V1.3.0 5/11/2007
Unless otherwise noted, all commands are likely to work on switches as much as on routers.
Commands can be abbreviated, such as "sh run" or "show run" instead of "show running-config", as long as the abbreviation is not ambiguous.
Recommended book: CCNA Portable Command Guide by Scott Empson
Annoyances
(config)#line con 0
(config-line)#logging sync
Step 1/2 and 2/2: make the router or switch stop interrupting what you are typing with informational notices (the line is redrawn after each message). If you don't do this, CONTROL+R redraws the line when the device interrupts.
(config-line)#exec-timeout 0 0
Console will never log out. Don't do this outside a lab: an unattended console that stays logged in is a tremendous security risk.
[CONTROL+SHIFT+6]
Same as CONTROL+C/Break: aborts a running command such as a ping, traceroute or DNS lookup.
(config)#no ip domain-lookup
Turns off DNS queries so that a mistyped command is not treated as a hostname and looked up.
IOS Modes
Switch/Router>                 User EXEC mode
Switch/Router#                 Privileged EXEC mode
Switch/Router(config)#         Global configuration mode
Switch/Router(config-if)#      Interface mode
Switch/Router(config-subif)#   Subinterface mode
Switch/Router(config-line)#    Line mode
Switch/Router(config-router)#  Router configuration mode
Show Commands
#show ?
#show access-lists
#show arp
Router#show clock
Router#show controllers serial 0
#show flash
#show history
Router#show hosts
#show interface serial 0
#show interfaces
Router#show ip dhcp binding
Router#show ip dhcp server statistics
Debug information
#no debug all   (or #u all, short for undebug all)
Turns off all debugging. Both are privileged EXEC commands, not config mode.
#terminal monitor
Shows log and debug output on the current vty (Telnet/SSH) session; the console receives it by default.
Configure Commands
>en
#config t
(config)#hostname Office
Security Hardening
If you're not ahead of the threat, you're only reacting to it.
(config)#no cdp run
CDP unnecessarily reveals information about your Cisco device (platform, IOS version, management address) to anything on the wire. Information leak.
PortFast reduces the waiting time on access ports (no listening/learning delay), and BPDU Guard err-disables any port that receives an STP BPDU, so a rogue switch or STP-spoofing tool plugged into a user port cannot join the spanning tree. CG p113.
Disable the web server that by default listens on all interfaces. Frees up resources and removes an attack surface (the web interface authenticates with nothing more than the enable password).
~Do not put any users in VLAN 1. Use VLAN 2, 10, or 11 as the first VLAN. VLAN 1 should not carry any data traffic.
#set port dot1q-all-tagged all enable   (CatOS syntax)
~Use '802.1q-all-tagged' mode (begins tagging native VLAN packets, which defeats double-tagging VLAN hopping), or if that is not possible, clear the native VLAN (VLAN 1) from all trunk links.
~Shut down all unused ports and put them in an unused VLAN. Block unauthorized access through fundamental physical and logical barriers.
~Don't use VTP. A new switch with a higher VTP revision number, or a simple admin mistake, can wipe out the VLAN database across every switch in the VTP domain.
~Use out-of-band management. Create a new VLAN, and do administration only through ports in this new VLAN.
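The points above as one IOS switch configuration. This is an added example, not configuration from the original cheat sheet; interface names, VLAN numbers and the management address are assumptions, and some commands are platform-dependent (a 2950 is dot1q-only and does not take "switchport trunk encapsulation"; "vlan dot1q tag native" exists on the 3550/3560/4500/6500 families but not on the 2950).

```cisco
! Added example, not from the original cheat sheet. Interface names, VLAN
! numbers and the management address are assumptions.
configure terminal
! Stop advertising platform, IOS version and management IP to every neighbour
no cdp run
! Disable the embedded web server (HTTP and HTTPS)
no ip http server
no ip http secure-server
! No VTP: transparent mode keeps a rogue or misconfigured switch from
! rewriting this switch's VLAN database
vtp mode transparent
! Tag the native VLAN on every trunk (IOS equivalent of the CatOS
! "set port dot1q-all-tagged" above; platform-dependent)
vlan dot1q tag native
!
vlan 10
 name USERS
vlan 100
 name MGMT
vlan 999
 name PARKING
!
! User ports: not in VLAN 1, PortFast, and BPDU Guard err-disables the port
! if a switch (or an attacker's STP tool) sends a BPDU into it
interface range FastEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: shut down and parked in a VLAN that goes nowhere
interface range FastEthernet0/21 - 23
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Uplink trunk: native VLAN moved off VLAN 1, and VLAN 1 not allowed at all
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,100
!
! Out-of-band management: the switch's only IP address lives in VLAN 100 and
! VLAN 1's SVI is shut; administer it only through ports in VLAN 100
interface Vlan1
 no ip address
 shutdown
interface Vlan100
 ip address 10.255.0.2 255.255.255.0
 no shutdown
end
```

Verify afterwards with show cdp (should report CDP is not enabled), show vtp status (mode Transparent), show interfaces trunk (native VLAN 999, VLAN 1 absent from the allowed list) and show spanning-tree summary (PortFast and BPDU Guard counts).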
Enable Password
(config)#enable password matrix
Don't do this. Sets the enable password, which is stored in clear text (or, with service password-encryption, only reversibly obfuscated as a type 7 string) in the configuration. Use enable secret instead.
(config)#enable secret matrix
Sets the enable secret. It is stored as a salted hash (type 5) rather than the password itself, so "show run" does not reveal it. When both are configured the secret is the one used.
Console Password
(config)#line con 0
(config-line)#password matrix
(config-line)#login
DHCP Configuration
The following can also be done through Cisco Device Manager: put your router IP into a web browser, leave the username blank, and the password is your enable password. (That needs the embedded web server enabled, which the hardening section says to turn off; disable it again afterwards.)
Turn the DHCP service off (default is on), or back on.
Create a DHCP pool called 'public'.
Network and mask of the addresses to be leased from it.
Network's router (default gateway) address handed to clients.
DNS server address.
NetBIOS (WINS) server address.
Defines the "domain name" for the client.
Lease time of 0 days, 8 hours, and 1 minute.
Range of addresses that will not be given out (excluded from every pool). You may or may not need to exclude router addresses.
Create a second DHCP pool called 'admin.network' with its own leased range, router address and DNS server address.
NAT Configuration
Using a wildcard mask, an access list defines the network addresses the router will perform NAT for (one permit line per inside network).
Allows IPs matched by access-list 1 to NAT onto the overloaded WAN interface eth0/0 (overload = PAT: all inside hosts share the one interface address).
Go to interface FastEthernet 0/0, define it as the NAT outside interface, and go back to global config.
Go to interface FastEthernet 0/1, define it as the NAT inside interface, and go back to global config.
This makes the NAT'ed networks invisible upstream (nothing outside needs a route to them); without NAT you would have to advertise them with a routing protocol.
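The DHCP pools and NAT overload described above, carried out as an added example (this configuration is not from the original sheet). All addresses (10.0.x.0/24 inside, RFC 5737 203.0.113.0/30 on the WAN), the VLAN numbers and the two-subinterface layout on the inside port are assumptions; the pool names 'public' and 'admin.network', access-list 1 and the interface roles (Fa0/0 outside, Fa0/1 inside) follow the text.

```cisco
! Added example, not from the original cheat sheet. Addresses, VLAN numbers and
! the subinterface layout are assumptions; pool names, access-list 1 and the
! interface roles follow the text above.
configure terminal
service dhcp
! Never lease the router, server and printer addresses at the bottom of each range
ip dhcp excluded-address 10.0.1.1 10.0.1.9
ip dhcp excluded-address 10.0.2.1 10.0.2.9
!
ip dhcp pool public
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
 dns-server 10.0.1.2
 netbios-name-server 10.0.1.3
 domain-name example.net
 lease 0 8 1
!
ip dhcp pool admin.network
 network 10.0.2.0 255.255.255.0
 default-router 10.0.2.1
 dns-server 10.0.1.2
 lease 0 8 1
!
! Inside networks that may be translated (wildcard masks)
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.0.255
! Overload (PAT): every inside host shares the WAN interface address
ip nat inside source list 1 interface FastEthernet0/0 overload
!
interface FastEthernet0/0
 description WAN (NAT outside)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 no shutdown
!
! One physical inside interface carrying both networks as 802.1Q subinterfaces,
! so neither pool's clients sit in VLAN 1
interface FastEthernet0/1
 no ip address
 no shutdown
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.0.2.1 255.255.255.0
 ip nat inside
!
! Default route upstream: the inside networks are hidden behind NAT, so no
! routing protocol is needed and none is run
ip route 0.0.0.0 0.0.0.0 203.0.113.1
end
```

Check leases with show ip dhcp binding and the translation table with show ip nat translations; show ip nat statistics shows the hit counts and confirms which interfaces are marked inside and outside.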
Enable RIP
Router(config)#router rip
Router(config-router)#version 2
Router(config-router)#no auto-summary
Router(config-router)#network 192.168.1.0
Router(config-router)#network 192.168.2.0
Enable OSPF
Router(config)#router ospf 100
Router(config-router)#network 192.168.1.0 0.0.0.255 area 0
EIGRP Commands
Router(config)#router eigrp 102
Router(config-router)#network 192.168.10.0
Router(config)#no router eigrp 102
Removes the EIGRP process for AS 102 (done from global config, not router config mode).
None of the above authenticates routing updates: RIPv2, OSPF and EIGRP all support MD5 authentication, and it should be enabled on any link where the neighbor is not under your control.
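MD5 authentication for the three routing protocols above, as an added example that is not from the original sheet. The key chain name, key string and interface name are assumptions; the process and AS numbers (OSPF 100, EIGRP 102) follow the text. All three are shown on the same interface only for brevity; in practice you run one protocol per link.

```cisco
! Added example, not from the original cheat sheet. Key chain name, key string
! and interface name are assumptions.
configure terminal
! One key chain shared by RIPv2 and EIGRP (OSPF keys are set per interface)
key chain ROUTING-KEYS
 key 1
  key-string s3cr3t-rout1ng-k3y
!
! RIPv2: MD5 on the interface facing the neighbour; no RIP on the rest
router rip
 passive-interface default
 no passive-interface FastEthernet0/1
interface FastEthernet0/1
 ip rip authentication mode md5
 ip rip authentication key-chain ROUTING-KEYS
!
! EIGRP AS 102: same key chain, per interface
router eigrp 102
 passive-interface default
 no passive-interface FastEthernet0/1
interface FastEthernet0/1
 ip authentication mode eigrp 102 md5
 ip authentication key-chain eigrp 102 ROUTING-KEYS
!
! OSPF process 100: message-digest key on the interface and required for area 0
interface FastEthernet0/1
 ip ospf message-digest-key 1 md5 s3cr3t-rout1ng-k3y
 ip ospf authentication message-digest
router ospf 100
 area 0 authentication message-digest
 passive-interface default
 no passive-interface FastEthernet0/1
end
```

A neighbor with no key or a different key simply never forms an adjacency, so check show ip ospf neighbor, show ip eigrp neighbors or show ip protocols after enabling it; passive-interface default keeps hellos (and the MD5 digests) off user-facing ports entirely.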
Saving Configurations
#copy run start
#erase start
#reload
TFTP
#copy startup tftp
#copy running tftp
#copy tftp startup
#copy tftp running
VTP Configuration
Default VTP mode is server mode. If you are adding a switch to an existing VTP domain, first set it to VTP client mode, then wait for it to receive the latest VTP update. After it has been synchronised by the existing domain, either leave it as a client or change it back to VTP server mode.
Caveat: a client whose configuration revision number is higher than the domain's still overwrites the domain's VLAN database, so before connecting a previously used switch reset its revision to 0 (set it to transparent mode, or change its VTP domain name).
1900 Series Switch
(config)#vtp client
Sync, forward, but no VLAN modification allowed. Loses VLAN names at poweroff.
(config)#vtp server
Sync, forward, VLAN modification allowed.
(config)#vtp transparent
Forwards any received VTP, but does not send. Can make independent VLAN names.
(config)#vtp domain MESH
Sets name of VTP management domain to MESH
(config)#vtp password matrix
Sets VTP password to matrix
2900 Series Switch
#vlan database
(vlan)#vtp client
(vlan)#vtp server
(vlan)#vtp transparent
(vlan)#vtp domain MESH
(vlan)#vtp password matrix
(vlan)#vtp v2-mode
(vlan)#vtp pruning
(vlan)#exit
2950 Series Switch
#config t
(config)#vtp mode client
(config)#vtp mode server
(config)#vtp mode transparent
(config)#vtp domain MESH
(config)#vtp password matrix
(config)#vtp version 2
(config)#vtp pruning
View VTP Configuration
1900 Series Switch
#show vtp
2900/2950 Series Switch
Verify Trunking
2900/2950 Switch#show int fa0/1 switchport
2900/2950 Switch#show interface trunk
ISDN Info
ISDN BRI Configuring
router(config)#isdn switch-type basic-ni1
Global switch type.
router(config)#int bri 0
router(config-if)#isdn switch-type basic-ni1
Interface switch type; it can be different from the global one.
ISDN BRI Configuring: Setting SPIDs
router(config)#interface bri 0/0/0
router(config-if)#ip address 192.168.12.1 255.255.255.0
router(config-if)#isdn spid1 904.555120110101 5551201
router(config-if)#isdn spid2 904.555120120101 5551202
#show isdn status
#show isdn active