TERMINAL / SSH config
S1(config)# line console 0 Configure console access
S1(config-line)# password cisco Only possible through console connection
S1(config-line)# login Require authentication, enables connectivity
S1(config)# line vty 0 15 VTY config is for Telnet (0 15 – all possible lines)
S1(config-line)# password cisco If VTY pass is not set, Telnet is not possible
S1(config-line)# login
S1(config-line)# logging synchronous Stop CLI messages from interrupting commands
SECURITY SETTINGS
R1(config)# security passwords min-length 10 Set all passwords minimum length
R1(config)# login block-for secs attempts 3 within secs BEFORE any login command!
S1(config-line)# exec-timeout mins secs Priv EXEC idle timeout, 0 0 = infinite
S1(config-line)# timeout login response 15 Logging in timeout, in seconds
SSH CONFIG
S1# show ip ssh Check if switch supports SSH
S1(config)# ip domain-name cisco.com Domain name has to be unique(?)
S1(config)# crypto key generate rsa Enables SSH, recommended modulus length: 1024 bits
S1(config)# crypto key generate rsa general-keys modulus 1024 Same as above, params specified
S1(config)# username admin privilege 15 {password | secret} ccna User for local authentication
S1(config)# line vty 0 15
S1(config-line)# transport input ssh Restrict transmission to SSH only
S1(config-line)# login local Enable local authentication (local users DB)
S1(config-line)# exit
S1(config)# ip ssh time-out 75 Auth time-out 75 seconds
S1(config)# ip ssh authentication-retries 2 Auth retries 2
S1(config)# ip ssh version 2 Enable SSH2 (not always by default, 1 is insecure)
R1(config)# crypto key zeroize rsa Remove keys and disable SSH server
R1(config)# crypto key generate rsa label label Create keys without domain, use label
INTERFACE config
S1(config-if)# mdix auto Auto-negotiate straight-through/crossover cable type
S1(config-if)# duplex full [auto] When using mdix auto, duplex and speed should be
S1(config-if)# speed 100 [auto] set to auto as well
S1(config-if)# {ip | ipv6} mtu size Set the interface MTU (bytes)
S1# show controllers ethernet-controller f0/1 phy | include Auto-MDIX Check MDIX status
S1(config-if)# description description Set description for the interface
S1(config-if)# clock rate 128000 Set clock rate for serial DCE connection
S1(config-if)# ipv6 address 2001:DB8:ACAD:1::/64 Set IPv6 address
S1(config-if)# ipv6 enable Auto-generate IPv6 link-local address
S1(config-if)# ipv6 address IPv6/length link-local Assign link-local add, override enable
S1(config-if)# ipv6 address IPv6/length eui-64 Assign IPv6 address using EUI-64
R1(config-if)# shutdown To manually change MAC address of the interface
R1(config-if)# mac-address aaaa.bbbb.cccc disable it, use mac-address and enable again
R1(config-if)# no shutdown Can reverse it with no mac-address
R1(config)# interface loopback 0 Set loopback interface number 0 (can have many)
R1(config-if)# ip address IPv4_address mask Assign unique address to the interface
R1# show {ip | ipv6} interface brief IPv4 interfaces summary
R1# show {ip | ipv6} interface [i-face] IPv4 interface[s] information
R1# show running-config interface f0/1 Current interface configuration
R1# show interfaces [i-face] Interface info and packet flow count
R1# show ipv6 routers [i-face] Show RA info received on interfaces
R1# show ipv6 neighbors All known neighbors
R1# clear counters [i-face] Clear all (or specific i-face) counters
DEBUGGING / LOGGING COMMANDS
R1(config)# logging console [level] Send system logging msgs to console line (default)
R1(config)# logging buffered Buffer log messages
R1(config)# no logging console Disable logging msgs on console line (save resources)
R1# terminal [no] monitor Send [disable] system msgs to all VTY lines
R1# debug ? List all debugging options
R1# [debug | undebug] all Turn on / off all debugging
R1# [no] debug ip icmp Example, debug ICMP traffic
R1# clear logging Empty log buffers
R1# show logging Current logging settings
R1# show logging | include changed state to up Filtering, for specific description
R1# show logging | begin June 12 22:35 Filtering, event past specific datetime
SYSLOG [UDP:514] For datetime clock has to be set, or NTP
R1(config)# service timestamps log {uptime | datetime} Timestamping, since boot or current time
R1(config)# logging 192.168.1.3 Set syslog server IP (to send msgs to)
R1(config)# logging source-interface g0/0 Set specific i-face as the source in syslog packets
R1(config)# logging trap {0|1|2|3|4|5|6|7} Set MAX level of messages to log, by number or name
R1(config)# logging trap {emergency|alert|critical|error|warning|notification|informational|debugging}
0:system unusable 1:immediate action needed 2:critical condition 3:error condition
4:warning condition 5:normal, significant condition 6:informational 7:debugging
Example: 00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
Format: seq no:timestamp: %facility-severity-MNEMONIC: description
SNMPv2 [Simple Network Management Protocol] [UDP:162]
R1(config)# ip access-list standard acl-name ACL used to grant access
R1(config-std-nacl)# permit 192.168.1.3
R1(config)# snmp-server community string {ro | rw} [acl-name] Community password+access level
R1(config)# snmp-server location text Device’s location (optional)
R1(config)# snmp-server contact text Contact details (optional)
Specify the recipient of traps (default=none!). enable traps with no args = over 60 types of traps sent!
R1(config)# snmp-server host IP [version{1| 2c | 3 [auth | noauth | priv]}] comm-string
R1(config)# snmp-server enable traps [notification-types] Enable traps. Use ? to check types
R1# show snmp [community] General info. community will show community string+ACL
SNMPv3
R1(config)# ip access-list standard acl-name Config ACL to permit access to hosts
R1(config-std-nacl)# permit source_net Then configure view, group, user
R1(config)# snmp-server view view-name oid-tree {included | excluded}
R1(config)# snmp-server group group-name v3 priv read view-name access [acl-number | acl-name]
R1(config)# snmp-server user username group-name v3 auth {md5 | sha} auth-password priv {des | 3des | aes {128 | 192 | 256}} priv-password
snmp-server user username groupname v3 [encrypted] [auth {md5 | sha} auth-password] [priv {des | 3des | aes {128 | 192 | 256}} priv-password]
R1# show snmp {group | user name | engineID } Show various stats
NetFlow
R1(config)# interface g0/0 Set i-face to monitor traffic on
R1(config-if)# ip flow ingress Capture data from incoming packets
R1(config-if)# ip flow egress Capture data from outgoing packets
R1(config)# ip flow-export destination IP PORT Socket for NetFlow collector
R1(config)# ip flow-export version {1|5|7|8|9} Exported data format (default 1, but use 5+)
R1(config)# ip flow-export source i-face Set specific i-face as the source of packets
R1# show ip cache [verbose] flow Check NetFlow statistics
R1# show ip flow interface Check monitored interfaces
R1# show ip flow export Check export settings
IP SLAs [IP Service Level Agreements]
R1(config)# ip sla operation-number Operation number is used to identify SLA
R1(config-ip-sla)# icmp-echo 192.168.1.5 Example ECHO SLA, full command syntax below
R1(config-ip-sla-echo)# frequency 30 Default 60, range 1-604800 seconds
R1(config-ip-sla-echo)# exit
R1(config)#ip sla schedule 1 start-time now life forever Timing example, full syntax below
R1(config)# no ip sla operation-number Cancel SLA operation
icmp-echo {dest-ip | hostname} [source-ip {ip | hostname} | source-interface i-face]
ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]
life: run indefinitely or specified number of seconds, default 3600
start-time: when the operation starts: pending(wait until time), now(now), after(after elapsed time)
ageout: timeout if idle, to remove operation from memory, default 0 (never removed), up to 2073600 seconds
recurring: repeat daily
R1# show ip sla application Show available IP SLAs operations
R1# show ip sla configuration [number] Check all or specific operation details
R1# show ip sla statistics [number] Check all or specific operation stats
SVI
S1(config)# vlan 99 DO NOT use the default VLAN 1!
S1(config)# interface vlan 99
S1(config-if)# ip address 192.168.1.2 255.255.255.0
S1(config-if)# no shutdown
S1(config)# interface range f0/1-24,g0/1-2 Assign all interfaces
S1(config-if-range)# switchport access vlan 99 to VLAN 99
S1(config)# ip default-gateway 192.168.1.1 Set gateway for outgoing traffic
PORT SECURITY
S1(config)# interface range f0/1-24,g0/1-2 Select unused ports range
S1(config-if-range)# shutdown Disable them
S1(config)# ip dhcp snooping Enable DHCP detection
S1(config)# ip dhcp snooping vlan 10,20 Enable DHCP detection for specified VLANs
S1(config-if)# ip dhcp snooping trust Set interface as trusted (forwards all DHCP messages)
S1(config)# interface range f0/2-24,g0/1-2 Untrusted interfaces ONLY forward DHCPREQUEST
S1(config-if-range)# ip dhcp snooping limit rate 5 Limit DHCP query speed (per second)
S1(config-if)# switchport mode access Set interface in access mode
S1(config-if)# switchport port-security Enable port security
S1(config-if)# switchport port-security maximum 50 Set max number of MACs per port
S1(config-if)# switchport port-security mac-address MAC Add secure static MAC
S1(config-if)# switchport port-security mac-address sticky Enable dynamic learning(stores in run)
S1(config-if)# switchport port-security mac-address sticky MAC Manually add persistent sticky MAC
S1(config-if)# switchport port-security violation {protect | restrict | shutdown}
SHUTDOWN: default, close the i-face; PROTECT: drop packets, no warning; RESTRICT: drop packets, warning;
S1(config-if)# no switchport port-security mac-address MAC Delete MAC from table
S1(config-if)# no switchport port-security sticky interface ID Delete all MAC from i-face
S1# clear port-security [sticky | dynamic] [interface ID] Clear port-security
S1# show port-security [interface f0/1] Show interface security settings
S1# show run | begin FastEthernet 0/1 Persistent MACs are stored in running config
S1# show port-security address Show all configured secure MACs
S1# show interface f0/1 status Err-disabled indicates port shut down for violations
S1# show port-security interface f0/1 As above, called: secure shutdown
S1(config-if)# shutdown To enable interface shut down for violations
S1(config-if)# no shutdown have to shut and no shut it
MAC TABLE
S1(config)# mac address-table static 0050.56BE.6C89 vlan 99 interface f0/6 Add static MAC
S1(config)# mac-address-table aging-time seconds [vlan ID] Age-out timer, default 300 (range 0-1000000)
S1# show [ip] arp
S1# show mac address-table [interface f0/1]
S1# show mac address-table [dynamic | aging-time]
S1# clear mac address-table dynamic
PVLAN EDGE [Private VLAN Edge]
S1(config-if)# switchport protected Set/unset interface in protected mode (PVLAN), data traffic
S1(config-if)# no switchport protected can’t pass between interfaces in protected mode
S1# show interfaces ID switchport Verify protected status
DTP [Dynamic Trunking Protocol]
S1(config-if)# switchport mode trunk To trunk from CISCO device to non-DTP one
S1(config-if)# switchport nonegotiate set link to trunk and disable DTP
S1# show dtp interface Show DTP status
switchport mode access Perma non-trunk link, negotiates to convert to non-trunk
switchport mode dynamic auto Converts to trunk if neighbor is trunk or desirable
switchport mode dynamic desirable Negotiates to convert (auto/trunk/desirable) link into trunk
switchport mode trunk Perma trunk link, negotiates to convert to trunk
switchport nonegotiate Disable DTP, only work on access/trunk interfaces
| MODE      | AUTO   | DESIRABLE | TRUNK   | ACCESS  |
| AUTO      | ACCESS | TRUNK     | TRUNK   | ACCESS  |
| DESIRABLE | TRUNK  | TRUNK     | TRUNK   | ACCESS  |
| TRUNK     | TRUNK  | TRUNK     | TRUNK   | LIMITED |
| ACCESS    | ACCESS | ACCESS    | LIMITED | ACCESS  |
It's recommended to disable DTP on interfaces. When setting up a trunk link, it's better to use trunk / nonegotiate on the interface.
VLAN config [normal ID: 1(2)-1005(1001) extended: 1006-4094]
S1(config)# vlan 100 Create VLAN 100, can use ranges but not in PT
S1(config-vlan)# name VLAN_name Name it
S1(config)# no vlan 100 Remove it (re-assign interfaces!)
S1(config-if)# switchport mode access Optional (secure!), set i-face to perma access mode
S1(config-if)# switchport access vlan id Assign i-face to VLAN,create VLAN if it doesn’t exist
S1(config-if)# no switchport access vlan Removes interface from VLAN
S1(config-if)# switchport mode trunk Set interface to trunk mode
S1(config-if)# switchport trunk native vlan id Set native VLAN for unlabeled 802.1Q
S1(config-if)# switchport trunk encapsulation dot1q Set encapsulation (ONLY if needed)
S1(config-if)# switchport trunk allowed vlan [add] id_list Set VLANs allowed on the link
S1(config-if)# no switchport trunk native vlan Reset to default (VLAN 1 is native)
S1(config-if)# no switchport trunk allowed vlan Reset to default (all VLANs allowed!)
S1(config-if)# switchport mode access Remove trunk link mode, set access
S1# show vlan [ brief | id ID | name name | summary ] Show VLAN info
S1# show interfaces [ ID | vlan ID]| switchport | trunk Show interface VLAN info
S1# delete flash:vlan.dat Erase VLAN config file (+erase startup-config)
S1# delete vlan.dat Shortcut if vlan.dat is in its default location
VTP [VLAN Trunk Protocol] [v1+v2: 1(2)-1005(1001) v3: 1006-4094]
S1(config)# vtp mode {server | client | transparent } Enable VTP, different modes
S1(config)# vtp domain name VTP domain name, same on all switches in the domain
S1(config)# vtp password password VTP password, same on all switches in the domain
Reset VTP config revision number to 0: change VTP domain to a nonexistent VTP domain and then back to the original name OR change VTP mode to transparent and then back to previous mode.
Extended VLANs (1006+) can only be configured on VTP transparent mode switches or use VTPv3!
S1# show vtp status Show VTP status
S1# show vtp password Show VTP password
SDM [Switch Database Manager]
S1(config)# sdm prefer ? Check available SDM templates
S1(config)# sdm prefer lanbase-routing Enable routing on Catalyst 2960 (reload to make it work!)
S1# show sdm prefer Check current SDM template
SPAN [Switched Port Analyzer]
S1(config)# monitor session number source {interface i-face | vlan id[,id]} Source
S1(config)# monitor session number destination {interface i-face | vlan id[,id]} Destination
S1# show monitor Verify SPAN session config
SPANNING TREE: PVST+ [MAC multicast STP group: 01:80:C2:00:00:00]
S1(config)# spanning-tree vlan id root primary Root bridge, priority: 24576 (or lower)
S1(config)# spanning-tree vlan id root secondary Priority: 28672
S1(config)# spanning-tree vlan id priority value Set priority manually (4096 multiples)
Valid priority values (4096 increment; the VLAN ID is then added to the priority as the extended system ID): 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768 (CISCO default), 36864, 40960, 45056, 49152, 53248, 57344, and 61440
S1(config-if)# spanning-tree portfast Set i-face (ACCESS ONLY!) as edge port (RSTP)
S1(config)# spanning-tree portfast default Enable PortFast on all non-trunking i-faces
S1(config-if)# spanning-tree bpduguard enable BPDUGuard enables on one interface
S1(config)# spanning-tree bpduguard default Enable BPDUGuard on all PortFast interfaces
S1(config-if)# spanning-tree cost value Set port cost, 1-200000000
S1(config-if)# no spanning-tree cost Reset to default value
Default cost values: 10Gb/s: 2, 1Gb/s: 4, 100Mb/s: 19, 10Mb/s: 100
S1# show spanning-tree STP info, paths, cost, root, port states
S1# show spanning-tree active STP detailed info for active interfaces ONLY
S1# show spanning-tree vlan ID Show STP config for specific VLAN
CONFIGURE RapidPVST+ Usually, only mode change is needed, rest as in PVST+
S1(config)# spanning-tree mode rapid-pvst Change to RapidPVST+ (default’s PVST+)
S1(config-if)# spanning-tree link-type point-to-point Set link type on interfaces (SW-SW)
S1# clear spanning-tree detected-protocols Clear/renegotiate all detected STP
ETHERCHANNEL
S1(config)# int range f0/1-4 I-faces to form EChannel link
S1(config-if-range)# channel-group 1 mode active Create port channel i-face. Mode ACTIVE=LACP
S1(config-if-range)# no shutdown no shut after setting the channel mode
S1(config-if-range)# int port-channel 1 EC interface config mode
S1(config-if)# switchport mode trunk Settings. It is a good idea to shut down
S1(config-if)# switchport trunk allowed vlan ID,ID interfaces in the group before config
S1(config)# no int port-channel 1 REMOVE the port channel i-face if you need to reconfigure it!
PAgP(Port Aggregation Protocol) modes: ON/DESIRABLE/AUTO EChannel: ON+ON, DESIRABLE+AUTO/DESIRABLE
LACP(Link Aggregation Control Protocol) modes: ON/ACTIVE/PASSIVE EChannel: ON+ON, ACTIVE+ACTIVE/PASSIVE
S1# show interfaces port-channel1 Check specific channel interface
S1# show etherchannel [port-channel | summary] Shows port list / port channels info
S1# show interfaces i-face etherchannel Specific interface info (port status)
VLAN routing (old school, router-on-a-stick, layer 3 switch)
OLD SCHOOL NOT USED ANYMORE!
S1(config)# int range f0/4,f0/11 PC1 – S1 f0/11 PC2 – S1 f0/6
S1(config-if-range)# switchport mode access PC1: 172.17.10.21/24
S1(config-if-range)# switchport access vlan 10 PC2: 172.17.30.23/24
% Access VLAN does not exist. Creating vlan 10 S1 f0/4 – R1 g0/0
S1(config-if-range)# int range f0/5-6 S1 f0/5 – R1 g0/1
S1(config-if-range)# switchport mode access R1 g0/0: 172.17.10.1/24
S1(config-if-range)# switchport access vlan 30 R1 g0/1: 172.17.30.1/24
% Access VLAN does not exist. Creating vlan 30
R1(config)# int g0/0
R1(config-if)# ip address 172.17.10.1 255.255.255.0 VLAN 10: PC1, S1 f0/4, S1 f0/11
R1(config-if)# int g0/1 VLAN 30: PC2, S1 f0/5, S1 f0/6
R1(config-if)# ip address 172.17.30.1 255.255.255.0
R1(config-if)# int range g0/0-1 Configure VLANs, IPs and interfaces on R1
R1(config-if-range)# no shut
ROUTER-ON-A-STICK DOES NOT scale beyond 50 VLANs!
S1(config)# int f0/5 S1 f0/5 – R1 g0/0
S1(config-if)# switchport mode trunk Configure link to R1 as trunk
S1(config-if)# int f0/11 PC1 – S1 f0/11
S1(config-if)# switchport access vlan 10 PC1: 172.17.10.21/24
% Access VLAN does not exist. Creating vlan 10
S1(config-if)# int f0/6 PC2 – S1 f0/6
S1(config-if)# switchport access vlan 30 PC2: 172.17.30.23/24
% Access VLAN does not exist. Creating vlan 30
R1(config)# int g0/0.10 Configure sub-interfaces for the interface
R1(config-subif)# encapsulation dot1q 10 on which trunk link from S1 is connected
R1(config-subif)# ip address 172.17.10.1 255.255.255.0 Use VLAN ID in encapsulation command
R1(config-subif)# int g0/0.30
R1(config-subif)# encapsulation dot1q 30
R1(config-subif)# ip address 172.17.30.1 255.255.255.0
R1(config-subif)# int g0/0 no shutdown is only used on physical i-face
R1(config-if)# no shut Sub-interfaces will go up when physical does
LAYER 3 SWITCH
S1(config)# int f0/11
S1(config-if)# switchport access vlan 10 PC1 – S1 f0/11
% Access VLAN does not exist. Creating vlan 10 PC2 – S1 f0/6
S1(config-if)# int f0/6 S1 g0/1 – L3 g0/1
S1(config-if)# switchport access vlan 30
% Access VLAN does not exist. Creating vlan 30 PC1: 172.17.10.21/24
S1(config-if)# int g0/1 PC2: 172.17.30.23/24
S1(config-if)# switchport mode trunk Configure link to L3 as trunk
L3(config)# vlan 10 Configure VLANs on L3 switch
L3(config-vlan)# vlan 30 DO NOT skip this step like above in (S1)!
L3(config-vlan)# int vlan 10 VLANs have to be in the DB before SVIs config!
%LINK-5-CHANGED: Interface Vlan10, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol…
L3(config-if)# ip address 172.17.10.1 255.255.255.0 Configure SVI for each VLAN
L3(config-if)# int vlan 30 IP is the same as default gateway for PCs
%LINK-5-CHANGED: Interface Vlan30…
%LINEPROTO-5-UPDOWN: Line protocol…
L3(config-if)# ip address 172.17.30.1 255.255.255.0
L3(config-if)# exit
L3(config)# ip routing Enable IP routing
L3(config-if)# no switchport Set up routed port (P2P to other device). Set IP etc
R1(config-router)# ? Shows available protocol config commands
R1(config)# [ipv6] router ? Shows available IPv4/IPv6 routing protocols
R1# show [ip | ipv6] protocols Show current routing protocols info
R1# show {ip | ipv6} route [network] Routing table
R1# show {ip | ipv6} route [static | rip | ospf | …] Routing table, filtered by protocol
R1(config)# ip route network mask {nHop | exit_i-face [nHop]} [ADistance] Static IPv4
R1(config)# ipv6 route prefix/length { nHop | exit_i-face [nHop]} [ADistance] Static IPv6
R1(config)# ip route 0.0.0.0 0.0.0.0 {nHop | exit_i-face [nHop]} Default static IPv4
R1(config)# ipv6 route ::/0 { nHop | exit_i-face [nHop]} Default static IPv6
When using link-local IPv6 as next hop – always specify the exit interface!
HSRP [Hot Standby Router Protocol] [HSRPv1: 224.0.0.2 HSRPv2: 224.0.0.102 / FF02::66]
R1(config-if)# standby version 2 Use HSRP version 2. 1 is the default
R1(config-if)# standby ID ip virtual_IP Virtual IP. Same ID for all routers in same group!
R1(config-if)# standby ID priority value Set priority (0-255), default 100. High IP wins!
R1(config-if)# standby ID preempt Enable takeover as AVG if higher priority
R1(config-if)# standby ID name name Change/set group name
HSRPv1 supports group numbers from 0 to 255. HSRPv2 supports group numbers from 0 to 4095
HSRPv1 virtual MAC range: 0000.0C07.AC00 – 0000.0C07.ACFF (last 2 digits=group number)
HSRPv2 virtual MAC range: 0000.0C9F.F000-0000.0C9F.FFFF (IPv4) and 0005.73A0.0000-0005.73A0.0FFF (IPv6)
For both IPv4/IPv6 the last 3 digits in the MAC indicate the HSRP group number
R1# show standby [all] [brief] Verify HSRP state
R1# debug standby {errors | events | packets | terse} Debugging
GLBP [Gateway Load Balancing Protocol]
R1(config-if)# glbp ID ip virtual_IP Config virtual IP
R1(config-if)# glbp ID preempt Take over as AVG if higher priority
R1(config-if)# glbp ID priority value Set priority (1-255)
R1(config-if)# glbp ID load-balancing round-robin Set up load balancing
R1# show glbp [ID] [brief] Verify GLBP state
RIP [AD:120] [ALL RIPv2 ROUTERS: 224.0.0.9]
R1(config)#[no] router rip [Disable]Enable router config and RIP
R1(config-router)# version [1 | 2] Enable RIP / RIPv2
R1(config-router)# no version Sends RIP updates, listens to RIP+RIPv2 updates
R1(config-router)# no auto-summary Disable class-based network summarization, RIPv2 only
R1(config-router)# network 192.168.0.1 Announce all directly connected networks
R1(config-router)# passive-interface g0/0 Set passive interface(no routing updates sent)
R1(config-router)# no passive-interface g0/0 Disable passive interface
R1(config-router)# passive-interface default Set ALL interfaces passive, enable per int
R1(config-router)# default-information originate Announce default route 0.0.0.0
RIPng [AD:120] [ALL RIPng ROUTERS: FF02::9]
R1(config)# ipv6 unicast-routing Enable IPv6
R1(config)# interface g0/0 RIPng is enabled ON interfaces!
R1(config-if)# ipv6 rip DOMAIN enable Enable RIPng
R1(config-if)# ipv6 rip DOMAIN default-information originate Announce default route ::/0
BGP [AD eBGP:20 / iBGP:200]
R1(config)# router bgp AS-number Enable BGP, enter config mode
R1(config-router)# neighbor ip-address remote-as AS-number BGP neighbor + its AS number
R1(config-router)# network network-address [mask network-mask] Advertise network to neighbor
Networks advertised by BGP do NOT have to be directly connected, but have to be known (route). Advertising 0.0.0.0 on ISP side is possible, but not recommended. mask argument is required for classless networks.
R1# show ip bgp BGP table. Verify rcvd and advertised IPv4 networks
R1# show ip bgp summary Verify IPv4 BGP neighbors and other BGP information
EIGRP IPv4 [AD:90/170 external/5 summary] [MCAST: 224.0.0.10 MAC: 01-00-5E-00-00-0A]
R1(config)# [no] [ipv6] router eigrp ASid ASid (1-65k) differentiates INSTANCES in the domain!
R1(config-router)# eigrp router-id 1.1.1.1 Router ID, IPv4 format (can use loopback)
R1(config-router)# network network Enable for interfaces in the network.CLASSFUL!
R1(config-router)# network network wildcard_mask Using wildcard mask to specify an interface
R1(config-router)# [no] auto-summary Summarization (default OFF in IOS15+)
EIGRP IPv6 [AD:90/170 external/5 summary] [MCAST: FF02::A MAC: 01-00-5E-00-00-0A]
R1(config)# ipv6 unicast-routing Enable IPv6
R1(config)# int s0/0/0 Configure link-local IPv6 addresses on all
R1(config-if)# ipv6 address fe80::1 link-local interfaces that will exchange LSAs! FE80-FEBF
R1(config)# [no] ipv6 router eigrp ASid ASid (1-65k) differentiates INSTANCES in the domain!
R1(config-rtr)# eigrp router-id 1.1.1.1 Router ID, IPv4 format (can use loopback)
R1(config-rtr)# no shut For IPv6, no shut is required
R1(config)# interface s0/0/0 FOR THE PROCESS (AFTER router-id)!
R1(config-if)# ipv6 eigrp ASid EIGRP is enabled ON interfaces!
IPv4/IPv6 COMMON CONFIG
R1(config-router)# [no] passive-interface {i-face | default} Passive interfaces standard
R1(config-router)# eigrp log-neighbor-changes Default ON. Sends EIGRP msgs to the console
R1(config-router)# redistribute static Propagate added static routes
R1(config-if)# {ip|ipv6} summary-address eigrp ASid supernet mask Manual summary, on ALL i-faces!
R1(config-if)# [no] bandwidth kilobits BW adjustments
R1(config-if)# [no] delay tens-of-µseconds Delay adjustments
R1(config-if)# {ip|ipv6} bandwidth-percent eigrp ASid 40 BW used by EIGRP traffic (default 50%)
R1(config-if)# {ip|ipv6} hello-interval eigrp ASid 50 Default = 5 seconds
R1(config-if)# {ip|ipv6} hold-time eigrp ASid 150 Default = 3x hello interval
R1(config-router)# metric weights tos k1 k2 k3 k4 k5 Adjust metric, tos ALWAYS 0!
K1(1):bandwidth K2(0):load K3(1):delay K4(0):reliability K5(0):MTU size (unused)
Default formula: metric = (K1*bandwidth + K3*delay) * 256 Reference BW is 10.000.000!
If K5=0: metric = [K1*bandwidth + (K2*bandwidth)/(256-load) + K3*delay] * 256
Complete formula: metric = [K1*bandwidth + (K2*bandwidth)/(256-load) + K3*delay] * (K5/(reliability+K4)) * 256
Delays (µs): Eth=1000, FE/FDDI=100, GE=10, T1/Serial(1024/64/56 kb/s)=20000. bandwidth = SLOWEST LINK on the path, delay = TOTAL OF DELAYS along the path!
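Added example (not from the cheat sheet and not Cisco code): the composite-metric formula above worked in Python, taking the path bandwidth as the slowest link and the delay as the sum of hop delays, together with the variance test used by the variance command further down. The link-tuple format, default load/reliability values and function names are assumptions made here.

```python
# Added example: EIGRP composite metric and the variance test.
from typing import List, Sequence, Tuple

REFERENCE_BW_KBPS = 10_000_000  # EIGRP scales bandwidth against 10^7 kb/s

# Per-interface default delays listed on the page, in microseconds
DEFAULT_DELAY_USEC = {
    "ethernet": 1000,
    "fastethernet": 100,
    "gigabitethernet": 10,
    "serial": 20000,
}


def eigrp_metric(links: Sequence[Tuple[int, int]],
                 k1: int = 1, k2: int = 0, k3: int = 1, k4: int = 0, k5: int = 0,
                 load: int = 1, reliability: int = 255) -> int:
    """Composite metric for a path given as (bandwidth_kbps, delay_usec) hops.

    bandwidth term: reference BW / slowest link on the path (integer division)
    delay term:     sum of hop delays, converted to tens of microseconds
    The result is scaled by 256 as in the default formula on the page.
    load=1 and reliability=255 are the IOS defaults (assumed here).
    """
    if not links:
        raise ValueError("path must contain at least one link")
    slowest_bw = min(bw for bw, _ in links)
    bandwidth = REFERENCE_BW_KBPS // slowest_bw
    delay = sum(d for _, d in links) // 10
    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5 != 0:
        # Complete formula: reliability factor only applies when K5 != 0
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def viable_routes(metrics: Sequence[int], variance: int) -> List[int]:
    """Metrics EIGRP would install under the given variance multiplier.

    A route qualifies when metric <= variance * best metric. The separate
    feasibility condition (reported distance < feasible distance) is
    assumed to already hold for every candidate.
    """
    if not 1 <= variance <= 128:
        raise ValueError("variance must be 1-128")
    best = min(metrics)
    return [m for m in metrics if m <= variance * best]


if __name__ == "__main__":
    # Constructed paths: T1 serial + FastEthernet versus two FastEthernet hops
    slow = eigrp_metric([(1544, DEFAULT_DELAY_USEC["serial"]),
                         (100_000, DEFAULT_DELAY_USEC["fastethernet"])])
    fast = eigrp_metric([(100_000, DEFAULT_DELAY_USEC["fastethernet"])] * 2)
    print("serial+FE:", slow, "FE+FE:", fast)
    print("variance 1:", viable_routes([slow, fast], 1))
    print("variance 128:", viable_routes([slow, fast], 128))
```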
R1(config-router)# maximum-paths 32 Equal cost routes for balancing, 1 OFF, default 4, max 32
R1(config-router)# variance multiplier Metric multiplier (1-128) to insert alternate routes as viable
R1(config-router)# traffic-share balanced Distribute traffic on routes, in proportion to metrics!
R1(config)# key chain chain_name Secure EIGRP
R1(config-keychain)# key key-id Creating the key (0-2147483647). Use
R1(config-keychain-key)# key-string key-string-text same keyid+keystring on all routers!
R1(config-if)# {ip|ipv6} authentication mode eigrp ASid md5 Auth, per int
R1(config-if)# {ip|ipv6} authentication key-chain eigrp ASid chain_name Auth, per int
R1# show {ip|ipv6} eigrp neighbors Show adjacency database / neighbor table
R1# show {ip|ipv6} eigrp [interface [brief | i-face]] EIGRP process [OR interface] shows
R1# show {ip|ipv6} eigrp topology [all-links] Show topology table (successors, FS, FD)
R1# debug eigrp fsm Debug DUAL Finite State Machine
OSPF v2 [AD:110] [ALL OSPF ROUTERS: 224.0.0.5 DR/BDR ONLY : 224.0.0.6]
R1(config)# router ospf process_id Enable OSPFv2, process ID is internal only
R1(config-router)# router-id 1.1.1.1 Configure router ID, IPv4 format
R1(config)# int l0 (l0 = loopback 0) Loopback int config for router-id
R1(config-if)# ip address 1.1.1.1 255.255.255.255 Always use /32 mask, don’t shut if used
R1(config-router)# network network wildcard_mask area id Configure each network, wildcard mask
R1(config-router)# network interface_ip 0.0.0.0 area id OR use the interface IP. Quad 0 makes OSPF use the interface mask in network announcements, so OSPF will advertise the network connected on the interface. Area 0 recommended for single area.
Wildcard masks: subtract subnet mask from 255.255.255.255
/24: 255.255.255.255 – 255.255.255.0 = 0.0.0.255
/26: 255.255.255.255 – 255.255.255.192 = 0.0.0.63
/30: 255.255.255.255 – 255.255.255.252 = 0.0.0.3
No priority or a tie: router ID will be used to pick DR/BDR (high wins)!
R1(config-router)# passive-interface i-face Set passive interface(no routing updates sent)
R1(config-router)# no passive-interface g0/0 Disable passive interface
R1(config-router)# passive-interface default Set ALL interfaces passive, enable per int
R1(config-router)# area area-id authentication message-digest Global MD5 authentication config (key is a number)
R1(config-if)# ip ospf message-digest-key key md5 password
R1(config-if)# ip ospf message-digest-key key md5 password Local (per int) MD5 authentication config
R1(config-if)# ip ospf authentication message-digest
OSPF v3 [AD:110] [ALL OSPFv3 ROUTERS: FF02::5 DR/BDR ONLY : FF02::6]
R1(config)# ipv6 unicast-routing Enable IPv6
R1(config)# int s0/0/0 Configure link-local IPv6 addresses on all
R1(config-if)# ipv6 address fe80::1 link-local interfaces that will exchange LSAs! FE80-FEBF
R1(config)# ipv6 router ospf process_id Enter OSPFv3 config mode
R1(config-rtr)# router-id 1.1.1.1 Router ID, HAS to be done if no IPv4 i-faces
R1(config)# interface s0/0/0 OSPFv3 is enabled ON interfaces!
R1(config-if)# ipv6 ospf process_id area id Enable OSPFv3 on the interface
R1(config-if)# ipv6 ospf authentication ipsec spi Enable IPsec authentication on interfaces
OSPF v2/v3 COMMON CONFIG
R1(config-router)# default-information originate Announce default routes
R1(config-router)# auto-cost reference-bandwidth value Adjust reference BW, default is 100
R1(config-router)# redistribute {static | eigrp pID | rip | isis} [metric value] [subnets]
Redistribute routes. Default metric is 20 (1 for BGP). subnets for classless networks!
Default reference bandwidth: 100.000.000 bps. Cost is: reference BW / interface BW
10Gbps GE: 100000000 / 10000000000 = 1
1Gbps GE: 100000000 / 1000000000 = 1
100Mbps FE: 100000000 / 100000000 = 1
10Mbps E: 100000000 / 10000000 = 10
1.544Mbps Serial: 100000000 / 1544000 = 64
128kbps Serial: 100000000 / 128000 = 781
64kbps Serial: 100000000 / 64000 = 1562
Reference BW: 1000 for 1GbEth, 10000 for 10GbEth
Always adjust it for networks faster than 100Mbps FastEth! Use the same reference BW on ALL routers!
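Added example (not from the cheat sheet and not Cisco code): the cost calculation above run over the page's link speeds, once with the default 100 Mb/s reference and once with 10000 Mb/s, to show which link types collapse to cost 1 and become indistinguishable to SPF. The speed table and function names are constructed here.

```python
# Added example: OSPF interface cost versus reference bandwidth.
from typing import Dict, List

REF_BW_DEFAULT_MBPS = 100  # IOS default auto-cost reference-bandwidth

# Link speeds from the page, in bits per second (constructed table)
LINK_SPEEDS_BPS = {
    "10GbE": 10_000_000_000,
    "1GbE": 1_000_000_000,
    "100M FE": 100_000_000,
    "10M E": 10_000_000,
    "1.544M Serial": 1_544_000,
    "128k Serial": 128_000,
    "64k Serial": 64_000,
}


def ospf_cost(ref_bw_bps: int, iface_bw_bps: int) -> int:
    """Cost = reference BW / interface BW, truncated, never below 1."""
    if iface_bw_bps <= 0 or ref_bw_bps <= 0:
        raise ValueError("bandwidths must be positive")
    return max(1, ref_bw_bps // iface_bw_bps)


def cost_table(ref_bw_mbps: int) -> Dict[str, int]:
    """Cost of every link type; ref_bw_mbps is the auto-cost reference-bandwidth value."""
    ref_bps = ref_bw_mbps * 1_000_000
    return {name: ospf_cost(ref_bps, bps) for name, bps in LINK_SPEEDS_BPS.items()}


def indistinguishable_links(ref_bw_mbps: int) -> List[str]:
    """Link types that all get cost 1, so SPF cannot prefer one over another."""
    return [name for name, cost in cost_table(ref_bw_mbps).items() if cost == 1]


if __name__ == "__main__":
    for ref in (REF_BW_DEFAULT_MBPS, 10_000):
        print(f"reference {ref} Mb/s:", cost_table(ref))
        print("  collapse to cost 1:", indistinguishable_links(ref))
```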
R1(config-if)# {ip|ipv6} ospf hello-interval seconds Default = 10. no resets to default
R1(config-if)# {ip|ipv6} ospf dead-interval seconds Default = 4x hello interval
R1(config-if)# {ip|ipv6} ospf priority 255 DR/BDR/DROTHER priority (0)1-255 (0-can’t be DR/BDR)
R1(config-if)# bandwidth kilobits Adjust per interface bandwidth. On BOTH sides!
R1(config-if)# no bandwidth Reset to default. show int i-face to check it (BW)
R1(config-if)# {ip|ipv6} ospf cost 15625 Adjust the route metric. Compatibility/less CPU usage
R1# show {ip|ipv6} ospf neighbor Show adjacency database / neighbor table
R1# show {ip|ipv6} ospf database Show link-state database / topology table
R1# show {ip|ipv6} ospf [interface [brief | i-face]] OSPF process [OR interface] shows
R1# clear {ip|ipv6} ospf [process_id] process Reset/restart OSPF (forces Down/Init states)
To force DR/BDR election can also shut down all i-faces and then reenable them in order: DR/BDR/DROTHERS
ROUTE SUMMARIZATION ABR/ASBR will create discard routes to Null0
R1(config-router)# summary-address supernet mask External route summary (ASBR!)
R1(config-router)# area 1 range supernet mask Internal route summary for area 1 (ABR!)
PPP [Point-to-Point Protocol]
R1(config-if)# encapsulation ppp PPP on the i-face
R1(config-if)# compress [predictor | stac] Enable compression (software, affects performance)
R1(config-if)# [no] ppp quality percentage Link quality control, link closes if out of range
MULTILINK
R1(config)# interface multilink number Create multilink PPP bundle
R1(config-if)# ip address network mask
R1(config-if)# encapsulation ppp
R1(config-if)# ppp multilink
R1(config)# interface s0/0/0 Add i-faces to the group (repeat for each added)
R1(config-if)# encapsulation ppp Can remove IP, remove clock rate (if DTE) etc.
R1(config-if)# ppp multilink
R1(config-if)# ppp multilink group number Add i-face to multilink group
PPP CALLBACK
R1(config-if)# ppp callback request Client config
R1(config-if)# ppp callback accept Server config
AUTHENTICATION
R1(config-if)# ppp authentication {chap|chap pap|pap chap|pap}[if-needed][list|default][callin]
[if-needed]: on async i-faces no auth if already provided (TACACS/XTACACS)
[list|default]: used with AAA/TACACS+, name of the list of auth methods to use
[callin]: authentication on incoming (received) calls only
R1(config)# aaa authentication ppp {default | list} [methods] Create default/named auth meth list
METHODS: local | local-case | krb5 | group radius | group tacacs+ | none | if-needed
R1(config)# username R2 password password User is the hostname of other end!
R1(config-if)# ppp authentication pap PAP authentication on the i-face
R1(config-if)# ppp pap sent-username R1 password password Passwords must match on both ends!
R1(config)# username username password password Usernames=hostnames of the other end!
R1(config-if)# ppp authentication chap CHAP config. Passwords must match!
R1# show ppp multilink Verify multilink info
R1# debug ppp {packet | negotiation | error | authentication | compression | cbcp}
packet: low level dump, negotiation: startup packets, error: protocol errors+stats, authentication: auth packets, compression: MPPC info, check for incorrect sequence number, cbcp: MSCB errors+stats
PPPoE [Point-to-Point Protocol over Ethernet] [MTU: 1492 MSS: 1452]
R1(config)# interface dialer number Create logical i-face
R1(config-if)# encapsulation ppp
R1(config-if)# ip address negotiated IP obtained from ISP
R1(config-if)# ip mtu 1492 Set MTU (8 bytes less, for PPPoE headers)!
R1(config-if)# dialer pool number Doesn’t have to match i-face number
R1(config-if)# ppp chap hostname hostname ISP provides hostname and password
R1(config-if)# ppp chap password password
R1(config-if)# no shut
R1(config)# interface g0/0 Configure phy i-face for PPPoE
R1(config-if)# no ip address PPPoE inserts 2 host routes into the routing table!
R1(config-if)# pppoe enable
R1(config-if)# pppoe-client dial-pool-number number SAME number as configured in dialer pool!
R1(config-if)# ip tcp adjust-mss 1452 Adjust Maximum Segment Size if TCP over PPPoE stalls: 1500-8(PPPoE)-20(IPv4)-20(TCP)=1452
R1(config-if)# no shut
R1# show interface dialer number I-face status and info
R1# show pppoe session Current PPPoE sessions
R1# debug ppp negotiation Debug PPP negotiation
R1# show run | section interface dialer2 Check dialer i-face details
FRAME RELAY [DLCI: 16-992(1007)]
R1(config)# interface s0/0/0
R1(config-if)# ip address 10.1.1.1 255.255.255.0
R1(config-if)# encapsulation frame-relay [cisco | ietf] ietf: connecting to non-Cisco router
R1(config-if)# bandwidth kb/s Set BW, used by OSPF/EIGRP
LMI type(optional) Cisco has autosense
R1(config-if)# frame-relay lmi-type {cisco | ansi | q933a} Set LMI type, must match on both ends
R1(config-if)# keepalive seconds Adjust KA timer, default 10
LMI set manually = autosense DISABLED!
R1(config-if)# frame-relay map ip 10.1.1.2 102 broadcast cisco Static FR address mapping
R1(config-if)# frame-relay map proto proto_address DLCI [broadcast] [cisco | ietf]
broadcast: allow broad/multicast on the link (OSPF/EIGRP) ietf: when connecting to non-Cisco router
R1(config-if)# no frame-relay inverse-arp Disable iARP on the i-face
R1# clear frame-relay inarp Clear DYNAMIC iARP entries
R1(config-if)# encapsulation frame-relay Encapsulation on phy i-face, rest on sub!
R1(config)# interface s0/0/0.123 {multipoint | point-to-point} Configure FR subi-face (IP,BW!)
R1(config-subif)# frame-relay interface-dlci 123 P2P or multipoint when IPv4 iARP is enabled!
R1(config-if)# no encapsulation frame-relay Back to default HDLC encapsulation
R1# show frame-relay map Frame Relay address mappings
R1# show frame-relay lmi Local Management Interface stats+info
R1# show frame-relay pvc [interface i-face] [DLCI] Show PVC stats, totals or per PVC/i-face/DLCI
R1# show interfaces i-face I-faces info
R1# clear counters [i-face] Clear all (or specific i-face) counters
R1# debug frame-relay lmi Debug. PVC status codes: 0x0 = inactive (DLCI known but unusable), 0x2 = active (OK), 0x4 = deleted (no such DLCI on the switch at the moment)
HDLC [High-Level Data Link Control]
R1(config-if)# encapsulation hdlc HDLC on the i-face (default on sync serial i-faces). Interface command only, there is no global form
SERIAL DN/PROTO DN (DTE): cable/HW fail, no line, no CD signal
SERIAL UP/PROTO DN (DTE): local/remote mis-config/fail, no keepalives, noisy line, timing fail. Put modem/CSU/DSU in loopback mode, use show interfaces serial – if PROTO comes up, ISP fail.
SERIAL UP/PROTO DN (DCE): clockrate, no SCTE support on DTE, remote CSU/DSU fail
SERIAL UP/PROTO UP(LOOPED): loopback (no loopback), disable CSU/DSU manual loopback mode
SERIAL UP/PROTO DN(DISABLED): IFACE/CSU/DSU hardware problem, WAN ISP high error rate
SERIAL DN(ADMIN)/PROTO DN: no shutdown, duplicate IPs
R1# debug serial interface Serial i-face debugging
R1# show controllers serial-i-face Check cable connection on the i-face etc.
R1# show controllers cbus Same as above, for Cisco7000 series routers
GRE [Generic Routing Encapsulation] [IP protocol field: 47]
R1(config)# interface tunnel number Create tunnel i-face
R1(config-if)# tunnel mode gre ip Set tunnel mode, optional -> default: GRE
R1(config-if)# ip address 192.168.2.1 255.255.255.0 IP for tunnel i-face!
R1(config-if)# tunnel source 209.165.201.1 IP for phy i-face that’ll carry the tunnel
R1(config-if)# tunnel destination 198.133.219.87 IP for phy i-face on the other end of the link
R1(config)# router ospf 1 Config OSPF to exchange routes over the tunnel
R1(config-router)# network 192.168.2.0 0.0.0.255 area 0
R1# show interface tunnel number Tunnel i-face status and info
IPSec VPN
R1(config)# license boot module c2900 technology-package securityk9 Install security if needed
R1(config)# end
R1# copy running-config startup-config
R1# reload Reload so the license takes effect
R1(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ACL to mark traffic (from 1.0 to 3.0) as interesting – will be encrypted)
PHASE 1
R1(config)# crypto isakmp policy 10 Priority 10 (used in negotiations)
R1(config-isakmp)# encryption [aes | des | 3des] Encrypt method (default: des). DES/3DES are obsolete, use aes (aes 256 where the IOS supports it)
R1(config-isakmp)# authentication pre-share Auth method
R1(config-isakmp)# group [1 | 2 | 5] DH group. 1/2/5 are weak, use 14 or higher where the IOS supports it
R1(config-isakmp)# hash [md5 | sha] Hashing (default: SHA-1). Prefer sha256 where supported
R1(config-isakmp)# lifetime seconds IKE SA life (60-86400), default 86400
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco address 10.2.2.2 Pre-shared key (IP of the other end). "cisco" is a lab value, use a long random PSK in production
PHASE 2
R1(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac Config transform set
R1(config)# crypto map VPN-MAP 10 ipsec-isakmp Config map, seq. 10 (priority, lower=better)
R1(config-crypto-map)# description VPNtoR3 Seq is used to pick among same named maps
R1(config-crypto-map)# set peer 10.2.2.2 IP of the tunnel exit (where traffic goes)
R1(config-crypto-map)# set transform-set VPN-SET Apply chosen transform set
R1(config-crypto-map)# match address 110 Apply ACL to filter traffic to encrypt
R1(config-crypto-map)# exit
R1(config)# interface S0/0/0 Apply map to the public i-face (tunnel start)
R1(config-if)# crypto map VPN-MAP
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
REPEAT ON THE OTHER END OF THE TUNNEL, ADJUSTING ACL and IPs!
R1# show crypto ipsec {sa | transform-set} Check/verify tunnel settings and operation
R1# show crypto {isakmp {sa | policy} | map | …} Other show commands
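Added example (Python, not part of the original page): the check a practitioner wants after the IKE/IPsec config above, a small audit that parses the ISAKMP policies and transform sets out of IOS running-config text and flags settings that are weak today (DES/3DES, MD5/SHA-1, DH groups 1/2/5). The sample config is constructed for this example (policy 10 mirrors the commands above, policy 20 relies on IOS defaults, policy 30 is hardened); the weak/strong thresholds are my own choices.

```python
# Added example (not from the original cheat sheet): audit ISAKMP (IKEv1 phase 1)
# policies and IPsec transform sets in an IOS running-config and flag weak settings.
import re

# IOS defaults applied when a policy omits a parameter
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "lifetime": "86400"}

# Thresholds chosen for this example
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}          # 'sha' in this syntax means SHA-1
WEAK_DH_GROUPS = {"1", "2", "5"}    # below 2048-bit MODP
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null", "ah-md5-hmac"}

def parse_isakmp_policies(config: str) -> dict:
    """Return {priority: {param: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(ISAKMP_DEFAULTS)   # start from IOS defaults
            continue
        if current is not None and line.startswith(" "):
            parts = line.split()
            if parts[0] in ("encryption", "hash", "group", "lifetime", "authentication"):
                policies[current][parts[0]] = " ".join(parts[1:])   # 'aes 256' stays whole
        else:
            current = None          # any non-indented line ends the block
    return policies

def parse_transform_sets(config: str) -> dict:
    """Return {name: [transforms]} for each 'crypto ipsec transform-set' line."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}

def audit(config: str) -> list:
    """Return human-readable findings; an empty list means nothing weak was found."""
    findings = []
    for prio, p in sorted(parse_isakmp_policies(config).items()):
        if p["encryption"].split()[0] in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {prio}: weak encryption '{p['encryption']}'")
        if p["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {prio}: weak hash '{p['hash']}'")
        if p["group"] in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {prio}: weak DH group {p['group']}")
    for name, transforms in parse_transform_sets(config).items():
        for t in transforms:
            if t in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: weak transform '{t}'")
    return findings

# Constructed sample config (not a real device's output)
SAMPLE_CONFIG = """\
hostname R1
!
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
 hash sha
!
crypto isakmp policy 20
 authentication pre-share
!
crypto isakmp policy 30
 encryption aes 256
 authentication pre-share
 group 14
 hash sha256
!
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto ipsec transform-set STRONG-SET esp-aes 256 esp-sha256-hmac
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no weak settings found"]:
        print(finding)
```

Feed it the output of show running-config (or show running-config | section crypto). Policy 20 is the instructive case: it looks harmless in the config because IOS does not display defaults, but it negotiates DES, SHA-1 and DH group 1.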
GRE over IPSec
R1(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.3.255
R1(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.4.0 0.0.3.255
NOTE: a crypto map on the physical i-face sees the GRE packet after encapsulation (outer IPs, IP protocol 47), so the crypto ACL must match that traffic, e.g. permit gre host tunnel_source_IP host 64.100.13.2. An ACL matching only the inner 10.0.0.0/172.16.x.x addresses leaves the GRE tunnel unencrypted.
R1(config)# crypto isakmp policy 101
R1(config-isakmp)# encryption aes
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco address 64.100.13.2 Two tunnels, to 2 different peers
R1(config)# crypto isakmp key cisco address 64.102.46.2
R1(config)# crypto ipsec transform-set R1_Set esp-aes esp-sha-hmac
R1(config)# crypto map R1_Map 101 ipsec-isakmp
R1(config-crypto-map)# set peer 64.100.13.2
R1(config-crypto-map)# set peer 64.102.46.2
R1(config-crypto-map)# set transform-set R1_Set
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# exit
R1(config)# interface S0/0/0
R1(config-if)# crypto map R1_Map
R1(config)# interface tunnel 0 GRE tunnel to the first peer. Repeat as tunnel 1 for the peer at 64.102.46.2!
R1(config-if)# ip address 192.168.0.1 255.255.255.252
R1(config-if)# tunnel source s0/0/0
R1(config-if)# tunnel destination 64.100.13.2
R1(config-if)# tunnel mode gre ip
REPEAT ON OTHER 2 ENDs OF TUNNELs, ADJUSTING ACLs and IPs!
IP route from R1 to 172.16.0.0/172.16.4.0 networks: use next-hop IP of the tunnel i-face!
IP route from R2/R3 to the 10.0.0.0 network: use the next-hop IP of the tunnel i-face!
ACLs
STANDARD
R1(config)# access-list NO {permit | deny | remark} source [wildcard] [log]
R1(config)# access-list 2 deny 192.168.10.0 0.0.0.255 Standard ACLs no: 1-99,1300-1999
R1(config)# access-list 2 permit any any=0.0.0.0 255.255.255.255
R1(config)# access-list 1 permit host 192.168.10.10 host = wildcard 0.0.0.0 (keyword goes before the IP!)
R1(config)# access-list 1 deny any It’s implicit but NOT tracked. Define it for tracking!
R1(config)# access-list 1 remark Permit hosts from… ACL remark (100 chars limit)
log sends messages to console
EXTENDED
R1(config)# access-list number {permit | deny | remark} protocol {source wildcard} [OP PORT] {destination wildcard} [OP PORT] [established] Extended ACLs no: 100-199,2000-2699
OP: eq|lt|gt|neq|range: equal, less than, greater than, not equal
protocol: tcp, udp, icmp, ip (ip contains all others) Can’t filter ports if set to ip!
PORT: UDP/TCPport number or name (ftp, ftp-data, www, pop3, smtp, telnet, domain etc.)
established: let pass returning TCP connections – for TCP only!
R1(config)# access-list 101 deny icmp any any [ICMP-type [ICMP-code] | ICMP-message] ICMP filtering needs an EXTENDED ACL number
ICMP types: echo, echo-reply, unreachable, time-exceeded, packet-too-big, fragments
STANDARD ACL – close to DST: filters ONLY on source IP
EXTENDED ACL – close to SRC: filters on source/destination IP, TCP/UDP ports, protocols
3P: ONLY 1 ACL per protocol (IPv4/IPv6), per direction (IN/OUT), per interface
IPv6 ACLs: named ONLY!
R1(config)# access-list 101 permit tcp any any eq ? Check available port number/name options
R1(config)# access-list 101 permit ip any any Counter implicit deny any, if there’s no permit statements in ACL!
NAMED CONFIG MODE
R1(config)# ip access-list {standard | extended} NAME Named ACL config
R1(config-std-nacl)# {permit | deny | remark} source [wildcard] [log]
EDITING
R1# show access-list 1 Check ACL for line numbers to edit
R1(config)# ip access-list {standard | extended} 1 Open ACL for editing. Number is the name
R1(config-std-nacl)# no 10 Remove error line (10) (sequence number)
R1(config-std-nacl)# 10 deny host 192.168.10.10 Add new definition for that line (10)
R1(config-std-nacl)# end
R1(config-if)# ip access-group {number | name} {in | out} Apply ACL to interface
R1(config-if)# no ip access-group {number | name} {in | out} Remove ACL from interface
R1(config-line)# access-class {number | name} {in [vrf-also] | out} Apply ACL to VTY lines
R1(config)# no access-list number Remove ACL (in some IOS, remove from i-faces first!)
R1(config)# no ip access-list extended name Remove named, extended ACL
IPv6 ACLs
R1(config)# ipv6 access-list name Named ONLY!
R1(config-ipv6-acl)# {permit | deny | remark} protocol {source-prefix/length} [OP PORT] {destination-prefix/length} [OP PORT] [established] Can use host and any keywords
R1(config-ipv6-acl)# deny ipv6 2001:db8:cafe:30::/64 any example
R1(config-ipv6-acl)# permit ipv6 any any example
R1(config-if)# ipv6 traffic-filter name {in | out} Apply ACL to the interface
R1(config-if)# no ipv6 traffic-filter name [in | out] Remove ACL from the interface
R3(config)# ipv6 access-list RESTRICTED-ACCESS Example. Editing lines in IPv6 ACL
R3(config-ipv6-acl)# permit ipv6 any 2001:db8:cafe:10::/64 sequence 10
R3(config-ipv6-acl)# end
R1# show [ip | ipv6] access-lists [number | name]
R1# clear access-list counters [number | name] Clear all, or specific ACL counters
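Added example (Python, not from the original cheat sheet): a small evaluator for the numbered ACL syntax above that makes the rules of the section visible on sample packets: first match wins, host equals wildcard 0.0.0.0, any equals 0.0.0.0 255.255.255.255, established only passes TCP with ACK set, and the implicit deny at the end matches but is never counted. The ACL text and packets are constructed for this example; only the eq port operator is modelled.

```python
# Added example (not from the original page): evaluator for IOS numbered ACLs,
# showing first-match order, wildcard masks, host/any, 'established' and the
# implicit deny at the end. ACL text and packets are constructed.
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "ftp-data": 20, "smtp": 25,
              "domain": 53, "pop3": 110, "ssh": 22}
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care

def parse_addr(tok: list) -> tuple:
    """Consume one address spec from tok and return (network, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":                                   # host X == X 0.0.0.0
        return tok.pop(0), "0.0.0.0"
    if tok and tok[0].count(".") == 3 and tok[0][0].isdigit():
        return t, tok.pop(0)                          # address + wildcard
    return t, "0.0.0.0"                               # bare address (standard ACL)

def parse_port(tok: list):
    """Consume an optional 'eq <port>'; other operators are not modelled."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        p = tok.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None

@dataclass
class Entry:
    action: str
    proto: str
    src: tuple
    dst: tuple
    sport: int = None
    dport: int = None
    established: bool = False
    hits: int = 0            # what 'show access-lists' reports as matches

def parse_acl(text: str) -> list:
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        number, action = int(tok[1]), tok[2]
        if action == "remark":
            continue
        tok = tok[3:]
        if number <= 99 or 1300 <= number <= 1999:    # standard: source only
            entries.append(Entry(action, "ip", parse_addr(tok), ANY))
        else:                                          # extended
            proto = tok.pop(0)
            src, sport = parse_addr(tok), parse_port(tok)
            dst, dport = parse_addr(tok), parse_port(tok)
            entries.append(Entry(action, proto, src, dst, sport, dport, "established" in tok))
    return entries

def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry decides and takes the hit; otherwise implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *e.src) and wildcard_match(pkt["dst"], *e.dst)):
            continue
        if e.sport is not None and pkt.get("sport") != e.sport:
            continue
        if e.dport is not None and pkt.get("dport") != e.dport:
            continue
        if e.established and not (pkt["proto"] == "tcp" and pkt.get("ack")):
            continue
        e.hits += 1
        return e.action
    return "deny"            # implicit deny any: not shown, not counted

ACL_TEXT = """
access-list 101 remark constructed example ACL, not from the original page
access-list 101 permit tcp any 192.168.10.0 0.0.0.255 established
access-list 101 permit tcp any host 192.168.10.10 eq www
access-list 101 deny icmp any any
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
"""

def run_demo() -> dict:
    acl = parse_acl(ACL_TEXT)
    packets = [   # constructed packets arriving inbound on the WAN i-face
        {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.10.10", "dport": 80},
        {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.10.20", "dport": 22, "ack": True},
        {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.10.20", "dport": 22},
        {"proto": "icmp", "src": "10.1.1.1", "dst": "192.168.10.1"},
        {"proto": "udp", "src": "10.1.1.1", "dst": "192.168.10.1", "dport": 53},
        {"proto": "tcp", "src": "198.51.100.9", "dst": "192.168.10.10", "dport": 80},
    ]
    return {"decisions": [evaluate(acl, p) for p in packets],
            "hits": [e.hits for e in acl]}

if __name__ == "__main__":
    print(run_demo())
```

The third packet (new SSH connection to an inside host) is dropped by the implicit deny and shows up in no counter, which is why the cheat sheet recommends an explicit deny any at the end when you need visibility. The second packet passes only because the ACK flag is set; established does nothing for UDP or ICMP.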
NAT: STATIC
R1(config)# ip nat inside source static local_ip global_ip Configure static translation
R1(config)# int s0/0/0 Configure INSIDE (LAN side) interface
R1(config-if)# ip nat inside on the router
R1(config)# int s0/1/0 Configure OUTSIDE (WAN side) interface
R1(config-if)# ip nat outside on the router
ALWAYS remove incorrect translation from the interface before applying the new one! (no ip nat outside)
R1(config)# no ip nat inside source static Remove translation
NAT: DYNAMIC
R1(config)# ip nat pool name startIP endIP {netmask mask | prefix-length prefix} Config IP pool
R1(config)# access-list ACL_no permit IP [wildcard] ACL to allow private IPs to translate
R1(config)# ip nat inside source list ACL_no pool name Dynamic NAT (pool)
R1(config)# int s0/0/0 R1(config-if)# ip nat inside R1(config)# int s0/1/0 R1(config-if)# ip nat outside
POOL: available public IPs ACL: private IPs to translate!
R1(config)# ip nat translation timeout seconds Change default 24h timeout
R1# clear ip nat translation * Erase all dynamic translations
R1# clear ip nat translation inside global_IP local_IP [outside local_IP global_IP]
R1# clear ip nat translation protocol inside global_IP global_port local_IP local_port [outside local_IP local_port global_IP global_port]
NAT OVERLOAD: PAT
MULTIPLE PUBLIC IPs
R1(config)# ip nat pool name startIP endIP {netmask mask | prefix-length prefix} Config IP pool
R1(config)# access-list ACL_no permit IP [wildcard] ACL to allow IPs to translate
R1(config)# ip nat inside source list ACLno pool name overload Multi public IP PAT (pool)
R1(config)# int s0/0/0 R1(config-if)# ip nat inside R1(config)# int s0/1/0 R1(config-if)# ip nat outside
SINGLE PUBLIC IP
R1(config)# access-list ACL_no permit IP [wildcard] ACL to allow IPs to translate
R1(config)# ip nat inside source list ACLno interface IF overload Single public IP PAT (i-face)
R1(config)# int s0/0/0 R1(config-if)# ip nat inside R1(config)# int s0/1/0 R1(config-if)# ip nat outside
IF: public IP on the outside facing interface to which private IPs will translate
PORT FORWARDING
R1(config)# ip nat inside source static {tcp | udp} local_IP local_port global_IP global_port [extendable]
R1(config)# int s0/0/0 R1(config-if)# ip nat inside R1(config)# int s0/1/0 R1(config-if)# ip nat outside
R1# clear ip nat statistics Erase stats (to verify operation)
R1# clear ip nat translation * Erase all dynamic translations
R1# show ip nat translations [verbose] Translations’ info. Verbose for more
R1# show ip nat statistics Various NAT stats
R1# debug ip nat [detailed] NAT debugging, detailed for more info
R1# show access-lists Check defined ACLs and hits
DHCP
R1(config)# no service dhcp Disable DHCP service. Enabled by default in IOS!
R1(config)# service dhcp Enable DHCP, no effect if parameters are not set
R1(config)# ip dhcp excluded-address low_IP [high_IP] Configure excluded IPs, range or one
R1(config)# ip dhcp pool pool_name Configure IP pool
R1(dhcp-config)# network network_ip [mask | prefix] REQUIRED: define addresses to assign
R1(dhcp-config)# default-router IP [IP2…IP8] REQUIRED: gateway IP(s)
R1(dhcp-config)# dns-server IP [IP2…IP8] DNS server(s)
R1(dhcp-config)# domain-name name Domain name
R1(dhcp-config)# lease {days [hours][mins] | infinite} Lease expiry time
R1(dhcp-config)# netbios-name-server IP [IP2…IP8] NetBIOS WINS server(s)
R1(config-if)# ip address dhcp Set interface to obtain IP from DHCP server
R1(config-if)# ip helper-address IP Set on inside i-face to route to outside DHCP server
helper-address forwards UDP ports 37: time, 49: TACACS, 53: DNS, 67: DHCP/BOOTP server, 68: DHCP/BOOTP client, 69: TFTP, 137: NetBIOS name service, 138: NetBIOS datagram service
R1# show run | include no service dhcp Check if the service is NOT disabled
R1# show run | section dhcp Verify service settings
R1# show ip dhcp server statistics Check DHCP message statistics
R1# show ip dhcp binding Check DHCP IP-MAC bindings
R1# show ip dhcp conflict Display all address conflicts registered
R1# debug ip dhcp server events Review server events
R1(config)# access-list 100 permit udp any any eq 67 Debug DHCP traffic with ACL to filter
R1(config)# access-list 100 permit udp any any eq 68 for DHCP traffic
R1# debug ip packet 100
SLAAC [ALL DHCP AGENTS: FF02::1:2 ALL DHCP SERVERS: FF05::1:3]
R1(config)# ipv6 unicast-routing Enable IPv6
R1(config-if)# no ipv6 nd managed-config-flag Reset M and O flags to 0 to make sure
R1(config-if)# no ipv6 nd other-config-flag it’s full SLAAC mode. SLAAC is default in IOS
M=0, O=0 -> SLAAC
STATELESS DHCPv6
R1(config)# ipv6 unicast-routing
R1(config)# ipv6 dhcp pool pool_name Create IP pool (enters config mode)
R1(config-dhcpv6)# dns-server IP DNS server(s)
R1(config-dhcpv6)# domain-name name Domain name
R1(config-if)# ipv6 dhcp server pool_name DHCP is enabled on the interface!
R1(config-if)# ipv6 nd other-config-flag Set O flag to enable stateless DHCPv6
M=0, O=1 -> stateless DHCPv6
R1(config-if)# ipv6 enable Set client interface to ask/receive config
R1(config-if)# ipv6 address autoconfig from stateless DHCPv6 server
STATEFUL DHCPv6
R1(config)# ipv6 unicast-routing
R1(config)# ipv6 dhcp pool pool_name Configure IP pool. Lease times in seconds!
R1(config-dhcpv6)# address prefix IPv6_prefix [lifetime {valid preferred | infinite}]
R1(config-dhcpv6)# dns-server IP DNS server(s)
R1(config-dhcpv6)# domain-name name Domain name
R1(config-if)# ipv6 dhcp server pool_name DHCP is enabled on the interface!
R1(config-if)# ipv6 nd managed-config-flag Set M flag to enable stateful DHCPv6
R1(config-if)# ipv6 enable Set client interface to ask/receive config
R1(config-if)# ipv6 address dhcp from stateful DHCPv6 server
R1(config-if)# ipv6 dhcp relay destination IPv6addy Set relay, on inside i-face!
R1# show ipv6 dhcp binding Check DHCPv6 IP-MAC bindings
R1# show ipv6 dhcp conflict Display all address conflicts registered
R1# show ipv6 dhcp pool Verify server: 0 clients = stateless
R1# debug ipv6 dhcp detail Check messages between client-server
BASIC config / commands
S1(config)# hostname S1 Set hostname
S1(config)# service password-encryption Encrypt all passwords in config files
S1(config)# enable secret class Set encrypted priv EXEC password
S1(config)# no ip domain-lookup Disable DNS lookup on typos
S1(config)# banner motd #your_message_here# Set MOTD banner, using # as delimiter
R1(config-if)# exit Exit to global config mode
R1(config-if)# end Exit to priv EXEC mode (CTRL+Z/CTRL+C)
R1# auto secure Guided security settings config mode
R1# ping [IP] PING tool, no IP = extended mode
R1# traceroute [IP] TRACEROUTE tool, no IP = extended mode
R1# show users Show connected sessions
R1# show history Command history. Default buffer is 10 lines
R1# terminal history size 200 Adjust size of the history buffer, in lines
FILE SYSTEM OPS Can use common FS commands: dir, cd, pwd, mkdir/rmdir, more
R1# show file systems Show all file systems available on the device
BOOT IMAGE/SEQ
R1(config)# boot system path_to_image_file Set system var pointing to system boot image
R1# show bootvar / show boot in older IOS Check current setting of boot var
Can enter few system paths, for redundancy!
OUTPUT FILTERING
R1# show running-config | section section_name Only show section starting with section_name
R1# show running-config | begin expression Show starting from expression
R1# show running-config | include expression Only show lines with expression
R1# show running-config | exclude expression DO NOT show lines with expression
NTP
R1# clock set 17:00:00 18 Feb 2013 Set time and date
R1(config)# ntp master stratum Set to work as NTP server (default stratum is 8)
R1(config)# ntp server IP Connect to NTP server (at IP) to sync clock
R1# show ntp associations Show connected servers
R1# show ntp status Show protocol status, clock etc.
R1# show clock [detail] Show time [and source]
MANUAL DNS
R1(config)# [ip | ipv6] host hostname IP_address Manually set hostname-IP mappings
HTTP/HTTPS
R1# show ip http server status Check if HTTP server is running
R1(config)# [no] ip http [server | secure-server] Enable HTTP |HTTPS server
R1(config)# ip http authentication local HTTP server will use local user db
CDP [Cisco Discovery Protocol] Should be disabled – security risk!
R1(config)# [no] cdp run Enable/disable on all interfaces
R1(config-if)# [no] cdp enable Enable/disable per interface
R1# show cdp Verify status of CDP. Enabled by default on Cisco devices!
R1# show cdp neighbors [detail] Show CDP enabled connected devices info
R1# show cdp interface Show CDP enabled interfaces
LLDP [Link Layer Discovery Protocol]
R1(config)# [no] lldp run Enable globally
R1(config-if)# lldp transmit Enable on i-face. Transmitting and receiving LLDP packets
R1(config-if)# lldp receive has to be configured separately
R1# show lldp Verify status
R1# show lldp neighbors [detail] Show LLDP enabled connected devices info
LICENSING
R1# show license [feature] Show licenses info / features
R1# show license udi Show Unique Device Identifier
R1# license install path_to_license_file Install license. RELOAD after!
R1# license save path_to__file Save ALL licenses to 1 file.
Restore with license install
R1(config)# license accept end user agreement Auto accept EULA on install
R1(config)# license boot module name technology-package name Install Evaluation RTU license
REMOVING LICENSES Can’t remove built-in/eval licenses!
R1(config)# license boot module name technology-package name disable Disable the tech pack
R1# reload
R1# license clear feature-name Remove the license
R1(config)# no license boot module name technology-package name disable Enable the tech pack
R1# reload
INIT / RELOAD
S1# show flash In switches, check for vlan.dat
S1# delete vlan.dat and remove it to restore default VLAN config
R1# erase startup-config
R1# reload
PASSWORD RECOVERY [Terminal:9600 baud rate / no parity / 8 data bits / 1 stop bit / no flow control]
rommon 1 > confreg 0x2142 In ROMMON mode, change register value (default is 0x2102)
rommon 2 > reset PuTTY break sequence: CTRL+BREAK (enter during boot/decompressing)
R1# copy startup-config running-config Copy the saved startup config to running. Interfaces come up shut down: no shutdown them afterwards!
R1(config)# enable secret cisco Set your new passwords
R1(config)# config-register 0x2102 Set register back to the default value
R1# copy running-config startup-config Copy run to startup
R1# reload Reload with the new passwords and the default register
SYSTEM CRASH RECOVERY [switch; boot loader access]
1. Connect PC to the console port. Configure terminal emulation software
2. Unplug the switch power cord.
3. Reconnect the power cord to the switch and, within 15 seconds, press and hold down the Mode button while the System LED is still flashing green.
4. Continue pressing the Mode button until the System LED turns briefly amber and then solid green; then release the Mode button.
5. The boot loader switch: prompt appears in the terminal emulation software on the PC.
TROUBLESHOOTING
R1# show processes cpu
R1# show memory
Hello Traveller!
This page is not meant to be a typical IT guide. Its main purpose is to keep short notes that may come in handy in everyday work when using/configuring various devices, e.g. DHCP settings on a Cisco router, network card settings on Linux, etc.
All rights reserved