Router configuration implements the Layer 3 routing decisions that move traffic between networks. CompTIA Network+ N10-009 tests router configuration in the Network Implementation domain — static routes, dynamic routing protocol configuration, inter-VLAN routing, and router security hardening. A misconfigured router creates black holes, routing loops, or security vulnerabilities that affect the entire network.
Static routes: manually configured routes — 'ip route 192.168.2.0 255.255.255.0 10.0.0.2' on a Cisco router (destination network, mask, next-hop IP). Advantages: predictable, no overhead, no convergence time. Disadvantages: no failover (if the next-hop is down, traffic is dropped), manual updates required when topology changes. Default static route: 'ip route 0.0.0.0 0.0.0.0 [next-hop]' — matches any destination not in the routing table, used for internet access.
Dynamic routing protocols: OSPF, EIGRP, RIP, BGP. Configuration involves enabling the protocol, defining which networks to advertise, and setting parameters. OSPF: 'router ospf 1' → 'network 10.0.0.0 0.0.0.255 area 0' — enables OSPF on every interface whose address falls in 10.0.0.0/24 (0.0.0.255 is a wildcard mask) and advertises those networks into OSPF area 0. Administrative distance (AD): the router's trust level for routes from different sources (lower is more trusted) — directly connected = 0, static = 1, OSPF = 110, RIP = 120, external BGP = 20.
Routing table: the router selects the best route using: longest prefix match first (most specific route wins — /28 beats /24 beats default route), then lowest AD, then lowest metric. Always verify routes with 'show ip route' — understand each entry: C (connected), S (static), O (OSPF), R (RIP), B (BGP).
Route redistribution: importing routes from one routing protocol into another. Requires careful configuration to avoid routing loops and metric translation issues. Redistribution points are where different routing domains meet.
Router-on-a-stick: one physical router interface, multiple sub-interfaces — each sub-interface carries a VLAN using 802.1Q encapsulation. 'interface GigabitEthernet0/0.10' → 'encapsulation dot1q 10' → 'ip address 192.168.10.1 255.255.255.0'. The connected switch port must be configured as a trunk. One physical connection between router and switch handles all VLANs. Bandwidth bottleneck for inter-VLAN traffic at high volume.
Layer 3 switch (SVI — Switched Virtual Interface): the modern, high-performance approach to inter-VLAN routing. Create an SVI for each VLAN: 'interface Vlan10' → 'ip address 192.168.10.1 255.255.255.0' → 'no shutdown'. Enable IP routing: 'ip routing'. Layer 3 switches route in hardware (ASIC) — much faster than router-on-a-stick. Best practice for data center and campus inter-VLAN routing.
DHCP helper address: when a router provides inter-VLAN routing and subnets have remote DHCP servers, configure IP helper to forward DHCP broadcasts as unicast: 'ip helper-address [DHCP server IP]' on each Layer 3 interface/SVI that serves a subnet with DHCP clients.
Console and VTY access: routers have a console port (direct serial connection), AUX port (modem access), and VTY lines (virtual terminals — SSH/Telnet). Always configure SSH instead of Telnet: 'transport input ssh' on VTY lines. Set 'enable secret' (MD5 hashed), not 'enable password' (cleartext). Configure a login banner: 'banner motd' — legal requirement in many organizations.
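A small audit of the three access settings named above (SSH-only VTY lines, enable secret instead of enable password, a MOTD banner), run against saved configuration text. This is an added example, not part of the original guide; the function name and both sample configs are constructed for illustration.

```python
import re

def audit_access(config):
    """Check an IOS-style config for the access settings named above; return findings."""
    lines = config.splitlines()
    has = lambda pat: any(re.match(pat, l) for l in lines)
    findings = []
    if has(r"enable password\b"):
        findings.append("enable password present (cleartext); use enable secret")
    if not has(r"enable secret\b"):
        findings.append("enable secret not set")
    if not has(r"banner motd\b"):
        findings.append("no banner motd configured")
    # Indented lines belong to the most recent unindented 'line vty' header.
    vty, current = {}, None
    for l in lines:
        if not l.startswith(" "):
            current = l.strip() if l.startswith("line vty") else None
            if current:
                vty[current] = None
        elif current:
            m = re.match(r"\s+transport input (.+)", l)
            if m:
                vty[current] = m.group(1).split()
    for header, protos in vty.items():
        if protos != ["ssh"]:
            seen = " ".join(protos) if protos else "not explicitly set"
            findings.append(f"{header}: transport input {seen}; expected ssh only")
    return findings

# Constructed sample configs (not from a real device).
WEAK = """hostname R1
enable password example-only
line vty 0 4
 transport input telnet ssh
 login
line vty 5 15
 login
"""
HARDENED = """hostname R1
enable secret 5 HASH-PLACEHOLDER
banner motd ^CAuthorized access only^C
line vty 0 4
 transport input ssh
 login local
"""
```

Every VTY range is checked separately, so a hardened 'line vty 0 4' does not hide an untouched 'line vty 5 15'.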
AAA (Authentication, Authorization, Accounting): centralizes access control. Configure routers to authenticate admin access via RADIUS or TACACS+ server: RADIUS encrypts only the password; TACACS+ encrypts the entire packet and separates authentication, authorization, and accounting. TACACS+ is preferred for device administration; RADIUS for network access (VPN, 802.1X).
Control Plane Policing (CoPP): limits traffic destined for the router's CPU. Without CoPP, a flood of routing protocol packets or management traffic can overwhelm the CPU. CoPP uses QoS policy maps to rate-limit different traffic types to the control plane.
ACLs on router interfaces: standard ACLs (match source IP only) — place as close to destination as possible. Extended ACLs (match source, destination, port, protocol) — place as close to source as possible. 'ip access-group ACL-NAME in|out' applies ACL to an interface. Implicit deny at end of every ACL — always verify what is permitted before applying.
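To verify what an ACL permits before applying it, the sketch below evaluates an extended ACL the way the paragraph describes: entries are read top-down, the first match wins, and anything unmatched hits the implicit deny. It is an added example, not from the original guide; the tuple layout, function names and sample entries are constructed for illustration.

```python
import ipaddress

def matches(addr, spec):
    """spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (address and wildcard mask)."""
    if spec == "any":
        return True
    parts = spec.split()
    base, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0  # wildcard bits set to 1 are ignored

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, entry number); entry None means the implicit deny was hit."""
    for number, (action, e_proto, e_src, e_dst, e_port) in enumerate(acl, 1):
        if e_proto != "ip" and e_proto != proto:
            continue
        if e_port is not None and e_port != dport:
            continue
        if matches(src, e_src) and matches(dst, e_dst):
            return action, number  # first match wins, later entries are never read
    return "deny", None  # implicit deny at the end of every ACL

# Constructed extended ACL: (action, protocol, source, destination, destination port).
ACL = [
    ("permit", "tcp", "192.168.10.0 0.0.0.255", "host 10.0.0.10", 443),
    ("deny", "ip", "192.168.10.0 0.0.0.255", "10.0.0.0 0.0.0.255", None),
]
# Same ACL with an explicit final permit, so only the listed traffic is denied.
ACL_WITH_PERMIT = ACL + [("permit", "ip", "any", "any", None)]
```

With ACL alone, a DNS query from 192.168.10.5 to an outside resolver matches neither entry and is dropped by the implicit deny; ACL_WITH_PERMIT lets it through while still blocking the rest of 10.0.0.0/24.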
Common misconception: the router always chooses the route with the lowest metric.
Route selection has three steps in order: 1) longest prefix match (most specific wins), 2) lowest administrative distance (most trusted source), 3) lowest metric (within same protocol). A /28 static route will ALWAYS beat a /24 OSPF route to the same destination regardless of metric, because the /28 is more specific. Metric is only compared between routes from the same routing protocol.
These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.
A router's routing table contains: OSPF route to 10.0.0.0/8 (metric 20), static route to 10.1.1.0/24 (AD=1), and EIGRP route to 10.1.0.0/16 (metric 100). A packet arrives destined for 10.1.1.50. Which route is used?
Explanation: Longest prefix match wins first: 10.1.1.0/24 (/24) is more specific than 10.1.0.0/16 (/16) which is more specific than 10.0.0.0/8 (/8). The /24 static route matches 10.1.1.50 more specifically than either the /16 or /8 routes. After longest prefix match, AD and metric are only tiebreakers when multiple routes exist with the same prefix length. The /24 static route is used.
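The selection order from the routing table section and the question above, worked through in code. This is an added example, not part of the original guide: the EIGRP distance of 90 is the Cisco default for internal EIGRP and is not listed on this page, and the second /16 route and the default route are constructed to exercise the AD tiebreak and the fallback.

```python
import ipaddress
from dataclasses import dataclass

# ADs quoted on this page, plus internal EIGRP = 90 (Cisco default, assumption added here).
DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110, "rip": 120}

@dataclass(frozen=True)
class Route:
    prefix: str
    source: str
    metric: int = 0

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)

    @property
    def ad(self):
        return DEFAULT_AD[self.source]

def install(candidates):
    """Per identical prefix, keep the lowest AD, then the lowest metric."""
    table = {}
    for r in candidates:
        best = table.get(r.network)
        if best is None or (r.ad, r.metric) < (best.ad, best.metric):
            table[r.network] = r
    return table

def lookup(table, destination):
    """Forwarding decision: longest prefix match over the installed routes."""
    dst = ipaddress.ip_address(destination)
    hits = [r for net, r in table.items() if dst in net]
    if not hits:
        return None  # no matching route and no default: the packet is dropped
    return max(hits, key=lambda r: r.network.prefixlen)

# Constructed table: the three routes from the question plus two added routes.
CANDIDATES = [
    Route("10.0.0.0/8", "ospf", 20),
    Route("10.1.1.0/24", "static"),
    Route("10.1.0.0/16", "eigrp", 100),
    Route("10.1.0.0/16", "ospf", 5),  # same prefix: loses on AD despite the lower metric
    Route("0.0.0.0/0", "static"),     # default route
]
TABLE = install(CANDIDATES)
```

AD and metric only decide between candidates for the same prefix, so they are applied when the table is built; the per-packet lookup is then purely longest prefix match, which gives the same result as the three-step order.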
Both are AAA protocols, but they differ in design: RADIUS encrypts only the password in authentication packets; TACACS+ encrypts the entire packet body — more secure. RADIUS combines authentication and authorization; TACACS+ separates them into three distinct functions (Authentication, Authorization, Accounting) — more flexible for granular command authorization. RADIUS is better for network access (VPN clients, 802.1X); TACACS+ is better for device administration (controlling which CLI commands each admin can run). Cisco devices support both; many organizations use TACACS+ for routers/switches and RADIUS for VPN/wireless.