Date posted: 24-Mar-2015 | Category: Documents | Uploaded by: kevin-sleight
Basic Switch/Router Configuration & Security (Ref Chapter 9 - ICND1)
Setting console password, synchronous and timeout
Cisco2610-1(config)#line con 0
Cisco2610-1(config-line)#login
Cisco2610-1(config-line)#password cisco
Cisco2610-1(config-line)#logging synchronous
Cisco2610-1(config-line)#exec-timeout 30 0
Setting Auxiliary password, synchronous and timeout (Router Only)
Cisco2610-1(config)#line aux 0
Cisco2610-1(config-line)#login
Cisco2610-1(config-line)#password cisco
Cisco2610-1(config-line)#logging synchronous
Cisco2610-1(config-line)#exec-timeout 30 0
Setting Telnet password, synchronous and timeout
Cisco2610-1(config)#line vty 0 4 (use 0 15 on newer routers)
Cisco2610-1(config-line)#login
Cisco2610-1(config-line)#password cisco
Cisco2610-1(config-line)#logging synchronous
Cisco2610-1(config-line)#exec-timeout 30 0
Enable password
Cisco2610-1(config)#enable password cisco
Enable secret password
Cisco2610-1(config)#enable secret cisco
Disable secret password
Cisco2610-1(config)#no enable secret
Encrypting Passwords
R1(config)#service password-encryption
Set the History size for Telnet sessions
Cisco2610-1(config)#line vty 0 4
Cisco2610-1(config-line)#history size 20
Set the History size for the session you're in
R1#terminal history size 20 (10 by default)
See the commands listed in the history buffer
R1#show history
Local User Database
Adding a user to the local database for Telnet that goes straight into privileged exec mode (the username command is entered in global configuration mode, not line mode)
Cisco2610-1(config)#username test privilege 15 password test
Cisco2610-1(config)#line vty 0 4
Cisco2610-1(config-line)#login local
Removing a user from the local database
Cisco2610-1(config)#no username test
Configuring SSH for Telnet Sessions
R1(config)#line vty 0 4
R1(config-line)#login
R1(config-line)#password cisco
R1(config-line)#transport input telnet ssh
R1(config-line)#exit
OR
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#transport input telnet ssh
R1(config-line)#exit
R1(config)#username cisco password cisco
Then
R1(config)#ip domain-name test.com
R1(config)#crypto key generate rsa
The name for the keys will be: R1.test.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#
*Mar 1 00:04:14.335: %SSH-5-ENABLED: SSH 1.99 has been enabled
Additional SSH Commands
Set the SSH Negotiation phase timeout interval (in seconds)
MyRouter(config)# ip ssh time-out 120
Set the Maximum retry attempts
MyRouter(config)# ip ssh authentication-retries 3
To change the default port for SSH (default is 22) connection
MyRouter(config)# ip ssh port 3536
Showing the encryption key
R1#show crypto key mypubkey rsa
Check SSH Version
R1#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Check Connections
R1#show ssh
Disable Telnet so SSH is only connection option available
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
Disable SSH
R1(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
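The line, password and SSH settings above are the items most often left half-done on a device. The script below is an added example, not part of the original cheat sheet: it parses a constructed running-config (as produced by show running-config) and reports which of those items are missing. It assumes the IOS in use supports username ... secret as the stronger alternative to username ... password.

```python
"""Audit a Cisco IOS running-config for the line/password/SSH hardening items above."""
import re
from typing import Dict, List

# Constructed sample configs (not captured from a real device).
WEAK_CONFIG = """\
hostname Cisco2610-1
enable password cisco
username test privilege 15 password test
ip domain-name test.com
ip ssh time-out 120
ip ssh authentication-retries 3
line con 0
 password cisco
 login
 exec-timeout 30 0
line aux 0
 password cisco
 login
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

HARDENED_CONFIG = """\
hostname Cisco2610-1
enable secret cisco
service password-encryption
username test privilege 15 secret test
ip domain-name test.com
ip ssh time-out 120
ip ssh authentication-retries 3
line con 0
 password cisco
 login
 exec-timeout 30 0
line aux 0
 password cisco
 login
 exec-timeout 30 0
line vty 0 4
 login local
 exec-timeout 30 0
 transport input ssh
"""


def parse_lines(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' section (con, aux, vty) to its indented sub-commands."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # indented: belongs to the current section
            if current is not None:
                sections[current].append(raw.strip())
        else:                              # global command: only 'line ...' opens a section
            current = raw.strip() if raw.startswith("line ") else None
            if current is not None:
                sections[current] = []
    return sections


def audit(config: str) -> List[str]:
    """Return one finding per missing hardening item; an empty list means all checks passed."""
    findings: List[str] = []
    global_cmds = {l.strip() for l in config.splitlines() if not l.startswith(" ")}

    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append('no "enable secret" configured (enable password alone is reversible, or absent)')
    if "service password-encryption" not in global_cmds:
        findings.append('"service password-encryption" not enabled: line passwords are stored in clear text')
    if any(re.match(r"username \S+ (privilege \d+ )?password ", c) for c in global_cmds):
        findings.append('a local user is defined with "password" rather than "secret"')

    for name, cmds in parse_lines(config).items():
        if not any(c.startswith("login") for c in cmds):
            findings.append(f'{name}: no "login" or "login local", so the line does not authenticate')
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{name}: no exec-timeout set (IOS default is 10 minutes)")
        if name.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            if transport is None or "telnet" in transport or transport.endswith(" all"):
                findings.append(f"{name}: telnet still accepted ({transport or 'transport input not set'})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```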
Connecting to a Router using SSH
Using a Cisco Packet Tracer Client
ssh -l username 172.0.0.100
Using Putty
In this example I'm using an application called Putty.
1. Open Putty
2. Enter the IP address of the router
3. Select SSH
4. Enter a name for the connection
5. Click on the Save button
6. Click on SSH
7. If you're using an older router, select Preferred SSH protocol version 1; for newer devices select 2
8. Click on Session and Click on the save button again
9. Click on the Open button
10. Click on Yes to accept the public key from the router
11. Enter the username and password you configured earlier
Add a banner to the router
Message of the Day Banner (shown before login)
Cisco2610-1>enable
Password:
Cisco2610-1#config t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco2610-1(config)#banner motd #
Enter TEXT message. End with the character '#'.
*************************************************************
This is Cisco test router 1 for my CCNA Lab
This router has security enabled
*************************************************************
#
Login Banner (Shown at login)
Cisco2610-1(config)#banner login #
Enter TEXT message. End with the character '#'.
Test Login Banner
#
Exec Banner (Shown after login)
Cisco2610-1(config)#banner exec #
Enter TEXT message. End with the character '#'.
Test exec Banner
#
Assigning an IP address and default Gateway to a Switch/Router
Configure IP address
Cisco2610-1>enable
Password:
Cisco2610-1#configure t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco2610-1(config)#interface s0/1
Cisco2610-1(config-if)#ip address 172.10.0.100 255.255.0.0
Cisco2610-1(config-if)#no shutdown
Adding a secondary address to a router
router(config)#interface s0/1
router(config-if)#ip address 172.20.0.100 255.255.0.0 secondary
Setting a default gateway
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#ip default-gateway 172.16.0.200
switch(config)#
Configuring an Interface to use DHCP (remove the default gateway if set)
Cisco2610-1(config)#interface vlan1
Cisco2610-1(config-if)#ip address dhcp
Cisco2610-1(config-if)#no shutdown
Note: Some older switches/routers do not support being configured as a DHCP client
Configuring Switch Interfaces/Ports
Setting the Speed, Duplex and adding a description
switch(config)#interface fa0/1
switch(config-if)#speed 100
switch(config-if)#duplex full
switch(config-if)#description Connection to voice router
switch(config-if)#exit
Applying a description to a range of ports
switch(config)#interface range fa0/1 - 10
switch(config-if-range)#description Connections for IP Phones
Checking the status of a port or ports
switch#show interfaces fa0/1
or
switch#show interfaces (to display info for all ports)
Checking the status for all ports (not available on older switches/firmware)
switch#show interfaces status
Checking the status of an individual interface
switch#show interfaces fa0/1 status
Configuring Port Security (commands differ on older switches)
switch(config)#interface fa0/5
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security maximum 10
switch(config-if)#switchport port-security violation shutdown
switch(config-if)#switchport port-security mac-address sticky
Configuring Port Security to Allow a single MAC Address (the order matters: entering the commands in a different order can leave a duplicate MAC address on the port)
Switch(config)#interface fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security mac-address 0000.0C06.705D
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#exit
Checking port-security
switch#show port-security
Checking port security for an interface
switch#show port-security interface fa0/1
Disabling a Port
switch(config)#interface fa0/5
switch(config-if)#shutdown
Enabling a Port that has been shutdown by port security
Check the status of the port
Switch#show interfaces f0/13
FastEthernet0/13 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 0013.c412.0f0d (bia 0013.c412.0f0d)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
Switch#show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
Enabling the port after a violation
switch(config)#interface fa0/5
switch(config-if)#shutdown
switch(config-if)#no shutdown
Renaming your router
Cisco2610(config)#hostname Cisco2610-1
Disable IP Domain Lookup (stops the router trying to resolve a mistyped command as a hostname)
Cisco2610-1(config)#no ip domain-lookup
Setting up VLANS
Creating VLAN on older routers using the VLAN Database
S2950-1#vlan database
S2950-1(vlan)#vlan 10 name VOICE
VLAN 10 modified:
    Name: VOICE
S2950-1(vlan)#vlan 50 name DATA
VLAN 20 added:
    Name: DATA
Creating and naming the VLANS
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#vlan 2
switch(config-vlan)#name sales
switch(config-vlan)#
switch#
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#vlan 3
switch(config-vlan)#name marketing
switch(config-vlan)#
switch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Gi0/1
2    sales                            active
3    marketing                        active
Assigning an IP address to a VLAN (the address goes on the VLAN's SVI, entered from interface vlan mode)
Site4Switch(config)#interface vlan 2
Site4Switch(config-if)#ip address 192.0.1.30 255.255.255.128
Assigning Ports to the VLANS
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#interface fastethernet0/1
switch(config-if)#switchport access vlan 2
switch(config-if)#
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#interface fastethernet0/4
switch(config-if)#switchport access vlan 3
Assigning a range of ports
Switch(config)#interface range fa0/16-24
Switch(config-if-range)#switchport access vlan 2
Configuring A Router to use Subinterfaces for separate VLANS
Router(config)#interface fa0/0
Router(config-if)#no shutdown
Router(config)#interface fa0/0.1
Router(config-subif)#ip address 10.1.1.1 255.255.255.0
Router(config-subif)#encapsulation dot1q 1
Router(config)#interface fa0/0.2
Router(config-subif)#ip address 10.1.2.1 255.255.255.0
Router(config-subif)#encapsulation dot1q 2
Router(config)#interface fa0/0.3
Router(config-subif)#ip address 10.1.3.1 255.255.255.0
Router(config-subif)#encapsulation dot1q 3
Configure the switch interface connected to the router
Switch(config)#interface fa0/24
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk encapsulation dot1q
Set a VLAN to use trunking but not to encapsulate the VLAN ID in a trunking header (native VLAN)
Router(config)#interface fa0/0.1
Router(config-subif)#encapsulation dot1q 1 native
Configuring Trunking between Switches
Changing an Interface to become a Trunk (set this on only one interface between two switches)
Switch(config)#interface fa0/3
Switch(config-if)#switchport mode trunk
or
Switch(config-if)#switchport mode dynamic desirable
Checking which interface is being used for trunking
Switch#show interface trunk
Checking the switchport status of interfaces
Switch#show interface switchport
or
Switch#show interface fa0/3 switchport
Removing a VLAN from a trunk (this will need doing on each switch)
AccessLayerSwitch2(config)#interface range g1/1-2
AccessLayerSwitch2(config-if-range)#switchport trunk allowed vlan remove 4
AccessLayerSwitch2#show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Gig1/1      on           802.1q         trunking      1
Gig1/2      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gig1/1      1-3,5-1005
Gig1/2      1-3,5-1005
Disabling trunking on an interface
switch(config)#interface fa0/1
switch(config-if)#switchport mode access
or
switch(config-if)#switchport nonegotiate
Changing the encapsulation a trunk uses (most switches only support 802.1q, so don't support these commands)
Switch(config-if)#switchport trunk encapsulation isl
or
Switch(config-if)#switchport trunk encapsulation negotiate
Configuring VTP between two Switches
Switch1 - Server Mode Configuration
Switch1(config)#vtp mode server
Switch1(config)#vtp domain test
Switch1(config)#vtp password test
Switch1(config)#vtp version 2
Switch2 - Client Mode Configuration
Switch2(config)#vtp mode client
Switch2(config)#vtp domain test
Switch2(config)#vtp password test
Switch2(config)#vtp version 2
Switch3 - Transparent Mode Configuration
Switch3(config)#vtp mode transparent
Enabling VTP Pruning
Switch(config)#vtp pruning
Checking a switch's VTP status
Switch#show vtp status
Checking the VTP password
switch#show vtp password
Resetting the revision number of a switch before adding it to a VTP domain (this prevents the VLAN database on the other switches being overwritten if the new switch's revision number is higher)
Switch(config)#vtp mode transparent
Switch(config)#vtp mode server
Spanning Tree Protocol
Debug Spanning Tree
SW1#debug spanning-tree events
Displaying spanning tree information for all VLANs
SW1#show spanning-tree
Displaying spanning tree information for a VLAN
SW1#show spanning-tree vlan 3
Changing the cost of an interface
SW1(config)#interface Fa0/17
SW1(config-if)#spanning-tree cost 2
Changing the cost of an interface for a specific VLAN only
SW1(config)#interface Fa0/17
SW1(config-if)#spanning-tree vlan 3 cost 2
Changing the primary root switch
SW1(config)#spanning-tree root primary
Changing the primary root switch for a specific VLAN only
SW1(config)#spanning-tree vlan 3 root primary
Configuring a switch to become a secondary root switch
SW1(config)#spanning-tree root secondary
Configuring a switch to become the secondary root for a specific VLAN only
SW1(config)#spanning-tree vlan 3 root secondary
Configuring the priority of a switch to make it the root switch (the priority must be a multiple of 4096)
SW1(config)#spanning-tree priority 4096
Configuring the priority of a switch to make it the root switch for a VLAN only
SW1(config)#spanning-tree vlan 3 priority 4096
Display VLAN root switch information
SW1#show spanning-tree root
Display the Bridge ID for VLANs on a switch
SW1#show spanning-tree vlan 3 bridge id
Enabling PortFast on a range of interfaces
SW1(config)#interface range fa0/1-2
SW1(config-if-range)#spanning-tree portfast
Enabling BPDU Guard on an interface
SW1(config)#interface range fa0/1-2
SW1(config-if-range)#spanning-tree bpduguard enable
Checking PortFast and BPDU Guard configuration on an interface
SW1#show running-config
Enabling EtherChannel (configure on both switches; use "on" on both switches, or "auto" on one switch and "desirable" on the other)
Switch(config)#interface gi3/1
Switch(config-if)#channel-group 1 mode on
Switch(config-if)#exit
Switch(config)#interface gi4/1
Switch(config-if)#channel-group 1 mode on
Show EtherChannel Information
Switch#show etherchannel summary
Enabling RSTP (this automatically enables PVST)
SW1(config)#spanning-tree mode rapid-pvst
Enabling PVST
SW1(config)#spanning-tree mode pvst
Enabling MST
SW1(config)#spanning-tree mode mst
Copying Config Between Devices
Copying from another device
1. Do a show run command on the source device
2. Highlight the config you want to copy
3. Select copy
4. Go to the destination device
5. Enter global configuration mode
6. Right click and select paste
Copying from notepad
1. Highlight the text you want to copy
2. Select copy
3. Go to the destination device
4. Enter global configuration mode
5. Right click and select paste
Troubleshooting (Chapter 10)
Cisco Discovery Protocol (CDP)
Enable CDP
switch(config)#cdp run
Disable CDP on the switch (enabled by default)
Switch(config)#no cdp run
Disable CDP on an interface
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fa0/1
Switch(config-if)#no cdp enable
Changing the timer and holdtime values
Switch(config)#cdp timer 90
Switch(config)#cdp holdtime 240
List one summary line for each neighbor
Switch#show cdp neighbors
List detailed information on each neighbor
Switch#show cdp neighbors detail
List detailed information for a single device
Switch#show cdp entry switchname
Show if CDP is enabled and the timer values
Switch#show cdp
Show if CDP is enabled on each interface
Switch#show cdp interface
List CDP statistics
Switch#show cdp traffic
Show Commands for the Interfaces
Displays information on status, speed and duplex
Switch#show interfaces status
Displays basic information
Switch#show ip interface brief
Show the interface details and description details
Switch#show interface description
Displays info on the VLANs and which interfaces have been assigned to them
Switch#show vlan
MAC Address Table Commands
switch#show mac-address-table
switch#show mac-address-table static (displays only static addresses)
switch#show mac-address-table dynamic (displays only dynamically learned addresses)
S3500XL-1#show mac-address-table
Dynamic Address Count:                 2
Secure Address Count:                  0
Static Address (User-defined) Count:   0
System Self Address Count:             51
Total MAC addresses:                   53
Maximum MAC addresses:                 8192
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0004.277f.0000       Dynamic          1  FastEthernet0/6
0007.e918.d07b       Dynamic          1  FastEthernet0/12
Enabling Debug Messages
See the available list of debug options
Router#debug ?
Enabling Debug for IP Packets
Router#debug ip packet
Enabling Debug for ICMP
Router#debug ip icmp
Enabling Debug for NAT
Router#debug ip nat
Enabling Debug for RIP
Router#debug ip rip
Enable Debug for the Routing Table
Router#debug ip routing
Disabling Debug for IP Packets
Router#no debug ip packet
Operating Cisco Routers (Chapter 13)
Display routing information
router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR, P - periodic downloaded static route
       T - traffic engineered route

Gateway of last resort is 10.1.100.252 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
S       10.1.2.0/24 [1/0] via 10.1.128.252
R       10.1.129.0/24 [120/1] via 10.1.130.252, 00:00:15, Serial0/1/0
S       10.1.3.0/24 [1/0] via 10.1.130.252
R       10.2.1.0/24 [120/1] via 10.1.130.252, 00:00:15, Serial0/1/0
C       10.1.1.0/24 is directly connected, FastEthernet0/0
C       10.1.100.0/24 is directly connected, FastEthernet0/1
R       10.1.4.0/24 [120/1] via 10.1.100.252, 00:00:15, FastEthernet0/1
S       10.1.1.0/8 [1/1] via 10.1.129.253
C       10.1.130.0/24 is directly connected, Serial0/1/0
C       10.1.128.0/24 is directly connected, Serial0/0/1
S*   0.0.0.0 [1/0] via 10.1.100.252
Displaying link and protocol status commands
router#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.1.1.251      YES manual up                    up
FastEthernet0/1        10.1.100.251    YES manual up                    up
Serial0/0/0            unassigned      YES unset  administratively down down
Serial0/0/1            10.1.128.251    YES manual up                    up
Serial0/1/0            10.1.130.251    YES manual up                    up
Serial0/1/1            unassigned      YES unset  administratively down down
router#show protocols
Global values:
  Internet protocol routing is enabled
Serial0/0/0 is administratively down, line protocol is down
Serial0/0/1 is up, line protocol is up
  Internet address is 10.1.128.251/24
Serial0/1/0 is up, line protocol is up
  Internet address is 10.1.130.251/24
Serial0/1/1 is administratively down, line protocol is down
FastEthernet0/0 is up, line protocol is up
  Internet address is 10.1.1.251/24
FastEthernet0/1 is up, line protocol is up
  Internet address is 10.1.100.251/24
Albuquerque#show protocols fa0/0
% Incomplete command.
router#show protocols fa0/0
router#show interfaces
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 00b0.94e0.7388 (bia 00b0.94e0.7388)
  Internet address is 10.1.1.251/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:50, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 0 packets/sec
     588 packets input, 74628 bytes
     Received 588 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast
     0 input packets with dribble condition detected
     231 packets output, 53712 bytes, 0 underruns
 --More--
Clock and Bandwidth Commands
router>enable
router#config t
Enter configuration commands, one per line. End with CNTL/Z
router(config)#interface serial0/0/1
router(config-if)#clock rate 128000
router(config-if)#bandwidth 64
Displaying Clock Rate and Bandwidth Settings
router#show controllers serial0/0/1
Interface Serial0/0/1
Hardware is GT96K
DCE V.35, clock rate 128000
idb at 0x454E69C8, driver data structure at 0x454EE0EC
router#show running-config
interface Serial0/0/1
 bandwidth 64
 ip address 10.1.128.251 255.255.255.0
 no ip directed-broadcast
Backing up and Restoring IOS and configuration files Image
Backup IOS Image
Switch#copy flash tftp
Source filename []? c2960-lanbase-mz.122-25.FX.bin
Address or name of remote host []? 10.0.0.1
Destination filename [c2960-lanbase-mz.122-25.FX.bin]? Router-A-IOS
Backing up Startup Configuration
Switch#copy startup-config tftp
Address or name of remote host []? 10.0.0.1
Destination filename [Switch-confg]? Router-A-Startup-Config
Restoring or Updating IOS version
Router#copy tftp flash
Address or name of remote host []? 10.0.0.1
Source filename []? c4500-d-mz.120-5.bin
Destination filename [c4500-d-mz.120-5.bin]?
Restoring Startup Configuration
Switch#copy tftp startup-config
Address or name of remote host []? 10.0.0.5
Source filename []? Router-A-Startup-Config
Destination filename [startup-config]?
Deleting a Flash Image
Switch#delete flash:c2960-lanbase-mz.122-25.FX.bin
Delete filename [c2960-lanbase-mz.122-25.FX.bin]? y
Delete flash:/y? [confirm] y
Display the files in Flash Memory
Switch#dir flash:
Checking the current IOS version and flash memory status
Router#show flash
-#- --length-- -----date/time------ path
1   36232088   Feb 13 2007 23:15:58 +00:00 c2800nm-advipservicesk9-mz.124-12.bin

18468864 bytes available (45547520 bytes used)
Setting the Configuration Register to boot the router into ROMMON mode
router(config)#config-register 0x2100
Setting the Configuration Register to load the first image in flash
router(config)#config-register 0x2101
Setting the Configuration Register to load the image specified by the boot system commands
router(config)#config-register 0x2102 (Default Setting)
or
router(config)#config-register 0x210F
Boot System Commands - Load the first file from flash
router(config)#boot system flash
Boot System Commands - Load the IOS image named filename from flash memory
router(config)#boot system flash filename
Boot System Commands - Load the IOS image named filename from a TFTP server
router(config)#boot system tftp filename 10.0.0.1
Routing Protocols (Chapter 14)
Enabling RIP v2
router(config)#router rip
router(config-router)#version 2
router(config-router)#network 10.0.0.0
router(config-router)#network 172.1.0.0
Display routes learnt by RIP
router#show ip route rip
Display information about RIP plus the IP addresses of neighbouring RIP routers
router#show ip protocols
Display the mask in decimal rather than prefix notation when using the show ip route command
router#terminal ip netmask-format decimal
Adding a Static Route using the IP address of the next hop
router(config)#ip route 172.16.30.1 255.255.255.0 10.1.128.251
Adding a Static Route using the interface as the outgoing port
router(config)#ip route 192.168.30.1 255.255.255.0 serial0/1/0
Extended Ping Command (enter y when prompted for extended commands)
router#ping
Protocol [ip]:
Target IP address: 172.1.0.150
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.0.0.1
Exiting out of a ping or traceroute command
press shift+F6
Adding a Default Route
router(config)#ip route 0.0.0.0 0.0.0.0 10.2.128.1
or
router(config)#ip default-network 10.0.0.0
Removing a Default Route
router(config)#no ip route 0.0.0.0 0.0.0.0 10.2.128.1
Enabling RIP debugging
router#debug ip rip
Disabling RIP debugging
router#undebug all
Show processes to check CPU usage
router#show process
Adding timestamps to debug messages
router(config)#service timestamps debug
Adding timestamps to log messages
router(config)#service timestamps log
Enabling Classful Routing (use to test the behaviour of a default route)
router(config)#no ip classless
Configuring Manual Summarization (EIGRP)
router(config)#interface s0/0
router(config-if)#ip summary-address eigrp 1 172.0.0.0 255.255.0.0
Disable Autosummarisation (only possible on classless routing protocols, and not on OSPF)
router(config)#router rip
router(config-router)#no auto-summary
Troubleshooting IP Routing (Chapter 15)
Display a router's ARP cache
router#show ip arp
Display routes for connected interfaces
router#show ip route connected
Telnet and Suspend
Telnet to the first router, then telnet from the first router to the second.
Press Ctrl+Shift+6 then x to switch between routers.
show sessions (or where) displays a list of the available sessions.
resume 1 will take you to session 1, or just type 1 and press Enter.
resume on its own takes you to the most recently suspended session; this is the session with an * next to it in the show sessions or where output.
disconnect 1 will disconnect session number 1.
Additional Commands
Configuring a DHCP Pool
BGRouter(config)#ip dhcp pool SalesNetwork
BGRouter(dhcp-config)#network 10.0.0.0 255.255.0.0
BGRouter(dhcp-config)#default-router 10.0.0.1
BGRouter(dhcp-config)#dns-server 172.16.0.2
BGRouter(dhcp-config)#exit
BGRouter(config)#ip dhcp excluded-address 10.0.0.1 10.0.0.10
Show information about leased DHCP addresses
BGRouter#show ip dhcp binding
Configuring DHCP Pools for multiple VLANS
1. Create 2 VLANs on the switch
2. Give each VLAN an IP address
3. Connect the router to the switch using two cables, one for each VLAN
4. Give each router interface an IP address
5. Assign each interface to a separate VLAN
BGRouter2(config)#ip dhcp pool Sales
BGRouter2(dhcp-config)#network 192.0.1.1 255.255.255.224
BGRouter2(dhcp-config)#default-router 192.0.1.29
BGRouter2(dhcp-config)#dns-server 192.168.1.30
BGRouter2(dhcp-config)#exit
BGRouter2(config)#ip dhcp excluded-address 192.168.1.61
BGRouter2(config)#ip dhcp excluded-address 192.168.1.62
BGRouter2(config)#ip dhcp pool Marketing
BGRouter2(dhcp-config)#network 192.0.1.33 255.255.255.224
BGRouter2(dhcp-config)#default-router 192.0.1.62
BGRouter2(dhcp-config)#dns-server 192.168.1.2
BGRouter2(dhcp-config)#exit
BGRouter2(config)#ip dhcp excluded-address 192.168.1.61
BGRouter2(config)#ip dhcp excluded-address 192.168.1.62
Configuring NAT/PAT (configure dynamic routing on all routers)
BGRouter(config)#interface fa0/0
BGRouter(config-if)#ip nat inside
BGRouter(config-if)#exit
BGRouter(config)#interface s0/0
BGRouter(config-if)#ip nat outside
BGRouter(config-if)#exit
BGRouter(config)#access-list 1 permit 10.0.0.11
BGRouter(config)#access-list 1 permit 10.0.0.12
BGRouter(config)#ip nat pool SalesPool 198.18.194.73 198.18.194.78 netmask 255.255.255.248
BGRouter(config)#ip nat inside source list 1 pool SalesPool overload
BGRouter(config)#exit
You'll need to add a route back to the 198.18.194.0 address range from the ISP router
ISP(config)#ip route 198.18.194.0 255.255.255.0 172.16.0.2
Configuring NAT to Allow Any Address in the 192 Range to use NAT
router(config)#access-list 1 permit 192.0.1.0 0.255.255.255
NAT Show Commands
BGRouter#show ip nat statistics
Total translations: 2 (0 static, 2 dynamic, 2 extended)
Outside Interfaces: Serial0/0
Inside Interfaces: FastEthernet0/0
Hits: 17  Misses: 1025
Expired translations: 7
Dynamic mappings:
-- Inside Source
access-list 1 pool SalesPool refCount 2
 pool SalesPool: netmask 255.255.255.248
        start 198.18.194.73 end 198.18.194.78
        type generic, total addresses 6 , allocated 1 (16%), misses 0
BGRouter#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
icmp 198.18.194.73:21     10.0.0.11:21          192.168.0.2:21        192.168.0.2:21
icmp 198.18.194.73:22     10.0.0.11:22          192.168.0.2:22        192.168.0.2:22
icmp 198.18.194.73:23     10.0.0.11:23          192.168.0.2:23        192.168.0.2:23
icmp 198.18.194.73:24     10.0.0.11:24          192.168.0.2:24        192.168.0.2:24
icmp 198.18.194.73:5      10.0.0.12:5           192.168.0.2:5         192.168.0.2:5
icmp 198.18.194.73:6      10.0.0.12:6           192.168.0.2:6         192.168.0.2:6
icmp 198.18.194.73:7      10.0.0.12:7           192.168.0.2:7         192.168.0.2:7
icmp 198.18.194.73:8      10.0.0.12:8           192.168.0.2:8         192.168.0.2:8
udp  198.18.194.73:1036   10.0.0.11:1036        192.168.0.2:53        192.168.0.2:53
udp  198.18.194.73:1026   10.0.0.12:1026        192.168.0.2:53        192.168.0.2:53
udp  198.18.194.73:1027   10.0.0.12:1027        192.168.0.2:53        192.168.0.2:53
tcp  198.18.194.73:1025   10.0.0.11:1025        192.168.0.2:80        192.168.0.2:80
tcp  198.18.194.73:1024   10.0.0.12:1025        192.168.0.2:80        192.168.0.2:80
Configuring MTU Size
Sets the MTU size for all layer 3 protocols
Router1(config)#interface s0/0
Router1(config-if)#mtu 1280
or
Sets the MTU size for IP only
Router1(config)#interface s0/0
WANRouter1(config-if)#ip mtu 1280
Removing MTU settings
Router1(config-if)#no mtu
Standard Access Control Lists (ACLs)
Display all ACLs on a router
R1#show access-lists
Display a specific ACL by number
R1#show access-lists 1
Display a specific ACL by name
R1#show access-lists Test
Block inbound traffic based on an IP address
R1(config)#interface s0/0
R1(config-if)#ip access-group 1 in
R1(config-if)#exit
R1(config)#access-list 1 remark stop all inbound traffic from source IP 10.1.1.2
R1(config)#access-list 1 deny 10.1.1.2 0.0.0.0
R1(config)#access-list 1 permit 0.0.0.0 255.255.255.255
or
R1(config)#interface fa0/0
R1(config-if)#ip access-group 1 in
R1(config-if)#exit
R1(config)#access-list 1 deny 10.1.1.2
R1(config)#access-list 1 permit any
or
R1(config)#interface fa0/0
R1(config-if)#ip access-group 1 in
R1(config-if)#exit
R1(config)#ip access-list standard 1
R1(config-std-nacl)#deny 10.1.1.2
R1(config-std-nacl)#permit any
Block outbound traffic based on an IP address
R2(config)#interface fa0/0
R2(config-if)#ip access-group 1 out
R2(config-if)#exit
R2(config)#access-list 1 remark stop all inbound traffic from source IP 10.1.3.2
R2(config)#access-list 1 deny 10.1.3.2 0.0.0.0
R2(config)#access-list 1 permit 0.0.0.0 255.255.255.255
Extended ACLs
Block any IP packet from any source address to destination IP address 10.1.4.4
R3(config-if)#ip access-group 100 out
R3(config-if)#exit
R3(config)#access-list 100 deny ip any host 10.1.4.4
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255
Block IP packets from 10.1.1.2 to destination address 10.1.4.4
R3(config)#access-list 100 deny ip host 10.1.1.2 host 10.1.4.4
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255
Block TCP packets for destination IP 10.1.3.4 and destination port 21 (a port match needs the tcp or udp keyword; "ip" does not accept eq)
R3(config)#access-list 100 deny tcp any host 10.1.4.3 eq 21
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255
or
R3(config)#access-list 100 deny tcp any host 10.1.4.3 eq ftp
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255
Block TCP packets with a source port greater than 1023 and a source IP 10.1.4.1 and port of 21
R3(config)#access-list 100 deny tcp any gt 1023 host 10.1.4.3 eq 21
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255
Allow TCP packets from the 10.1.1.0 network to connect to destination 10.1.4.3 on port 21
R3(config)#access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 10.1.4.3 eq 21
Multiple ACL entries (the router evaluates an ACL's entries in the order they were entered and stops at the first match, so if the last entry below had been entered first its permit-all would match everything and the other entries would never be applied; likewise the first entry would have no effect if it were entered after the third, because the third already denies that traffic)
R3(config)#access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 10.1.4.3 eq 21
R3(config)#access-list 100 deny ip any host 10.1.4.4
R3(config)#access-list 100 deny tcp any host 10.1.4.3 eq ftp
R3(config)#access-list 100 permit ip any any
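To make the ordering rule concrete, here is an added example (not from the original page) that evaluates the four-entry ACL above with IOS first-match semantics and wildcard masks, then flags any entry an earlier entry shadows; it supports only the eq port operator and the address forms used on this page.

```python
"""First-match evaluation of the extended ACL above, plus a shadowed-entry check."""
import ipaddress
from typing import List, Optional, Tuple

Spec = Tuple[int, int]  # (address, wildcard) as 32-bit ints
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80, "domain": 53}  # IOS port keywords used here

# The four-entry ACL from the page, in the order the author entered it.
PAGE_ACL = [
    "access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 10.1.4.3 eq 21",
    "access-list 100 deny ip any host 10.1.4.4",
    "access-list 100 deny tcp any host 10.1.4.3 eq ftp",
    "access-list 100 permit ip any any",
]
# The same entries with the catch-all permit entered first (the mistake the text warns about).
SHADOWED_ACL = [PAGE_ACL[3]] + PAGE_ACL[:3]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _take_addr(tok: List[str]) -> Tuple[Spec, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the front of tok."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]


def _take_port(tok: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq <port|keyword>'; other operators are not needed here."""
    if tok and tok[0] == "eq":
        return PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok


def parse_acl(lines: List[str]) -> List[dict]:
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        entries.append(dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport))
    return entries


def _match(spec: Spec, addr: int) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    net, wild = spec
    return (addr | wild) == (net | wild)


def evaluate(entries: List[dict], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); ('deny', None) is the implicit deny."""
    for i, e in enumerate(entries):
        if e["proto"] not in ("ip", proto):          # 'ip' matches every protocol
            continue
        if not (_match(e["src"], _ip(src)) and _match(e["dst"], _ip(dst))):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], i
    return "deny", None


def _covers(outer: Spec, inner: Spec) -> bool:
    """True if every address matched by inner is also matched by outer."""
    onet, owild = outer
    inet, iwild = inner
    return (iwild & ~owild) == 0 and (inet | owild) == (onet | owild)


def shadowed(entries: List[dict]) -> List[int]:
    """Indices of entries that can never match because an earlier entry covers them."""
    out = []
    for i, e in enumerate(entries):
        for prev in entries[:i]:
            if prev["proto"] not in ("ip", e["proto"]):
                continue
            if not (_covers(prev["src"], e["src"]) and _covers(prev["dst"], e["dst"])):
                continue
            if prev["sport"] not in (None, e["sport"]) or prev["dport"] not in (None, e["dport"]):
                continue
            out.append(i)
            break
    return out


if __name__ == "__main__":
    page, bad = parse_acl(PAGE_ACL), parse_acl(SHADOWED_ACL)
    print("FTP from 10.1.2.9 to 10.1.4.3, page order:", evaluate(page, "tcp", "10.1.2.9", "10.1.4.3", dport=21))
    print("FTP from 10.1.2.9 to 10.1.4.3, permit-all first:", evaluate(bad, "tcp", "10.1.2.9", "10.1.4.3", dport=21))
    print("shadowed entries in the reordered ACL:", shadowed(bad))
```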
Named ACLs (these can be used for standard and extended ACLs)
Block inbound IP packets from 10.1.1.2 to destination address 10.1.1.1
R1(config)#ip access-list extended BlockInbound1
R1(config-ext-nacl)#deny ip host 10.1.2.1 host 10.1.1.1
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#interface fa0/0
R1(config-if)#ip access-group BlockInbound1 out
Block all outbound traffic from 10.1.1.3 out of one interface on a router
R1(config)#ip access-list extended BlockOutbound1
R1(config-ext-nacl)#deny ip host 10.1.1.3 any
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#interface s0/1
R1(config-if)#ip access-group BlockOutbound1 out
Block all inbound traffic to 10.1.4.4 and block all FTP traffic to 10.1.4.3 apart from devices on the 10.1.1.0 network
R3(config)#ip access-list extended BlockInbound1
R3(config-ext-nacl)#deny ip any host 10.1.4.4
R3(config-ext-nacl)#permit tcp 10.1.1.0 0.0.0.255 host 10.1.4.3 eq ftp
R3(config-ext-nacl)#deny tcp any host 10.1.4.3 eq ftp
R3(config-ext-nacl)#permit ip any any
R3(config-ext-nacl)#exit
R3(config)#interface fa1/0
R3(config-if)#ip access-group BlockInbound1 out
Manipulating ACLs Using Sequence Numbers (works on IOS 12.3 or later and doesn't work in Packet Tracer)
Create Access List (notice the sequence numbers in the show command output)
R1(config)#ip access-list standard 1
R1(config-std-nacl)#deny 10.1.2.0 0.0.255.255
R1(config-std-nacl)#deny 10.2.3.0 0.0.255.255
R1(config-std-nacl)#permit any
R1(config-std-nacl)#exit
R1(config)#do show access-list 1
Standard IP access list 1
    10 deny   10.1.0.0, wildcard bits 0.0.255.255
    20 deny   10.2.0.0, wildcard bits 0.0.255.255
    30 permit any
Adding a new entry between sequence numbers 20 and 30
R1(config)#ip access-list standard 1
R1(config-std-nacl)#25 deny 10.3.0.0 0.0.255.255
R1(config-std-nacl)#do show access-list
Standard IP access list 1
    10 deny   10.1.0.0, wildcard bits 0.0.255.255
    20 deny   10.2.0.0, wildcard bits 0.0.255.255
    25 deny   10.3.0.0, wildcard bits 0.0.255.255
    30 permit any
Removing an entry
R1(config-std-nacl)#no 20
R1(config-std-nacl)#do show access-list
Standard IP access list 1
    10 deny   10.1.0.0, wildcard bits 0.0.255.255
    25 deny   10.3.0.0, wildcard bits 0.0.255.255
    30 permit any
Stopping Access to VTY Lines (telnet, ssh)
R2(config)#access-list 3 deny any
R2(config)#line vty 0 15
R2(config-line)#access-class 3 in
R2(config-line)#exit