
Router / Switch Erase Configuration

Router>enable
Router#dir
# List Flash content
Router#dir nvram:
# List NVRAM content
Router#delete vlan.dat
Router#delete flash:multiple-fs
# Erases certificates
Router#erase startup-config / wr e # Erases flash:config.text and flash:privateconfig.text
Router#reload
# System configuration has been modified. Save? [yes/no]: no
# Proceed with reload? [confirm]
Router Basic Configuration
Router>enable
Router#config term
Router(config)#alias exec c config t
#Avoids typing config t
Router(config)#no ip domain-lookup
Router(config)#ip tcp synwait 5
#Avoid the 30 sec domain-lookup wait
Router(config)#ip classless / no ip classless
#no ip classless = classful
Router(config)#hostname R1
R1(config)#enable secret cisco
R1(config)#banner motd "Authorized Personnel Only"
R1(config)#line console 0
R1(config-line)#logging synchronous
R1(config-line)#no exec-timeout
#Timeouts overload the CPU on GNS3
R1(config-line)#password cisco
R1(config-line)#login
(Optional) R1(config-line)#no login
#Disables password
(Optional) R1(config-line)#privilege level 15
#Auto-privileged mode
R1(config-line)#line vty 0 4
R1(config-line)#password cisco
(Optional) R1(config-line)#no login
#Disables password
(Optional) R1(config-line)#privilege level 15
#Auto-privileged mode
R1(config-line)#login
R1(config-line)#interface fa0/0
R1(config-if)#description Connection to Mars
R1(config-if)#speed 100
R1(config-if)#duplex full
(Serial Link) R1(config-if)#clock rate 9600
R1(config-if)#ip address 192.168.7.126 255.255.255.128 / no ip address 192.168.7.126 255.255.255.128
R1(config-if)#no shutdown
R1(config-if)#interface fa0/1
R1(config-if)#description connection to switch1
R1(config-if)#ip address 192.168.7.190 255.255.255.192
R1(config-if)#no shutdown
R1(config-if)#end
R1#copy running-config startup-config

Router Static Routes


Router(config)#ip route network-address subnet-mask { next_hop_ip | exit-iface }
#adds route
Router(config)#ip route 172.16.1.0 255.255.255.0 172.16.2.2
Router(config)#ip route 172.16.1.0 255.255.255.0 s0/0
Router(config)#ip route 192.168.2.0 255.255.255.0 fastethernet 0/1 172.16.2.2
Router(config)#no ip route network-address subnet-mask { next_hop_ip | exit-iface }
#deletes route
Router(config)#ip route 0.0.0.0 0.0.0.0 [exit-interface | ip-address ]
#default Static Route
Router(config)#ip route 192.168.0.0 255.255.0.0 Null0
#sends traffic to the null interface (discarded)
Router Show Commands
Router#show flash
Router#show running-config / startup-config
Router#show ip route / show ip route <network_address>
Router#show ip interface brief
Router#show interfaces
#shows the status and detailed description for all interfaces
Router#show interfaces <interface_name>
#show interfaces serial0/0/0
Router#show protocol
Router#show controllers <interface_name>
#shows DTE/DCE information if used with s0/0
Router#show ip rip database
Router#show ip protocols
#Routing protocols operating on the router
Router Debug
Router#debug ip routing
#displays routing table processes for any route
Router#undebug ip routing
Router#undebug all
Router CDP
Router#show cdp neighbors
Router#show cdp neighbors detail
#Displays neighbor IP either a working one or not
Router(config)#no cdp run
#Disables CDP globally
Router(config-if)#no cdp enable
#Disables CDP on interface

Switch SDM Template Selection

Switch>enable
Switch#show sdm prefer
# shows default template
Switch(config)#sdm prefer dual-ipv4-and-ipv6 routing
# allocates memory for ipv6 operations on 3560
Switch(config)#sdm prefer lanbase-routing
# allocates memory for ipv6 operations on 2960
Switch(config)#exit
Switch#reload
Switch Basic Configuration
Router>enable
Router#config term
Router(config)#hostname S1
S1(config)#banner motd "Authorized Personnel Only"
S1(config)#vtp file nvram:vlan.dat (Router working as switch)
S1(config)#enable secret cisco
S1(config)#no ip routing
#Disables routing (Using L3 as L2 device)
S1(config)#ip routing
#Enables routing on L3 switches (def=disabled)
S1(config)#no ip domain-lookup
S1(config)#vtp mode transparent / vtp transparent (router)
S1(config)#line console 0
S1(config-line)#logging synchronous
S1(config-line)#no exec-timeout
#Timeouts overload the CPU on GNS3
S1(config-line)#password cisco
S1(config-line)#login
(Optional) S1(config-line)#no login
#Disables password
(Optional) S1(config-line)#privilege level 15
#Auto-privileged mode
S1(config-line)#line vty 0 15
S1(config-line)#password cisco
S1(config-line)#transport input telnet
S1(config-line)#login
(Optional) S1(config-line)#no login
#Disables password
(Optional) S1(config-line)#privilege level 15
#Auto-privileged mode
S1(config-line)#exit
S1(config)#ip default-gateway 172.17.99.1
S1(config)#duplex auto
S1(config)#speed auto
S1(config)#int range f0/0 - 15
S1(config-if-range)#shutdown
S1(config-if-range)#end
S1#vlan database (Router working as switch)
S1(vlan)#vlan 99 name mgmt (Router working as switch)
S1(vlan)#exit

S1(config)#interface vlan99
S1(config-if)#ip address 172.17.99.11 255.255.255.0
S1(config-if)#no shutdown
S1(config-if)#end
S1#copy running-config startup-config
S1#show ip interface brief
Note: The Mgmt ips won't be pingable until the trunks are active, even to themselves.
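The vty settings above are a mix of lab conveniences (telnet transport, `no login`, `privilege level 15`) and production-grade choices. The following audit script is an added example, not part of the original cheat sheet: it parses an IOS running-config using the one-space indentation IOS emits and flags the weak management settings that appear on this page. Both configs it checks (`SAMPLE_CONFIG`, `HARDENED_CONFIG`) are constructed for the demonstration; the secret hash is a placeholder.

```python
"""Audit an IOS running-config for the weak management settings shown in the
cheat sheet: telnet on vty, 'no login', auto-privilege 15, plain 'ip http
server', SNMPv1/v2c communities and NTP without authentication.
Added example, not part of the original page; configs are constructed."""
import re

SAMPLE_CONFIG = """\
hostname S1
enable secret 5 $1$placeholder
ip http server
snmp-server community ccnp-switch2 view NMS-LIMIT ro NMS-SERVERS
ntp server 172.16.99.1
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 privilege level 15
 no login
 transport input telnet
line vty 5 15
 password cisco
 login
 transport input ssh
"""

HARDENED_CONFIG = """\
hostname S1
enable secret 5 $1$placeholder
ntp server 172.16.99.1
ntp authenticate
line vty 0 15
 password cisco
 login
 transport input ssh
"""


def parse_sections(text):
    """Return (global_lines, {section_header: [child lines]}); IOS indents the
    children of 'line', 'interface' etc. by one space."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            globals_.append(current)
    return globals_, sections


def audit(text):
    """Return a sorted list of (severity, location, message) findings."""
    globals_, sections = parse_sections(text)
    findings = []
    if not any(g.startswith("enable secret") for g in globals_):
        findings.append(("high", "global", "no 'enable secret' configured"))
    if "ip http server" in globals_:
        findings.append(("medium", "global", "cleartext HTTP management enabled"))
    for g in globals_:
        m = re.match(r"snmp-server community (\S+) .*\b(ro|rw)\b", g)
        if m:
            sev = "medium" if m.group(2) == "ro" else "high"
            findings.append((sev, "global", f"SNMPv1/v2c community '{m.group(1)}' ({m.group(2)})"))
    if any(g.startswith("ntp server") for g in globals_) and "ntp authenticate" not in globals_:
        findings.append(("low", "global", "NTP client without 'ntp authenticate'"))
    for header, children in sections.items():
        if not header.startswith("line vty"):
            continue
        if "no login" in children:
            findings.append(("high", header, "'no login': vty reachable without a password"))
        if "privilege level 15" in children:
            findings.append(("high", header, "auto-privileged (level 15) vty"))
        transports = [c for c in children if c.startswith("transport input")]
        # no explicit 'transport input ssh' is treated as a finding (conservative choice)
        if not transports or any("telnet" in t or t.endswith("all") for t in transports):
            findings.append(("medium", header, "telnet accepted on vty (use 'transport input ssh')"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

Run it against a config pulled with `show running-config`; the hardened variant yields no findings, the lab variant yields six, all attributable to a specific line or section.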

Switch Mgmt Configuration


S1#vlan database (Not needed on an actual switch)
S1(vlan)#vlan 99 name mgmt
S1(vlan)#exit
S1(config)#interface vlan99
S1(config-if)#ip address 172.17.99.11 255.255.255.0
S1(config-if)#no shutdown
S1(config-if)#exit
S1(config)#interface f0/0
S1(config-if)#switchport access vlan 99
S1(config-if)#exit
Switch Enable Access Ports (connected to PCs)
S1(config)#interface range f0/6 , f0/11 , f0/15
S1(config-if-range)#switchport mode access
S1(config-if-range)#no shutdown
S1(config-if-range)#exit
S1#show protocols
Switch Assign Ports to Vlans
S1(config)#interface range f0/6 - 10
S1(config-if-range)#switchport access vlan 30
S1(config-if-range)#interface range f0/11 - 14
S1(config-if-range)#switchport access vlan 10
S1(config-if-range)#interface f0/15
S1(config-if)#switchport access vlan 99
S1(config-if)#exit
S1#show vlan-switch brief
S1#show vlan-switch id 10 / 20 / 30 / n
Switch Trunk Ports
S1(config)#interface range f0/1 - 2
S1(config-if-range)#switchport mode trunk
S1(config-if-range)#switchport trunk native vlan 99
S1(config-if-range)#no shutdown
S1(config-if-range)#exit
S1(config)#exit
S1#show interface trunk
Note: All vlans are allowed on a trunk by default, but they must match on both ends of the trunk.
Vlans 1, 1002-1005 are reserved and cannot be removed.
S1(config-if)#switchport trunk allowed vlan all / add <vlan id> / remove <vlan id>

Switch EtherChannels between Switches


S1(config)#interface range f0/7 - 8
S1(config-if-range)#switchport mode trunk
S1(config-if-range)#switchport nonegotiate
[3560] S1(config-if-range)#switchport trunk encapsulation dot1q
S1(config-if-range)#channel-group 1 mode desirable
S1(config-if-range)#no shutdown
S1(config-if-range)#exit
S1(config)#end
S1#show interface trunk
S1#show etherchannel summary
Switch Time Configuration
S1#show clock
S1#clock set 14:45:00 29 July 2015
S1#config t
S1(config)#clock timezone CTS -6
S1(config)#clock summer-time CDT recurring
S1(config)#end
S1#show clock detail
Switch NTP Master
S1#config t
S1(config)#ntp master 10
#Stratum <1-15>
(Optional) S1(config)#ntp authenticate
(Optional) S1(config)#ntp authentication-key 1 md5 pa$$word
(Optional) S1(config)#ntp trusted-key 1
S1(config)#end
S1#show ntp status
#NTP may take up to 5 minutes to synchronize
S1#show ntp associations
  Address         ref clock       st   when   poll reach  delay  offset   disp
*~127.127.1.1     .LOCL.           9     12     16   377  0.000   0.000  0.226
Note: The internal server created by the ntp master command resides on 127.127.x.1
Execute show ntp associations to know the right address.
S1#show clock
# software clock
S1#show calendar
# hardware clock
S1(config)#ntp update-calendar
# syncs soft with hard clock.
Switch NTP Clients
S1#config t
S1(config)#ntp server 172.16.99.1
(Optional) S1(config)#ntp authenticate
(Optional) S1(config)#ntp authentication-key 1 md5 pa$$word
(Optional) S1(config)#ntp trusted-key 1
S1(config)#end
S1#show ntp status
#NTP may take up to 5 minutes to synchronize
S1#show ntp associations
Switch NTP ACLs
S1#config t
S1(config)#access-list 1 permit 127.127.x.1
#ntp generated master server ip
S1(config)#access-list 2 permit 172.16.0.0 0.0.255.255
#allows only devices on 172.16.0.0/16
S1(config)#ntp access-group peer 1
S1(config)#ntp access-group serve-only 2
S1(config)# ntp access-group ?
  Peer        Provide full access
  Query-only  Allow only control queries
  Serve       Provide server and query access
  Serve-only  Provide only server access

Switch SNMP Configuration


S1#config t
S1(config)#snmp-server location Rack 1
S1(config)#snmp-server contact Student
S1(config)#snmp-server chassis-id Cisco 3560v2
S1(config)#ip access-list standard NMS-SERVERS
S1(config-std-nacl)#permit 172.0.0.0 0.0.0.255
S1(config-std-nacl)#exit
S1(config)#snmp-server view NMS-LIMIT iso included
S1(config)#snmp-server view NMS-LIMIT 1.3.6.1.2.1.4.21 excluded
S1(config)#snmp-server view NMS-LIMIT 1.3.6.1.2.1.4.22 excluded
S1(config)#snmp-server view NMS-LIMIT 1.3.6.1.2.1.4.35 excluded
S1(config)#snmp-server view NMS-LIMIT 1.3.6.1.2.1.3 excluded
S1(config)#snmp-server view NMS-LIMIT 1.3.6.1.6.3.15 excluded
S1(config)#snmp-server view NMS-LIMIT 1.3.6.1.6.3.16 excluded
S1(config)#snmp-server view NMS-LIMIT 1.3.6.1.6.3.18 excluded
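To see what the NMS-LIMIT view actually hides, the following added example (not part of the original page) resolves OIDs against the view the way an agent does: the longest subtree that contains the OID decides, and an OID covered by no subtree is invisible. The MIB names in the comments are standard assignments; the `WELL_KNOWN` table maps the symbolic names IOS accepts in a view to their dotted form. IOS also accepts `*` wildcards in a subtree, which this example does not implement.

```python
"""Resolve OIDs against an IOS 'snmp-server view' definition.
Added example, not part of the original page; the NMS-LIMIT entries are the
ones configured above, the MIB names in comments are standard assignments."""

NMS_LIMIT = [
    ("iso", "included"),
    ("1.3.6.1.2.1.4.21", "excluded"),   # ipRouteTable
    ("1.3.6.1.2.1.4.22", "excluded"),   # ipNetToMediaTable (ARP cache)
    ("1.3.6.1.2.1.4.35", "excluded"),   # ipNetToPhysicalTable
    ("1.3.6.1.2.1.3", "excluded"),      # at (address translation)
    ("1.3.6.1.6.3.15", "excluded"),     # SNMP-USER-BASED-SM-MIB (v3 users)
    ("1.3.6.1.6.3.16", "excluded"),     # SNMP-VIEW-BASED-ACM-MIB (access control)
    ("1.3.6.1.6.3.18", "excluded"),     # SNMP-COMMUNITY-MIB (communities)
]

# symbolic subtree names IOS accepts in 'snmp-server view' (assumed subset)
WELL_KNOWN = {
    "iso": "1", "org": "1.3", "dod": "1.3.6", "internet": "1.3.6.1",
    "mgmt": "1.3.6.1.2", "mib-2": "1.3.6.1.2.1", "system": "1.3.6.1.2.1.1",
    "interfaces": "1.3.6.1.2.1.2", "ip": "1.3.6.1.2.1.4", "snmpV2": "1.3.6.1.6",
}


def to_arcs(subtree):
    """'iso' -> (1,), '1.3.6.1.2.1.4.21' -> (1, 3, 6, 1, 2, 1, 4, 21)."""
    dotted = WELL_KNOWN.get(subtree, subtree)
    return tuple(int(a) for a in dotted.split("."))


def is_prefix(subtree, oid):
    return oid[:len(subtree)] == subtree


def view_permits(view, oid):
    """True if the OID is visible through the view: the longest matching
    subtree wins, and an OID that no subtree covers is not visible."""
    target = to_arcs(oid)
    best = None
    for subtree, action in view:
        arcs = to_arcs(subtree)
        if is_prefix(arcs, target) and (best is None or len(arcs) > len(best[0])):
            best = (arcs, action)
    return best is not None and best[1] == "included"


def visible(view, oids):
    """Filter a list of OIDs down to those the view exposes."""
    return [o for o in oids if view_permits(view, o)]


if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.4.21.1.1.10.0.0.0", "1.3.6.1.6.3.15.1.1.0"):
        print(oid, "visible" if view_permits(NMS_LIMIT, oid) else "hidden")
```

Excluding the USM, VACM and community subtrees keeps an `ro` reader from enumerating the agent's own user, group and community configuration; excluding the IP route and ARP tables keeps it from mapping the network through the switch.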
Switch SNMP Version 3
S1(config)#snmp-server group ccnp-switch3 v3 priv read NMS-LIMIT access NMS-SERVERS
S1(config)#snmp-server user student ccnp-switch3 v3 auth sha cisco123 priv aes 128 cisco123
S1(config)#snmp-server host 172.16.99.100 traps version 3 priv student
S1(config)#snmp-server ifindex persist
S1(config)#snmp-server enable traps
Switch SNMP Version 2
S2(config)#snmp-server community ccnp-switch2 view NMS-LIMIT ro NMS-SERVERS
S2(config)#snmp-server host 172.16.99.100 version 2c ccnp-switch2
S2(config)#snmp-server ifindex persist
S2(config)#snmp-server enable traps

Switch SNMP Debug


S1(config)#end
S1#debug snmp packets
S1#config t
S1(config)#
Jul 30 18:27:05.274: SNMP: Queuing packet to 172.16.99.100
Jul 30 18:27:05.274: SNMP: V2 Trap, reqid 1, errstat 0, erridx 0
sysUpTime.0 = 37646
snmpTrapOID.0 = ciscoConfigManMIB.2.0.1

ccmHistoryEventEntry.3.7 = 1
ccmHistoryEventEntry.4.7 = 2
ccmHistoryEventEntry.5.7 = 3
S1(config)#end
S1#undebug all
Switch SNMP View Commands
S1#show snmp
S1#show snmp view
S1#show snmp group
S1#show snmp user
S2#show snmp community
Switch DHCP IPv4
S1#config t
S1(config)#ip dhcp excluded-address 192.168.10.1 192.168.10.10
S1(config)#ip dhcp excluded-address 192.168.10.254
S1(config)#ip dhcp pool R1_LAN
S1(dhcp-config)#network 192.168.10.0 255.255.255.0
S1(dhcp-config)#default-router 192.168.10.1
#gateway
S1(dhcp-config)#dns-server 192.168.10.1
#dns
S1(dhcp-config)#exit
S1(config)#end
S1#show ip dhcp binding
Switch STATELESS DHCP IPv6
S1#config t
S1(config)#ipv6 dhcp pool MANAGEMENT_IPV6_DHCP
S1(config-dhcpv6)#dns-server 2001:db8:3115:99::100
S1(config-dhcpv6)#exit
# Associating IPv6 pool with interface vlan99
S1(config)#interface vlan 99
S1(config-if)#ipv6 dhcp server MANAGEMENT_IPV6_DHCP
S1(config-if)#ipv6 nd other-config-flag
S1(config-if)#exit
S1(config)#end
Switch STATEFUL DHCP IPv6
S1#config t
S1(config)#ipv6 dhcp pool VLAN120_IPV6_DHCP
S1(config-dhcpv6)#address prefix 2001:db8:3115:120::/64
S1(config-dhcpv6)#dns-server 2001:db8:3115:99::100
S1(config-dhcpv6)#domain-name switch.ccnp
S1(config-dhcpv6)#exit
S1(config)#interface port-channel 2
S1(config-if)#ipv6 dhcp server VLAN120_IPV6_DHCP
# Associating IPv6 pool with interface vlan120 on a different switch(S2)
S2(config)#interface vlan 120
S2(config-if)#ipv6 nd managed-config-flag
S2(config-if)#exit
Switch DHCP Relay
S2(config)# int vlan 120

S2(config-if)# ipv6 dhcp relay destination 2001:db8:3115:99::d1 fa0/1 #IPv6
S2(config-if)# ip helper-address 10.1.99.1 #IPv4
S2(config-if)# exit

IP SLA:
IP SLA allows monitoring network performance using generated traffic between the devices.
DLS1(config)# ip sla 1
DLS1(config-ip-sla)# icmp-echo 172.16.100.101 # Server at the other side of a l2 / l3 device
DLS1(config-ip-sla-echo)# exit
DLS1(config)# ip sla 2
DLS1(config-ip-sla)# icmp-echo 172.16.200.101 # Server at the other side of a l2 / l3 device
DLS1(config-ip-sla-echo)# exit
DLS1(config)# ip sla 3
DLS1(config-ip-sla)# udp-jitter 172.16.99.101 5000 #L2 switch at the other side
DLS1(config-ip-sla-jitter)# exit
DLS1(config)# ip sla 4
DLS1(config-ip-sla)# udp-jitter 172.16.99.102 5000 #Another L2 switch at the other side
DLS1(config-ip-sla-jitter)# exit
DLS1(config)# ip sla schedule 1 life forever start-time now
DLS1(config)# ip sla schedule 2 life forever start-time now
DLS1(config)# ip sla schedule 3 life forever start-time now
DLS1(config)# ip sla schedule 4 life forever start-time now
ALS1(config)#ip sla responder
#Enables sending and receiving IP SLAs control packets
ALS1(config)#ip sla responder udp-echo ipaddress 172.16.99.1 port 5000
# udp jitter responder
Note: 172.16.99.1 is the IP of the IP SLA monitor DLS1
DLS1# show ip sla configuration 1/2/3/4
DLS1# show ip sla statistics 1/2/3/4
ALS1# show ip sla responder
SPAN (Switch Port Analyzer):
Allows for traffic monitoring from a source to be sent to a destination running a
protocol analyzer like Wireshark. There is local SPAN, Remote Span, and VLAN span.
Remote SPAN allows the source and destination ports to be on different switches.
Requires a vlan (RSPAN vlan) configured only for remote span functionality not for
data.

DLS1(config)# vlan 300
DLS1(config-vlan)# name REMOTE_SPAN
DLS1(config-vlan)# remote-span
#SPAN Vlan
ALS1(config)# monitor session 1 source interface Fa0/6
#Traffic source
ALS1(config)# monitor session 1 destination remote vlan 300
ALS1# show monitor
ALS2(config)# monitor session 10 source remote vlan 300
#Traffic destination
ALS2(config)# monitor session 10 destination interface Fa0/7
# PC with wireshark on this port
ALS2# show monitor
@Monitor Station at destination fa0/7
Ping from source of traffic somewhere
Analyze traffic captured by Wireshark
HSRP:
HSRP provides redundancy in the network.
The traffic can be load-balanced by using the standby <group-number> priority
<value> command.
DLS1(config)# interface vlan 99
DLS1(config-if)# ip address 172.16.99.1 255.255.255.0
DLS1(config-if)# standby 99 ip 172.16.99.5
DLS1(config-if)# standby 99 preempt
DLS1(config-if)# standby 99 priority 110
DLS1(config-if)# exit
DLS2(config)# interface vlan 99
DLS2(config-if)# ip address 172.16.99.2 255.255.255.0
DLS2(config-if)# standby 99 ip 172.16.99.5
DLS2(config-if)# standby 99 preempt
DLS2(config-if)# exit
DLS1(config)# interface vlan 10
DLS1(config-if)# ip address 172.16.10.1 255.255.255.0
DLS1(config-if)# standby 10 ip 172.16.10.5
DLS1(config-if)# standby 10 preempt
DLS1(config-if)# standby 10 priority 110
DLS1(config-if)# exit
DLS2(config)# interface vlan 10
DLS2(config-if)# ip address 172.16.10.2 255.255.255.0
DLS2(config-if)# standby 10 ip 172.16.10.5
DLS2(config-if)# standby 10 preempt
DLS2(config-if)# exit
C:\>ping 172.16.10.5
Reply from 172.16.10.5: bytes=32 time=1ms TTL=127
DLS1# show standby
Vlan10 - Group 10
State is Active
2 state changes, last state change 00:01:36
Virtual IP address is 172.16.10.5
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.560 secs
Preemption enabled
Active router is local
Standby router is 172.16.10.2, priority 100 (expires in 10.704 sec)
Note: Notice the last two digits (XX) in the MAC (0000.0c07.acXX) = HSRP group number.
The MAC address is 0000.0c07.ac0a. (0a = decimal # 10)
DLS1# show standby brief
Interface   Grp  Pri  P  State    Active  Standby       Virtual IP
Vl10        10   150  P  Active   local   172.16.10.2   172.16.10.5
Vl99        99   150  P  Active   local   172.16.99.2   172.16.99.5
P indicates configured to preempt.
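The virtual MAC rule noted above (group number in the last byte of 0000.0c07.acXX) is worth having in code, because a first-hop redundancy virtual MAC showing up in a capture or a MAC table where no HSRP group is expected is a sign that something other than the intended gateway is speaking HSRP. The following is an added example, not part of the original page: it derives the HSRP v1 virtual MAC from a group, recovers the group from a MAC in any common notation, and extends the same idea to the VRRP virtual MAC (0000.5e00.01XX, XX = VRID), which the cheat sheet does not show.

```python
"""HSRP v1 / VRRP virtual MAC derivation and recognition.
Added example, not part of the original page."""

HSRP_V1_PREFIX = "0000.0c07.ac"   # well-known HSRP v1 virtual MAC prefix
VRRP_PREFIX = "0000.5e00.01"      # IANA VRRP virtual MAC prefix


def hsrp_v1_virtual_mac(group):
    """HSRP v1 groups are 0-255; the group number is the last byte."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP v1 group must be 0-255")
    return f"{HSRP_V1_PREFIX}{group:02x}"


def vrrp_virtual_mac(vrid):
    """VRRP VRIDs are 1-255; the VRID is the last byte."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRRP VRID must be 1-255")
    return f"{VRRP_PREFIX}{vrid:02x}"


def normalize(mac):
    """Accept Cisco dotted (0000.0c07.ac0a), colon or dash notation and
    return the Cisco dotted form in lower case."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{hexdigits[0:4]}.{hexdigits[4:8]}.{hexdigits[8:12]}"


def identify_virtual_mac(mac):
    """Return ('hsrp', group), ('vrrp', vrid) or None for an ordinary MAC."""
    m = normalize(mac)
    if m.startswith(HSRP_V1_PREFIX):
        return ("hsrp", int(m[-2:], 16))
    if m.startswith(VRRP_PREFIX):
        return ("vrrp", int(m[-2:], 16))
    return None


def unexpected_virtual_macs(mac_table, expected_groups):
    """mac_table: list of (mac, port); expected_groups: {('hsrp', 10), ...}.
    Returns the entries that carry a virtual MAC for a group not in the
    expected set, i.e. what a defender would want to review."""
    suspicious = []
    for mac, port in mac_table:
        ident = identify_virtual_mac(mac)
        if ident is not None and ident not in expected_groups:
            suspicious.append((mac, port, ident))
    return suspicious
```

Group 10 gives 0000.0c07.ac0a exactly as in the `show standby` output above; group 99 gives 0000.0c07.ac63 (99 = 0x63). Feed `unexpected_virtual_macs` the output of `show mac address-table` and the set of groups you actually configured.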

HSRP Authentication:
DLS1(config)# int vlan 10
DLS1(config-if)# standby 10 authentication password
# Plain text 8 chars max
DLS1(config-if)# standby 10 authentication md5 key-string cisco123
# Encryption enabled
HSRP Interface Tracking:
Enables the priority of a standby group router to be automatically adjusted, based on the availability of the router interfaces. When a tracked interface becomes unavailable, the HSRP priority of the router is decreased. HSRP tracking ensures a router with an unavailable key interface will relinquish the active router role.
DLS1# conf t
DLS1(config)# ip sla 10
DLS1(config-ip-sla)# icmp-echo 209.165.200.254
DLS1(config-ip-sla-echo)# frequency 5
DLS1(config-ip-sla-echo)# exit
DLS1(config)# ip sla schedule 10 life forever start-time now
DLS1(config)# track 100 ip sla 10
DLS1(config)# int vlan 10
DLS1(config-if)# standby 10 track 100 decrement 70
DLS1(config-if)# exit
DLS1# show ip sla configuration
DLS1# show ip sla statistics
DLS1# show standby
VRRP (Virtual Router Redundancy Protocol):
DLS1(config)# interface Vlan10
DLS1(config-if)# ip address 172.16.10.1 255.255.255.0
DLS1(config-if)# vrrp 10 ip 172.16.10.5
DLS1(config-if)# vrrp 10 priority 150
# vrrp priority defines master forwarder
DLS1(config-if)# exit
DLS2(config)# interface Vlan30
DLS2(config-if)# ip address 172.16.30.2 255.255.255.0
DLS2(config-if)# vrrp 10 ip 172.16.30.2
#vrrp priority defined by higher IP
DLS1# show vrrp
DLS1# show vrrp brief
Interface   Grp  Pri  Time  Own  Pre  State   Master addr   Group addr
Vl10        10   150  3414       Y    Master  172.16.10.1   172.16.10.5
Vl99        99   150  3414       Y    Master  172.16.99.1   172.16.99.5

VRRP Tracking:
VRRP can only perform object tracking.
DLS1(config)# track 1 int loop 200 line-protocol
DLS1(config-track)# int vlan 99
DLS1(config-if)# vrrp 99 track 1 decrement 60

Router NAT
Router>enable
Router#config term
Router(config)#alias
Configure an ACL to Permit NAT
R2(config)#ip access-list standard R2NAT
R2(config-std-nacl)#permit 192.168.10.0 0.0.0.255
R2(config)#ip access-list extended NAT
R2(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 any
R2(config-ext-nacl)#permit ip 192.168.11.0 0.0.0.255 any
Configure static NAT for an inside web server
R2(config)#ip nat inside source static 192.168.20.254 209.165.202.131
Configure Dynamic NAT Overload
Define the address pool and configure dynamic NAT.
R2(config)#ip nat pool R2POOL 209.165.202.128 209.165.202.130 netmask
255.255.255.252
R2(config)#ip nat inside source list R2NAT pool R2POOL overload
Configure PAT (Port Address Translation = only 1 inside global IP)
R2(config)#ip nat inside source list NAT interface S0/0/1 overload
Specify inside and outside NAT interfaces
R2(config)#int f0/0
R2(config-if)#ip nat inside
R2(config-if)#int s0/1/0
R2(config-if)#ip nat outside
Seeing and Clearing Pools
R2#show ip nat translations
R2#clear ip nat translation *

Switch VTP Setup (Server)


S1#vlan database
S1(vlan)#vtp server
S1(vlan)#vtp domain Cisco
S1(vlan)#vtp password cisco
S1(vlan)#vtp pruning (Optional - must be enabled locally on every switch not supported by PT)
S1(vlan)#exit
S1#show vtp status
S1#show vtp counters
Switch Vlans (on the VTP Server)
S1#vlan database
S1(vlan)#vlan 10 name faculty (On a switch: 2 commands)
S1(vlan)#vlan 20 name students (On a switch: 2 commands)
S1(vlan)#vlan 30 name guest (On a switch: 2 commands)
S1(vlan)#vlan 99 name mgmt (Optional) (On a switch: 2 commands)
S1(vlan)#exit
S1#show vlan-switch brief
Switch VTP Setup (Client)
S1#vlan database
S1(vlan)#vtp client
S1(vlan)#vtp domain Lab4 (Optional)
S1(vlan)#vtp password cisco
S1(vlan)#vtp pruning (Optional - must be enabled locally on every switch not supported by PT)
S1(vlan)#exit
Switch VTP Setup (Transparent)
S1#vlan database
S1(vlan)#vtp transparent
S1(vlan)#vtp domain Lab4 (Mandatory)
S1(vlan)#vtp password cisco
S1(vlan)#vtp pruning (Optional - must be enabled locally on every switch not supported by PT)
S1(vlan)#exit

NOTE: VLANS must be created manually if the VTP is configured in Transparent Mode

Switch Spanning-Tree Setup


Switch3(config)#spanning-tree vlan 99 priority 4096 (lowest possible priority = root bridge)
or
Switch2(config)#spanning-tree vlan 30 root primary / secondary (Sets switch as root bridge)
Switch2#show spanning-tree blockedports (determine what vlans are going on what trunk)
Switch2(config)#spanning-tree mode rapid-pvst
Switch2(config)#spanning-tree mode rapid-pvst
Router Sub-interfaces Setup
Router1(config)#interface e1/0
Router1(config-if)#description Connected to Trunk
Router1(config-if)#no shutdown
Router1(config-if)#interface e1/0.20
Router1(config-subif)#encapsulation dot1q 20
Router1(config-subif)#ip address 172.17.20.1 255.255.255.0
Router1(config-subif)#interface e1/0.99
Router1(config-subif)#encapsulation dot1Q 99 native
Router1(config-subif)#ip add 172.17.99.1 255.255.255.0
Router1(config-subif)#exit
Router1#show ip interface brief
Router#show protocols
Router#show ip route
Switch Port Security
S1# configure terminal
S1(config)#interface fastethernet 0/18
S1(config-if)#switchport mode access
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security maximum 1 / 2 / n
S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#switchport port-security violation protect / restrict / shutdown
S1(config-if)#end
S1#show port-security

Switch SSH Setup


S1(config)#ip domain-name mydomain.com
S1(config)#crypto key generate rsa
S1(config)#ip ssh version 2
S1(config)#line vty 0 15
S1(config-line)#transport input ssh
S1(config-line)#login
Switch Mac Address Table
To create a static mapping in the MAC address table:
mac-address-table static <MAC address> vlan {1-4096, ALL} interface interface-id
To remove a static mapping in the MAC address table:
no mac-address-table static <MAC address> vlan {1-4096, ALL} interface interface-id
S1#show mac-address-table dynamic / static
S1#clear mac-address-table dynamic / static
Switch HTTP server
S1(config)#ip http server

Router RIP
R1(config)#ip classless / no ip classless
#no ip classless = classful
R1(config)#router rip / no router rip
R1(config-router)#version 2 / version 1 / no version
#no version = default = version 1
R1(config-router)#network 192.168.1.0
#For RIPv1 specify the directly-connected classful network
R1(config-router)#passive-interface fastethernet 0/0
#no send advertisement on this link
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/1
#default static route
R1(config-router)#default-information originate
#propagates default routes
R1(config-router)#redistribute static
# sends static route through RIP updates
R1(config-if)#no ip split-horizon
#disable split-horizon for RIP
Securing RIP Updates
Add the following to all routers that will receive RIP updates
R1(config)#key chain RIP_KEY
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string cisco
R1(config)#int s0/0/0
R1(config-if)#ip rip authentication mode md5
R1(config-if)#ip rip authentication key-chain RIP_KEY

Router EIGRP
R1(config)#ip classless / no ip classless
#no ip classless = classful
R1(config)#router eigrp 1
#1=autonomous-system number
R1(config-router)#no auto-summary
#disables auto-summary
R1(config-router)#network 0.0.0.0
#sends/listens on all interfaces
R1(config-router)#network 10.10.10.0
#sends/listens on 10.x.x.x interfaces
R1(config-router)#network 172.16.10.0
#sends/listens on 172.16.x.x interfaces
R1(config-router)#network ntw-address [wildcard-mask]
#advertises specific subnet only
R1(config-router)#network 172.16.10.0 0.0.0.255
#sends/listens on 172.16.10.x interfaces
R1(config-router)#network 192.168.10.8 0.0.0.3
#sends/listens on 192.168.10.8 interfaces
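The network statements above enable EIGRP on every interface whose address falls inside the wildcard, and without a wildcard IOS falls back to the classful mask, which is why `network 10.10.10.0` covers all 10.x.x.x interfaces. The following added example (not part of the original page) works that rule out against a constructed interface table, so you can check which interfaces a statement would put into the routing process before committing it.

```python
"""Which interfaces does an EIGRP/OSPF 'network' statement enable?
A wildcard bit of 0 must match, a bit of 1 is ignored; with no wildcard,
EIGRP uses the classful mask of the address, and 'network 0.0.0.0' enables
every interface. Added example, not part of the original page; the interface
table is constructed."""
import ipaddress

INTERFACES = {  # constructed: interface name -> address/prefix length
    "Fa0/0": "172.16.10.1/24",
    "Fa0/1": "172.16.11.1/24",
    "S0/0": "192.168.10.9/30",
    "Lo0": "10.1.1.1/32",
}


def classful_wildcard(addr):
    """Inverse of the classful mask IOS assumes when no wildcard is given."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return "0.255.255.255"   # class A
    if first_octet < 192:
        return "0.0.255.255"     # class B
    return "0.0.0.255"           # class C


def wildcard_match(network, wildcard, ip):
    """True if ip agrees with network on every bit the wildcard marks 0."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(network)) & care) == (int(ipaddress.IPv4Address(ip)) & care)


def parse_network_statement(statement):
    """'network 172.16.10.0 0.0.0.255' -> ('172.16.10.0', '0.0.0.255');
    'network 10.10.10.0' -> ('10.10.10.0', '0.255.255.255')."""
    parts = statement.split()
    if parts[0] != "network":
        raise ValueError(f"not a network statement: {statement!r}")
    addr = parts[1]
    if len(parts) > 2:
        return addr, parts[2]
    if addr == "0.0.0.0":          # 'network 0.0.0.0' means every interface
        return addr, "255.255.255.255"
    return addr, classful_wildcard(addr)


def enabled_interfaces(statements, interfaces):
    """Return the names of the interfaces matched by any network statement."""
    rules = [parse_network_statement(s) for s in statements]
    enabled = []
    for name, cidr in interfaces.items():
        ip = str(ipaddress.ip_interface(cidr).ip)
        if any(wildcard_match(net, wc, ip) for net, wc in rules):
            enabled.append(name)
    return enabled


if __name__ == "__main__":
    for stmt in ("network 172.16.10.0 0.0.0.255", "network 172.16.10.0", "network 0.0.0.0"):
        print(f"{stmt:35} -> {enabled_interfaces([stmt], INTERFACES)}")
```

The difference between `network 172.16.10.0 0.0.0.255` (one interface) and `network 172.16.10.0` (every 172.16.x.x interface) is exactly the kind of over-broad enablement a wildcard is meant to avoid; passive-interface still has to be applied to anything matched that should not form adjacencies.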
R1(config-router)#redistribute connected
#redistribute connected with AD=170 (external)
R1(config-router)#redistribute static
#sends static route through EIGRP updates
R1(config-router)#passive-interface <int-name>
#enable passive on specific interface
or
R1(config-router)#passive-interface default
#set all interfaces to passive
R1(config-router)#no passive-interface <int-name>
#disable passive on specific interface
R1(config-router)#eigrp router-id <IP>
#Set router-id
R1(config-router)#neighbor <neighbor-IP> <int-name>
#static neighbor on routers at both ends
R1(config-router)#maximum-paths
#max # paths for a subnet allowed on the RT
R1(config-router)#variance <value>
#multiplies FD to allow FS into the RT
R1(config-if)#delay <tens of microseconds>
#2500 = 25000 microseconds
R1(config-if)#bandwidth <kilobits per seconds>
R1(config-router)#metric weights tos k1 k2 k3 k4 k5
#change metric values K1 - K5
R1(config-router)#timers active-time <time-in-minutes>
#set Stuck in Active Retry timer
R1(config-if)#no ip split-horizon eigrp <as#>
#disable split-horizon on interface eigrp
R1(config-if)#bandwidth <value>
#eigrp messages will use 50% by default
R1(config-if)#ip bandwidth-percent eigrp <as#> <percentage>
#set bandwidth for eigrp messages
R1(config-if)#ip hello-interval eigrp <as#> <interval>
#will apply to R1 hello frequency
R1(config-if)#ip hold-time eigrp <as#> <interval>
# tells R2 how long to wait to consider R1 dead
R1#show ip protocol
#K values, passive interfaces, variance, filtering
R1#show ip eigrp interface detail f0/0
#shows hello / dead intervals
R1#show ip eigrp neighbors
#shows hello / dead intervals
R1#show ip eigrp neighbor detail
#see static neighbor
R1#show ip interface <int-name>
#see split-horizon settings
R1#show ip eigrp topology
#FD / RD for successors and feasible successors
R1#show ip eigrp topology x.x.x.x/y
#see Feasible Distance for a subnet
R1#show ip eigrp topology all-links
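The `variance`, `delay`, `bandwidth` and `metric weights` commands above all act on the EIGRP composite metric, and `show ip eigrp topology` shows the FD/RD values the feasibility condition is evaluated against. The following added example (not part of the original page) computes the classic metric from per-hop bandwidth (kbps) and delay (tens of microseconds) with the K values, then applies the feasibility condition (RD < FD of the successor) and the variance multiplier to a constructed set of candidate paths. The T1 and FastEthernet inputs in the test are the standard interface defaults; the candidate-path figures are made up for the demonstration.

```python
"""EIGRP classic metric, feasibility condition and variance.
Added example, not part of the original page; topology values are constructed."""


def eigrp_metric(paths, k1=1, k2=0, k3=1, k4=0, k5=0, load=1, reliability=255):
    """paths: list of (bandwidth_kbps, delay_tens_of_us) per hop.
    Classic formula: 256 * [(K1*BW + K2*BW/(256-load) + K3*DLY) * K5/(REL+K4)],
    with BW = 10^7 / minimum bandwidth on the path and DLY = sum of delays.
    With the defaults K1=K3=1, K2=K4=K5=0 the K5 term is skipped."""
    min_bw = min(bw for bw, _ in paths)
    delay = sum(d for _, d in paths)
    bw_term = 10_000_000 // min_bw           # IOS truncates to an integer
    metric = k1 * bw_term + (k2 * bw_term) // (256 - load) + k3 * delay
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return 256 * metric


def choose_paths(candidates, variance=1):
    """candidates: {next_hop: (reported_distance, feasible_distance_via_hop)}.
    successor          = lowest FD
    feasible successor = RD < FD of the successor (loop-free guarantee)
    installed          = successor plus feasible successors whose FD is
                         below variance * successor FD (unequal-cost paths)."""
    successor = min(candidates, key=lambda hop: candidates[hop][1])
    fd = candidates[successor][1]
    feasible = [hop for hop, (rd, _) in candidates.items() if hop != successor and rd < fd]
    installed = [successor] + [hop for hop in feasible if candidates[hop][1] < variance * fd]
    return successor, feasible, installed


# constructed topology for 10.0.0.0/24 as seen from R1: RD, FD via that hop
CANDIDATES = {"R2": (10, 30), "R3": (20, 45), "R4": (35, 50)}

if __name__ == "__main__":
    print("T1 metric:", eigrp_metric([(1544, 2000)]))
    print("FastEthernet metric:", eigrp_metric([(100000, 10)]))
    for v in (1, 2):
        print(f"variance {v}:", choose_paths(CANDIDATES, variance=v))
```

R4 is never installed whatever the variance: its RD (35) is not below the successor's FD (30), so it fails the feasibility condition and could be a loop. R3 is a feasible successor and is only load-shared once `variance 2` raises the ceiling above its FD of 45.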

EIGRP Stub
R1(config-router)#eigrp stub
#advertises by default connected and summary
R1(config-router)#eigrp stub connected summary static redistributed
#advertise the options given
R1(config-router)#eigrp stub receive-only
#does not advertise anything
EIGRP Offset-List
R1(config)#access-list 1 permit 1.1.1.0 0.0.0.255
#offset access list
R1(config)#router eigrp 10
R1(config-router)# offset-list {access-list-# | access-list-name} {in | out} <offset value> [int-type int-#]
R1(config-router)#offset-list 1 in <offset value>
#affects local router + advertised routes + all int
R1(config-router)#offset-list 1 out <offset value>
#affects advertised routes metric only
EIGRP Authentication
R1(config)#key chain <key-chain name>
#name does not need to match
R1(config-keychain)#key <key#>
#pair key# + password in same order
R1(config-keychain-key)#key-string <string (password)>
#passwords must match exactly on both ends
R1(config-keychain-key)#accept-lifetime / send-lifetime <hh:mm:ss>
#requires times to be in sync (time must match)
R1(config-if)#ip authentication mode eigrp <as#> md5
R1(config-if)#ip authentication key-chain eigrp <as#> <key-chain name>
#all keys will be evaluated
R1#show key chain <key-chain name>

EIGRP Summarization
R1(config)#router eigrp 10
R1(config-router)# auto-summary
#classful network autosummarization
R1(config-if)#ip summary-address eigrp asn <subnet prefix> <mask>
#manual summarization on int.
R1(config-if)#ip summary-address eigrp 100 1.1.0.0 255.255.0.0
#multiple summary addresses
R1(config-if)#ip summary-address eigrp 100 2.2.0.0 255.255.0.0
#are allowed
R1#show ip route
#to see summarized routes
R1#show ip route x.x.x.x/y
#to see summarized routes
R1#show ip eigrp topology x.x.x.x/y
#to see summarized routes
EIGRP Default Route
R1(config)#ip route 0.0.0.0 0.0.0.0 <next-hop-ip> <out-int>
#default route
R1(config)#router eigrp 10
R1(config-router)#redistribute static
or
R1(config)#ip route 0.0.0.0 0.0.0.0 null0
#creates a directly connected default route
R1(config)#router eigrp 10
R1(config-router)#network 0.0.0.0
#will advertise the default route to neighbors
or
R1(config)#ip default-network <default classful ntw>
#default classful network to be advertised
R1(config)#router eigrp 10
R1(config-router)#network <default classful ntw>
#classful ntw must be directly connected to R1
R1(config-router)#network 4.0.0.0
#in order to be advertised as default route
or
R1(config-if)#ip summary-address eigrp as# 0.0.0.0 0.0.0.0
#that's all that is required
EIGRP Distribute list w/ACLs
#EIGRP Filtering
R1(config)#access-list 1 deny 1.1.1.0 0.0.0.255
#Standard ACL to be used with EIGRP
R1(config)#router eigrp 10
#filters based on subnet prefixes
R1(config-router)#distribute-list {ACL} {in | out} {interface}
R1(config-router)# distribute-list 1 in
#int is optional
R1(config)#access-list 101 deny ip host 2.2.2.2 1.1.1.0 0.0.0.255
#Extended ACL filters based on subnet prefixes (1.1.1.x) and specific neighbor (2.2.2.2)
R1(config)#router eigrp 10
R1(config-router)# distribute-list 101 in
EIGRP Distribute list w/Prefix-List
#EIGRP Filtering
R1(config)#ip prefix-list <name> seq <#> permit 1.1.1.0/24
#Prefix-list
R1(config)#ip prefix-list INE seq 10 permit 1.1.1.0/24
# exactly this subnet
R1(config)#ip prefix-list INE seq 20 deny 2.2.2.0/16
#There is an implicit deny all at the end
R1(config)#ip prefix-list cisco seq 10 deny 1.1.1.0/24
#denies any updates on the range 1.1.1.0/24
R1(config)#ip prefix-list cisco seq 20 deny 1.1.1.0/24 ge 25 le 30
#to 1.1.1.0 / 30
R1(config)#ip prefix-list DEFAULT_ROUTE seq 10 deny 0.0.0.0/0
#matches default route update
R1(config)#ip prefix-list ALL_PREFIXES seq 100 permit 0.0.0.0/0 le 32
#permit everything through, used to avoid the implicit deny
R1(config)#router eigrp 10
#filters based on subnet prefixes and lengths
R1(config-router)#distribute-list prefix-list {prefix-list-name} {in|out} {int type int#}
R1(config-router)# distribute-list prefix-list <name> in/out
#int is optional
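The `ge`/`le` modifiers and the implicit deny are where prefix-list filters usually surprise people: `permit 1.1.1.0/24` alone matches only that exact prefix, and `0.0.0.0/0 le 32` is the idiom for "anything". The following added example (not part of the original page) parses the prefix-list lines shown above and evaluates candidate prefixes against them the way IOS does: entries in sequence order, a prefix matches when it lies inside the entry's network and its length falls in the allowed range, and nothing matching means deny.

```python
"""Evaluate IOS prefix-lists with ge/le and the implicit deny.
Added example, not part of the original page; the lists are the INE, cisco,
DEFAULT_ROUTE and ALL_PREFIXES entries from the cheat sheet."""
import ipaddress

PAGE_PREFIX_LISTS = [
    "ip prefix-list INE seq 10 permit 1.1.1.0/24",
    "ip prefix-list INE seq 20 deny 2.2.2.0/16",
    "ip prefix-list cisco seq 10 deny 1.1.1.0/24",
    "ip prefix-list cisco seq 20 deny 1.1.1.0/24 ge 25 le 30",
    "ip prefix-list DEFAULT_ROUTE seq 10 deny 0.0.0.0/0",
    "ip prefix-list ALL_PREFIXES seq 100 permit 0.0.0.0/0 le 32",
]


def parse_prefix_lists(lines):
    """'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' ->
    {name: [(seq, action, network, ge, le), ...]} sorted by seq."""
    lists = {}
    for line in lines:
        t = line.split()
        name, seq, action = t[2], int(t[4]), t[5]
        net = ipaddress.ip_network(t[6], strict=False)   # IOS normalizes host bits
        ge = le = None
        for i in range(7, len(t) - 1, 2):
            if t[i] == "ge":
                ge = int(t[i + 1])
            elif t[i] == "le":
                le = int(t[i + 1])
        lists.setdefault(name, []).append((seq, action, net, ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists


def entry_matches(entry, route):
    """The route must sit inside the entry's network (compared at the entry's
    length) and its prefix length must be within [ge, le]; without ge/le only
    the exact length matches, with ge alone the range runs to /32."""
    _, _, net, ge, le = entry
    plen = route.prefixlen
    if plen < net.prefixlen:
        return False
    if int(route.network_address) & int(net.netmask) != int(net.network_address):
        return False
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return lo <= plen <= hi


def evaluate(entries, prefix):
    """Return (action, seq) of the first matching entry, or ('deny', None)
    for the implicit deny at the end of every prefix-list."""
    route = ipaddress.ip_network(prefix, strict=False)
    for entry in entries:
        if entry_matches(entry, route):
            return entry[1], entry[0]
    return "deny", None


if __name__ == "__main__":
    lists = parse_prefix_lists(PAGE_PREFIX_LISTS)
    for name, prefix in (("INE", "1.1.1.0/24"), ("INE", "1.1.1.0/25"),
                         ("cisco", "1.1.1.128/25"), ("ALL_PREFIXES", "10.0.0.0/8")):
        print(f"{name:13} {prefix:15} -> {evaluate(lists[name], prefix)}")
```

Note that the `cisco` list as written on the page contains only deny entries, so with the implicit deny it blocks every update; a real filter needs a trailing `permit 0.0.0.0/0 le 32` like ALL_PREFIXES to let the rest through.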
EIGRP Distribute w/Route-Maps
#EIGRP filtering based on more than just IPs
R1(config)#route-map <name> <permit|deny> <seq#>
R1(config)#route-map cisco deny / permit 10
R1(config-route-map)#match ip address prefix-list <ACL|prefix-list-name>
#requires an ACL or P-List
R1(config)#router eigrp 10
#filters based on subnet prefixes and lengths
R1(config-router)#distribute-list route-map {route-map-name} {in|out} {int type int#}
R1(config-router)# distribute-list route-map cisco in
#int is optional
EIGRP Named Mode
router(config)#access-list 1 deny 20.0.0.0 0.255.255.255
router(config)#access-list 1 permit any
router(config)#router eigrp INE
(config-router)#address-family ipv4 unicast autonomous-system 100
(config-router-af)#network 1.1.1.0 0.0.0.255
(config-router-af)#af-interface f0/0
(config-router-af-interface)#summary-address 10.10.10.0 255.255.0.0
(config-router-af)#topology base
(config-router-af-topology)#no auto-summary
(config-router-af-topology)#distribute-list 1 in
#filter route 20.0.0.0

Router OSPF
R1(config)#ip classless / no ip classless
#no ip classless = classful
R1(config)#router ospf 1
#1=ospf process, does not need to match
R1(config-router)#no auto-summary
#disables auto-summary
R1(config-router)#network ntw-address [wildcard-mask] [area #]
#advertises specific subnet only
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#network 10.10.10.10 0.0.0.0 area 1
#OSPF will take the subnet from this int ip
or
R1(config)#interface f0/0
R1(config-if)#ip ospf 1 area 1
#OSPF enabled at the interface level
R1(config-if)#ip ospf hello-interval <interval>
#will apply to R1 hello frequency (default =10s)
R1(config-if)#ip ospf dead-interval <interval>
#tells R2 how long to wait to consider R1 dead
R1(config-if)#ip ospf dead-interval minimal hello-multiplier <value>
# subsecond hellos (hello < 1sec)
R1#show ip ospf interface <int>
#see intervals
R1#show ip ospf database
#shows lsa summary
R1#show ip ospf database router
#shows lsa for all routers
R1#show ip ospf database router <router-id>
#shows lsa for a particular router
R1#show ip ospf database summary x.x.x.x
#summary ospf routes advertised by ABR

OSPF Simple Authentication (type 1):


For an entire area (enables authentication for all the interfaces in a specific area):
R1(config)#router ospf 1
R1(config-router)#area 0 authentication
R1(config-router)#interface S0/0/0
R1(config-if)#ip ospf authentication-key cisco123
#type 1 authentication
For a single interface:
R2(config)#interface S0/0/0
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key cisco123
R1#show ip ospf interface int-type int-#
R1#debug ip ospf hello
R1#debug ip ospf adj
OSPF MD5 Authentication (type 2):
For an entire area (enables authentication for all the interfaces in a specific area):
R3(config)#router ospf 1
R3(config-router)#area 0 authentication message-digest   #type 2 authentication
R3(config-router)#interface S0/0/1
R3(config-if)#ip ospf message-digest-key 1 md5 cisco123
For a single interface:
R2(config)#interface S0/0/1
R2(config-if)#ip ospf authentication message-digest
R2(config-if)#ip ospf message-digest-key 1 md5 cisco123
R1#show ip ospf interface int-type int-#
R1#debug ip ospf hello
R1#debug ip ospf adj

Router Basic OSPF Configuration
R1(config)#router ospf 1
R1(config-router)#network 172.16.1.16 0.0.0.15 area 0
to display router ID
show ip protocols
show ip ospf
show ip ospf interface
configure loopback
R1(config)#interface loopback 0
R1(config-if)#ip address 10.1.1.1 255.255.255.255
show ip ospf neighbors
R1(config-router)#router-id 10.4.4.4
Reload or R1# clear ip ospf process
configure OSPF cost (and bandwidth)
(config)#interface serial0/0/0
(config-if)#bandwidth 64
or
(config)#interface serial0/0/0
(config-if)#ip ospf cost 1500
R1(config-router)#auto-cost reference-bandwidth 10000 (probably won't be used)
show ip ospf interface
Default Route
R1(config)#interface loopback1
R1(config-if)#ip address 172.30.1.1 255.255.255.252
R1(config)#router ospf 1
R1(config-router)#default-information originate
hello and dead interval (have to be the same on both routers)
R1(config)#interface serial0/0/0
R1(config-if)#ip ospf hello-interval 5
R1(config-if)#ip ospf dead-interval 20
R1#show ip ospf interface serial0/0/0
debug ip ospf events (to see changes)
Configure OSPF on a Multi-access Network
on 16 port switch:
router(config)#no ip routing
router(config)#interface range f0/0 , f0/1 , f0/2
router(config-if-range)#speed 100
router(config-if-range)#duplex auto
router(config-if-range)#no shutdown   <<< otherwise they will be down
router(config-if-range)#exit
router#show interfaces status
Configure ospf
R3(config)#router ospf 1
R3(config-router)#network 192.168.1.0 0.0.0.255 area 0
To show DR BDR DROTHER
#show ip ospf interface
#show ip ospf neighbor
Use the OSPF Priority to Determine the DR and BDR (255 max, lowest 0)
R1(config)#interface fastEthernet0/0
R1(config-if)#ip ospf priority 255
R1(config-if)#shutdown (on all)
R1(config-if)#no shutdown (on all)
Disable OSPF updates on an interface
R1(config)#router ospf 1
R1(config-router)#passive-interface f0/0
or
R1(config-router)#passive-interface default (puts all interfaces in passive mode)
R1(config-router)#no passive-interface s0/0/0 (enable only those interfaces that you want to send & receive updates)
Quick view of Interfaces Ips & statuses
#show ip interface brief
Display encapsulation and interface and line status
#show interface serial s0/0/1
Display DCE or DTE and the Clock Rate
#show controllers s0/0/1
PPP / HDLC encapsulation (Only on Serial Interfaces)
R1(config-if)#encapsulation hdlc / ppp
PPP Authentication PAP or CHAP(Only on Serial Interfaces)
Router R1:
R1(config)#username R2 password cisco
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication pap / chap
R1(config-if)#ppp pap sent-username R1 password cisco (only for pap)
Router R2:
R2(config)#username R1 password cisco
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication pap / chap
R2(config-if)#ppp pap sent-username R2 password cisco (only for pap)
Frame-Relay
R1(config)#interface serial0/0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#encapsulation frame-relay (Cisco encapsulation)
Or
R1(config-if)#encapsulation frame-relay ietf (IETF encapsulation)
R1(config-if)#no shutdown
R1(config-if)#frame-relay map ip 10.10.10.2 102 broadcast (To reach router R2, use DLCI 102 located at IP address 10.10.10.2)
R1(config-if)#frame-relay map ip 10.10.10.3 103 broadcast (To reach router R3, use DLCI 103 located at IP address 10.10.10.3)
R1(config-if)#frame-relay lmi-type ansi (Configures the LMI Type to ansi)
Frame-Relay Sub-Interfaces
R1(config)#interface s0/0/0
R1(config-if)#no ip address
R1(config-if)#encapsulation frame-relay (Cisco encapsulation)
Or
R1(config-if)#encapsulation frame-relay ietf (IETF encapsulation)
R1(config-if)#frame-relay lmi-type ansi (Configures the LMI Type to ansi)
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface s0/0/0.102 point-to-point (102 is the DLCI number)
R1(config-subif)#ip address 10.1.1.1 255.255.255.252
R1(config-subif)#bandwidth 64
R1(config-subif)#frame-relay interface-dlci 102
R1(config-subif)#exit
R1(config)#interface s0/0/0.103 point-to-point (103 is the DLCI number)
R1(config-subif)#ip address 10.1.1.5 255.255.255.252
R1(config-subif)#bandwidth 64
R1(config-subif)#frame-relay interface-dlci 103
R1(config-subif)#exit
Then create static routes to the distant networks
using the remote ip addresses as next hops - example:
R1(config)#ip route 192.168.2.0 255.255.255.0 10.1.1.2
R1(config)#ip route 192.168.4.0 255.255.255.0 10.1.1.6
Logging Activity
R1(config)#logging 192.168.10.10 (ip address of the syslog server)
R1(config)#logging trap keyword (keywords = emergencies / alerts / critical / errors / warnings / notifications / informational / debugging)
ACLs
Key Questions:
Use a standard or extended ACL?
Configure the ACL on which router?
Apply the ACL to which interface?
Apply the ACL in which direction?
Standard Numbered ACLs
R1(config)#access-list 10 deny 192.168.10.0 0.0.0.255
R1(config)#access-list 10 permit any
R1(config)#interface fa0/1
R1(config-if)#ip access-group 10 out
Standard Named ACLs
R3(config)#ip access-list standard NO_ACCESS
R3(config-std-nacl)#deny host 192.168.30.128
R3(config-std-nacl)#permit any
R3(config)#interface fa0/0
R3(config-if)#ip access-group NO_ACCESS in
Extended Numbered ACLs
R1(config)#access-list 110 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
R1(config)#access-list 110 deny udp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq tftp
R1(config)#access-list 110 permit ip any any
R1(config)#interface fa0/0
R1(config-if)#ip access-group 110 in
R3(config)#access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
R3(config)#access-list 130 permit ip 192.168.30.0 0.0.0.127 any
R3(config)#access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.10.0 0.0.0.255
R3(config)#access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.11.0 0.0.0.255
R3(config)#access-list 130 permit tcp 192.168.30.128 0.0.0.127 any eq www
R3(config)#access-list 130 permit icmp 192.168.30.128 0.0.0.127 any
R3(config)#access-list 130 deny ip any any
R3(config)#interface fa0/0
R3(config-if)#ip access-group 130 in
Example: Hosts 10.1.50.1 through 10.1.50.63 are not allowed web access to
Intranet server at 10.1.80.16:
HQ(config)#access-list 101 deny tcp 10.1.50.0 0.0.0.63 host 10.1.80.16 eq www
HQ(config)#access-list 101 permit ip any any
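The evaluator below is an added example, not part of the original cheat sheet: it parses the entries of ACL 101 above (and the other numbered, named and standard ACLs on this page) with IOS wildcard-mask semantics and applies them top-down with the implicit deny, so an operator can check which packets an ACL will block before applying it to an interface. The function names, the port table and the sample packets are constructed for the example.

```python
import ipaddress

# Added example, not from the page: evaluate IOS-style ACL entries the way the
# router does. The quoted ACEs are the page's; matcher and sample packets are constructed.
PORTS = {"www": 80, "telnet": 23, "tftp": 69}
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (n & keep)

def _addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))

def parse_ace(line):
    """Parse one ACE into (action, proto, src, dst, dport); standard ACLs match on source only."""
    tokens = line.split()
    if tokens[0] == "access-list":          # numbered form: drop 'access-list <n>'
        tokens = tokens[2:]
    action, proto = tokens.pop(0), tokens.pop(0)
    if proto not in ("ip", "tcp", "udp", "icmp"):   # standard ACL: that token is the source
        tokens.insert(0, proto)
        return (action, "ip", _addr(tokens), ANY, None)
    src, dst = _addr(tokens), _addr(tokens)
    dport = int(PORTS.get(tokens[1], tokens[1])) if tokens[:1] == ["eq"] else None
    return (action, proto, src, dst, dport)

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for action, aproto, asrc, adst, adport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if not (wildcard_match(src, *asrc) and wildcard_match(dst, *adst)):
            continue
        if adport is not None and adport != dport:
            continue
        return action
    return "deny"

# ACL 101 from the page: wildcard 0.0.0.63 covers the 64 addresses 10.1.50.0-10.1.50.63.
ACL_101 = [parse_ace("access-list 101 deny tcp 10.1.50.0 0.0.0.63 host 10.1.80.16 eq www"),
           parse_ace("access-list 101 permit ip any any")]
```

Keywords such as `established` or `echo-reply` after the destination are ignored by this simplified matcher, so entries using them are treated as plain protocol matches.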
Extended Named ACLs
R2(config)#ip access-list extended FIREWALL
R2(config-ext-nacl)#permit tcp any host 192.168.20.254 eq www
R2(config-ext-nacl)#permit tcp any any established
R2(config-ext-nacl)#permit icmp any any echo-reply
R2(config-ext-nacl)#deny ip any any
R2(config)#interface s0/1/0
R2(config-if)#ip access-group FIREWALL in
R1(config)#ip access-list extended extend-1
R1(config-ext-nacl)#deny ip 192.168.10.0 0.0.0.255 host 209.165.200.225
R1(config-ext-nacl)#permit ip any any
R1(config)#interface serial 0/0/0
R1(config-if)#ip access-group extend-1 out
Control VTY lines with an ACL
R2(config)#ip access-list standard Task-4
R2(config-std-nacl)#permit 10.2.2.0 0.0.0.3
R2(config-std-nacl)#permit 192.168.30.0 0.0.0.255
R2(config)#line vty 0 4
R2(config-line)#access-class Task-4 in
Verify ACLs
R1#show access-lists
Extended IP access list 110
deny tcp 192.168.10.0 0.0.0.255 any eq telnet
deny udp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq tftp
permit ip any any
Extended IP access list 111
permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www
permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip any any