org
logging buffered 32768 informational
service timestamps log datetime msec
service timestamps debug datetime msec

Then interfaces, DHCP, routing — in that order. Skipping the baseline because “I’ll come back to it later” is the easiest way to forget banner/timestamps/timezone, and those are the items most likely to bite during a 3 AM troubleshoot.
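
The baseline template and the CDP pitfall above can be turned into a repeatable check. This is an added example, not part of the original article: a Python audit that reports which global baseline lines are absent from a saved config and which externally facing interfaces still run CDP. It only looks for explicit lines in the text it is given; the sample config is constructed, and the list of external interface names is an assumption supplied by the caller.

```python
import re

# Global lines of the article's baseline template, as patterns over config text.
BASELINE = {
    "no ip domain-lookup": r"^no ip domain[- ]lookup\b",  # hyphen or space form
    "service password-encryption": r"^service password-encryption\b",
    "no ip http server": r"^no ip http server\b",
    "no ip http secure-server": r"^no ip http secure-server\b",
    "banner motd": r"^banner motd ",
    "ntp server": r"^ntp server \S+",
    "logging buffered": r"^logging buffered\b",
    "service timestamps log": r"^service timestamps log datetime\b",
    "service timestamps debug": r"^service timestamps debug datetime\b",
}

# Constructed sample: the template minus one line, plus two uplink stanzas.
SAMPLE = """\
no ip domain-lookup
service password-encryption
no ip http server
banner motd #
  AUTHORIZED USE ONLY
#
ntp server 0.pool.ntp.org
logging buffered 32768 informational
service timestamps log datetime msec
service timestamps debug datetime msec
!
interface GigabitEthernet0/1
 description Internet uplink
!
interface GigabitEthernet0/2
 description Second uplink
 no cdp enable
!
"""

def audit(cfg, external_ifaces):
    """Return missing baseline lines, then external interfaces still running CDP."""
    findings = [f"missing: {name}" for name, rx in BASELINE.items()
                if not re.search(rx, cfg, re.M)]
    if not re.search(r"^no cdp run\b", cfg, re.M):  # global disable covers every port
        for ifname, body in re.findall(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", cfg, re.M):
            if ifname in external_ifaces and not re.search(r"^\s+no cdp enable\b", body, re.M):
                findings.append(f"cdp enabled on external interface: {ifname}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, {"GigabitEthernet0/1", "GigabitEthernet0/2"})))
```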
