Basic Switch/Router Configuration & Security (Ref Chapter 9 - ICND1)

Setting console password, synchronous and timeout

Cisco2610-1(config)#line con 0
Cisco2610-1(config-line)#login
Cisco2610-1(config-line)#password cisco
Cisco2610-1(config-line)#logging synchronous
Cisco2610-1(config-line)#exec-timeout 30 0

Setting Auxillary password, synchronous and timeout (Router Only)

Cisco2610-1(config)#line aux 0
Cisco2610-1(config-line)#login
Cisco2610-1(config-line)#password cisco
Cisco2610-1(config-line)#logging synchronous
Cisco2610-1(config-line)#exec-timeout 30 0

Setting Telnet password, synchronous and timeout

Cisco2610-1(config-line)#line vty 0 4 (set to 15 if newer router)

Cisco2610-1(config-line)#login
Cisco2610-1(config-line)#password cisco
Cisco2610-1(config-line)#logging synchronous
Cisco2610-1(config-line)#exec-timeout 30 0

Enable password

Cisco2610-1(config)#enable password cisco

Enable secret password

Cisco2610-1(config)#enable secret cisco

Disable secret password

Cisco2610-1(config)#no enable secret

Encrypting Passwords

R1(config)#service password-encryption

Set the History size for Telnet sessions

Cisco2610-1(config-line)#line vty 0 4
Cisco2610-1(config-line)#history size 20

Set the History size for the session your in

R1#terminal history size 20 (10 by default)

See the commands listed in the history buffer

R1#show history
Local User Database

Adding a user to the local database for Telnet that goes straight into privilege exec mode
Cisco2610-1(config)#line vty 0 4
Cisco2610-1(config-line)#login local
Cisco2610-1(config-line)#username test privilege 15 password test

Removing a user from the local database

Cisco2610-1(config)#line vty 0 4
Cisco2610-1(config-line)#lno username test

Configuring SSH for Telnet Sessions

R1(config)#line vty 0 4line

R1(config-line)#login
R1(config-line)#password cisco
R1(config-line)#transport input telnet ssh
R1(config-line)#exit

OR

R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#transport input telnet ssh
R1(config-line)#exit
R1(config)#username cisco password cisco

Then

R1(config)#ip domain-name test.com

R1(config)#crypto key generate rsa
The name for the keys will be: R1.test.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
*Mar 1 00:04:14.335: %SSH-5-ENABLED: SSH 1.99 has been enabled

Additional SSH Commands

Set the SSH Negotiation phase timeout interval (in seconds)

MyRouter(config)# ip ssh time-out 120

Set the Maximum retry attempts

MyRouter(config)# ip ssh authetication-retries 3

To change the default port for SSH (default is 22) connection

MyRouter(config)# ip ssh port 3536

Showing the encryption key

R1#show crypto key

or
R1#show crypto key mypubkey rsa

Check SSH Verison

R1#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

Check Connections
R1#show ssh

Disable Telnet so SSH is only connection option available

R1(config)#line vty 0 4
R1(config-line)#transport input ssh

Disable SSH
R1(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will
will also be removed.
Do you really want to remove these keys? [yes/no]: yes
Connecting to a Router using SSH

Using a Cisco Packet Tracer Client

ssh –l username 172.0.0.100

Using Putty

In this example I'm using an application called Putty.

1. Open Putty
2. Enter the IP address of the router
3. Select SSH
4. Enter a name for the connection
5. Click on the Save button
6. Click on SSH
7. If your using an older router select Preferred SSH protocol version 1 for newer devices select 2
8. Click on Session and Click on the save button again
9. Click on the Open button
10. Click on Yes to accept the public key from the router
11. Enter the username and password you configured earlier

Add a banner to the router

Message of the Day Banner (shown before login)

Cisco2610-1>enable
Password:
Cisco2610-1#config t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco2610-1(config)#banner motd #
Enter TEXT message. End with the character '#'.
*************************************************************
This is Cisco test router 1 for my CCNA Lab
This router has security enabled
*************************************************************
#

Login Banner (Shown at login)

Cisco2610-1(config)#banner login #
Enter TEXT message. End with the character '#'.
Test Login Banner
#

Exec Banner (Shown after login)

Cisco2610-1(config)#banner exec #
Enter TEXT message. End with the character '#'.
Test exec Banner
#
Assigning an IP address and default Gateway to a Switch/Router

Configure IP address

Cisco2610-1>enable
Password:
Cisco2610-1#configure t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco2610-1(config)#interface s0/1
Cisco2610-1(config-if)#ip address 172.10.0.100 255.255.0.0
Cisco2610-1(config-if)#no shutdown

Adding a secondary address to a router

router(config)#interface s0/1
router(config-if)#172.20.0.100 255.255.0.0 secondary

Setting a default gateway

switch#
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#ip default-gateway 172.16.0.200
switch(config)#

Configuring an Interface to use DHCP (remove the default gateway if set)

Cisco2610-1(config)#interface vlan1
Cisco2610-1(config-if)#ip address dhcp
Cisco2610-1(config-if)#no shutdown

Note: Some older switches/routers do not support being configured as a DHCP client
Configuring Switch Interfaces/Ports
Setting the Speed, Duplex and adding a description

switch(config)#interface fa0/1
switch(config-if)#speed 100
switch(config-if)#duplex full
switch(config-if)#description Connection to voice router
switch(config-if)#exit

Applying a description to a range of ports

switch(config)#interface range fa/01 - 10

switch(config-if)#description Connections for IP Phones

Checking the status of a port or ports

switch#show interfaces fa0/1

or
switch#show interfaces (to display info for all ports)

Checking the status for all ports (not available on older switches/firmware)
switch#show interfaces status

Checking the status of an individual interface

switch#show interfaces fa0/1 status

Configuring Port Security (commands differ on older switches)

switch(config)#interface fa0/5
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security maximum 10
switch(config-if)#switchport port-security violation shutdown
switch(config-if)#switchport port-security mac-address sticky

Configuring Port Security to Allow a single MAC Address

(The order is important, you can get duplicate Mac address if you do it in the wrong order)

Switch(config)#interface fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security mac-address 0000.0C06.705D
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#exit

Checking port-security
switch#show port-security

Checking port security for an interface

switch#show port-security interface fa0/1

Disabling a Port
switch(config)#interface fa0/5
switch(config-if)#shutdown
Enabling a Port that has been shutdown by port security

Check the status of the port

Switch#show interfaces f0/13

FastEthernet0/13 is down, line protocol is down (err-disabled)
Hardware is Fast Ethernet, address is 0013.c412.0f0d (bia 0013.c412.0f0d)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set

Switch#show port-security interface f0/13

Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

Enabing the port after a violation

switch(config)#interface fa0/5
switch(config-if)#shutdown
switch(config-if)#no shutdown

Renaming your router

Cisco2610(config)#hostname Cisco2610-1

Disable IP Domain Lookup (stops it searching when you make a typo)

Cisco2610-1(config)#no ip domain-lookup
Setting up VLANS

Creating VLAN on older routers using the VLAN Database

S2950-1#vlan database
S2950-1(vlan)#vlan 10 name VOICE
VLAN 10 modified:
Name: VOICE
S2950-1(vlan)#vlan 50 name DATA
VLAN 20 added:
Name: DATA

Creating and naming the VLANS

switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#vlan 2
switch(config-vlan)#name sales
switch(config-vlan)#
switch#

switch#
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#vlan 3
switch(config-vlan)#name marketing
switch(config-vlan)#
switch#show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Gi0/1
2 sales active
3 marketing active

Assigning an IP address to a VLAN

Site4Swith(config-if)#ip address 192.0.1.30 255.255.255.128

Assigning Ports to the VLANS

switch#
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#interface fastethernet0/1
switch(config-if)#switchport access vlan 2
switch(config-if)#
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#interface fastethernet0/4
switch(config-if)#switchport access vlan 3

Assigning a range of ports

Switch(config)#interface range fa0/16-24
Switch(config-if-range)#switchport access vlan 2
Configuring A Router to use Subinterfaces for separate VLANS

Router(config)#interface fa0/0
Router(config-if)#no shutdown

Router(config)#interface fa0/0.1
Router(config-subif)#ip address 10.1.1.1 255.255.255.0
Router(config-subif)#encapsulation dot1q 1

Router(config)#interface fa0/0.2
Router(config-subif)#ip address 10.1.2.1 255.255.255.0
Router(config-subif)#encapsulation dot1q 2

Router(config)#interface fa0/0.3
Router(config-subif)#ip address 10.1.3.1 255.255.255.0
Router(config-subif)#encapsulation dot1q 3

Configure the Switches interface connected to the router

Switch(config)#interface fa0/24
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk encapsulation dot1q

Set a VLAN to use trunking but not to encapsulate the VLAN ID in a trunking header
Router(config)#interface fa0/0.1
Router(config-subif)#encapsulation dot1q 1 native
Configuring Trunking between Switches

Changing an Interface to become a Trunk (set this on only one interface between two switches)
Switch(config)#interface fa0/3
Switch(config-if)#switchport mode trunk
or
Switch(config-if)#switchport mode dynamic desirable

Checking which interface is being used for trunking

Switch#show interface trunk

Checking the switchport status of interfaces

Switch#show interface switchport
or
Switch#show interface fa0/3 switchport

Removing a VLAN from a trunk (this will need doing on each switch)
AccessLayerSwitch2(config)#interface range g1/1-2
AccessLayerSwitch2(config-if-range)#switchport trunk allowed vlan remove 4

AccessLayerSwitch2#show interface trunk

Port Mode Encapsulation Status Native vlan
Gig1/1 on 802.1q trunking 1
Gig1/2 on 802.1q trunking 1

Port Vlans allowed on trunk

Gig1/1 1-3,5-1005
Gig1/2 1-3,5-1005

Disabling trunking on an interface

switch#interface fa0/1
switch#switchport mode access
or
switch#switchport nonegotiate

Changing the encapsulation a trunk uses(most switches only support 802.1q so dont support these commands)
Switch(config-if)#switchport trunk encapsulation isl
or
Switch(config-if)#switchport trunk encapsulation negotiate
Configuring VTP between two Switches

Switch1 - Server Mode Configuration

Switch1(config)#vtp mode server
Switch1(config)#vtp domain test
Switch1(config)#vtp password test
Switch1(config)#vtp version 2

Switch2 - Client Mode Configuration

Switch2(config)#vtp mode client
Switch2(config)#vtp domain test
Switch2(config)#vtp password test
Switch1(config)#vtp version 2

Switch3 - Transparant Mode Configuration

Switch3(config)#vtp mode transparent

Enabling VTP Priuning

Switch(config)#vtp pruning

Checking a Switches VTP status

Switch#show vtp status

Checking vtp password

switch#show vtp password

Resetting the revision number of a switch before adding it to a VTP domain

(this will prevent the VLAN database on other switches being overwritten if the new switches revision number is higher)
Switch(config)#vtp mode transparent
Switch(config)#vtp mode server
Spanning Tree Protocol
Debug Spanning Tree
SW1#debug spanning-tree events

Displaying spanning tree information for all VLANs

SW1#show spanning-tree

Displaying spanning tree information for a VLAN

SW1#show spanning-tree vlan 3

Changing the cost of an interface

SW1(config)#interface Fa0/17
SW1(config-if)#spanning-tree cost 2

Changing the cost of an interface for a specific VLAN only

SW1(config)#interface Fa0/17
SW1(config-if)#spanning-tree vlan 3 cost 2

Changing the primary root switch

SW1(config)#spanning-tree root primary

Changing the primary root switch for a specific VLAN only

SW1(config)#spanning-tree vlan 3 root primary

Configuring a switch to become a secondary root switch

SW1(config)#spanning-tree root secondary

Configuring a VLAN to become a secondary root switch for that VLAN only
SW1(config)#spanning-tree vlan 3 root secondary

Configuring the priority of a switch to make it the root switch

SW1(config)#spanning-tree priority 1000

Configuring the priority of a switch to make it the root switch for a VLAN only
SW1(config)#spanning-tree vlan 3 priority 1000

Display VLAN Root switch information

SW1#show spanning-tree root

Display the Bridge ID for VLANs on a switch

SW1# show spanning-tree vlan 3 bridge id

Enabling Portfast on a range of interfaces

SW1(config)#interface range fa0/1-2
SW1(config-if-range)#spanning-tree portfast

Enabling BPDU Guard on an Interface

SW1(config)#interface range fa0/1-2
SW1(config-if-range)#spanning-tree bpduguard enable
Checking Portfast and BPDU configuration on an interface
SW1#show running-config
Enabling EtherChannel
(configure on both switches, can use on, on both switches or auto on one switch and desirable on another)
Switch(config)#interface gi3/1
Switch(config-if)#channel-group 1 mode on
Switch(config-if)#exit
Switch(config)#interface gi4/1
Switch(config-if)#channel-group 1 mode on
Show EtherChannel Information
Switch#show etherchannel summary

Enabling RSTP (this automatically enables PVST)

SW1(config)#spanning-tree mode rapid-pvst

Enabling PVST
SW1(config)#spanning-tree mode pvst

Enabling MIST
SW1(config)#spanning-tree mode mst

Copying Config Between Devices

Copying from another device

1. Do a show run command on the source device

2. Highlight the config you want to copy
3. Select copy
4. Go to the destination device
5. Enter the global configuration mode
6. Right click and select paste

Copying from notepad

7. Highlight the text you want to copy

8. Select copy
9. Go to the destination device
10.Enter the global configuration mode
11.Right click and select paste
 12. Troubleshooting (Chapter 10)

Cisco Discovery Protocol (CDP)

Enable CDP
switch(config)#cdp run

Disable CDP on the switch (Enabled by default)

Switch(config)#no cdp run

Disable CDP on an Interface

Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fa0/1
Switch(config-if)#no cdp enable

Changing the timer and holdtime values

Switch(config)#cdp timer 90
Switch(config)#cdp holdtime 240

List a 1 summary line for each neighbor

Switch#show cdp neighbors

List detailed information on each neighbor

Switch#show cdp neighbors detail

List detailed information for a single device

Switch#show cdp entry switchname

Show if CDP is enabled and timer values

Switch#show cdp

Shows if CDP is enabled on each interface

Switch#show cdp interface

List CDP stats

Switch#show cdp traffic

Show Commands for the Interfaces

Displays information on status, speed and duplex

Switch#show interfaces status

Displays basic information

Switch#show ip interface brief

Show the interface details and description details

Switch#show interface description

Displays info on the VLAN’s and which interfaces have been assigned to them
Switch#show Vlan
MAC Address Table Commands

switch#show mac-address-table

switch#show mac-address-table static (displays only static addresses)

switch#show mac-address-table dynamic (Displays on dynamically learned addresses)

S3500XL-1#show mac-address-table
Dynamic Address Count: 2
Secure Address Count: 0
Static Address (User-defined) Count: 0
System Self Address Count: 51
Total MAC addresses: 53
Maximum MAC addresses: 8192
Non-static Address Table:
Destination Address Address Type VLAN Destination Port
------------------- ------------ ---- --------------------
0004.277f.0000 Dynamic 1 FastEthernet0/6
0007.e918.d07b Dynamic 1 FastEthernet0/12

Enabling Debug Messages

See available list of debug messages

Router#debug ?

Enabling Debug for IP Packets

Router#debug ip packet

Enabling Debug for ICMP

Router#debug ip icmp

Enabling Debug for NAT

Router#debug ip nat

Enabling Debug for RIP

Router#debug ip rip

Enable Debug for Routing Table

Router#debug ip routing

Disabling Debug for IP Packets

Router#no debug ip packet
Operating Cisco Routers (Chapter 13)

Display routing information

router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR, P - periodic downloaded static route
T - traffic engineered route

Gateway of last resort is 10.1.100.252 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks

S 10.1.2.0/24 [1/0] via 10.1.128.252
R 10.1.129.0/24 [120/1] via 10.1.130.252, 00:00:15, Serial0/1/0
S 10.1.3.0/24 [1/0] via 10.1.130.252
R 10.2.1.0/24 [120/1] via 10.1.130.252, 00:00:15, Serial0/1/0
C 10.1.1.0/24 is directly connected, FastEthernet0/0
C 10.1.100.0/24 is directly connected, FastEthernet0/1
R 10.1.4.0/24 [120/1] via 10.1.100.252, 00:00:15, FastEthernet0/1
S 10.1.1.0/8 [1/1] via 10.1.129.253
C 10.1.130.0/24 is directly connected, Serial0/1/0
C 10.1.128.0/24 is directly connected, Serial0/0/1
S* 0.0.0.0 [1/0] via 10.1.100.252

Displaying link and protocol status commands

router#show ip interface brief

Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.251 YES manual up up
FastEthernet0/1 10.1.100.251 YES manual up up
Serial0/0/0 unassigned YES unset administratively down down
Serial0/0/1 10.1.128.251 YES manual up up
Serial0/1/0 10.1.130.251 YES manual up up
Serial0/1/1 unassigned YES unset administratively down down

router#show protocols
Global values:
Internet protocol routing is enabled
Serial0/0/0 is administratively down, line protocol is down
Serial0/0/1 is up, line protocol is up
Internet address is 10.1.128.251/24
Serial0/1/0 is up, line protocol is up
Internet address is 10.1.130.251/24
Serial0/1/1 is administratively down, line protocol is down
FastEthernet0/0 is up, line protocol is up
Internet address is 10.1.1.251/24
FastEthernet0/1 is up, line protocol is up
Internet address is 10.1.100.251/24
Albuquerque#show protocols fa0/0
% Incomplete command.

router#show protocols fa0/0

router#show interfaces

FastEthernet0/0 is up, line protocol is up

Hardware is AmdFE, address is 00b0.94e0.7388 (bia 00b0.94e0.7388)
Internet address is 10.1.1.251/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliablility 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10)
Full -duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:50, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 0 packets/sec
588 packets input, 74628 bytes
Received 588 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast
0 input packets with dribble condition detected
231 packets output, 53712 bytes, 0 underruns
--More--

Clock and Bandwidth Commands

router>enable
router#config t
Enter configuration commands, one per line. End with CNTL/Z
router(config)#interface serial0/0/1
router(config-if)#clock rate 128000
router(config-if)#bandwidth 64

Displaying Clock Rate and Bandwidth Settings

router#show controllers serial0/0/1

Interface Serial0/0/1
Hardware is GT96K
DCE V.35 clock rate 128000
idb at 0x454E69C8, driver data structure at 0x454EE0EC

router#show running-config

interface Serial0/0/1
bandwidth 64
ip address 10.1.128.251 255.255.255.0
no ip directed-broadcast
Backing up and Restoring IOS and configuration files Image

Backup IOS Image

Switch#copy flash tftp
Source filename []? c2960-lanbase-mz.122-25.FX.bin
Address or name of remote host []? 10.0.0.1
Destination filename [c2960-lanbase-mz.122-25.FX.bin]? Router-A-IOS

Backing up Startup Configuration

Switch#copy startup-config tftp
Address or name of remote host []? 10.0.0.1
Destination filename [Switch-confg]? Router-A-Startup-Config

Restoring or Updating IOS version

Router#copy tftp flash
Address or name of remote host []? 10.0.0.1
Source filename []? c4500-d-mz.120-5.bin
Destination filename [c4500-d-mz.120-5.bin]?

Restoring Startup Configuration

Switch#copy tftp startup-config
Address or name of remote host []? 10.0.0.5
Source filename []? Router-A-Startup-Config
Destination filename [startup-config]?

Deleting a Flash Image

Switch#delete flash:c2960-lanbase-mz.122-25.FX.bin
Delete filename [c2960-lanbase-mz.122-25.FX.bin]?y
Delete flash:/y? [confirm]y

Display the file in Flash Memory

Switch#dir flash:

Checking the current IOS version and flash memory status

Router#show flash
-#- --length-- -----date/time------ path
1 36232088 Feb 13 2007 23:15:58 +00:00 c2800nm-advipservicesk9-mz.124-12.bin

18468864 bytes available (45547520 bytes used)

Setting the Configuration Register to load router in ROMMON mode

router(config)#config-register 0x2100

Setting the Configuration Register to load first image in flash

router(config)#config-register 0x2101

Setting the Configuration Register to load using image specified in boot system command
router(config)#config-register 0x2102 (Default Setting)
or
router(config)#config-register 0x210F

Boot System Commands - Load first file from flash

router(config)#boot system flash

Boot System Commands - IOS with the name filename is loaded from flash memory
router(config)#boot system flash filename

Boot System Commands - IOS with the name filename is loaded from tftp server
router(config)#boot system flash filename 10.0.0.1
Routing Protocols (Chapter 14)

Enabling rip v2
router(config)#router rip
router(config-router)#version 2
router(config-router)#network 10.0.0.0
router(config-router)#network 172.1.0.0

Display routes learnt by rip

router#show ip route rip

Display information about rip plus ip addresses of neighbouring rip routers

router#show ip protocols

Display the mask in decimal rather than prefix when using show ip route command
router#terminal ip netmask-format decimal

Adding a Static Route using IP address for next hop

router(config)#ip route 172.16.30.1 255.255.255.0 10.1.128.251

Adding a Static Route using the interface as the outgoing port

router(config)#ip route 192.168.30.1 255.255.255.0 serial0/1/0

Extended Ping Command (enter Y when prompted for extended commands)

router#ping
Protocol [ip]:
Target IP address: 172.1.0.150
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.0.0.1

Exiting out of a ping or traceroute command

press shift+F6

Adding a Default Route

router(config)#ip route 0.0.0.0 0.0.0.0 10.2.128.1
or
router(config)#ip default-network 10.0.0.0

Removing a Default Route

router(config)#no ip route 0.0.0.0 0.0.0.0 10.2.128.1

Setting rip to debug

router#debug ip rip

Disabling rip debug

router#undebug all

Show process to check CPU usage

router#show process

Adding timestamps to debug messages

router(config)#service timestamps debug

Adding timestamps to log messages

router(config)#service timestamps log

Enabling Classful Routing (use to test behaviour of default route)

router(config)#no ip classless
Configuring Manual Summarization
router(config)#interface s0/0
router(config-if)#ip summary-address eigrp 1 172.0.0.0 255.255.0.0

Disable Autosummarisation (can only do on classless routing protocols and can't do it on OSPF)
router(config)#router rip
router(config-router)#no auto-summary
Troubleshooting IP Routing (Chapter 15)
Display a routers ARP cache
router#show ip arp

Display routes for connected interfaces

router#show ip route connected

Telnet and Suspend

Telnet to first router
Then telnet from first router to second
Press ctrl+Shift+6 then x to switch between routers

Show sessions or where displays a list of available sessions

Resume 1 will take you to session 1 or just type 1 then press enter
Resume will take you the most recently suspended session. This will be the session the has an * next to it when using the
show session or where command
Disconnect 1 will disconnect session number 1

Additional Commands
Configuring DCHP Pool

BGRouter(config)#ip dhcp pool SalesNetwork

BGRouter(dhcp-config)#Network 10.0.0.0 255.255.0.0
BGRouter(dhcp-config)#default-router 10.0.0.1
BGRouter(dhcp-config)#dns-server 172.16.0.2
BGRouter(dhcp-config)#exit
BGRouter(config)#ip dhcp excluded-address 10.0.0.1 10.0.0.10

Show Information about leased DHCP addresses

BGRouter#show ip dhcp binding

Configuring DHCP Pools for multiple VLANS

Create 2 VLANs on the Switch

Give each VLAN an IP Address
Connect the router to the switch using two cables one for each VLAN
Give each router interfaces an IP address
Assign each interface to a separate VLAN

BGRouter2(config)#ip dhcp pool Sales

BGRouter2(dhcp-config)#network 192.0.1.1 255.255.255.224
BGRouter2(dhcp-config)#default-router 192.0.1.29
BGRouter2(dhcp-config)#dns-server 192.168.1.30
BGRouter2(dhcp-config)#exit
BGRouter2(config)#ip dhcp excluded-address 192.168.1.61
BGRouter2(config)#ip dhcp excluded-address 192.168.1.62

BGRouter2(config)#ip dhcp pool Marketing

BGRouter2(dhcp-config)#network 192.0.1.33 255.255.255.224
BGRouter2(dhcp-config)#default-router 192.0.1.62
BGRouter2(dhcp-config)#dns-server 192.168.1.2
BGRouter2(dhcp-config)#exit
BGRouter2(config)#ip dhcp excluded-address 192.168.1.61
BGRouter2(config)#ip dhcp excluded-address 192.168.1.62
Configuring NAT/PAT (configure dynamic routing on all routers)

BGRouter(config)#interface fa0/0
BGRouter(config-if)#ip nat inside
BGRouter(config-if)#exit
BGRouter(config)#interface s0/0
BGRouter(config-if)#ip nat outside
BGRouter(config-if)#exit
BGRouter(config)#access-list 1 permit 10.0.0.11
BGRouter(config)#access-list 1 permit 10.0.0.12
BGRouter(config)#ip nat pool SalesPool 198.18.194.73 198.18.194.78 netmask 255.255.255.248
BGRouter(config)#ip nat inside source list 1 pool SalesPool overload
BGRouter(config)#exit

You’ll need to add a route back to the 198.18.194.0 address range from the ISP router

ISP(config)#ip route 198.18.194.0 255.255.255.0 172.16.0.2

Configuring NAT to Allow Any Address in the 192 Range to use NAT
router(config)#access-list 1 permit 192.0.1.0 0.255.255.255

NAT Show Commands

BGRouter#show ip nat statistics

Total translations: 2 (0 static, 2 dynamic, 2 extended)
Outside Interfaces: Serial0/0
Inside Interfaces: FastEthernet0/0
Hits: 17 Misses: 1025
Expired translations: 7
Dynamic mappings:
-- Inside Source
access-list 1 pool SalesPool refCount 2
pool SalesPool: netmask 255.255.255.248
start 198.18.194.73 end 198.18.194.78
type generic, total addresses 6 , allocated 1 (16%), misses 0

BGRouter#show ip nat translations

Pro Inside global Inside local Outside local Outside global
icmp 198.18.194.73:21 10.0.0.11:21 192.168.0.2:21 192.168.0.2:21
icmp 198.18.194.73:22 10.0.0.11:22 192.168.0.2:22 192.168.0.2:22
icmp 198.18.194.73:23 10.0.0.11:23 192.168.0.2:23 192.168.0.2:23
icmp 198.18.194.73:24 10.0.0.11:24 192.168.0.2:24 192.168.0.2:24
icmp 198.18.194.73:5 10.0.0.12:5 192.168.0.2:5 192.168.0.2:5
icmp 198.18.194.73:6 10.0.0.12:6 192.168.0.2:6 192.168.0.2:6
icmp 198.18.194.73:7 10.0.0.12:7 192.168.0.2:7 192.168.0.2:7
icmp 198.18.194.73:8 10.0.0.12:8 192.168.0.2:8 192.168.0.2:8
udp 198.18.194.73:1036 10.0.0.11:1036 192.168.0.2:53 192.168.0.2:53
udp 198.18.194.73:1026 10.0.0.12:1026 192.168.0.2:53 192.168.0.2:53
udp 198.18.194.73:1027 10.0.0.12:1027 192.168.0.2:53 192.168.0.2:53
tcp 198.18.194.73:1025 10.0.0.11:1025 192.168.0.2:80 192.168.0.2:80
tcp 198.18.194.73:1024 10.0.0.12:1025 192.168.0.2:80 192.168.0.2:80
Configuring MTU Size

Sets MTU size for all layer 3 protocols

Router1(config)#interface s0/0
Router1(config-if)#mtu 1280
or
Sets MTU size for IP only
Router1(config)#interface s0/0
WANRouter1(config-if)#ip mtu 1280

Removing MTU settings

Router1(config-if)#no mtu
Standard Access Control Lists (ACLs)
Display all ACLs on a router
R1#show access-lists

Display a specific ACL by number

R1#show access-lists 1

Display a specific ACL by name

R1#show access-lists Test

Block inbound traffic based on an IP address

R1(config)#interface s0/0
R1(config-if)#ip access-group 1 in
R1(config-if)#exit
R1(config)#access-list 1 remark stop all inbound traffic from source IP 10.1.1.2
R1(config)#access-list 1 deny 10.1.1.2 0.0.0.0
R1(config)#access-list 1 permit 0.0.0.0 255.255.255.255
or
R1(config)#interface fa0/0
R1(config-if)#ip access-group 1 in
R1(config-if)#exit
R1(config)#access-list 1 deny 10.1.1.2
R1(config)#access-list 1 permit any
or
R1(config)#interface fa0/0
R1(config-if)#ip access-group 1 in
R1(config-if)#exit
R1(config)#ip access-list standard 1
R1(config-std-nacl)#deny 10.1.1.2
R1(config-std-nacl)#permit any

Block outbound traffic based on an IP address

R2(config)#interface fa0/0
R2(config-if)#ip access-group 1 out
R2(config-if)#exit
R2(config)#access-list 1 remark stop all inbound traffic from source IP 10.1.3.2
R2(config)#access-list 1 deny 10.1.3.2 0.0.0.0
R2(config)#access-list 1 permit 0.0.0.0 255.255.255.255

Extended ACLs

Block any IP packet from any source address to destination IP address 10.1.4.4
R3(config-if)#ip access-group 100 out
R3(config-if)#exit
R3(config)#access-list 100 deny ip any host 10.1.4.4
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255

Block IP packets from 10.1.1.2 to destination address 10.1.4.4

R3(config)#access-list 100 deny ip host 10.1.1.2 host 10.1.4.4
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255

Block tcp packets for destination IP 10.1.3.4 and destination port 21

R3(config)#access-list 100 deny ip any host 10.1.4.3 eq 21
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255
or
R3(config)#access-list 100 deny ip any host 10.1.4.3 eq ftp
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255

Block tcp packets with a source greater than 1023 and a source IP 10.1.4.1 and port of 21
R3(config)#access-list 100 deny tcp any gt 1023 host 10.1.4.3 eq 21
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255

Allow tcp packets from 10.1.1.0 network to connect to destination 10.1.4.3 on port 21
R3(config)# access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 10.1.4.3 eq 21

Multiple ACL entries (Routers read ACLs in order entered if the last one was entered first the others would not be
applied as this one allows all traffic. same goes for the first one if that was applied after the third one it would not
work)
R3(config)# access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 10.1.4.3 eq 21
R3(config)#access-list 100 deny ip any host 10.1.4.4
R3(config)#access-list 100 deny tcp any host 10.1.4.3 eq ftp
R3(config)#access-list 100 permit ip any any

Named ACLs (these can be used for standard and extended ACLs)

Block inbound IP packets from 10.1.1.2 to destination address 10.1.1.1

R1(config)#ip access-list extended BlockInbound1
R1(config-ext-nacl)#deny ip host 10.1.2.1 host 10.1.1.1
R1(config-ext-nacl)#premit ip any any
R1(config)#exit
R1(config)#interface fa0/0
R1(config-if)#ip access-group BlockInbound1 out

Block all outbound traffic from 10.1.1.3 out one interface on a router
R1(config)#ip access-list extended BlockOutbound1
R1(config-ext-nacl)#deny ip host 10.1.1.3 any
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#interface s0/1
R1(config-if)#ip access-group BlockOutbound1 out

Block all inbound traffic to 10.1.4.4 & block all ftp traffic to 10.1.4.3 apart from devices on the 10.1.1.0 network
R3(config)#ip access-list extended BlockInbound1
R3(config-ext-nacl)#deny ip any host 10.1.4.4
R3(config-ext-nacl)#permit tcp 10.1.1.0 0.0.0.255 host 10.1.4.3 eq ftp
R3(config-ext-nacl)#deny tcp any host 10.1.4.3 eq ftp
R3(config-ext-nacl)#permit ip any any
R3(config-ext-nacl)#exit
R3(config)#interface fa1/0
R3(config-if)#ip access-group BlockInbound1 out
Manipulating ACLs Using Sequence Numbers
(works on IOS 12.3 or later and doesn't work in Packet Tracer)

Create Access List (notice sequence numbers using the show command)
R1(config)#ip access-list standard 1
R1(config-std-nacl)#deny 10.1.2.0 0.0.255.255
R1(config-std-nacl)#deny 10.2.3.0 0.0.255.255
R1(config-std-nacl)#permit any
R1(config-std-nacl)#exit
R1(config)#do show access-list 1
Standard IP access list 1
10 deny 10.1.0.0, wildcard bits 0.0.255.255
20 deny 10.2.0.0, wildcard bits 0.0.255.255
30 permit any

Adding a new entry between sequence number 20 & 30

R1(config)#ip access-list standard 1
R1(config-std-nacl)#25 deny 10.3.0.0 0.0.255.255
R1(config-std-nacl)#do show access-list
Standard IP access list 1
10 deny 10.1.0.0, wildcard bits 0.0.255.255
20 deny 10.2.0.0, wildcard bits 0.0.255.255
25 deny 10.3.0.0, wildcard bits 0.0.255.255
30 permit any

Removing an entry
R1(config-std-nacl)#no 20
R1(config-std-nacl)#do show access-list
Standard IP access list 1
10 deny 10.1.0.0, wildcard bits 0.0.255.255
25 deny 10.3.0.0, wildcard bits 0.0.255.255
30 permit any

Stopping Access to VTY Lines (telnet, ssh)

R2(config)#line vty 0 15
R2(config-line)#access-class in
R2(config)#exit
R2(config)#access-list 3 deny any