commands

The document provides a comprehensive guide on configuring network devices, including commands for managing router and switch settings, enabling security features, and setting up routing protocols. It covers various topics such as interface configuration, VLANs, OSPF, EIGRP, HSRP, and NTP, along with examples of command usage. Additionally, it discusses the use of access control lists (ACLs) and device discovery protocols like CDP and LLDP.

Uploaded by getthismsg11

show running-config (the default)
enable password CCNA
show startup-config

++++++++++++++++++++++++++++++++++++++++++++++++++++++++
saves the configuration
_________________
Router#write
Router#write memory
Router#copy running-config startup-config


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Router(config)# service password-encryption

enable password 7 [the number 7 shows the type of encryption]

cisco type 7 password cracker

Router(config)# enable secret Cisco

Router(config)#service password-encryption //encrypts the enable password (and other passwords)
Router(config)#enable secret password //configures a more secure, always-encrypted enable password
Router(config)#no command //removes the command
Router#show running-config //displays the current, active configuration file
Router#show startup-config //displays the saved configuration file which will be loaded if the device is restarted

===================================================================================
=================================================

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++

router#show interface //shows all the interfaces with their errors, properties and all other available info

Switch#show mac address-table dynamic

Vlan    Mac Address       Type       Ports
----    -----------       --------   -----

router# show ip interface brief

Interface   IP-Address   OK?   Method   Status   Protocol
---------   ----------   ---   ------   ------   --------

Switch#show interface status [Invalid input in Routers]

Port   Name (description)   Status   Vlan   Duplex   Speed   Type
----   ------------------   ------   ----   ------   -----   ----

SW2(config)# interface g0/0


SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)#switchport trunk allowed vlan 10,30
SW2(config-if)#switchport trunk native vlan 1001
SW2(config-if)#do show interfaces trunk // [different than 'show vlan brief']
Port Mode Encapsulation Status Native vlan
Gi0/0 on 802.1q trunking 1001
Port Vlans allowed on trunk
Gi0/0 10,30
Port Vlans allowed and active in management domain
Gi0/0 10,30
Port Vlans in spanning tree forwarding state and not pruned
Gi0/0 10,30

R1(config)#interface g0/0
R1(config-if)#no shutdown

R1(config-if)#interface g0/0.10
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip address 192.168.1.62 255.255.255.192
R1(config-subif)#interface g0/0.20
R1(config-subif)#encapsulation dot1q 20
R1(config-subif)#ip address 192.168.1.126 255.255.255.192
R1(config-subif)#interface g0/0.30
R1(config-subif)#encapsulation dot1q 30
R1(config-subif)#ip address 192.168.1.190 255.255.255.192
R1(config-subif)#

switch1(config-if)#switchport trunk native vlan 1001

R1(config)#no interface g0/0.10


R1(config)#no interface g0/0.20
R1(config)#no interface g0/0.30
R1(config)#default interface g0/0
Interface GigabitEthernet0/0 set to default configuration
R1(config)#do show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES NVRAM up up
GigabitEthernet0/0.10 unassigned YES manual deleted down
GigabitEthernet0/0.20 unassigned YES manual deleted down
GigabitEthernet0/0.30 unassigned YES manual deleted down
GigabitEthernet0/1 unassigned YES NVRAM administratively down down
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
GigabitEthernet0/3 unassigned YES NVRAM administratively down down

SW2(config)#default interface g0/1 // Interface GigabitEthernet0/1 set to default configuration
SW2(config)# ip routing
SW2(config)# interface g0/1
SW2(config-if)#no switchport
SW2(config-if)#ip address 192.168.1.193 255.255.255.252
SW2(config-if)#do show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset up up
GigabitEthernet0/2 unassigned YES unset up up
GigabitEthernet0/3 unassigned YES unset up up
GigabitEthernet0/1 192.168.1.193 YES manual up up
GigabitEthernet1/0 unassigned YES unset up up
GigabitEthernet1/1 unassigned YES unset up up
GigabitEthernet1/2 unassigned YES unset up up
GigabitEthernet1/3 unassigned YES unset up up
GigabitEthernet2/0 unassigned YES unset up up
GigabitEthernet2/1 unassigned YES unset up up
GigabitEthernet2/2 unassigned YES unset up up
GigabitEthernet2/3 unassigned YES unset up up

SVI creation // switch virtual interface, it is the default gateway for each subnet, i.e. vlan

--------------
SW2(config)#interface vlan10
SW2(config-if)#ip address 192.168.1.62 255.255.255.192
SW2(config-if)#no shutdown
SW2(config-if)#interface vlan20
SW2(config-if)#ip address 192.168.1.126 255.255.255.192
SW2(config-if)#no shutdown
SW2(config-if)#interface vlan30
SW2(config-if)#ip address 192.168.1.190 255.255.255.192
SW2(config-if)#no shutdown

SW1#show interfaces g0/0 switchport


Name: Gi0/0
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk

===================================================================================
=================================================

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++

R1#show ip protocols

R1(config)#router rip
R1(config)#router eigrp 1 // the 1 is the autonomous system (AS) number

R1(config-router)#distance 85 // to set the administrative distance

R1(config-router)#passive-interface g0/1
R1(config-router)#no auto-summary

R1(config-router)#network 10.0.0.0 // the network RIP will advertise

R1(config-router)#network 172.16.1.4 0.0.0.15 // the wildcard mask states which bits of the ip on the router interface must match the address in the command (the zero bits in the wildcard mask are the bits that must match, 28 in this example case)
// the easiest way to get the wildcard mask is to subtract the subnet mask of the interface from 255

R1(config-router)# default-information originate // to advertise R1's default route to its neighbours
R1(config)# ip route 0.0.0.0 0.0.0.0 10.0.12.1

===================================================================================
=================================================

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++

R1#show etherchannel summary


R1(config)#port-channel load-balance src-dst-ip //port-channel load-balance method
SW1(config)# do show etherchannel load-balance

SW1(config-if-range)#channel-protocol lacp
SW1(config-if-range)#channel-group 1 mode active

SW1(config-if-range)#interface port-channel 1
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk

SW1(config)#interface range
SW1(config-if-range)#no switchport
SW1(config-if-range)#channel-group 2 mode on
SW1(config-if)#interface po2 // port channel 2
SW1(config-if)#ip address 10.0.0.2 255.255.255.252

SW1(config)#ip routing
SW1(config)# do show ip route

===================================================================================
=================================================

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++
do show ip eigrp neighbors
do show ip eigrp topology

router-id 1.1.1.1 // how is the router id selected? 1) manual 2) highest loopback ip 3) highest ip of a physical interface

show ip ospf interface g0/0

R1(config-router)# auto-cost reference-bandwidth 100000 [it is in Mbps]

R1(config)# interface g0/0
R1(config-if)# ip ospf cost 10000 [it is in Mbps]

show ip ospf interface brief
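The router-id precedence and the interface cost formula from the lines above, as an added Python example (not part of the original notes) so the arithmetic behind 'auto-cost reference-bandwidth' can be checked. The interface addresses and link speeds used are constructed for the illustration.

```python
# Added example, not from the original notes: OSPF router-id precedence and
# the interface cost formula the notes describe. Addresses and bandwidths
# below are constructed for illustration.
import ipaddress


def select_router_id(manual_id=None, loopback_ips=(), physical_ips=()):
    """Return the router-id using the order of precedence in the notes:
    1) a manually configured router-id, 2) the highest loopback IP,
    3) the highest IP of a physical interface. None if nothing qualifies."""
    if manual_id:
        return manual_id
    for candidates in (loopback_ips, physical_ips):
        if candidates:
            return str(max(ipaddress.IPv4Address(ip) for ip in candidates))
    return None


def ospf_cost(interface_bandwidth_mbps, reference_bandwidth_mbps=100):
    """IOS formula: cost = reference bandwidth / interface bandwidth, truncated
    to an integer and never below 1. The IOS default reference bandwidth is
    100 Mbps, i.e. the value before 'auto-cost reference-bandwidth' is raised."""
    return max(1, reference_bandwidth_mbps // interface_bandwidth_mbps)


def cost_table(interface_bandwidths_mbps, reference_bandwidth_mbps=100):
    """Cost per link speed. With the default reference bandwidth, 100 Mbps,
    1 Gbps and 10 Gbps links all cost 1 and OSPF cannot prefer the faster
    one; raising the reference bandwidth to 100000 restores the distinction."""
    return {bw: ospf_cost(bw, reference_bandwidth_mbps) for bw in interface_bandwidths_mbps}


if __name__ == "__main__":
    print(select_router_id(loopback_ips=["10.0.0.1"], physical_ips=["192.168.1.1"]))
    print(cost_table([100, 1000, 10000]))          # default reference bandwidth
    print(cost_table([100, 1000, 10000], 100000))  # after auto-cost reference-bandwidth 100000
```

The reference bandwidth must be the same on every router in the area, otherwise the costs computed on different routers disagree and path selection becomes inconsistent.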

R1(config)# interface g0/0


R1(config-if)# ip ospf 1 area 0 // this enables ospf on the interface, without the need for the network command

R1(config)# router ospf 1
R1(config-router)# passive-interface default // makes all interfaces passive
R1(config-router)# no passive-interface g0/0 // makes the interface g0/0 active

R1(config-router)# do show ip ospf neighbors

R1(config-router)#router-id 192.168.1.1
R1(config-router)#no router-id

R1(config)#interface g0/0
R1(config-if)# ip ospf priority 255 // <0-255>, if set to 0 the router cannot become DR or BDR

R1# clear ip ospf process // resets the ospf process, the router starts learning all ospf routes again
R1# reload

R1#show controllers interface-id // to view which end of a serial connection is the DCE (Digital communication Equipment), which is empowered to set the clock rate, and which end is the DTE (Digital Termination Equipment)

R1(config-if)# ip ospf authentication-key jeremy
R1(config-if)# ip ospf authentication

R1(config-if)# ip ospf hello-interval time_in_seconds //
R1(config-if)# ip ospf dead-interval time_in_seconds //

R1(config-if)# no ip ospf dead-interval // to disable it we don't need to specify the time
R1(config-if)# no ip ospf hello-interval //

R1(config)# router ospf 1
R1(config-router)# shutdown // shuts down the ospf process 1
R1(config-router)#no shutdown // to reinstate the process

R1(config-if)# ip mtu 1400 //<68-1500 bytes>
R1(config-if)# no ip mtu // without the value, the default value of 1500 bytes is restored

R1# show ip ospf database


R1(config-router)# do show ip route

R3(config-if)#no ip ospf network point-to-point // to change the point-to-point network type back to broadcast, which is the default

R1# show running-config | section ospf // to show if default-information originate is enabled on the router

configuring HSRP // (hot standby router protocol, which is a type of first hop redundancy protocol)
R1(config)# interface g0/0
R1(config-if)# standby ? //
<0-255> // by default HSRP version 1 is used, which has small group numbers; version 1 has 2 hexadecimal digits allocated for the group in the virtual mac, i.e. (0000.0c07.acxx)

R1(config-if)# standby version 2 // to change the version to version 2
R1(config-if)# standby ?
<0-4095> // version 2 has 3 hexadecimal digits allocated for the group, i.e. (0000.0c9f.fxxx)
R1(config-if)# standby 1 ip 172.16.0.254 // the 1 is the group number, it is good practice to make sure the group number and vlan number match, as it makes configuring easier
R1(config-if)# standby 1 priority ?
<0-255>
R1(config-if)# standby 1 priority 200 // the router with the highest priority becomes the active router, i.e. the default gateway; the default priority is 100. the tie-breaker is the interface ip address, the one with the highest ip becomes the active router
R1(config-if)# standby 1 preempt

R1#show standby
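The election rules and the virtual MAC layout described above, as an added Python example (not part of the original notes). The router names, interface addresses and priorities are constructed; the preempt behaviour modelled is the one the notes describe, a router that comes up later only takes the active role when preempt is configured on it.

```python
# Added example, not from the original notes: HSRP active-router election
# (highest priority, then highest interface IP, with preempt deciding whether
# a later router can take over) and the v1/v2 virtual MAC layout.
import ipaddress
from dataclasses import dataclass


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100    # IOS default priority
    preempt: bool = False  # 'standby <group> preempt'


def elect_active(routers):
    """Winner of an open election: highest priority, then highest IP."""
    return max(routers, key=lambda r: (r.priority, int(ipaddress.IPv4Address(r.ip))))


def active_after_join(incumbent, newcomer):
    """Who is active once 'newcomer' comes up while 'incumbent' already holds
    the role. Without preempt the incumbent keeps it even if the newcomer
    would win an open election; that is why the notes configure preempt."""
    if newcomer.preempt and elect_active([incumbent, newcomer]) is newcomer:
        return newcomer
    return incumbent


def virtual_mac(group, version=1):
    """Virtual MAC for the group: version 1 uses two hex digits for the group
    (0000.0c07.acXX, groups 0-255), version 2 uses three (0000.0c9f.fXXX,
    groups 0-4095)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRP v1 group must be 0-255")
        return f"0000.0c07.ac{group:02x}"
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRP v2 group must be 0-4095")
        return f"0000.0c9f.f{group:03x}"
    raise ValueError("HSRP version must be 1 or 2")


if __name__ == "__main__":
    r1 = HsrpRouter("R1", "172.16.0.1", priority=200, preempt=True)
    r2 = HsrpRouter("R2", "172.16.0.2")
    print(elect_active([r1, r2]).name, virtual_mac(1), virtual_mac(10, 2))
```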

R1(config)# ipv6 unicast-routing // allows the router to perform IPv6 routing

R1(config)# interface g0/0
R1(config-if)#ipv6 address 2001:db8:0:0::1/64
R1(config-if)#no shutdown

R1# show ipv6 interface brief

R1(config)# interface g0/0
R1(config-if)#ipv6 address 2001:db8::/64 eui-64
R1(config-if)#no shutdown

R1#show interfaces g0/0 // to display information regarding the mac addresses and others
R1(config)#ipv6 route 2001:db8:0:1::/64 g0/0
R1(config-if)#ipv6 enable // to enable IPv6 on the interface without explicitly configuring an IPv6 address

R1(config-if)# ipv6 address autoconfig // to configure SLAAC (stateless address auto-configuration)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$ACL

R1(config)# access-list number {deny | permit} ip wildcard-mask

R1(config)# access-list 1 deny 1.1.1.1 // the following 3 forms are the same, they are used only when configuring an ACL entry for a single host
R1(config)# access-list 1 deny 1.1.1.1 0.0.0.0
R1(config)# access-list 1 deny host 1.1.1.1

R1(config)# access-list 1 deny any
R1(config)# access-list 1 deny 0.0.0.0 255.255.255.255

R1(config)# access-list 1 remark ## Block

R1(config)# do show running-config | include access-list // includes the remarks

R1(config-if)# ip access-group number {in | out} // to apply to an interface

R1(config)# ip access-list standard acl-name // to configure a standard named access control list
R1(config)# ip access-list standard Block_BoB
R1(config-std-nacl)#[entry-number] {deny | permit} ip wildcard-mask
R1(config-std-nacl)#interface g0/0
R1(config-if)# ip access-group Block_BoB {in | out} // to apply to an interface

R1(config)# do show running-config | section access-list // to see the access control entries (ACE)

R1(config)# ip access-list resequence ACL_number first_number increment_by
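The wildcard-mask rule from the routing section (subtract the subnet mask from 255) and the standard ACL forms listed above, as an added Python example that is not part of the original notes. It parses the host/any/wildcard entry forms and evaluates an ACL top-down with first match and the implicit deny at the end; the ACL entries and addresses it is run against are constructed.

```python
# Added example, not from the original notes: wildcard-mask arithmetic and a
# first-match evaluator for standard ACL entries. The ACL and the addresses
# tested against it are constructed for illustration.
import ipaddress


def wildcard_from_mask(subnet_mask):
    """The rule from the notes: subtract each octet of the subnet mask from 255."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def matches(address, base, wildcard):
    """A 0 bit in the wildcard means 'must match', a 1 bit means 'don't care'."""
    must_match = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    return (a & must_match) == (b & must_match)


def parse_ace(line):
    """Parse one standard access control entry in the forms the notes list:
    '{deny|permit} host A', '{deny|permit} any', '{deny|permit} A [wildcard]'."""
    parts = line.split()
    action, target = parts[0], parts[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACE: {line!r}")
    if target == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if target == "host":
        return action, parts[2], "0.0.0.0"
    wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"  # bare address == host
    return action, target, wildcard


def evaluate(acl, source_ip):
    """Top-down, first-match evaluation; the implicit 'deny any' applies when
    no entry matches, which is why an ACL with only deny entries blocks everything."""
    for line in acl:
        action, base, wildcard = parse_ace(line)
        if matches(source_ip, base, wildcard):
            return action
    return "deny"


# Constructed ACL: block one host, allow one /28 and one /24, deny the rest.
BLOCK_BOB = [
    "deny host 1.1.1.1",
    "permit 172.16.1.4 0.0.0.15",
    "permit 192.168.0.0 " + wildcard_from_mask("255.255.255.0"),
]

if __name__ == "__main__":
    for ip in ("1.1.1.1", "172.16.1.9", "172.16.1.16", "192.168.0.200", "10.0.0.1"):
        print(ip, evaluate(BLOCK_BOB, ip))
```

Entry order matters: a 'permit any' placed before 'deny host 1.1.1.1' would make the deny unreachable, which is the reason the notes show the resequence command for renumbering entries.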

===================================================================================
================================================================================

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$CDP $LLDP

R1(config)# no cdp run // to globally disable cdp (cisco discovery protocol) on the whole network device
R1(config-if)#no cdp enable // to disable cdp on a particular interface

R1# show cdp neighbor detail // shows all the necessary details of the cisco devices this device is connected to: ip, capability, local and neighbor interface, duplex, etc
R1# show cdp neighbor // shows interfaces and capabilities
R1# show cdp interface // shows all the interfaces and the neighbour interface they are connected to

SW3(config)#lldp run // to run lldp on the whole device
SW3(config-if)#lldp receive // to enable reception on a particular interface
SW3(config-if)#lldp transmit // to enable transmission on a particular interface
===================================================================================
=======================================================

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$NTP

R1# clock set 12:00:00 30 dec 2020

R1#show clock
12:0:16.704 UTC Wed Dec 30 2020
R1#show clock detail
12:0:26.56 UTC Wed Dec 30 2020
Time source is user configuration

R1(config)#clock timezone TigrayTimezone -3 30

R1(config)#ntp server 132.12.12.25


R1(config)#ntp server 132.12.13.25
R1(config)#ntp server 132.12.14.25
R1(config)#ntp server 132.12.16.25

R1#show ntp associations // shows all the ntp servers configured, and the stratum of the ntp server that R1 is synced to
R1#show ntp status // shows the stratum of R1

R1(config)#ntp update-calendar // configures the router to update the hardware clock (calendar) with the time learned via NTP

R1(config)# interface loopback0
R1(config-if)# ip address 10.0.0.1 255.255.255.255
R1(config-if)# exit
R1(config)# ntp source loopback0 // tells R1 to use the loopback interface for ntp related messages, this is for convenience

on R2
R2(config)#ntp server 10.0.0.1

what if there is no ntp server to synchronize to, what can the routers do? it is possible to manually configure one router as the master, which will have a stratum of 7 by default, and other network devices can synchronize to it

R1(config)#ntp master

R2(config)#ntp peer 10.0.0.2 // if 10.0.0.2 is the address of R3, then R2 and R3 will have the same stratum

-----------------------------------------------------------------------------------
----------------------
R1 has an address of 1.1.1.1 in this example

R1(config)#ntp authenticate // to enable NTP authentication
R1(config)#ntp authentication-key 3 md5 password // create the NTP authentication key(s)
R1(config)#ntp trusted-key 3 // specifying which key(s) are trusted

R2(config)#ntp authenticate
R2(config)#ntp authentication-key 3 md5 password
R2(config)#ntp trusted-key 3
R2(config)#ntp server 1.1.1.1 key 3 // specifying which key to use for each server, in this case for server 1.1.1.1; this command is not needed on R1, the ntp server itself (the master, or the source)
R2(config)#ntp peer 10.0.0.2 key 3

R3(config)#ntp authenticate
R3(config)#ntp authentication-key 3 md5 password
R3(config)#ntp trusted-key 3
R3(config)#ntp server 1.1.1.1 key 3 // specifying which key to use for each server, in this case for server 1.1.1.1; this command is not needed on the ntp server itself (the master, or the source)
R3(config)#ntp peer 10.0.0.2 key 3
-----------------------------------------------------------------------------------
------------
===================================================================================
==========================================================================

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$dhcp

R1(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10 // range of addresses not to be assigned
R1(config)#ip dhcp pool Lab_Pool // create a pool of ip addresses to be assigned by the dhcp server, i.e. R1
R1(dhcp-config)# network 192.168.1.0 /24 // the network address to be allocated to devices, along with its subnet mask
R1(dhcp-config)#dns-server 8.8.8.8
R1(dhcp-config)#domain-name jeremysitlab.com
R1(dhcp-config)#default-router 192.168.1.1
R1(dhcp-config)#lease 0 5 30 // for 0 days 5 hours and 30 minutes, or it can be set as 'infinite'

R1#show ip dhcp binding // shows all the client devices that are currently assigned an ip address by the dhcp server
R1#show ip dhcp pool
---------------------------------------------------------------------
$dhcp_relay

R1(config)#interface g0/1 // the interface connected to the end user devices requesting an ip, i.e. sending dhcp discover messages
R1(config-if)#ip helper-address 192.168.10.10 // the address of the actual dhcp server (not the relay) is put here

------------------------------------------------------------------------

-------------------------------------------------------------------------
$dhcp_client

a router can become a dhcp client, i.e. its interfaces send dhcp discover messages and get ip addresses from a dhcp server; this is not usually a good option though

R1(config)#interface g0/2
R1(config-if)#ip address dhcp // use the ip address assigned by dhcp

on pc
C:\Users\user> ipconfig /release
C:\Users\user> ipconfig /renew

------------------------------------------------------------------------

===================================================================================
==========================================================================
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$SNMP

R1(config)# snmp-server contact [email protected] //optional information
R1(config)# snmp-server location jeremy's House

R1(config)# snmp-server community Jeremy1 ro // community strings are basically passwords, the ro stands for read only
R1(config)# snmp-server community Jeremy2 rw // community strings are basically passwords, the rw stands for read and write
// the default community strings are public for ro, and private for rw

R1(config)# snmp-server host 192.168.1.1 version 2c Jeremy1 // the address of the NMS server (the managing server), the version of snmp used and the community string (password)
// this means that the managing device can only read from R1, not write to it
R1(config)# snmp-server enable traps snmp linkdown linkup // traps that show a link is down and up will be sent
R1(config)# snmp-server enable traps config // a trap will be sent if the configuration has changed

===================================================================================
==============================================================================

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$telnet

R1(config)#line console 0 // only one user at a time can connect and configure the router via the console
R1(config-line)#password ccna // configure a password
R1(config-line)#login // requests the password from the user when logging in via the console port

R1(config)#username jeremy secret ccnp // create a username and a secret (always encrypted) password
R1(config)#line console 0
R1(config-line)#login local // requires a username and password

to remotely telnet or ssh to switches, they need to have an ip address, which can be assigned using an svi

SW1(config)#interface vlan1
SW1(config-if)#ip address 192.168.1.253 255.255.255.0
SW1(config-if)#no shutdown
SW1(config-if)# exit

SW1(config)#ip default-gateway 192.168.1.254


===================================================================================
==============================================================================

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

$SSH

SW1(config)#enable secret ccna // if an enable password/secret isn't configured, you won't be able to access privileged exec mode when connecting via telnet
SW1(config)#username jeremy secret ccna
SW1(config)# access-list 1 permit host 192.168.2.1
SW1(config)#line vty 0 15 // telnet and ssh access are connected via the vty (virtual teletype) lines, there are 16 lines available, hence up to 16 [from 0 up to 15] users can be connected via vty at once
SW1(config-line)#login local // enables username and password requirements when logging in
SW1(config-line)#exec-timeout 5 0 // the expiration of the session, if inactive for 5 minutes and 0 seconds it will terminate
SW1(config-line)#transport input telnet
SW1(config-line)#access-class 1 in

to check if ssh is supported
Switch#show version // if the Cisco IOS image name contains k9, it means it supports ssh
Switch#show ip ssh // reveals if ssh is enabled or disabled, and if the version is 1.99, it means it supports both v1 and v2

Switch(config)#hostname SW1 // configure the hostname, which is needed to generate the RSA keys
SW1(config)#ip domain name jeremysitelab.com // the FQDN (fully qualified domain name = host name + domain name, i.e. SW1.jeremysitelab.com) of the device is used to name the RSA keys.
SW1(config)#crypto key generate rsa
SW1(config)#crypto key generate rsa modulus 2048 // the number after modulus is the length of the key, and should be at least 768 bits for RSA version 2

SW1(config)#do show ip ssh

to enable ssh,

SW1(config)#enable secret ccna // if an enable password/secret isn't configured, you won't be able to access privileged exec mode when connecting via telnet
SW1(config)#username jeremy secret ccna
SW1(config)# access-list 1 permit host 192.168.2.1

SW1(config)# ip ssh version 2 // to enable version 2 ssh

SW1(config)#line vty 0 15 // telnet and ssh access are connected via the vty (virtual teletype) lines, there are 16 lines available, hence up to 16 [from 0 up to 15] users can be connected via vty at once
SW1(config-line)#login local // enables username and password requirements when logging in
SW1(config-line)#exec-timeout 5 0 // the expiration of the session, if inactive for 5 minutes and 0 seconds it will terminate
SW1(config-line)#transport input ssh // best practice is to limit vty connections to ssh only
SW1(config-line)#access-class 1 in // optional but recommended, apply the acl to restrict vty line connections

to connect from a pc
ssh -l username ip-address //
ssh username@ip-address
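The password, SNMP, telnet and SSH sections above each name a weak setting and its replacement ('enable secret' instead of 'enable password', non-default community strings, 'transport input ssh', 'ip ssh version 2'). The following added Python example, which is not part of the original notes, turns those into an offline audit of a saved running-config. Both sample configurations are constructed, and the type 7 string and secret hashes in them are placeholders rather than real values.

```python
# Added example, not from the original notes: an offline audit of an IOS
# running-config for the weak settings the password, SNMP, telnet and SSH
# sections warn about. Sample configs are constructed; hash strings are
# placeholders, not real values.
import re

WEAK_CONFIG = """\
hostname SW1
service password-encryption
enable password 7 TYPE7-PLACEHOLDER
username jeremy secret 5 SECRET-HASH-PLACEHOLDER
snmp-server community public ro
snmp-server community Jeremy2 rw
ip domain name jeremysitelab.com
line vty 0 15
 login local
 exec-timeout 5 0
 transport input telnet ssh
line vty 16 30
 transport input ssh
"""

HARDENED_CONFIG = """\
hostname SW1
enable secret 5 SECRET-HASH-PLACEHOLDER
username jeremy secret 5 SECRET-HASH-PLACEHOLDER
snmp-server community Jeremy1 ro
ip domain name jeremysitelab.com
ip ssh version 2
access-list 1 permit host 192.168.2.1
line vty 0 15
 login local
 exec-timeout 5 0
 access-class 1 in
 transport input ssh
"""


def audit_config(config_text):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    lines = config_text.splitlines()
    block = None  # the 'line ...' section that indented lines below belong to
    for raw in lines:
        stripped = raw.strip()
        if not raw.startswith(" "):
            block = stripped if stripped.startswith("line ") else None
        # 'enable password' is cleartext (type 0) or reversible type 7; the
        # notes recommend 'enable secret' instead.
        m = re.match(r"enable password(?: (\d+))? \S+$", stripped)
        if m:
            kind = "reversible type 7" if m.group(1) == "7" else "cleartext"
            findings.append(f"'enable password' stores a {kind} password; use 'enable secret'")
        # Default or write-capable SNMP community strings.
        m = re.match(r"snmp-server community (\S+) (ro|rw)\b", stripped)
        if m:
            community, mode = m.groups()
            if community.lower() in ("public", "private"):
                findings.append(f"default SNMP community '{community}' ({mode}) is configured")
            if mode == "rw":
                findings.append(f"SNMP community '{community}' allows write access")
        # vty lines that still accept cleartext telnet.
        if block and stripped.startswith("transport input"):
            methods = stripped.split()[2:]
            if "telnet" in methods or "all" in methods:
                findings.append(f"{block}: '{stripped}' accepts telnet; use 'transport input ssh'")
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("no 'enable secret' configured")
    if "ip ssh version 2" not in [l.strip() for l in lines]:
        findings.append("'ip ssh version 2' not set; SSH version 1 may be negotiated")
    return findings


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("-", finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

The block tracking matters: 'transport input' is only meaningful inside a 'line' section, and a finding should name the line range it belongs to so the fix can be applied to the right vty lines.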

===================================================================================
===================================================================================
==============

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++
$TFTP $FTP

R1#show file system
R1#show version
R1#show flash
R1#copy tftp: flash:
192.168.1.1
c2900-universalk9-mz.SPA.155-3.M4a.bin
R1#show flash

R1(config)#boot system flash:c2900-universalk9-mz.SPA.155-3.M4a.bin
R1(config)#exit

R1#write memory
R1#reload

R1#show version

R1#delete flash:c2900-universalk9-mz.SPA.155-3.M4a.bin

R1(config)#ip ftp username cisco
R1(config)#ip ftp password cisco
R1(config)#exit
R1#copy ftp: flash:
192.168.1.1
c2900-universalk9-mz.SPA.155-3.M4a.bin
R1#show flash
===================================================================================
=========================================================
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$NAT Static NAT configuration

R1(config)# int g0/1
R1(config-if)#ip nat inside // define the inside (local) side, the interface connected to the internal network

R1(config-if)#int g0/0
R1(config-if)#ip nat outside
R1(config-if)# exit

R1(config)#ip nat inside source static 192.168.0.167 100.0.0.1 // translating from inside local to inside global
R1(config)#ip nat inside source static 192.168.0.168 100.0.0.2 // the 100.0.0.1 and 100.0.0.2 are public Ip addresses which must be owned
R1(config)# exit

R1# show ip nat translations

R1# clear ip nat translation * // clears the dynamic nat translation entries, not the static entries
R1(config)#no ip nat inside source static 192.168.0.167 100.0.0.1 // the only way to remove the static entries

R1# show ip nat statistics


-----------------------------------------------------------------------------------
--------------------------------------------
$NAT dynamic NAT configuration

R1(config)# int g0/1
R1(config-if)#ip nat inside // define the inside (local) side, the interface connected to the internal network

R1(config-if)#int g0/0
R1(config-if)#ip nat outside // define the outside side; the inside global address is what an inside host looks like when seen from outside the network
R1(config-if)# exit

R1(config)# access-list 1 permit 192.168.0.0 0.0.0.255 // define the inside local traffic permitted to be translated
R1(config)# ip nat pool POOL1 100.0.0.0 100.0.0.255 prefix-length 24 // define the inside global pool, the range of available global addresses
R1(config)# ip nat pool POOL1 100.0.0.0 100.0.0.255 netmask 255.255.255.0 // same as prefix-length 24

R1(config)#ip nat inside source list 1 pool POOL1 // translating from inside local to inside global dynamically

R1# show ip nat translations
R1# show ip nat statistics
-----------------------------------------------------------------------------------
---------------------------------------------------------------
-----------------------------------------------------------------------------------
---------------------------------------------------------------
PAT (aka NAT Overload) translates both the IP and port number (its configuration is the same as dynamic NAT except the keyword overload is added at the end of the nat translation command)

dynamic NAT configuration

R1(config)# int g0/1
R1(config-if)#ip nat inside // define the inside (local) side, the interface connected to the internal network

R1(config-if)#int g0/0
R1(config-if)#ip nat outside // define the outside side; the inside global address is what an inside host looks like when seen from outside the network
R1(config-if)# exit

R1(config)# access-list 1 permit 192.168.0.0 0.0.0.255 // define the inside local traffic permitted to be translated

R1(config)# ip nat pool POOL1 100.0.0.0 100.0.0.3 prefix-length 24 // define the inside global pool, the available global addresses; a small number of global ip addresses
R1(config)# ip nat pool POOL1 100.0.0.0 100.0.0.255 netmask 255.255.255.0 // same as prefix-length 24

R1(config)#ip nat inside source list 1 pool POOL1 overload // translating from inside local to inside global together with the port number
-----------------------------------------------------------------------------------

or without specifying a pool one can tell the router to use its outside interface as the address for translation

R1(config)#ip nat inside source list 1 interface g0/0 overload // configure PAT by mapping the acl to the outside interface and enabling overload

R1# show ip nat translations
R1# show ip nat statistics
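The difference this section describes, dynamic NAT handing out one inside-global address per inside host until a small pool runs out, versus PAT/overload sharing one address by translating the source port as well, as an added Python simulation that is not part of the original notes. The inside hosts, the pool range and the port numbers are constructed, and the port allocation is a simplification of how IOS picks ports.

```python
# Added example, not from the original notes: dynamic NAT pool exhaustion
# versus PAT (overload) port translation. Hosts, pool and ports are
# constructed; port allocation is simplified compared with IOS.
import ipaddress


class DynamicNat:
    """One-to-one translations drawn from a pool ('ip nat inside source list 1 pool POOL1')."""

    def __init__(self, pool_start, pool_end):
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.table = {}  # inside local -> inside global

    def translate(self, inside_local):
        """Inside-global address for the host, or None when the pool is exhausted
        (the packet is dropped and counted as a miss in 'show ip nat statistics')."""
        if inside_local not in self.table:
            if not self.free:
                return None
            self.table[inside_local] = self.free.pop(0)
        return self.table[inside_local]

    def clear(self):
        """'clear ip nat translation *': drop the dynamic entries, freeing the pool."""
        self.free = sorted(self.free + list(self.table.values()), key=ipaddress.IPv4Address)
        self.table = {}


class Pat:
    """Many-to-one translations keyed by (inside local IP, source port), the 'overload' form."""

    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global
        self.next_port = first_port
        self.used_ports = set()
        self.table = {}  # (inside local, port) -> (inside global, port)

    def translate(self, inside_local, src_port):
        key = (inside_local, src_port)
        if key not in self.table:
            # Keep the original port when nobody else uses it; otherwise take
            # the next free one (a simplification of IOS's allocation).
            port = src_port if src_port not in self.used_ports else self._next_free_port()
            self.used_ports.add(port)
            self.table[key] = (self.inside_global, port)
        return self.table[key]

    def _next_free_port(self):
        while self.next_port in self.used_ports:
            self.next_port += 1
        return self.next_port


if __name__ == "__main__":
    nat = DynamicNat("100.0.0.0", "100.0.0.3")
    pat = Pat("100.0.0.1")
    for i in range(1, 6):
        host = f"192.168.0.{i}"
        print(host, "dynamic ->", nat.translate(host), "| pat ->", pat.translate(host, 50000))
```

The fifth host is the point of the exercise: with a four-address pool dynamic NAT returns None for it, while PAT serves all five from a single inside-global address by giving the colliding source ports new values.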

===================================================================================
===================================

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++
$VoIp $QoS Voice over Ip, QoS
SW1(config)# interface g0/0
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#switchport voice vlan 11 // SW1 will use CDP to tell phone1 to tag its frames with vlan 11, so the voice over ip traffic uses a separate vlan from the PC, whose untagged traffic (as it is an access port) goes into vlan 10.

SW1#show interfaces g0/0 switchport

SW1#show interfaces trunk // this command won't show any result in this case, because even if 2 vlans (vlan 10 and vlan 11) exist, the interface g0/0 is not a trunk port, it is an access port.

SW1#show interfaces g0/0 trunk // this command in turn will show "status : not trunking"

----------------------------------------------
supplying power over the ethernet (PoE)

SW1(config-if)# power inline police // to prevent the powered devices (PD) from taking too much power from the power sourcing equipment (PSE)

SW1(config-if)# power inline police action err-disable // (this action is the default) disables the interface that is taking too much power, which can be re-enabled with 'shutdown' followed by 'no shutdown'
SW1(config-if)# power inline police action log // it restarts the interface instead of shutting it down.

SW1# show power inline police g0/0

===================================================================================
=============================================================================
SW1(config)#vlan 10
SW1(config-vlan)#name Data_Vlan
SW1(config-vlan)#vlan 50
SW1(config-vlan)#name Voice_Vlan

SW1(config)# interface range g0/1-2


SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 10 // to be used for the data
SW1(config-if-range)#switchport voice vlan 50 // to use for the voice
SW1(config-if-range)#exit

SW1(config)#interface g0/3
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport trunk allowed vlan 1,10,50
SW1(config-if)#exit
SW1(config)# do write

R1(config)# interface g0/0
R1(config-if)# no shutdown // first bring up the physical interface

R1(config)# service dhcp // the IOS DHCP server service (enabled by default)

R1(config)# ip dhcp pool data_pool
R1(dhcp-config)# network 192.168.1.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.1.1
R1(dhcp-config)# exit

R1(config)# ip dhcp pool voice_pool // the voice pool, the set of IP addresses handed out
to the IP phones
R1(dhcp-config)#network 192.168.2.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.2.1
R1(dhcp-config)# option 150 ip 192.168.2.1 // DHCP option 150 is the TFTP server address;
Cisco IP phones use it to find the server (here the CME router itself) from which they
download their configuration and firmware. It is not a port number.

R1(config)#interface g0/0.10 // the router interface connected to the trunk port of the
switch needs router-on-a-stick (inter-VLAN routing):
// one subinterface per VLAN carried on the trunk, each with its own IP address

R1(config-subif)#encapsulation dot1q 10 // 10 is the VLAN number
R1(config-subif)#ip address 192.168.1.1 255.255.255.0 // the default-router address
for the data VLAN

R1(config)#interface g0/0.50
R1(config-subif)#encapsulation dot1q 50 // 50 is the VLAN number
R1(config-subif)#ip address 192.168.2.1 255.255.255.0 // the default-router address
for the voice VLAN

R1(config)#do write

R1(config)# telephony-service
R1(config-telephony)#max-dn 2 // maximum number of directory numbers (extensions), 2 here
R1(config-telephony)#max-ephones 2 // maximum number of IP phones, 2 here
R1(config-telephony)#ip source-address 192.168.2.1 port 2000 // address and SCCP port the
phones register to (2000 is the default SCCP port)
R1(config-telephony)#auto assign 1 to 2 // automatically assign ephone-dn 1 to 2 to phones
as they register
R1(config-telephony)#exit

R1(config)#ephone-dn 1
R1(config-telephony-dn)#number 2001
R1(config-telephony-dn)#exit
R1(config)#ephone-dn 2
R1(config-telephony-dn)#number 2002
R1(config-telephony-dn)#exit
R1(config)#do write
===================================================================================
===================================

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++

R1#show ip dhcp binding


R1#show ip dhcp pool

SW1(config)#interface g0/0
SW1(config-if)#switchport port-security
Command rejected: interface is a dynamic port // port security can only be configured on
interfaces in access or trunk mode, not on dynamic auto or dynamic desirable ports
SW1(config-if)#do show interface g0/0 switchport // shows the administrative mode of the
interface
SW1(config-if)#switchport mode access // changes the mode of the interface to access
SW1(config-if)#switchport port-security // now port security is enabled on this interface
with the default settings (maximum 1 MAC address, violation mode shutdown)
SW1(config-if)#do show port-security interface g0/0 // shows the port-security settings,
which are the defaults at this point

if an unauthorized device is connected, the interface goes into err-disabled mode (the
default violation mode is shutdown), which shuts down the interface. To recover, first
disconnect the unauthorized device, then issue shutdown followed by no shutdown on the
interface. This procedure, however, erases the dynamically learned secure MAC addresses
that were on the port before the unauthorized device was connected.

SW1(config)#interface g0/0
SW1(config-if)#shutdown
SW1(config-if)#no shutdown

another way to re-enable an err-disabled port is automatic recovery:

SW1# show errdisable recovery // shows which err-disable causes have recovery enabled and
the ports currently err-disabled; there are many possible causes
SW1(config)#errdisable recovery cause psecure-violation // automatically recover ports
that were err-disabled because of a port-security violation
SW1(config)#errdisable recovery interval 180 // recover after 180 seconds; the default is
300 seconds (5 minutes). If the offending device is still connected, the port is simply
err-disabled again after recovery.

SW1(config-if)#switchport port-security // enabling port security on the interface
SW1(config-if)#switchport port-security mac-address 000a.000a.000a // manually configuring
an allowed (static secure) MAC address
SW1(config-if)#switchport port-security maximum 4 // allow up to 4 secure MAC addresses on
the interface
SW1(config-if)#switchport port-security violation restrict // restrict mode does not
disable the interface when an unauthorized device is connected;
// instead it drops the frames from the unauthorized device, generates syslog and SNMP
messages, and increments the violation counter

SW1(config-if)#switchport port-security violation protect // protect mode generates no
syslog or SNMP messages and does not increment the violation counter; it just silently
discards the frames from the unauthorized device

SW1(config-if)#switchport port-security aging time 5 // a dynamically learned secure MAC
address ages out after 5 minutes

SW1(config-if)#switchport port-security aging type {absolute | inactivity} // absolute
aging expires the MAC address after the aging time even if frames keep arriving from it;
inactivity aging expires it only if no frames arrive from it for the whole aging time

SW1(config-if)#switchport port-security aging static // also age out statically
configured secure MAC addresses

SW1#show port-security // overview of all interfaces with port security

SW1#show port-security interface g0/0

SW1(config-if)#switchport port-security mac-address sticky // a way to configure static
secure MAC addresses without typing them: once this command is applied,
// dynamically learned secure MAC addresses (already learned and learned later) are
converted to sticky addresses and written to the running-config as
'switchport port-security mac-address sticky <mac>', so the running-config must be saved
to the startup-config
// if not saved, after a restart there are no sticky addresses and the addresses are
learned dynamically again
// sticky MAC addresses do not age out
// sticky is disabled by default
SW1#show mac address-table secure // shows the secure MAC addresses

SVI = switched virtual interface. If an SVI is configured on a switch (a VLAN interface
with an IP address) and the switch pings another switch, the source MAC address of the
ping is the MAC address of the VLAN interface. If the other switch has not already learned
this MAC address as a secure address on the receiving port, the ping may trigger a
port-security violation there.
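The three violation modes above differ in what happens to the port, the counter and the legitimate host once the limit is exceeded. The following Python model of that decision logic is an added example written for these notes, not IOS code; the port name, the MAC addresses and the scenario in compare_violation_modes() are made up, and the syslog text only imitates the real message.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with 'switchport port-security' enabled (constructed model)."""
    name: str
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # shutdown (default) | restrict | protect
    sticky: bool = False             # switchport port-security mac-address sticky
    static_macs: set = field(default_factory=set)  # mac-address <mac> entries
    learned: list = field(default_factory=list)    # dynamic (or sticky) secure MACs
    err_disabled: bool = False
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    def secure_macs(self) -> set:
        return self.static_macs | set(self.learned)

    def frame_from(self, mac: str) -> bool:
        """Return True if a frame with source MAC `mac` is forwarded."""
        mac = mac.lower()
        if self.err_disabled:
            return False                             # port is down, nothing forwards
        if mac in self.secure_macs():
            return True                              # known secure address
        if len(self.secure_macs()) < self.maximum:
            self.learned.append(mac)                 # room left: learn it as secure
            return True
        # Maximum reached and the source MAC is not secure: a violation.
        if self.violation == "protect":
            return False                             # silent drop: no counter, no syslog
        self.violation_count += 1
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {mac} on {self.name}")
        if self.violation == "restrict":
            return False                             # drop, port stays up
        self.err_disabled = True                     # shutdown mode: err-disable the port
        if not self.sticky:
            self.learned.clear()                     # dynamic addresses are lost, sticky survive
        return False

    def shut_no_shut(self) -> None:
        """Operator recovery ('shutdown' then 'no shutdown')."""
        self.err_disabled = False

    def running_config(self) -> list:
        """Lines that 'mac-address sticky' writes into the running-config."""
        return [f" switchport port-security mac-address sticky {m}"
                for m in (self.learned if self.sticky else [])]


def compare_violation_modes() -> dict:
    """Constructed scenario: host 000a... is learned, then intruder 000b... plugs in."""
    results = {}
    for mode in ("shutdown", "restrict", "protect"):
        port = SecurePort("g0/0", maximum=1, violation=mode)
        port.frame_from("000a.000a.000a")                  # learned as the one secure MAC
        port.frame_from("000b.000b.000b")                  # second MAC: violation
        legit_still_works = port.frame_from("000a.000a.000a")
        results[mode] = (port.err_disabled, port.violation_count, legit_still_works)
    return results


if __name__ == "__main__":
    for mode, (down, count, ok) in compare_violation_modes().items():
        print(f"{mode:9s} err-disabled={down} violations={count} legit host forwarded={ok}")
```

Running it shows the practical difference: shutdown takes the legitimate host down with the intruder, restrict keeps the host working and leaves evidence in the counter and syslog, protect keeps the host working but leaves no trace at all, which is why restrict is usually the better choice when the port must stay up.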
===================================================================================
========

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
$dhcp_snooping

SW1(config)#ip dhcp snooping // enables dhcp snooping globally
SW1(config)#ip dhcp snooping vlan 1 // enables dhcp snooping on vlan 1; repeat for every
vlan that should be protected
// both commands are required; the second is not a repetition of the first
SW1(config)#no ip dhcp snooping information option // stop inserting DHCP option 82 (relay
agent information). By default the switch inserts it even though it is not a relay agent,
and a DHCP server such as an IOS router drops those messages, so clients would get no
address. This line is critical in this setup.
SW1(config)#interface g0/0
SW1(config-if)#ip dhcp snooping trust // configure the interface (toward the DHCP server)
as trusted; by default all ports are untrusted, and server messages (OFFER, ACK, NAK)
arriving on an untrusted port are dropped

SW1(config)#do show ip dhcp snooping binding // shows the dhcp snooping binding table: the
IP address, MAC address, VLAN and interface of every client that obtained a lease through
an untrusted port

SW1(config)# interface range g0/1-3
SW1(config-if-range)# ip dhcp snooping limit rate 1 // at most 1 DHCP message per second
on these ports; rate limiting is disabled by default on all interfaces (trusted and
untrusted), and a port that exceeds the limit is err-disabled
SW1(config)#errdisable recovery cause dhcp-rate-limit // automatically recover ports
err-disabled by the rate limit; the limit itself protects the server against DHCP
exhaustion (starvation) attacks

===================================================================================
=========================

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++

$DAI $Dynamic_ARP_Inspection

SW1(config)#ip arp inspection vlan 1 // enable DAI on vlan 1; it validates ARP messages
against the DHCP snooping binding table, so DHCP snooping must be enabled on the vlan too

SW1(config)#interface range g0/0-1
SW1(config-if-range)# ip arp inspection trust // configure the trusted ports (toward other
switches and routers); by default all ports are untrusted

SW1#show ip arp inspection interfaces // rate limiting on untrusted ports is 15 packets per
second by default, and disabled on trusted ports

SW1(config-if-range)# ip arp inspection limit rate 25 burst interval 2 // 25 packets per
2 seconds; a port that exceeds the limit is err-disabled
SW1(config)# errdisable recovery cause arp-inspection
SW1(config)#do show errdisable recovery

SW1(config)#ip arp inspection validate dst-mac // reply only: Ethernet destination MAC must
match the ARP target MAC
SW1(config)#ip arp inspection validate ip // drop invalid or unexpected IPs (0.0.0.0,
255.255.255.255, multicast) in the sender field, and in the target field of replies
SW1(config)#ip arp inspection validate src-mac // request and reply: Ethernet source MAC
must match the ARP sender MAC

NB: if these 3 commands are entered one after another (the order does not matter), each
one overwrites the previous one: the 'ip' overwrites the 'dst-mac', and the 'src-mac'
then overrides the 'ip'. In the end only 'src-mac' is in effect. To enable all 3 checks
at the same time, give them in a single command:

SW1(config)#ip arp inspection validate ip src-mac dst-mac

------------------------------------------------------------
$ARP_ACL // when a host has a static IP address it has no entry in the dhcp snooping
binding table that DAI checks, so the host's legitimate ARP messages are dropped
// to resolve this, an ARP ACL lists the host's IP/MAC pair

SW1(config)#arp access-list ARP_ACL_1 // name of the access list: ARP_ACL_1
SW1(config-arp-nacl)#permit ip host 192.168.1.100 mac host 000a.000a.000a // the ACL entry
(sender IP and sender MAC); the ACL still has to be applied
SW1(config-arp-nacl)#exit
SW1(config)#ip arp inspection filter ARP_ACL_1 vlan 1 // apply the ACL to vlan 1 (global
config mode). DAI now checks the ARP ACL first: the host's ARP messages are permitted
although it has no entry in the snooping binding table, and messages not matched by the
ACL fall through to the binding table check (unless the 'static' keyword is added, which
makes the ACL's implicit deny final)
------------------------------------------------------------

SW1# show ip arp inspection // shows summary of the arp inspection
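The DAI verdict described in the DHCP snooping, DAI and ARP_ACL notes above is a short decision procedure: optional validate checks, then the ARP ACL, then the DHCP snooping binding table. The following Python model is an added example written for these notes, not IOS code; the binding table, the ACL entry and every address in it are constructed, and inspect() is this example's own function name.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed DHCP snooping binding table: (ip, mac) pairs learned from DHCP ACKs
# on untrusted ports (what 'show ip dhcp snooping binding' would list).
BINDINGS = {("192.168.1.10", "0011.0011.0011"), ("192.168.1.11", "0022.0022.0022")}

# Constructed 'arp access-list ARP_ACL_1' entries: (action, sender ip, sender mac).
ARP_ACL = [("permit", "192.168.1.100", "000a.000a.000a")]

BROADCAST = "ffff.ffff.ffff"


@dataclass
class ArpFrame:
    eth_src: str        # Ethernet header source MAC
    eth_dst: str        # Ethernet header destination MAC
    sender_ip: str      # ARP body: sender protocol address
    sender_mac: str     # ARP body: sender hardware address
    target_ip: str      # ARP body: target protocol address
    target_mac: str     # ARP body: target hardware address
    is_reply: bool      # ARP reply (True) or request (False)


def ip_is_invalid(ip: str) -> bool:
    """'validate ip' rejects 0.0.0.0, 255.255.255.255 and multicast addresses."""
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast


def inspect(frame: ArpFrame, validate=(), acl_static=False) -> str:
    """Verdict for an ARP frame received on an untrusted port in a DAI-enabled VLAN.

    Returns 'permit' or 'drop: <reason>'. `validate` holds the checks given to
    'ip arp inspection validate'; `acl_static` models the 'static' keyword of
    'ip arp inspection filter'."""
    # 1. Optional consistency checks between Ethernet header and ARP body.
    if "src-mac" in validate and frame.eth_src != frame.sender_mac:
        return "drop: src-mac mismatch"             # requests and replies
    if "dst-mac" in validate and frame.is_reply and frame.eth_dst != frame.target_mac:
        return "drop: dst-mac mismatch"             # replies only
    if "ip" in validate and (ip_is_invalid(frame.sender_ip)
                             or (frame.is_reply and ip_is_invalid(frame.target_ip))):
        return "drop: invalid ip"                   # target IP checked in replies only
    # 2. ARP ACL, consulted before the binding table.
    for action, ip, mac in ARP_ACL:
        if (frame.sender_ip, frame.sender_mac) == (ip, mac):
            return "permit" if action == "permit" else "drop: arp acl deny"
    if acl_static:
        return "drop: arp acl implicit deny"        # 'static': no fall-through
    # 3. DHCP snooping binding table.
    if (frame.sender_ip, frame.sender_mac) in BINDINGS:
        return "permit"
    return "drop: no dhcp snooping binding"


def request(sender_ip, sender_mac, target_ip, eth_src=None) -> ArpFrame:
    """Build an ARP request; the Ethernet source equals the ARP sender MAC unless forged."""
    return ArpFrame(eth_src or sender_mac, BROADCAST, sender_ip, sender_mac,
                    target_ip, "0000.0000.0000", is_reply=False)


if __name__ == "__main__":
    print(inspect(request("192.168.1.10", "0011.0011.0011", "192.168.1.1")))    # DHCP client
    print(inspect(request("192.168.1.100", "000a.000a.000a", "192.168.1.1")))   # static host via ACL
    print(inspect(request("192.168.1.1", "0033.0033.0033", "192.168.1.10")))    # gateway spoof
    forged = request("192.168.1.10", "0011.0011.0011", "192.168.1.1", eth_src="0033.0033.0033")
    print(inspect(forged), inspect(forged, validate=("src-mac",)))
```

The forged frame at the end is the case the validate options exist for: its ARP body carries a valid binding, so plain DAI permits it, while 'validate src-mac' notices that the Ethernet source MAC does not match the ARP sender MAC and drops it.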


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++
$VPN

1) configure the ISAKMP policy to establish the IKE (Internet Key Exchange) tunnel, phase 1
of the VPN
R1(config)#crypto isakmp enable

R1(config)#crypto isakmp policy 20
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption 3des // 3DES is obsolete; use AES ('encryption aes 256')
R1(config-isakmp)#hash md5 // MD5 is broken; use SHA-2 ('hash sha256')
R1(config-isakmp)#group 1 // DH group 1 (768-bit) is too weak; use group 14 or higher
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#exit

R1(config)#crypto isakmp key cisco123 address 11.11.11.1 // pre-shared key for this peer;
'cisco123' is a lab value, use a long random key, and the same key on both peers

2) define the IPsec transform set (the phase 2 algorithms)
R1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac // same weaknesses as in
phase 1; prefer e.g. esp-aes 256 esp-sha256-hmac

3) create the access list that defines the interesting traffic (what gets encrypted); the
peer needs the mirror image of it
R1(config)#access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255

4) create the crypto map for IPsec
R1(config)#crypto map mymap 20 ipsec-isakmp
R1(config-crypto-map)# set peer 11.11.11.1
R1(config-crypto-map)#set transform-set myset
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#exit

5) apply the crypto map to the outgoing interface of the VPN device
R1(config)#interface s0/0/0
R1(config-if)# crypto map mymap

6) test and verify the VPN (the SAs only appear after interesting traffic has triggered
the negotiation, so send a ping matching access-list 100 first)
R1#show crypto isakmp sa // shows the phase 1 security associations (SA) of the tunnel;
ISAKMP = Internet Security Association and Key Management Protocol
R1#show crypto ipsec sa // shows the phase 2 (IPsec) security associations, one pair per
local/remote network from the crypto ACL, with encrypt/decrypt packet counters
R1#show crypto engine connections active // active encryption/decryption connections
R1#show crypto map // bird's eye view of the crypto map
R1#show crypto isakmp policy
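The weak choices flagged in the phase 1 and phase 2 steps above (3DES, MD5, DH group 1, a short pre-shared key) are easy to miss in a long running-config. The following Python audit is an added example written for these notes, not IOS code or a Cisco tool; SAMPLE_CONFIG is a constructed copy of the notes' configuration, the "acceptable" sets and the 20-character key minimum are this example's own policy rather than any IOS default, and the key regex only understands the plain 'crypto isakmp key <key> address <ip>' form shown above.

```python
import re

# Constructed copy of the crypto configuration from the notes above.
SAMPLE_CONFIG = """\
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 3600
crypto isakmp key cisco123 address 11.11.11.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
"""

# Acceptable algorithms for this example's policy (an assumption, not an IOS default):
# AES, SHA-2, DH group 14 or stronger, pre-shared key of at least 20 characters.
OK_IKE_ENC = {"aes", "aes 128", "aes 192", "aes 256"}
OK_IKE_HASH = {"sha256", "sha384", "sha512"}
OK_DH_GROUPS = {"14", "15", "16", "19", "20", "21", "24"}
OK_ESP = {"esp-aes", "esp-aes 192", "esp-aes 256", "esp-gcm", "esp-gcm 256",
          "esp-sha256-hmac", "esp-sha384-hmac", "esp-sha512-hmac"}
MIN_PSK_LEN = 20


def split_transforms(spec: str) -> list:
    """'esp-aes 256 esp-sha256-hmac' -> ['esp-aes 256', 'esp-sha256-hmac']."""
    out = []
    for tok in spec.split():
        if tok.isdigit() and out:
            out[-1] += " " + tok     # a key-size suffix belongs to the previous transform
        else:
            out.append(tok)
    return out


def audit(config: str) -> list:
    """Return (config line, finding) pairs for weak IKE phase 1 / IPsec phase 2 settings."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"encryption (.+)", line):
            if m.group(1) not in OK_IKE_ENC:
                findings.append((line, "weak IKE cipher; use 'encryption aes 256'"))
        elif m := re.fullmatch(r"hash (\S+)", line):
            if m.group(1) not in OK_IKE_HASH:
                findings.append((line, "weak IKE hash; use 'hash sha256'"))
        elif m := re.fullmatch(r"group (\d+)", line):
            if m.group(1) not in OK_DH_GROUPS:
                findings.append((line, "weak DH group; use 'group 14' or higher"))
        elif m := re.fullmatch(r"crypto isakmp key (\S+) address \S+", line):
            if len(m.group(1)) < MIN_PSK_LEN:
                findings.append((line, f"pre-shared key shorter than {MIN_PSK_LEN} characters"))
        elif m := re.fullmatch(r"crypto ipsec transform-set \S+ (.+)", line):
            weak = [t for t in split_transforms(m.group(1)) if t not in OK_ESP]
            if weak:
                findings.append((line, f"weak transforms {weak}; use esp-aes 256 esp-sha256-hmac"))
    return findings


if __name__ == "__main__":
    for line, finding in audit(SAMPLE_CONFIG):
        print(f"{line!r}: {finding}")
```

Run against the notes' configuration it reports all five weak lines; a policy using aes 256, sha256, group 14, a long key and esp-aes 256 esp-sha256-hmac produces no findings. Both peers must agree on the stronger settings, otherwise phase 1 simply fails to negotiate.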

===================================================================================
=========================================
virtualization, port channel

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++
$VRF //virtual routing and forwarding

SPR1(config)# ip vrf Customer1 // service provider router 1; a vrf is created
SPR1(config-vrf)# ip vrf Customer2 // another vrf is created

SPR1(config-vrf)#do show ip vrf

SPR1(config-vrf)# interface g0/0
SPR1(config-if)# ip vrf forwarding Customer1 // the interface is now part of the Customer1
vrf
// this command removes any IP address already configured on the interface, so the
address has to be (re)configured afterwards
SPR1(config-if)# ip address 192.168.1.1 255.255.255.252

SPR1# show ip route // shows only the global routing table, not the vrf routes
SPR1# show ip route vrf Customer1 // vrf names are case-sensitive

SPR1# ping 192.168.1.1 // fails, because the ping is looked up in the global routing table,
not in the vrf
SPR1# ping vrf Customer1 192.168.1.1 // works

===================================================================================
=========================================
