
Basic Switch/Router Configuration & Security (Ref Chapter 9 - ICND1)

Setting console password, synchronous and timeout

Cisco2610-1(config)#line con 0
Cisco2610-1(config-line)#login
Cisco2610-1(config-line)#password cisco
Cisco2610-1(config-line)#logging synchronous
Cisco2610-1(config-line)#exec-timeout 30 0

Setting Auxiliary password, synchronous and timeout (Router Only)

Cisco2610-1(config)#line aux 0
Cisco2610-1(config-line)#login
Cisco2610-1(config-line)#password cisco
Cisco2610-1(config-line)#logging synchronous
Cisco2610-1(config-line)#exec-timeout 30 0

Setting Telnet password, synchronous and timeout

Cisco2610-1(config)#line vty 0 4 (use line vty 0 15 on newer routers)
Cisco2610-1(config-line)#login
Cisco2610-1(config-line)#password cisco
Cisco2610-1(config-line)#logging synchronous
Cisco2610-1(config-line)#exec-timeout 30 0

Enable password

Cisco2610-1(config)#enable password cisco

Enable secret password

Cisco2610-1(config)#enable secret cisco

Disable secret password

Cisco2610-1(config)#no enable secret

Encrypting Passwords

R1(config)#service password-encryption

Set the History size for Telnet sessions

Cisco2610-1(config)#line vty 0 4
Cisco2610-1(config-line)#history size 20

Set the history size for the session you're in

R1#terminal history size 20 (10 by default)

See the commands listed in the history buffer

R1#show history

Local User Database

Adding a user to the local database for Telnet that goes straight into privileged exec mode

Cisco2610-1(config)#username test privilege 15 password test
Cisco2610-1(config)#line vty 0 4
Cisco2610-1(config-line)#login local

Removing a user from the local database

Cisco2610-1(config)#no username test

Configuring SSH for VTY Sessions

R1(config)#line vty 0 4
R1(config-line)#login
R1(config-line)#password cisco
R1(config-line)#transport input telnet ssh
R1(config-line)#exit

OR (use this form for SSH: SSH always authenticates with a username, so a line password on its own only works for Telnet)

R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#transport input telnet ssh
R1(config-line)#exit
R1(config)#username cisco password cisco

Then

R1(config)#ip domain-name test.com


R1(config)#crypto key generate rsa
The name for the keys will be: R1.test.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024


% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
*Mar 1 00:04:14.335: %SSH-5-ENABLED: SSH 1.99 has been enabled

Additional SSH Commands

Set the SSH Negotiation phase timeout interval (in seconds)

MyRouter(config)# ip ssh time-out 120

Set the Maximum retry attempts

MyRouter(config)# ip ssh authentication-retries 3

To change the default port for SSH (default is 22) connection

MyRouter(config)# ip ssh port 3536


Showing the RSA public key

R1#show crypto key mypubkey rsa

Check SSH Version


R1#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

Check Connections

R1#show ssh

Disable Telnet so SSH is the only connection option available

R1(config)#line vty 0 4
R1(config-line)#transport input ssh
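A small audit of the remote-access hardening steps in this section, as an added example that is not part of the original page: it parses a constructed running-config excerpt (not captured from the page's lab devices) and reports which of the settings above are missing or weak (enable secret, password encryption, SSH version 2, login local, transport input ssh, a usable exec-timeout).

```python
from typing import Dict, List, Tuple

# Constructed running-config excerpts (not captured from the page's lab devices).
# WEAK_CONFIG still carries the settings the steps in this section replace.
WEAK_CONFIG = """\
hostname R1
enable password cisco
username cisco password cisco
ip domain-name test.com
line con 0
 login
 password cisco
line vty 0 4
 login
 password cisco
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname R1
service password-encryption
enable secret cisco
username cisco privilege 15 secret cisco
ip domain-name test.com
ip ssh version 2
line con 0
 login
 password cisco
 exec-timeout 30 0
line vty 0 4
 login local
 exec-timeout 30 0
 transport input ssh
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and the indented body of each 'line' section."""
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit(text: str) -> List[str]:
    """Return one finding per hardening step from this section that the config lacks."""
    global_cmds, sections = parse_config(text)
    findings: List[str] = []
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("global: no 'enable secret'; an 'enable password' is stored reversibly")
    # service password-encryption only obfuscates (type 7), but clear-text line passwords are worse.
    if "service password-encryption" not in global_cmds:
        findings.append("global: 'service password-encryption' not set; line passwords are in clear text")
    if "ip ssh version 2" not in global_cmds:
        findings.append("global: 'ip ssh version 2' not set; SSH 1.99 still accepts protocol 1 clients")
    for name, body in sections.items():
        timeout = next((c for c in body if c.startswith("exec-timeout")), None)
        if timeout is None or timeout == "exec-timeout 0 0":   # 0 0 means never time out
            findings.append(f"{name}: no usable exec-timeout; idle sessions never expire")
        if name.startswith("line vty"):
            transport = next((c for c in body if c.startswith("transport input")), None)
            if transport is None or "telnet" in transport or transport.endswith(" all"):
                findings.append(f"{name}: Telnet not disabled; use 'transport input ssh'")
            if "login local" not in body:
                findings.append(f"{name}: line password login; SSH needs a username, use 'login local'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```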

Disable SSH (removes the RSA key pair)

R1(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will
also be removed.
Do you really want to remove these keys? [yes/no]: yes

Connecting to a Router using SSH

Using a Cisco Packet Tracer Client

ssh -l username 172.0.0.100

Using Putty

In this example I'm using an application called Putty.

1. Open Putty
2. Enter the IP address of the router
3. Select SSH
4. Enter a name for the connection
5. Click on the Save button
6. Click on SSH
7. If you're using an older router, select preferred SSH protocol version 1; for newer devices select 2 (version 1 has known weaknesses, so use 2 wherever the device supports it)
8. Click on Session and Click on the save button again
9. Click on the Open button
10. Click on Yes to accept the public key from the router
11. Enter the username and password you configured earlier

Add a banner to the router

Message of the Day Banner (shown before login)

Cisco2610-1>enable
Password:
Cisco2610-1#config t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco2610-1(config)#banner motd #
Enter TEXT message. End with the character '#'.
*************************************************************
This is Cisco test router 1 for my CCNA Lab
This router has security enabled
*************************************************************
#

Login Banner (Shown at login)

Cisco2610-1(config)#banner login #
Enter TEXT message. End with the character '#'.
Test Login Banner
#

Exec Banner (Shown after login)

Cisco2610-1(config)#banner exec #
Enter TEXT message. End with the character '#'.
Test exec Banner
#

Assigning an IP address and default Gateway to a Switch/Router

Configure IP address

Cisco2610-1>enable
Password:
Cisco2610-1#configure t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco2610-1(config)#interface s0/1
Cisco2610-1(config-if)#ip address 172.10.0.100 255.255.0.0
Cisco2610-1(config-if)#no shutdown

Adding a secondary address to a router


router(config)#interface s0/1
router(config-if)#ip address 172.20.0.100 255.255.0.0 secondary

Setting a default gateway

switch#
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#ip default-gateway 172.16.0.200
switch(config)#

Configuring an Interface to use DHCP (remove the default gateway if set)

Cisco2610-1(config)#interface vlan1
Cisco2610-1(config-if)#ip address dhcp
Cisco2610-1(config-if)#no shutdown

Note: Some older switches/routers do not support being configured as a DHCP client

Configuring Switch Interfaces/Ports

Setting the Speed, Duplex and adding a description

switch(config)#interface fa0/1
switch(config-if)#speed 100
switch(config-if)#duplex full
switch(config-if)#description Connection to voice router
switch(config-if)#exit

Applying a description to a range of ports

switch(config)#interface range fa0/1 - 10
switch(config-if-range)#description Connections for IP Phones

Checking the status of a port or ports

switch#show interfaces fa0/1


or
switch#show interfaces (to display info for all ports)

Checking the status for all ports (not available on older switches/firmware)
switch#show interfaces status

Checking the status of an individual interface


switch#show interfaces fa0/1 status

Configuring Port Security (commands differ on older switches)


switch(config)#interface fa0/5
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security maximum 10
switch(config-if)#switchport port-security violation shutdown
switch(config-if)#switchport port-security mac-address sticky

Configuring Port Security to Allow a single MAC Address


(The order is important: configuring the static MAC address after enabling port security can produce a duplicate MAC address error)

Switch(config)#interface fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security mac-address 0000.0C06.705D
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#exit

Checking port-security
switch#show port-security

Checking port security for an interface


switch#show port-security interface fa0/1

Disabling a Port
switch(config)#interface fa0/5
switch(config-if)#shutdown
Enabling a Port that has been shutdown by port security

Check the status of the port

Switch#show interfaces f0/13


FastEthernet0/13 is down, line protocol is down (err-disabled)
Hardware is Fast Ethernet, address is 0013.c412.0f0d (bia 0013.c412.0f0d)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set

Switch#show port-security interface f0/13


Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

Enabling the port after a violation

switch(config)#interface fa0/5
switch(config-if)#shutdown
switch(config-if)#no shutdown

Renaming your router


Cisco2610(config)#hostname Cisco2610-1

Disable IP Domain Lookup (stops it searching when you make a typo)


Cisco2610-1(config)#no ip domain-lookup

Setting up VLANs

Creating VLANs on older switches using the VLAN database

S2950-1#vlan database
S2950-1(vlan)#vlan 10 name VOICE
VLAN 10 modified:
Name: VOICE
S2950-1(vlan)#vlan 20 name DATA
VLAN 20 added:
Name: DATA

Creating and naming the VLANS

switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#vlan 2
switch(config-vlan)#name sales
switch(config-vlan)#
switch#

switch#
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#vlan 3
switch(config-vlan)#name marketing
switch(config-vlan)#
switch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Gi0/1
2    sales                            active
3    marketing                        active

Assigning an IP address to a VLAN

Site4Switch(config)#interface vlan 2
Site4Switch(config-if)#ip address 192.0.1.30 255.255.255.128

Assigning Ports to the VLANS

switch#
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#interface fastethernet0/1
switch(config-if)#switchport access vlan 2
switch(config-if)#
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#interface fastethernet0/4
switch(config-if)#switchport access vlan 3

Assigning a range of ports


Switch(config)#interface range fa0/16-24
Switch(config-if-range)#switchport access vlan 2

Configuring a Router to use Subinterfaces for separate VLANs

Router(config)#interface fa0/0
Router(config-if)#no shutdown

Router(config)#interface fa0/0.1
Router(config-subif)#ip address 10.1.1.1 255.255.255.0
Router(config-subif)#encapsulation dot1q 1

Router(config)#interface fa0/0.2
Router(config-subif)#ip address 10.1.2.1 255.255.255.0
Router(config-subif)#encapsulation dot1q 2

Router(config)#interface fa0/0.3
Router(config-subif)#ip address 10.1.3.1 255.255.255.0
Router(config-subif)#encapsulation dot1q 3

Configure the switch interface connected to the router (on switches that support ISL, set the encapsulation before putting the port into trunk mode, or the mode command is rejected)

Switch(config)#interface fa0/24
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk

Set a VLAN to use trunking but not to encapsulate the VLAN ID in a trunking header
Router(config)#interface fa0/0.1
Router(config-subif)#encapsulation dot1q 1 native

Configuring Trunking between Switches

Changing an Interface to become a Trunk (set this on only one interface between two switches)
Switch(config)#interface fa0/3
Switch(config-if)#switchport mode trunk
or
Switch(config-if)#switchport mode dynamic desirable

Checking which interface is being used for trunking


Switch#show interface trunk

Checking the switchport status of interfaces


Switch#show interface switchport
or
Switch#show interface fa0/3 switchport

Removing a VLAN from a trunk (this needs doing on each switch)

AccessLayerSwitch2(config)#interface range g1/1-2
AccessLayerSwitch2(config-if-range)#switchport trunk allowed vlan remove 4

AccessLayerSwitch2#show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Gig1/1      on           802.1q         trunking      1
Gig1/2      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gig1/1      1-3,5-1005
Gig1/2      1-3,5-1005

Disabling trunking on an interface


switch(config)#interface fa0/1
switch(config-if)#switchport mode access
or
switch(config-if)#switchport nonegotiate

Changing the encapsulation a trunk uses (most switches only support 802.1q, so they don't support these commands)

Switch(config-if)#switchport trunk encapsulation isl
or
Switch(config-if)#switchport trunk encapsulation negotiate

Configuring VTP between two Switches

Switch1 - Server Mode Configuration


Switch1(config)#vtp mode server
Switch1(config)#vtp domain test
Switch1(config)#vtp password test
Switch1(config)#vtp version 2

Switch2 - Client Mode Configuration


Switch2(config)#vtp mode client
Switch2(config)#vtp domain test
Switch2(config)#vtp password test
Switch2(config)#vtp version 2

Switch3 - Transparent Mode Configuration


Switch3(config)#vtp mode transparent

Enabling VTP Pruning


Switch(config)#vtp pruning

Checking a switch's VTP status


Switch#show vtp status

Checking vtp password


switch#show vtp password

Resetting the revision number of a switch before adding it to a VTP domain

(this prevents the VLAN database on the other switches being overwritten if the new switch's revision number is higher)

Switch(config)#vtp mode transparent
Switch(config)#vtp mode server

Spanning Tree Protocol

Debug Spanning Tree

SW1#debug spanning-tree events

Displaying spanning tree information for all VLANs


SW1#show spanning-tree

Displaying spanning tree information for a VLAN


SW1#show spanning-tree vlan 3

Changing the cost of an interface


SW1(config)#interface Fa0/17
SW1(config-if)#spanning-tree cost 2

Changing the cost of an interface for a specific VLAN only


SW1(config)#interface Fa0/17
SW1(config-if)#spanning-tree vlan 3 cost 2

Changing the primary root switch


SW1(config)#spanning-tree root primary

Changing the primary root switch for a specific VLAN only


SW1(config)#spanning-tree vlan 3 root primary

Configuring a switch to become a secondary root switch


SW1(config)#spanning-tree root secondary

Configuring a VLAN to become a secondary root switch for that VLAN only
SW1(config)#spanning-tree vlan 3 root secondary

Configuring the priority of a switch to make it the root switch


SW1(config)#spanning-tree priority 1000

Configuring the priority of a switch to make it the root switch for a VLAN only
SW1(config)#spanning-tree vlan 3 priority 1000

Display VLAN Root switch information


SW1#show spanning-tree root

Display the Bridge ID for VLANs on a switch


SW1#show spanning-tree vlan 3 bridge id

Enabling Portfast on a range of interfaces


SW1(config)#interface range fa0/1-2
SW1(config-if-range)#spanning-tree portfast

Enabling BPDU Guard on an Interface


SW1(config)#interface range fa0/1-2
SW1(config-if-range)#spanning-tree bpduguard enable

Checking Portfast and BPDU Guard configuration on an interface

SW1#show running-config

Enabling EtherChannel (configure on both switches; use mode on at both ends, or auto on one switch and desirable on the other)

Switch(config)#interface gi3/1
Switch(config-if)#channel-group 1 mode on
Switch(config-if)#exit
Switch(config)#interface gi4/1
Switch(config-if)#channel-group 1 mode on

Show EtherChannel Information

Switch#show etherchannel summary

Enabling RSTP (this automatically enables PVST)


SW1(config)#spanning-tree mode rapid-pvst

Enabling PVST
SW1(config)#spanning-tree mode pvst

Enabling MST
SW1(config)#spanning-tree mode mst

Copying Config Between Devices

Copying from another device

1. Do a show run command on the source device
2. Highlight the config you want to copy
3. Select copy
4. Go to the destination device
5. Enter the global configuration mode
6. Right click and select paste

Copying from notepad

1. Highlight the text you want to copy
2. Select copy
3. Go to the destination device
4. Enter the global configuration mode
5. Right click and select paste

Troubleshooting (Chapter 10)

Cisco Discovery Protocol (CDP)

Enable CDP
switch(config)#cdp run

Disable CDP on the switch (Enabled by default)


Switch(config)#no cdp run

Disable CDP on an Interface


Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fa0/1
Switch(config-if)#no cdp enable

Changing the timer and holdtime values

Switch(config)#cdp timer 90
Switch(config)#cdp holdtime 240

List one summary line for each neighbor


Switch#show cdp neighbors

List detailed information on each neighbor


Switch#show cdp neighbors detail

List detailed information for a single device


Switch#show cdp entry switchname

Show if CDP is enabled and timer values


Switch#show cdp

Show if CDP is enabled on each interface


Switch#show cdp interface

List CDP stats


Switch#show cdp traffic

Show Commands for the Interfaces

Displays information on status, speed and duplex


Switch#show interfaces status

Displays basic information


Switch#show ip interface brief

Show the interface details and description details


Switch#show interface description

Displays info on the VLANs and which interfaces have been assigned to them

Switch#show vlan

MAC Address Table Commands

switch#show mac-address-table

switch#show mac-address-table static (displays only static addresses)

switch#show mac-address-table dynamic (displays only dynamically learned addresses)

S3500XL-1#show mac-address-table
Dynamic Address Count: 2
Secure Address Count: 0
Static Address (User-defined) Count: 0
System Self Address Count: 51
Total MAC addresses: 53
Maximum MAC addresses: 8192
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0004.277f.0000       Dynamic       1     FastEthernet0/6
0007.e918.d07b       Dynamic       1     FastEthernet0/12

Enabling Debug Messages

See available list of debug messages


Router#debug ?

Enabling Debug for IP Packets


Router#debug ip packet

Enabling Debug for ICMP


Router#debug ip icmp

Enabling Debug for NAT


Router#debug ip nat

Enabling Debug for RIP


Router#debug ip rip

Enable Debug for Routing Table


Router#debug ip routing

Disabling Debug for IP Packets


Router#no debug ip packet

Operating Cisco Routers (Chapter 13)

Display routing information

router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR, P - periodic downloaded static route
T - traffic engineered route

Gateway of last resort is 10.1.100.252 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks


S 10.1.2.0/24 [1/0] via 10.1.128.252
R 10.1.129.0/24 [120/1] via 10.1.130.252, 00:00:15, Serial0/1/0
S 10.1.3.0/24 [1/0] via 10.1.130.252
R 10.2.1.0/24 [120/1] via 10.1.130.252, 00:00:15, Serial0/1/0
C 10.1.1.0/24 is directly connected, FastEthernet0/0
C 10.1.100.0/24 is directly connected, FastEthernet0/1
R 10.1.4.0/24 [120/1] via 10.1.100.252, 00:00:15, FastEthernet0/1
S 10.1.1.0/8 [1/1] via 10.1.129.253
C 10.1.130.0/24 is directly connected, Serial0/1/0
C 10.1.128.0/24 is directly connected, Serial0/0/1
S* 0.0.0.0 [1/0] via 10.1.100.252
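A lookup over the routing table shown above, as an added example that is not part of the page's material: the parser handles the three line shapes in that output (static/RIP with next hop, directly connected, and the S* default with no prefix length), and lookup() performs the longest-prefix match the router applies when forwarding. The embedded table is copied from the output above; Python is assumed as the scripting language.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Route lines from the 'show ip route' output above (legend and summary lines omitted);
# the non-canonical '10.1.1.0/8' entry is kept to show it is normalised to 10.0.0.0/8.
SHOW_IP_ROUTE = """\
S 10.1.2.0/24 [1/0] via 10.1.128.252
R 10.1.129.0/24 [120/1] via 10.1.130.252, 00:00:15, Serial0/1/0
S 10.1.3.0/24 [1/0] via 10.1.130.252
R 10.2.1.0/24 [120/1] via 10.1.130.252, 00:00:15, Serial0/1/0
C 10.1.1.0/24 is directly connected, FastEthernet0/0
C 10.1.100.0/24 is directly connected, FastEthernet0/1
R 10.1.4.0/24 [120/1] via 10.1.100.252, 00:00:15, FastEthernet0/1
S 10.1.1.0/8 [1/1] via 10.1.129.253
C 10.1.130.0/24 is directly connected, Serial0/1/0
C 10.1.128.0/24 is directly connected, Serial0/0/1
S* 0.0.0.0 [1/0] via 10.1.100.252
"""

# One route line: code, network[/len], then either "[AD/metric] via next-hop[, age][, interface]"
# or "is directly connected, interface". A missing /len (the S* default) is taken as /0.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]\*?|[A-Z][A-Z0-9])\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[\d.]+)"
    r"(?:,\s*\d+:\d+:\d+)?(?:,\s*(?P<iface>\S+))?"
    r"|is directly connected,\s+(?P<ciface>\S+))$"
)


def parse_routes(text: str) -> List[Dict]:
    """Turn the route lines of 'show ip route' into dicts; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue                      # legend, 'Gateway of last resort', subnet summaries
        connected = m["ciface"] is not None
        routes.append({
            "code": m["code"],
            "network": ipaddress.ip_network(f"{m['net']}/{m['plen'] or 0}", strict=False),
            "ad": 0 if connected else int(m["ad"]),          # connected routes have AD 0
            "metric": 0 if connected else int(m["metric"]),
            "next_hop": None if connected else m["nh"],
            "interface": m["ciface"] or m["iface"],
        })
    return routes


def lookup(routes: List[Dict], destination: str) -> Optional[Dict]:
    """Longest-prefix match: the most specific route containing the destination wins."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in r["network"]]
    if not matches:
        return None                       # no default route: the packet would be dropped
    return max(matches, key=lambda r: r["network"].prefixlen)


if __name__ == "__main__":
    table = parse_routes(SHOW_IP_ROUTE)
    for dst in ("10.1.4.77", "10.1.1.9", "10.5.5.5", "8.8.8.8"):
        r = lookup(table, dst)
        print(dst, "->", r["network"], r["next_hop"] or "connected", r["interface"])
```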

Displaying link and protocol status commands

router#show ip interface brief


Interface        IP-Address    OK? Method Status                Protocol
FastEthernet0/0  10.1.1.251    YES manual up                    up
FastEthernet0/1  10.1.100.251  YES manual up                    up
Serial0/0/0      unassigned    YES unset  administratively down down
Serial0/0/1      10.1.128.251  YES manual up                    up
Serial0/1/0      10.1.130.251  YES manual up                    up
Serial0/1/1      unassigned    YES unset  administratively down down

router#show protocols
Global values:
Internet protocol routing is enabled
Serial0/0/0 is administratively down, line protocol is down
Serial0/0/1 is up, line protocol is up
Internet address is 10.1.128.251/24
Serial0/1/0 is up, line protocol is up
Internet address is 10.1.130.251/24
Serial0/1/1 is administratively down, line protocol is down
FastEthernet0/0 is up, line protocol is up
Internet address is 10.1.1.251/24
FastEthernet0/1 is up, line protocol is up
Internet address is 10.1.100.251/24
Albuquerque#show protocols fa0/0
% Incomplete command.

router#show protocols fa0/0


router#show interfaces

FastEthernet0/0 is up, line protocol is up


Hardware is AmdFE, address is 00b0.94e0.7388 (bia 00b0.94e0.7388)
Internet address is 10.1.1.251/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:50, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 0 packets/sec
588 packets input, 74628 bytes
Received 588 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast
0 input packets with dribble condition detected
231 packets output, 53712 bytes, 0 underruns
--More--

Clock and Bandwidth Commands

router>enable
router#config t
Enter configuration commands, one per line. End with CNTL/Z
router(config)#interface serial0/0/1
router(config-if)#clock rate 128000
router(config-if)#bandwidth 64

Displaying Clock Rate and Bandwidth Settings


router#show controllers serial0/0/1

Interface Serial0/0/1
Hardware is GT96K
DCE V.35 clock rate 128000
idb at 0x454E69C8, driver data structure at 0x454EE0EC

router#show running-config

interface Serial0/0/1
bandwidth 64
ip address 10.1.128.251 255.255.255.0
no ip directed-broadcast

Backing up and Restoring IOS Images and Configuration Files

Backup IOS Image


Switch#copy flash tftp
Source filename []? c2960-lanbase-mz.122-25.FX.bin
Address or name of remote host []? 10.0.0.1
Destination filename [c2960-lanbase-mz.122-25.FX.bin]? Router-A-IOS

Backing up Startup Configuration


Switch#copy startup-config tftp
Address or name of remote host []? 10.0.0.1
Destination filename [Switch-confg]? Router-A-Startup-Config

Restoring or Updating IOS version


Router#copy tftp flash
Address or name of remote host []? 10.0.0.1
Source filename []? c4500-d-mz.120-5.bin
Destination filename [c4500-d-mz.120-5.bin]?

Restoring Startup Configuration


Switch#copy tftp startup-config
Address or name of remote host []? 10.0.0.5
Source filename []? Router-A-Startup-Config
Destination filename [startup-config]?

Deleting a Flash Image


Switch#delete flash:c2960-lanbase-mz.122-25.FX.bin
Delete filename [c2960-lanbase-mz.122-25.FX.bin]?y
Delete flash:/y? [confirm]y

Display the file in Flash Memory


Switch#dir flash:

Checking the current IOS version and flash memory status


Router#show flash
-#- --length-- -----date/time------ path
1 36232088 Feb 13 2007 23:15:58 +00:00 c2800nm-advipservicesk9-mz.124-12.bin

18468864 bytes available (45547520 bytes used)

Setting the Configuration Register to load router in ROMMON mode


router(config)#config-register 0x2100

Setting the Configuration Register to load first image in flash


router(config)#config-register 0x2101

Setting the Configuration Register to load using image specified in boot system command
router(config)#config-register 0x2102 (Default Setting)
or
router(config)#config-register 0x210F

Boot System Commands - Load first file from flash


router(config)#boot system flash

Boot System Commands - IOS with the name filename is loaded from flash memory
router(config)#boot system flash filename

Boot System Commands - IOS with the name filename is loaded from a TFTP server
router(config)#boot system tftp filename 10.0.0.1

Routing Protocols (Chapter 14)

Enabling RIP v2
router(config)#router rip
router(config-router)#version 2
router(config-router)#network 10.0.0.0
router(config-router)#network 172.1.0.0

Display routes learnt by rip


router#show ip route rip

Display information about rip plus ip addresses of neighbouring rip routers


router#show ip protocols

Display the mask in decimal rather than prefix when using show ip route command
router#terminal ip netmask-format decimal

Adding a Static Route using IP address for next hop


router(config)#ip route 172.16.30.0 255.255.255.0 10.1.128.251

Adding a Static Route using the interface as the outgoing port


router(config)#ip route 192.168.30.0 255.255.255.0 serial0/1/0

Extended Ping Command (enter Y when prompted for extended commands)


router#ping
Protocol [ip]:
Target IP address: 172.1.0.150
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.0.0.1

Exiting out of a ping or traceroute command


press Ctrl+Shift+6

Adding a Default Route


router(config)#ip route 0.0.0.0 0.0.0.0 10.2.128.1
or
router(config)#ip default-network 10.0.0.0

Removing a Default Route


router(config)#no ip route 0.0.0.0 0.0.0.0 10.2.128.1

Setting rip to debug


router#debug ip rip

Disabling rip debug


router#undebug all

Show process to check CPU usage


router#show process

Adding timestamps to debug messages


router(config)#service timestamps debug

Adding timestamps to log messages


router(config)#service timestamps log

Enabling Classful Routing (use to test behaviour of default route)


router(config)#no ip classless

Configuring Manual Summarization

router(config)#interface s0/0
router(config-if)#ip summary-address eigrp 1 172.0.0.0 255.255.0.0

Disable Autosummarisation (can only do on classless routing protocols and can't do it on OSPF)
router(config)#router rip
router(config-router)#no auto-summary

Troubleshooting IP Routing (Chapter 15)

Display a router's ARP cache

router#show ip arp

Display routes for connected interfaces


router#show ip route connected

Telnet and Suspend

Telnet to the first router, then telnet from the first router to the second.
Press Ctrl+Shift+6 then x to suspend the current session and switch between routers.

show sessions (or where) displays a list of available sessions.
resume 1 takes you to session 1, or just type 1 then press Enter.
resume on its own takes you to the most recently suspended session. This is the session that has an * next to it in the
show sessions or where output.
disconnect 1 disconnects session number 1.

Additional Commands
Configuring DHCP Pool

BGRouter(config)#ip dhcp pool SalesNetwork


BGRouter(dhcp-config)#network 10.0.0.0 255.255.0.0
BGRouter(dhcp-config)#default-router 10.0.0.1
BGRouter(dhcp-config)#dns-server 172.16.0.2
BGRouter(dhcp-config)#exit
BGRouter(config)#ip dhcp excluded-address 10.0.0.1 10.0.0.10

Show Information about leased DHCP addresses


BGRouter#show ip dhcp binding

Configuring DHCP Pools for multiple VLANS

Create 2 VLANs on the Switch


Give each VLAN an IP Address
Connect the router to the switch using two cables one for each VLAN
Give each router interface an IP address
Assign each interface to a separate VLAN

BGRouter2(config)#ip dhcp pool Sales


BGRouter2(dhcp-config)#network 192.0.1.0 255.255.255.224
BGRouter2(dhcp-config)#default-router 192.0.1.29
BGRouter2(dhcp-config)#dns-server 192.168.1.30
BGRouter2(dhcp-config)#exit
BGRouter2(config)#ip dhcp excluded-address 192.168.1.61
BGRouter2(config)#ip dhcp excluded-address 192.168.1.62

BGRouter2(config)#ip dhcp pool Marketing


BGRouter2(dhcp-config)#network 192.0.1.32 255.255.255.224
BGRouter2(dhcp-config)#default-router 192.0.1.62
BGRouter2(dhcp-config)#dns-server 192.168.1.2
BGRouter2(dhcp-config)#exit
BGRouter2(config)#ip dhcp excluded-address 192.168.1.61
BGRouter2(config)#ip dhcp excluded-address 192.168.1.62

Configuring NAT/PAT (configure dynamic routing on all routers)

BGRouter(config)#interface fa0/0
BGRouter(config-if)#ip nat inside
BGRouter(config-if)#exit
BGRouter(config)#interface s0/0
BGRouter(config-if)#ip nat outside
BGRouter(config-if)#exit
BGRouter(config)#access-list 1 permit 10.0.0.11
BGRouter(config)#access-list 1 permit 10.0.0.12
BGRouter(config)#ip nat pool SalesPool 198.18.194.73 198.18.194.78 netmask 255.255.255.248
BGRouter(config)#ip nat inside source list 1 pool SalesPool overload
BGRouter(config)#exit

You’ll need to add a route back to the 198.18.194.0 address range from the ISP router

ISP(config)#ip route 198.18.194.0 255.255.255.0 172.16.0.2

Configuring NAT to Allow Any Address in the 192 Range to use NAT
router(config)#access-list 1 permit 192.0.1.0 0.255.255.255

NAT Show Commands

BGRouter#show ip nat statistics


Total translations: 2 (0 static, 2 dynamic, 2 extended)
Outside Interfaces: Serial0/0
Inside Interfaces: FastEthernet0/0
Hits: 17 Misses: 1025
Expired translations: 7
Dynamic mappings:
-- Inside Source
access-list 1 pool SalesPool refCount 2
pool SalesPool: netmask 255.255.255.248
start 198.18.194.73 end 198.18.194.78
type generic, total addresses 6 , allocated 1 (16%), misses 0

BGRouter#show ip nat translations


Pro  Inside global         Inside local       Outside local       Outside global
icmp 198.18.194.73:21     10.0.0.11:21       192.168.0.2:21      192.168.0.2:21
icmp 198.18.194.73:22     10.0.0.11:22       192.168.0.2:22      192.168.0.2:22
icmp 198.18.194.73:23     10.0.0.11:23       192.168.0.2:23      192.168.0.2:23
icmp 198.18.194.73:24     10.0.0.11:24       192.168.0.2:24      192.168.0.2:24
icmp 198.18.194.73:5      10.0.0.12:5        192.168.0.2:5       192.168.0.2:5
icmp 198.18.194.73:6      10.0.0.12:6        192.168.0.2:6       192.168.0.2:6
icmp 198.18.194.73:7      10.0.0.12:7        192.168.0.2:7       192.168.0.2:7
icmp 198.18.194.73:8      10.0.0.12:8        192.168.0.2:8       192.168.0.2:8
udp  198.18.194.73:1036   10.0.0.11:1036     192.168.0.2:53      192.168.0.2:53
udp  198.18.194.73:1026   10.0.0.12:1026     192.168.0.2:53      192.168.0.2:53
udp  198.18.194.73:1027   10.0.0.12:1027     192.168.0.2:53      192.168.0.2:53
tcp  198.18.194.73:1025   10.0.0.11:1025     192.168.0.2:80      192.168.0.2:80
tcp  198.18.194.73:1024   10.0.0.12:1025     192.168.0.2:80      192.168.0.2:80

Configuring MTU Size

Sets MTU size for all layer 3 protocols


Router1(config)#interface s0/0
Router1(config-if)#mtu 1280
or
Sets MTU size for IP only
Router1(config)#interface s0/0
Router1(config-if)#ip mtu 1280

Removing MTU settings


Router1(config-if)#no mtu

Standard Access Control Lists (ACLs)

Display all ACLs on a router

R1#show access-lists

Display a specific ACL by number


R1#show access-lists 1

Display a specific ACL by name


R1#show access-lists Test

Block inbound traffic based on an IP address


R1(config)#interface s0/0
R1(config-if)#ip access-group 1 in
R1(config-if)#exit
R1(config)#access-list 1 remark stop all inbound traffic from source IP 10.1.1.2
R1(config)#access-list 1 deny 10.1.1.2 0.0.0.0
R1(config)#access-list 1 permit 0.0.0.0 255.255.255.255
or
R1(config)#interface fa0/0
R1(config-if)#ip access-group 1 in
R1(config-if)#exit
R1(config)#access-list 1 deny 10.1.1.2
R1(config)#access-list 1 permit any
or
R1(config)#interface fa0/0
R1(config-if)#ip access-group 1 in
R1(config-if)#exit
R1(config)#ip access-list standard 1
R1(config-std-nacl)#deny 10.1.1.2
R1(config-std-nacl)#permit any

Block outbound traffic based on an IP address


R2(config)#interface fa0/0
R2(config-if)#ip access-group 1 out
R2(config-if)#exit
R2(config)#access-list 1 remark stop all outbound traffic from source IP 10.1.3.2
R2(config)#access-list 1 deny 10.1.3.2 0.0.0.0
R2(config)#access-list 1 permit 0.0.0.0 255.255.255.255

Extended ACLs

Block any IP packet from any source address to destination IP address 10.1.4.4
R3(config-if)#ip access-group 100 out
R3(config-if)#exit
R3(config)#access-list 100 deny ip any host 10.1.4.4
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255

Block IP packets from 10.1.1.2 to destination address 10.1.4.4


R3(config)#access-list 100 deny ip host 10.1.1.2 host 10.1.4.4
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255

Block TCP packets to destination IP 10.1.4.3 and destination port 21

R3(config)#access-list 100 deny tcp any host 10.1.4.3 eq 21
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255
or
R3(config)#access-list 100 deny tcp any host 10.1.4.3 eq ftp
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255

Block TCP packets from any source port greater than 1023 to destination IP 10.1.4.3 port 21
R3(config)#access-list 100 deny tcp any gt 1023 host 10.1.4.3 eq 21
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255

Allow tcp packets from 10.1.1.0 network to connect to destination 10.1.4.3 on port 21
R3(config)# access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 10.1.4.3 eq 21

Multiple ACL entries (routers process ACL entries in the order they were entered and stop at the first match. If the last
entry, permit ip any any, had been entered first, none of the others would ever be reached because it matches all traffic;
likewise, if the first entry had been entered after the third, the deny for FTP to 10.1.4.3 would match first and the
10.1.1.0 network would be blocked as well)
R3(config)# access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 10.1.4.3 eq 21
R3(config)#access-list 100 deny ip any host 10.1.4.4
R3(config)#access-list 100 deny tcp any host 10.1.4.3 eq ftp
R3(config)#access-list 100 permit ip any any
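The first-match rule described above, worked through in code as an added example that is not part of the original page: it parses entries written in the same syntax as the access-list commands on this page (standard and extended, wildcard masks, host/any, eq/gt/lt port operators), evaluates constructed packets against the four-entry list above, and shows how moving permit ip any any to the top silently disables the FTP deny. The packets and helper names are assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port keywords IOS accepts in place of numbers (subset used on this page).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp", "udp", "icmp"; "ip" also for standard ACLs
    src: Tuple[str, str]              # (address, wildcard)
    dst: Tuple[str, str] = ANY
    sport: Optional[Tuple[str, int]] = None   # ("eq"|"gt"|"lt", port) on the source port
    dport: Optional[Tuple[str, int]] = None   # same, on the destination port


def _addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any', 'host A', 'A WILDCARD', or a bare 'A' (standard ACL shorthand for a host)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0) if tokens else "0.0.0.0")


def _port(tokens: List[str]) -> Optional[Tuple[str, int]]:
    """Consume an optional port operator such as 'eq ftp' or 'gt 1023'."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op, p = tokens.pop(0), tokens.pop(0)
        return (op, PORT_NAMES.get(p) or int(p))
    return None


def parse_entry(line: str) -> Entry:
    """Parse one entry written the way the access-list commands above are."""
    tokens = line.split()
    action = tokens.pop(0)
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):        # extended ACL
        proto = tokens.pop(0)
        src, sport = _addr(tokens), _port(tokens)
        dst, dport = _addr(tokens), _port(tokens)
        return Entry(action, proto, src, dst, sport, dport)
    return Entry(action, "ip", _addr(tokens))            # standard ACL: source only


def _port_ok(rule: Optional[Tuple[str, int]], port: int) -> bool:
    if rule is None:
        return True
    op, p = rule
    return {"eq": port == p, "gt": port > p, "lt": port < p}[op]


def evaluate(acl: List[Entry], pkt: Dict) -> Tuple[str, Optional[int]]:
    """First matching entry wins; ('deny', None) is the implicit deny at the end of every ACL."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *e.src) and wildcard_match(pkt["dst"], *e.dst)):
            continue
        if not (_port_ok(e.sport, pkt.get("sport", 0)) and _port_ok(e.dport, pkt.get("dport", 0))):
            continue
        return e.action, i
    return "deny", None


# The four-entry list from the section above, in the order the author enters it.
ACL_100 = [parse_entry(line) for line in (
    "permit tcp 10.1.1.0 0.0.0.255 host 10.1.4.3 eq 21",
    "deny ip any host 10.1.4.4",
    "deny tcp any host 10.1.4.3 eq ftp",
    "permit ip any any",
)]
# Constructed packets: FTP control connections from inside and outside 10.1.1.0/24.
FTP_FROM_SALES = {"src": "10.1.1.20", "dst": "10.1.4.3", "proto": "tcp", "sport": 40001, "dport": 21}
FTP_FROM_OTHER = {"src": "10.1.2.20", "dst": "10.1.4.3", "proto": "tcp", "sport": 40002, "dport": 21}


def order_matters() -> Tuple[Tuple[str, Optional[int]], Tuple[str, Optional[int]]]:
    """Same entries reversed, so 'permit ip any any' is first: the FTP deny is never reached."""
    return evaluate(ACL_100, FTP_FROM_OTHER), evaluate(ACL_100[::-1], FTP_FROM_OTHER)


if __name__ == "__main__":
    print("sales host to FTP:", evaluate(ACL_100, FTP_FROM_SALES))
    print("other host to FTP, author order / permit-first:", order_matters())
```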

Named ACLs (these can be used for standard and extended ACLs)

Block inbound IP packets from 10.1.2.1 to destination address 10.1.1.1

R1(config)#ip access-list extended BlockInbound1
R1(config-ext-nacl)#deny ip host 10.1.2.1 host 10.1.1.1
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#interface fa0/0
R1(config-if)#ip access-group BlockInbound1 out

Block all outbound traffic from 10.1.1.3 out one interface on a router
R1(config)#ip access-list extended BlockOutbound1
R1(config-ext-nacl)#deny ip host 10.1.1.3 any
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#interface s0/1
R1(config-if)#ip access-group BlockOutbound1 out

Block all inbound traffic to 10.1.4.4 & block all ftp traffic to 10.1.4.3 apart from devices on the 10.1.1.0 network
R3(config)#ip access-list extended BlockInbound1
R3(config-ext-nacl)#deny ip any host 10.1.4.4
R3(config-ext-nacl)#permit tcp 10.1.1.0 0.0.0.255 host 10.1.4.3 eq ftp
R3(config-ext-nacl)#deny tcp any host 10.1.4.3 eq ftp
R3(config-ext-nacl)#permit ip any any
R3(config-ext-nacl)#exit
R3(config)#interface fa1/0
R3(config-if)#ip access-group BlockInbound1 out

Manipulating ACLs Using Sequence Numbers
(works on IOS 12.3 or later and doesn't work in Packet Tracer)

Create Access List (notice sequence numbers using the show command)
R1(config)#ip access-list standard 1
R1(config-std-nacl)#deny 10.1.2.0 0.0.255.255
R1(config-std-nacl)#deny 10.2.3.0 0.0.255.255
R1(config-std-nacl)#permit any
R1(config-std-nacl)#exit
R1(config)#do show access-list 1
Standard IP access list 1
10 deny 10.1.0.0, wildcard bits 0.0.255.255
20 deny 10.2.0.0, wildcard bits 0.0.255.255
30 permit any

Adding a new entry between sequence number 20 & 30


R1(config)#ip access-list standard 1
R1(config-std-nacl)#25 deny 10.3.0.0 0.0.255.255
R1(config-std-nacl)#do show access-list
Standard IP access list 1
10 deny 10.1.0.0, wildcard bits 0.0.255.255
20 deny 10.2.0.0, wildcard bits 0.0.255.255
25 deny 10.3.0.0, wildcard bits 0.0.255.255
30 permit any

Removing an entry
R1(config-std-nacl)#no 20
R1(config-std-nacl)#do show access-list
Standard IP access list 1
10 deny 10.1.0.0, wildcard bits 0.0.255.255
25 deny 10.3.0.0, wildcard bits 0.0.255.255
30 permit any

Stopping Access to VTY Lines (telnet, ssh)

R2(config)#line vty 0 15
R2(config-line)#access-class 3 in
R2(config-line)#exit
R2(config)#access-list 3 deny any
