Ccna - Ios Commands

Mar 24, 2015

Kevin Sleight
Basic Switch/Router Configuration & Security (Ref Chapter 9 - ICND1)

Setting console password, synchronous and timeout (exec-timeout 30 0 logs an idle session out after 30 minutes 0 seconds; the IOS default is 10 minutes, and exec-timeout 0 0 disables the idle logout altogether)

Cisco2610-1(config)#line con 0
Cisco2610-1(config-line)#login
Cisco2610-1(config-line)#password cisco
Cisco2610-1(config-line)#logging synchronous
Cisco2610-1(config-line)#exec-timeout 30 0

Setting auxiliary port password, synchronous and timeout (router only; if nothing is attached to the aux port, a password and a short timeout still belong on it because it is a second physical way in)

Cisco2610-1(config)#line aux 0
Cisco2610-1(config-line)#login
Cisco2610-1(config-line)#password cisco
Cisco2610-1(config-line)#logging synchronous
Cisco2610-1(config-line)#exec-timeout 30 0

Setting Telnet (vty) password, synchronous and timeout

Cisco2610-1(config)#line vty 0 4 (use line vty 0 15 on newer IOS, which has 16 vty lines; any vty line left out of the range keeps its own settings, so cover all of them)
Cisco2610-1(config-line)#login
Cisco2610-1(config-line)#password cisco
Cisco2610-1(config-line)#logging synchronous
Cisco2610-1(config-line)#exec-timeout 30 0

Enable password (stored in clear text, or as reversible type 7 once service password-encryption is on; only use it where enable secret is not available)

Cisco2610-1(config)#enable password cisco

Enable secret password (stored as a one-way hash, type 5 MD5 on this IOS; when both are configured the secret is used and the enable password is ignored)

Cisco2610-1(config)#enable secret cisco

Disable secret password

Cisco2610-1(config)#no enable secret

Encrypting passwords (obfuscates the line, enable and username passwords with the type 7 scheme; this hides them from someone glancing over your shoulder at a show run but is trivially reversible, so it is no substitute for enable secret or username ... secret)

R1(config)#service password-encryption
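The reason the previous note calls type 7 obfuscation rather than encryption is easiest to see by reversing it. The block below is an added example, not part of the original cheat sheet: it implements the IOS type 7 scheme (a fixed-key XOR; the key string is the long-public IOS constant) in both directions and pulls every password 7 line out of a constructed sample config. The type 5 line in the sample is there for contrast: its value is an illustrative MD5-crypt hash, which this code cannot reverse.

```python
# Added example, not part of the original cheat sheet. Demonstrates why
# "service password-encryption" is obfuscation rather than encryption: IOS
# type 7 is a fixed-key XOR that anyone can reverse from the config text.
# The key string below is the public, long-known IOS constant.
import re

XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded):
    """Reverse a type 7 string: 2 decimal digits of key offset, then hex byte pairs."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    plain = []
    for i, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        plain.append(chr(byte ^ ord(XLAT[(offset + i) % len(XLAT)])))
    return "".join(plain)


def encode_type7(plain, offset=14):
    """Produce the string IOS would store; the 0-15 offset is the only variation."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0-15")
    body = "".join(
        f"{ord(c) ^ ord(XLAT[(offset + i) % len(XLAT)]):02X}" for i, c in enumerate(plain)
    )
    return f"{offset:02d}{body}"


TYPE7_LINE = re.compile(r"^(?P<line>.*\bpassword 7 (?P<hex>[0-9A-Fa-f]+))\s*$")


def recover_type7_passwords(running_config):
    """Return (config line, recovered plaintext) for every 'password 7' in a show run."""
    found = []
    for raw in running_config.splitlines():
        m = TYPE7_LINE.match(raw.strip())
        if m:
            found.append((m.group("line"), decode_type7(m.group("hex"))))
    return found


# Constructed sample config (not from a real device). The type 5 hash is
# illustrative: being MD5-crypt it cannot be reversed the way type 7 can.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 14141B180F0B
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username test privilege 15 password 7 0835495D1D
line vty 0 4
 password 7 14141B180F0B
 login
"""

if __name__ == "__main__":
    for line, plain in recover_type7_passwords(SAMPLE_CONFIG):
        print(f"{line:55} -> {plain}")
```

Run it and all three type 7 lines come back as the plaintext they were set from, which is why a copy of the config (a TFTP backup, a pasted show run in a ticket) has to be treated as holding the passwords in the clear.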

Set the history size for Telnet sessions

Cisco2610-1(config)#line vty 0 4
Cisco2610-1(config-line)#history size 20

Set the history size for the session you're in

R1#terminal history size 20 (10 by default)

See the commands listed in the history buffer

R1#show history

Local User Database

Adding a user to the local database and making vty logins authenticate against it; privilege 15 drops the user straight into privileged exec mode. The username command is global, not a line command. Prefer username ... secret over username ... password where the IOS supports it, because password stores the credential reversibly

Cisco2610-1(config)#username test privilege 15 password test
Cisco2610-1(config)#line vty 0 4
Cisco2610-1(config-line)#login local

Removing a user from the local database

Cisco2610-1(config)#no username test

Configuring SSH for vty (remote login) sessions

R1(config)#line vty 0 4
R1(config-line)#login
R1(config-line)#password cisco
R1(config-line)#transport input telnet ssh
R1(config-line)#exit

OR (local usernames, which is what SSH normally authenticates against)

R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#transport input telnet ssh
R1(config-line)#exit
R1(config)#username cisco password cisco

Then generate the host key. The key is named hostname.domain-name, so both must be set first. Pick 2048 bits: 512 and 1024-bit RSA keys are considered too weak today

R1(config)#ip domain-name test.com
R1(config)#crypto key generate rsa
The name for the keys will be: R1.test.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
*Mar 1 00:04:14.335: %SSH-5-ENABLED: SSH 1.99 has been enabled

"SSH 1.99" means the server will negotiate either SSH-1 or SSH-2 with the client. Restrict it to SSH-2 with ip ssh version 2 once the key exists; SSH-1 has known protocol weaknesses. Note that transport input telnet ssh leaves Telnet enabled alongside SSH; the section below shows how to remove it.

Additional SSH Commands

Set the SSH negotiation phase timeout (seconds the client has to finish authenticating before the server drops the connection)

MyRouter(config)# ip ssh time-out 120

Set the maximum authentication retry attempts (3 is also the default; it caps password guesses per connection, not per attacker)

MyRouter(config)# ip ssh authentication-retries 3

Change the port SSH listens on (default 22). On IOS this command takes a rotary group, and the vty lines that should answer on the new port need the matching rotary 1 line command. Moving the port hides nothing from a port scan, so treat it as a convenience, not a control

MyRouter(config)# ip ssh port 3536 rotary 1

Showing the router's RSA public key

R1#show crypto key mypubkey rsa

Check the SSH version and settings (version 1.99 means SSH-1 is still accepted; ip ssh version 2 restricts the server to SSH-2)

R1#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

Check active SSH connections

R1#show ssh

Disable Telnet so SSH is the only way in on the vty lines

R1(config)#line vty 0 4
R1(config-line)#transport input ssh

Disable SSH by deleting the RSA key pair (as the prompt warns, this also deletes any certificates issued with that key; SSH stays off until a new key is generated)

R1(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
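The vty and SSH settings in the two sections above are the ones most often left half-done: Telnet still allowed next to SSH, a line password instead of local users, no idle timeout, SSH 1.99. The block below is an added example, not from the cheat sheet: a small lint that reads show running-config text and reports those gaps. The two sample configs are constructed for the example; the defaults it mentions (10-minute exec-timeout, SSH 1.99 meaning SSH-1 is accepted) are IOS behaviour, and the hash values in the hardened sample are placeholders.

```python
# Added example, not from the original cheat sheet: a lint for the vty/SSH
# settings configured above, run over "show running-config" text. It flags
# the common weak spots rather than fixing them. Defaults quoted in the
# messages (10 minute exec-timeout, SSH 1.99) are IOS facts; the sample
# configs are constructed for the example.
import re


def split_line_sections(config):
    """Return (global config lines, {'line vty 0 4': [its indented lines], ...})."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):            # indented: belongs to the open section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        text = raw.strip()
        if text.startswith("line "):
            current = text
            sections[current] = []
        else:
            current = None                 # interfaces etc. are not audited here
            global_lines.append(text)
    return global_lines, sections


def audit_remote_access(config):
    findings = []
    global_lines, sections = split_line_sections(config)
    g = "\n".join(global_lines)
    if re.search(r"^enable password ", g, re.M) and not re.search(r"^enable secret ", g, re.M):
        findings.append("enable password without enable secret: privileged mode guarded by a cleartext/type 7 value")
    for m in re.finditer(r"^username (\S+) (?:privilege \d+ )?password ", g, re.M):
        findings.append(f"username {m.group(1)} uses 'password' (reversible); use 'secret'")
    if not re.search(r"^ip ssh version 2$", g, re.M):
        findings.append("ip ssh version 2 missing: server runs 1.99 and still accepts SSH-1")
    for name, lines in sections.items():
        if not name.startswith("line vty"):
            continue
        transport = next((l for l in lines if l.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{name}: no transport input set, IOS default applies (may include telnet)")
        elif "telnet" in transport or transport.endswith(" all"):
            findings.append(f"{name}: telnet reachable ({transport})")
        if "login local" not in lines and not any(l.startswith("login authentication") for l in lines):
            findings.append(f"{name}: line password only (no login local / AAA)")
        timeout = next((l for l in lines if l.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"{name}: exec-timeout not set (IOS default 10 min)")
        elif timeout.split()[1:] in (["0"], ["0", "0"]):
            findings.append(f"{name}: exec-timeout 0 disables idle logout")
    return findings


# Constructed samples: the first mirrors the weak variant above, the second the hardened one.
WEAK_CONFIG = """\
enable password cisco
username test privilege 15 password test
ip domain-name test.com
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
enable secret 5 $1$hash$illustrative.only
username admin privilege 15 secret 5 $1$hash$illustrative.only
ip domain-name test.com
ip ssh version 2
line con 0
 login local
 exec-timeout 30 0
line vty 0 4
 login local
 exec-timeout 30 0
 transport input ssh
"""

if __name__ == "__main__":
    for cfg in (WEAK_CONFIG, HARDENED_CONFIG):
        print("\n".join(audit_remote_access(cfg)) or "no findings")
        print("---")
```

The weak sample produces six findings and the hardened one none; feed it a real show run (the line-section parser only relies on IOS indenting line sub-commands by one space) to get the same list for a lab device.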

Connecting to a Router using SSH

Using a Cisco Packet Tracer client

ssh -l username 172.0.0.100

Using PuTTY

In this example I'm using an application called PuTTY.

1. Open PuTTY

2. Enter the IP address of the router

3. Select SSH

4. Enter a name for the connection

5. Click on the Save button

6. Click on SSH

7. Set the preferred SSH protocol version to 2. Only fall back to version 1 for an old router that cannot do anything else, and then only on an isolated lab network, because SSH-1 has known protocol weaknesses

8. Click on Session and click on the Save button again

9. Click on the Open button

10. Click on Yes to accept the router's host key. PuTTY caches it and warns if it changes later, so this first acceptance is the moment to verify the key out of band rather than trusting whatever answered on the network

11. Enter the username and password you configured earlier

Add a banner to the router

Message of the Day banner (shown before login)

Cisco2610-1>enable
Password:
Cisco2610-1#config t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco2610-1(config)#banner motd #
Enter TEXT message. End with the character '#'.
*************************************************************
This is Cisco test router 1 for my CCNA Lab
This router has security enabled
*************************************************************
#

Login banner (shown at login, after the MOTD banner)

Cisco2610-1(config)#banner login #
Enter TEXT message. End with the character '#'.
Test Login Banner
#

Exec banner (shown after a successful login)

Cisco2610-1(config)#banner exec #
Enter TEXT message. End with the character '#'.
Test exec Banner
#

Outside the lab, keep the pre-login banners to an ownership and authorised-use notice and put anything that describes the device (site, role, contacts) in the exec banner, which only an authenticated user sees.

Assigning an IP address and default gateway to a switch/router

Configure an IP address on a router interface

Cisco2610-1>enable
Password:
Cisco2610-1#configure t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco2610-1(config)#interface s0/1
Cisco2610-1(config-if)#ip address 172.10.0.100 255.255.0.0
Cisco2610-1(config-if)#no shutdown

Adding a secondary address to a router interface

router(config)#interface s0/1
router(config-if)#ip address 172.20.0.100 255.255.0.0 secondary

Setting a default gateway (layer 2 switch; the switch's own management address lives on the VLAN 1 interface, as in the DHCP example below)

switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#ip default-gateway 172.16.0.200
switch(config)#

Configuring an interface to use DHCP (remove the default gateway if set; the lease supplies one)

Cisco2610-1(config)#interface vlan1
Cisco2610-1(config-if)#ip address dhcp
Cisco2610-1(config-if)#no shutdown

Note: some older switches/routers do not support being configured as a DHCP client

Configuring Switch Interfaces/Ports

Setting the speed, duplex and adding a description

switch(config)#interface fa0/1
switch(config-if)#speed 100
switch(config-if)#duplex full
switch(config-if)#description Connection to voice router
switch(config-if)#exit

Applying a description to a range of ports

switch(config)#interface range fa0/1 - 10
switch(config-if-range)#description Connections for IP Phones

Checking the status of a port or ports

switch#show interfaces fa0/1

or

switch#show interfaces (to display info for all ports)

Checking the status for all ports (not available on older switches/firmware)

switch#show interfaces status

Checking the status of an individual interface

switch#show interfaces fa0/1 status

Configuring port security (commands differ on older switches). Port security only works on access ports, so set the mode first. Sticky learning writes the MACs it sees into the running-config, so check that the learned addresses are the devices you expect and then save the config, otherwise they are relearned from scratch after a reload

switch(config)#interface fa0/5
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security maximum 10
switch(config-if)#switchport port-security violation shutdown
switch(config-if)#switchport port-security mac-address sticky

Configuring port security to allow a single MAC address. Enter the static MAC before enabling port security: done the other way round, the switch may already have learned the attached device's MAC dynamically and then reports a duplicate when the static entry is added

Switch(config)#interface fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security mac-address 0000.0C06.705D
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#exit

Checking port security

switch#show port-security

Checking port security for an interface

switch#show port-security interface fa0/1

Disabling a port

switch(config)#interface fa0/5
switch(config-if)#shutdown

Enabling a port that has been shut down by port security

Check the status of the port

Switch#show interfaces f0/13
FastEthernet0/13 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 0013.c412.0f0d (bia 0013.c412.0f0d)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set

Switch#show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

Enabling the port after a violation. An err-disabled port stays down until someone bounces it, which is the point of violation shutdown: find out what was plugged in (the Last Source Address field above) before re-enabling it. Switches can also re-enable err-disabled ports automatically after a timer with the errdisable recovery commands

Switch(config)#interface f0/13
Switch(config-if)#shutdown
Switch(config-if)#no shutdown

Renaming your router

Cisco2610(config)#hostname Cisco2610-1

Disable IP domain lookup (stops the router trying to resolve a mistyped command as a hostname and hanging while it does so)

Cisco2610-1(config)#no ip domain-lookup

Setting up VLANs

Creating VLANs on older switches using the VLAN database

S2950-1#vlan database
S2950-1(vlan)#vlan 10 name VOICE
VLAN 10 modified:
    Name: VOICE
S2950-1(vlan)#vlan 20 name DATA
VLAN 20 added:
    Name: DATA

Creating and naming the VLANs

switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#vlan 2
switch(config-vlan)#name sales
switch(config-vlan)#end
switch#

switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#vlan 3
switch(config-vlan)#name marketing
switch(config-vlan)#end
switch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Gi0/1
2    sales                            active
3    marketing                        active

Assigning an IP address to a VLAN (the switch virtual interface for that VLAN)

Site4Switch(config)#interface vlan 2
Site4Switch(config-if)#ip address 192.0.1.30 255.255.255.128

Assigning ports to the VLANs

switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#interface fastethernet0/1
switch(config-if)#switchport access vlan 2
switch(config-if)#end
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#interface fastethernet0/4
switch(config-if)#switchport access vlan 3

Assigning a range of ports

Switch(config)#interface range fa0/16-24
Switch(config-if-range)#switchport access vlan 2

Configuring a router to use subinterfaces for separate VLANs (router on a stick). Set the 802.1Q encapsulation on each subinterface before its IP address; IOS rejects an IP address on a subinterface that has no VLAN encapsulation yet

Router(config)#interface fa0/0
Router(config-if)#no shutdown

Router(config)#interface fa0/0.1
Router(config-subif)#encapsulation dot1q 1
Router(config-subif)#ip address 10.1.1.1 255.255.255.0

Router(config)#interface fa0/0.2
Router(config-subif)#encapsulation dot1q 2
Router(config-subif)#ip address 10.1.2.1 255.255.255.0

Router(config)#interface fa0/0.3
Router(config-subif)#encapsulation dot1q 3
Router(config-subif)#ip address 10.1.3.1 255.255.255.0

Configure the switch interface connected to the router (on switches that also support ISL the encapsulation must be chosen before the port can be forced to trunk; switches that only do 802.1Q do not accept the encapsulation command at all)

Switch(config)#interface fa0/24
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk

Mark one subinterface as the native VLAN, i.e. the VLAN whose frames cross the trunk untagged. It must match the native VLAN on the switch end (VLAN 1 by default on both, so the example below is what the switch expects). Because untagged frames are what makes double-tagging VLAN hopping work, production trunks normally use an otherwise unused VLAN as native rather than VLAN 1

Router(config)#interface fa0/0.1
Router(config-subif)#encapsulation dot1q 1 native

Configuring Trunking between Switches

Changing an interface to become a trunk. switchport mode trunk forces the port to trunk; the far end can be left at its default (dynamic auto) and DTP will bring it up as a trunk too, which is why only one side strictly needs configuring. switchport mode dynamic desirable instead actively asks the neighbour to trunk. Leaving trunk formation to DTP is also what lets a host on an access port negotiate a trunk with the switch (switch spoofing), so on production switches set switchport mode trunk on both ends, turn DTP off with switchport nonegotiate, and make every user-facing port an access port

Switch(config)#interface fa0/3
Switch(config-if)#switchport mode trunk

or

Switch(config-if)#switchport mode dynamic desirable

Checking which interfaces are trunking

Switch#show interface trunk

Checking the switchport status of interfaces

Switch#show interface switchport

or

Switch#show interface fa0/3 switchport

Removing a VLAN from a trunk (this needs doing on each switch; pruning VLANs that a trunk does not need limits how far a compromised VLAN can reach)

AccessLayerSwitch2(config)#interface range g1/1-2
AccessLayerSwitch2(config-if-range)#switchport trunk allowed vlan remove 4

AccessLayerSwitch2#show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Gig1/1      on           802.1q         trunking      1
Gig1/2      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gig1/1      1-3,5-1005
Gig1/2      1-3,5-1005

Disabling trunking on an interface

switch(config)#interface fa0/1
switch(config-if)#switchport mode access

or (keeps the port's current mode but stops it sending or answering DTP)

switch(config-if)#switchport nonegotiate

Changing the encapsulation a trunk uses (most switches only support 802.1Q and so don't accept these commands)

Switch(config-if)#switchport trunk encapsulation isl

or

Switch(config-if)#switchport trunk encapsulation negotiate

Configuring VTP between two Switches

Switch1 - server mode configuration

Switch1(config)#vtp mode server
Switch1(config)#vtp domain test
Switch1(config)#vtp password test
Switch1(config)#vtp version 2

Switch2 - client mode configuration

Switch2(config)#vtp mode client
Switch2(config)#vtp domain test
Switch2(config)#vtp password test
Switch2(config)#vtp version 2

Switch3 - transparent mode configuration (keeps its own VLAN database and only forwards VTP advertisements; this is what to use if you do not want a switch to accept VLAN changes from the network)

Switch3(config)#vtp mode transparent

Enabling VTP pruning

Switch(config)#vtp pruning

Checking a switch's VTP status

Switch#show vtp status

Checking the VTP password

Switch#show vtp password

Resetting the revision number of a switch before adding it to a VTP domain. A switch whose VLAN database carries a higher revision number than the rest of the domain overwrites their VLAN databases as soon as it joins, even as a client, so always reset it first. The VTP password only stops a switch that does not know it; a second-hand switch from the same domain still carries both the password and a possibly higher revision. Switching to transparent and back resets the revision to 0

Switch(config)#vtp mode transparent
Switch(config)#vtp mode server

Spanning Tree Protocol

Debug spanning tree

SW1#debug spanning-tree events

Displaying spanning tree information for all VLANs

SW1#show spanning-tree

Displaying spanning tree information for a VLAN

SW1#show spanning-tree vlan 3

Changing the cost of an interface

SW1(config)#interface Fa0/17
SW1(config-if)#spanning-tree cost 2

Changing the cost of an interface for a specific VLAN only

SW1(config)#interface Fa0/17
SW1(config-if)#spanning-tree vlan 3 cost 2

Making the switch the primary root. The root primary macro sets the priority just low enough to beat the current root. With PVST+/Rapid PVST+ on Catalyst IOS the command takes a VLAN list, which can be one VLAN or a range such as vlan 1-4094; forms without the vlan keyword are not accepted in that mode

SW1(config)#spanning-tree vlan 3 root primary

Making the switch the secondary root (takes over if the primary root fails)

SW1(config)#spanning-tree vlan 3 root secondary

Setting the priority directly to make the switch the root for a VLAN. The priority must be a multiple of 4096 (0 to 61440); IOS rejects a value such as 1000. Whatever the method, a switch an attacker controls can win the root election with priority 0, so protect the edge with BPDU Guard (below) and Root Guard on ports that must never see a better root

SW1(config)#spanning-tree vlan 3 priority 4096

Display root switch information per VLAN

SW1#show spanning-tree root

Display the bridge ID for a VLAN on this switch

SW1#show spanning-tree vlan 3 bridge id

Enabling PortFast on a range of interfaces (end-host access ports only; never on a port that can reach another switch)

SW1(config)#interface range fa0/1-2
SW1(config-if-range)#spanning-tree portfast

Enabling BPDU Guard on an interface (err-disables the port if a BPDU arrives, so a switch plugged into a user port cannot take part in spanning tree; pair it with PortFast on every access port)

SW1(config)#interface range fa0/1-2
SW1(config-if-range)#spanning-tree bpduguard enable

Checking PortFast and BPDU Guard configuration on an interface

SW1#show running-config

Enabling EtherChannel (configure on both switches; either use mode on at both ends, or let PAgP negotiate with desirable at one end and auto or desirable at the other)

Switch(config)#interface gi3/1
Switch(config-if)#channel-group 1 mode on
Switch(config-if)#exit
Switch(config)#interface gi4/1
Switch(config-if)#channel-group 1 mode on

Show EtherChannel information

Switch#show etherchannel summary

Enabling Rapid PVST+ (RSTP running per VLAN)

SW1(config)#spanning-tree mode rapid-pvst

Enabling PVST+ (the default on Catalyst switches)

SW1(config)#spanning-tree mode pvst

Enabling MST

SW1(config)#spanning-tree mode mst

Copying Config Between Devices

Copying from another device

1. Do a show run command on the source device
2. Highlight the config you want to copy
3. Select copy
4. Go to the destination device
5. Enter global configuration mode
6. Right click and select paste

Copying from Notepad

1. Highlight the text you want to copy
2. Select copy
3. Go to the destination device
4. Enter global configuration mode
5. Right click and select paste

Troubleshooting (Chapter 10)

Cisco Discovery Protocol (CDP)

Enable CDP

switch(config)#cdp run

Disable CDP on the switch (enabled by default). CDP advertises the device's hostname, platform, IOS version and management address to whatever is plugged in, so disable it on ports that face users or untrusted networks and keep it only where the neighbour information is actually used (IP phones, uplinks)

Switch(config)#no cdp run

Disable CDP on an interface

Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fa0/1
Switch(config-if)#no cdp enable

Changing the timer and holdtime values

Switch(config)#cdp timer 90
Switch(config)#cdp holdtime 240

List one summary line for each neighbour

Switch#show cdp neighbors

List detailed information on each neighbour

Switch#show cdp neighbors detail

List detailed information for a single device

Switch#show cdp entry switchname

Show whether CDP is enabled and the timer values

Switch#show cdp

Show whether CDP is enabled on each interface

Switch#show cdp interface

List CDP statistics

Switch#show cdp traffic

Show Commands for the Interfaces

Displays information on status, speed and duplex

Switch#show interfaces status

Displays basic information

Switch#show ip interface brief

Show the interfaces and their descriptions

Switch#show interfaces description

Displays info on the VLANs and which interfaces have been assigned to them

Switch#show vlan

MAC Address Table Commands (show mac-address-table on older IOS; newer IOS spells it show mac address-table)

switch#show mac-address-table

switch#show mac-address-table static (displays only static addresses)

switch#show mac-address-table dynamic (displays only dynamically learned addresses)

S3500XL-1#show mac-address-table
Dynamic Address Count:               2
Secure Address Count:                0
Static Address (User-defined) Count: 0
System Self Address Count:           51
Total MAC addresses:                 53
Maximum MAC addresses:               8192
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0004.277f.0000       Dynamic       1     FastEthernet0/6
0007.e918.d07b       Dynamic       1     FastEthernet0/12
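The "Maximum MAC addresses: 8192" line above is the number an attacker targets with MAC flooding: once the table is full the switch floods unknown unicast out of every port and a host on an access port can sniff traffic that should not reach it. Port security's maximum setting (10 on the example port earlier) is the configured defence; the block below is an added example, not from the cheat sheet, showing the detection side: it parses both MAC table layouts on this page and reports ports that have learned more addresses than an access port should. The sample table is constructed for the example.

```python
# Added example, not from the original cheat sheet: turning MAC table output
# into a check for CAM-table flooding, the attack port security's "maximum"
# setting exists to stop. Parses both layouts shown on this page
# (old: address, type, VLAN, port; newer: VLAN, address, type, port).
# The sample table is constructed for the example.
import re
from collections import Counter

MAC_ROW = re.compile(
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>dynamic|static|secure)\b.*?"
    r"(?P<port>(?:Fa|Gi|Te|FastEthernet|GigabitEthernet|Port-channel|Po)\d\S*)",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return (mac, type, port) for every address row, ignoring headers and counters."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.search(line)
        if m:
            rows.append((m["mac"].lower(), m["type"].lower(), m["port"]))
    return rows


def dynamic_macs_per_port(rows):
    return Counter(port for _, kind, port in rows if kind == "dynamic")


def flooded_ports(rows, max_allowed=10):
    """Ports with more learned MACs than the port-security maximum used on this page."""
    return sorted((p, n) for p, n in dynamic_macs_per_port(rows).items() if n > max_allowed)


def _build_sample():
    rows = [
        "          Mac Address Table",
        "-------------------------------------------",
        "Vlan    Mac Address       Type        Ports",
        "----    -----------       --------    -----",
        "   1    0004.277f.0000    DYNAMIC     Fa0/6",
        "   1    0013.c412.0f0d    STATIC      Fa0/1",
    ]
    for i in range(40):  # 40 forged source MACs seen on one access port
        rows.append(f"   1    0200.{i:04x}.{(i * 7919) & 0xFFFF:04x}    DYNAMIC     Fa0/12")
    rows.append("Total Mac Addresses for this criterion: 42")
    return "\n".join(rows)


SAMPLE_TABLE = _build_sample()

if __name__ == "__main__":
    for port, count in flooded_ports(parse_mac_table(SAMPLE_TABLE)):
        print(f"{port}: {count} dynamic MACs, expected a handful on an access port")
```

Scheduled against show mac address-table output from the access switches, this is a cheap early warning; the fix remains port security with a sensible maximum on every access port.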

Enabling Debug Messages (debug output is generated by the CPU and sent to the console; debug ip packet on a busy router can make it unresponsive, so use it in a lab or narrow it with an access list, and turn debugging off with undebug all when done)

See the available list of debug messages

Router#debug ?

Enabling debug for IP packets

Router#debug ip packet

Enabling debug for ICMP

Router#debug ip icmp

Enabling debug for NAT

Router#debug ip nat

Enabling debug for RIP

Router#debug ip rip

Enabling debug for the routing table

Router#debug ip routing

Disabling debug for IP packets

Router#no debug ip packet

Operating Cisco Routers (Chapter 13)

Display routing information

router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSS
A external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR, P - periodic downloaded static route
       T - traffic engineered route

Gateway of last resort is 10.1.100.252 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
S       10.1.2.0/24 [1/0] via 10.1.128.252
R       10.1.129.0/24 [120/1] via 10.1.130.252, 00:00:15, Serial0/1/0
S       10.1.3.0/24 [1/0] via 10.1.130.252
R       10.2.1.0/24 [120/1] via 10.1.130.252, 00:00:15, Serial0/1/0
C       10.1.1.0/24 is directly connected, FastEthernet0/0
C       10.1.100.0/24 is directly connected, FastEthernet0/1
R       10.1.4.0/24 [120/1] via 10.1.100.252, 00:00:15, FastEthernet0/1
S       10.1.1.0/8 [1/1] via 10.1.129.253
C       10.1.130.0/24 is directly connected, Serial0/1/0
C       10.1.128.0/24 is directly connected, Serial0/0/1
S*   0.0.0.0 [1/0] via 10.1.100.252

Displaying link and protocol status commands

router#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.1.1.251      YES manual up                    up
FastEthernet0/1        10.1.100.251    YES manual up                    up
Serial0/0/0            unassigned      YES unset  administratively down down
Serial0/0/1            10.1.128.251    YES manual up                    up
Serial0/1/0            10.1.130.251    YES manual up                    up
Serial0/1/1            unassigned      YES unset  administratively down down

router#show protocols
Global values:
  Internet protocol routing is enabled
Serial0/0/0 is administratively down, line protocol is down
Serial0/0/1 is up, line protocol is up
  Internet address is 10.1.128.251/24
Serial0/1/0 is up, line protocol is up
  Internet address is 10.1.130.251/24
Serial0/1/1 is administratively down, line protocol is down
FastEthernet0/0 is up, line protocol is up
  Internet address is 10.1.1.251/24
FastEthernet0/1 is up, line protocol is up
  Internet address is 10.1.100.251/24

Displaying link and protocol status for a single interface

router#show protocols fa0/0

router#show interfaces

FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 00b0.94e0.7388 (bia 00b0.94e0.7388)
  Internet address is 10.1.1.251/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:50, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 0 packets/sec
     588 packets input, 74628 bytes
     Received 588 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast
     0 input packets with dribble condition detected
     231 packets output, 53712 bytes, 0 underruns
 --More--

Clock and Bandwidth Commands (clock rate only applies on the DCE end of a serial link; bandwidth, in kbit/s, is an input to routing-protocol metrics and does not change the line speed)

router>enable
router#config t
Enter configuration commands, one per line. End with CNTL/Z
router(config)#interface serial0/0/1
router(config-if)#clock rate 128000
router(config-if)#bandwidth 64

Displaying clock rate and bandwidth settings

router#show controllers serial0/0/1
Interface Serial0/0/1
Hardware is GT96K
DCE V.35, clock rate 128000
idb at 0x454E69C8, driver data structure at 0x454EE0EC

router#show running-config
interface Serial0/0/1
 bandwidth 64
 ip address 10.1.128.251 255.255.255.0
 no ip directed-broadcast

Backing up and Restoring IOS Images and Configuration Files

TFTP carries everything in clear text with no authentication, so anyone on the path can read the configuration (including its type 7 passwords) or hand back a modified image. Run the TFTP server on a management network only for the duration of the copy, or use SCP/SFTP where the IOS supports it, and check a downloaded image against the MD5/SHA hash Cisco publishes for it before booting from it.

Backup the IOS image

Switch#copy flash tftp
Source filename []? c2960-lanbase-mz.122-25.FX.bin
Address or name of remote host []? 10.0.0.1
Destination filename [c2960-lanbase-mz.122-25.FX.bin]? Router-A-IOS

Backing up the startup configuration

Switch#copy startup-config tftp
Address or name of remote host []? 10.0.0.1
Destination filename [Switch-confg]? Router-A-Startup-Config

Restoring or updating the IOS version

Router#copy tftp flash
Address or name of remote host []? 10.0.0.1
Source filename []? c4500-d-mz.120-5.bin
Destination filename [c4500-d-mz.120-5.bin]?

Restoring the startup configuration

Switch#copy tftp startup-config
Address or name of remote host []? 10.0.0.5
Source filename []? Router-A-Startup-Config
Destination filename [startup-config]?

Deleting a flash image (press Enter at the filename prompt to accept the default; typing y there makes IOS look for a file called y)

Switch#delete flash:c2960-lanbase-mz.122-25.FX.bin
Delete filename [c2960-lanbase-mz.122-25.FX.bin]?
Delete flash:/c2960-lanbase-mz.122-25.FX.bin? [confirm]

Display the files in flash memory

Switch#dir flash:

Checking the current IOS version and flash memory status

Router#show flash
-#- --length-- -----date/time------ path
1   36232088   Feb 13 2007 23:15:58 +00:00 c2800nm-advipservicesk9-mz.124-12.bin

18468864 bytes available (45547520 bytes used)

Setting the configuration register to boot into ROMMON. The register is also what password recovery relies on: from ROMMON a 0x2142 setting boots the router without its startup config, so anyone with console access can take the device over. Treat physical console access as administrative access and lock the console accordingly

router(config)#config-register 0x2100

Setting the configuration register to load the first image in flash, ignoring boot system commands

router(config)#config-register 0x2101

Setting the configuration register to load using the image specified by the boot system commands (boot field values 2 through F all behave this way)

router(config)#config-register 0x2102 (default setting)

or

router(config)#config-register 0x210F

Boot system commands - load the first file from flash

router(config)#boot system flash

Boot system commands - load the IOS with the name filename from flash memory

router(config)#boot system flash filename

Boot system commands - load the IOS with the name filename from a TFTP server

router(config)#boot system tftp filename 10.0.0.1

Routing Protocols (Chapter 14)

Enabling RIP v2

router(config)#router rip
router(config-router)#version 2
router(config-router)#network 10.0.0.0
router(config-router)#network 172.1.0.0

Display routes learnt by RIP

router#show ip route rip

Display information about RIP, including the addresses of neighbouring RIP routers

router#show ip protocols

Display the mask in dotted decimal rather than prefix length in show ip route

router#terminal ip netmask-format decimal

Adding a static route using an IP address for the next hop (give the network address for the mask; IOS rejects a host address such as 172.16.30.1 with a /24 mask as an inconsistent address and mask)

router(config)#ip route 172.16.30.0 255.255.255.0 10.1.128.251

Adding a static route using the interface as the outgoing port

router(config)#ip route 192.168.30.0 255.255.255.0 serial0/1/0

Extended ping (enter y when prompted for extended commands)

router#ping
Protocol [ip]:
Target IP address: 172.1.0.150
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.0.0.1

Exiting out of a ping or traceroute command

Press Ctrl+Shift+6

Adding a default route

router(config)#ip route 0.0.0.0 0.0.0.0 10.2.128.1

or

router(config)#ip default-network 10.0.0.0

Removing a default route

router(config)#no ip route 0.0.0.0 0.0.0.0 10.2.128.1

Setting RIP to debug

router#debug ip rip

Disabling RIP debug

router#undebug all

Show processes to check CPU usage

router#show processes cpu

Adding timestamps to debug messages

router(config)#service timestamps debug

Adding timestamps to log messages (combined with a clock synced by NTP, this is what makes router logs usable as evidence when reconstructing an incident)

router(config)#service timestamps log

Enabling classful routing (use to test the behaviour of a default route)

router(config)#no ip classless

Configuring manual summarisation (this form is for EIGRP autonomous system 1; RIP v2 has the equivalent ip summary-address rip interface command)

router(config)#interface s0/0
router(config-if)#ip summary-address eigrp 1 172.0.0.0 255.255.0.0

Disable auto-summarisation (only classless routing protocols have it, and OSPF never auto-summarises so has no such command)

router(config)#router rip
router(config-router)#no auto-summary

Troubleshooting IP Routing (Chapter 15)

Display a router's ARP cache

router#show ip arp

Display routes for connected interfaces

router#show ip route connected

Telnet and suspend

Telnet to the first router, then telnet from the first router to the second. Press Ctrl+Shift+6 then x to suspend the session and return to the first router.

show sessions (or where) displays the list of suspended sessions; the one marked with an * is the most recently used.
resume 1 takes you to session 1 (typing just 1 and pressing Enter does the same).
resume on its own returns to the most recently suspended session, the one with the *.
disconnect 1 disconnects session number 1.

A suspended session is still logged in on the far router, so disconnect sessions you are finished with rather than leaving them parked behind an unattended terminal.

Additional Commands

Configuring a DHCP Pool

BGRouter(config)#ip dhcp pool SalesNetwork
BGRouter(dhcp-config)#network 10.0.0.0 255.255.0.0
BGRouter(dhcp-config)#default-router 10.0.0.1
BGRouter(dhcp-config)#dns-server 172.16.0.2
BGRouter(dhcp-config)#exit
BGRouter(config)#ip dhcp excluded-address 10.0.0.1 10.0.0.10

Show information about leased DHCP addresses

BGRouter#show ip dhcp binding

Configuring DHCP Pools for multiple VLANs

1. Create two VLANs on the switch
2. Give each VLAN an IP address
3. Connect the router to the switch using two cables, one for each VLAN
4. Give each router interface an IP address
5. Assign each switch interface to its VLAN

The network statement takes the network address of the subnet. The gateway and any other static addresses that sit inside a pool must be excluded or the pool will hand them out to clients

BGRouter2(config)#ip dhcp pool Sales
BGRouter2(dhcp-config)#network 192.0.1.0 255.255.255.224
BGRouter2(dhcp-config)#default-router 192.0.1.29
BGRouter2(dhcp-config)#dns-server 192.168.1.30
BGRouter2(dhcp-config)#exit
BGRouter2(config)#ip dhcp excluded-address 192.0.1.29 192.0.1.30

BGRouter2(config)#ip dhcp pool Marketing
BGRouter2(dhcp-config)#network 192.0.1.32 255.255.255.224
BGRouter2(dhcp-config)#default-router 192.0.1.62
BGRouter2(dhcp-config)#dns-server 192.168.1.2
BGRouter2(dhcp-config)#exit
BGRouter2(config)#ip dhcp excluded-address 192.0.1.61 192.0.1.62

Configuring NAT/PAT (the routers need routes to each other first, for example via the dynamic routing configured earlier)

BGRouter(config)#interface fa0/0
BGRouter(config-if)#ip nat inside
BGRouter(config-if)#exit
BGRouter(config)#interface s0/0
BGRouter(config-if)#ip nat outside
BGRouter(config-if)#exit
BGRouter(config)#access-list 1 permit 10.0.0.11
BGRouter(config)#access-list 1 permit 10.0.0.12
BGRouter(config)#ip nat pool SalesPool 198.18.194.73 198.18.194.78 netmask 255.255.255.248
BGRouter(config)#ip nat inside source list 1 pool SalesPool overload
BGRouter(config)#exit

You'll need to add a route back to the 198.18.194.0 address range from the ISP router

ISP(config)#ip route 198.18.194.0 255.255.255.0 172.16.0.2

Configuring NAT to allow any address in the 192 range to use NAT (the wildcard 0.255.255.255 matches every address whose first octet is 192; this access list decides which inside hosts may be translated, so in practice keep it as narrow as the real inside subnet)

router(config)#access-list 1 permit 192.0.1.0 0.255.255.255

NAT show commands

BGRouter#show ip nat statistics
Total translations: 2 (0 static, 2 dynamic, 2 extended)
Outside Interfaces: Serial0/0
Inside Interfaces: FastEthernet0/0
Hits: 17  Misses: 1025
Expired translations: 7
Dynamic mappings:
-- Inside Source
access-list 1 pool SalesPool refCount 2
 pool SalesPool: netmask 255.255.255.248
        start 198.18.194.73 end 198.18.194.78
        type generic, total addresses 6, allocated 1 (16%), misses 0

BGRouter#show ip nat translations
Pro  Inside global         Inside local        Outside local       Outside global
icmp 198.18.194.73:21     10.0.0.11:21        192.168.0.2:21      192.168.0.2:21
icmp 198.18.194.73:22     10.0.0.11:22        192.168.0.2:22      192.168.0.2:22
icmp 198.18.194.73:23     10.0.0.11:23        192.168.0.2:23      192.168.0.2:23
icmp 198.18.194.73:24     10.0.0.11:24        192.168.0.2:24      192.168.0.2:24
icmp 198.18.194.73:5      10.0.0.12:5         192.168.0.2:5       192.168.0.2:5
icmp 198.18.194.73:6      10.0.0.12:6         192.168.0.2:6       192.168.0.2:6
icmp 198.18.194.73:7      10.0.0.12:7         192.168.0.2:7       192.168.0.2:7
icmp 198.18.194.73:8      10.0.0.12:8         192.168.0.2:8       192.168.0.2:8
udp  198.18.194.73:1036   10.0.0.11:1036      192.168.0.2:53      192.168.0.2:53
udp  198.18.194.73:1026   10.0.0.12:1026      192.168.0.2:53      192.168.0.2:53
udp  198.18.194.73:1027   10.0.0.12:1027      192.168.0.2:53      192.168.0.2:53
tcp  198.18.194.73:1025   10.0.0.11:1025      192.168.0.2:80      192.168.0.2:80
tcp  198.18.194.73:1024   10.0.0.12:1025      192.168.0.2:80      192.168.0.2:80

Configuring MTU Size

Sets the MTU for all layer 3 protocols on the interface

Router1(config)#interface s0/0
Router1(config-if)#mtu 1280

or

Sets the MTU for IP only

Router1(config)#interface s0/0
Router1(config-if)#ip mtu 1280

Removing the MTU setting (returns the interface to its default)

Router1(config-if)#no mtu

Standard Access Control Lists (ACLs)

Display all ACLs on a routerR1#show access-lists

Display a specific ACL by number R1#show access-lists 1

Display a specific ACL by nameR1#show access-lists Test

Block inbound traffic based on an IP addressR1(config)#interface s0/0R1(config-if)#ip access-group 1 inR1(config-if)#exitR1(config)#access-list 1 remark stop all inbound traffic from source IP 10.1.1.2R1(config)#access-list 1 deny 10.1.1.2 0.0.0.0R1(config)#access-list 1 permit 0.0.0.0 255.255.255.255

or

R1(config)#interface fa0/0R1(config-if)#ip access-group 1 inR1(config-if)#exitR1(config)#access-list 1 deny 10.1.1.2R1(config)#access-list 1 permit any

or

R1(config)#interface fa0/0
R1(config-if)#ip access-group 1 in
R1(config-if)#exit
R1(config)#ip access-list standard 1
R1(config-std-nacl)#deny 10.1.1.2
R1(config-std-nacl)#permit any

Block outbound traffic based on an IP address
R2(config)#interface fa0/0
R2(config-if)#ip access-group 1 out
R2(config-if)#exit
R2(config)#access-list 1 remark stop all inbound traffic from source IP 10.1.3.2
R2(config)#access-list 1 deny 10.1.3.2 0.0.0.0
R2(config)#access-list 1 permit 0.0.0.0 255.255.255.255

Extended ACLs

Block any IP packet from any source address to destination IP address 10.1.4.4
R3(config-if)#ip access-group 100 out
R3(config-if)#exit
R3(config)#access-list 100 deny ip any host 10.1.4.4
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255

Block IP packets from 10.1.1.2 to destination address 10.1.4.4
R3(config)#access-list 100 deny ip host 10.1.1.2 host 10.1.4.4
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255

Block tcp packets for destination IP 10.1.3.4 and destination port 21 (a port match such as eq 21 is only valid with tcp or udp, not ip)
R3(config)#access-list 100 deny tcp any host 10.1.4.3 eq 21
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255

or

R3(config)#access-list 100 deny tcp any host 10.1.4.3 eq ftp
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255

Block tcp packets with a source port greater than 1023 and a source IP 10.1.4.1 and port of 21


R3(config)#access-list 100 deny tcp any gt 1023 host 10.1.4.3 eq 21
R3(config)#access-list 100 permit ip any 0.0.0.0 255.255.255.255

Allow tcp packets from 10.1.1.0 network to connect to destination 10.1.4.3 on port 21
R3(config)#access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 10.1.4.3 eq 21

Multiple ACL entries (routers evaluate ACL entries top-down in the order they were entered, and the first match wins. If the last entry below had been entered first, none of the others would ever be matched, because it permits all traffic. The same applies to the first entry: if it were entered after the third, the third would already have denied that FTP traffic and the first would never take effect)
R3(config)#access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 10.1.4.3 eq 21
R3(config)#access-list 100 deny ip any host 10.1.4.4
R3(config)#access-list 100 deny tcp any host 10.1.4.3 eq ftp
R3(config)#access-list 100 permit ip any any

Named ACLs (these can be used for standard and extended ACLs)

Block inbound IP packets from 10.1.1.2 to destination address 10.1.1.1
R1(config)#ip access-list extended BlockInbound1
R1(config-ext-nacl)#deny ip host 10.1.2.1 host 10.1.1.1
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#interface fa0/0
R1(config-if)#ip access-group BlockInbound1 out

Block all outbound traffic from 10.1.1.3 out one interface on a router
R1(config)#ip access-list extended BlockOutbound1
R1(config-ext-nacl)#deny ip host 10.1.1.3 any
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#interface s0/1
R1(config-if)#ip access-group BlockOutbound1 out

Block all inbound traffic to 10.1.4.4 & block all ftp traffic to 10.1.4.3 apart from devices on the 10.1.1.0 network
R3(config)#ip access-list extended BlockInbound1
R3(config-ext-nacl)#deny ip any host 10.1.4.4
R3(config-ext-nacl)#permit tcp 10.1.1.0 0.0.0.255 host 10.1.4.3 eq ftp
R3(config-ext-nacl)#deny tcp any host 10.1.4.3 eq ftp
R3(config-ext-nacl)#permit ip any any
R3(config-ext-nacl)#exit
R3(config)#interface fa1/0
R3(config-if)#ip access-group BlockInbound1 out


Manipulating ACLs Using Sequence Numbers (works on IOS 12.3 or later and doesn't work in Packet Tracer)

Create Access List (notice the sequence numbers in the show command output)
R1(config)#ip access-list standard 1
R1(config-std-nacl)#deny 10.1.2.0 0.0.255.255
R1(config-std-nacl)#deny 10.2.3.0 0.0.255.255
R1(config-std-nacl)#permit any
R1(config-std-nacl)#exit
R1(config)#do show access-list 1
Standard IP access list 1
    10 deny   10.1.0.0, wildcard bits 0.0.255.255
    20 deny   10.2.0.0, wildcard bits 0.0.255.255
    30 permit any

Adding a new entry between sequence number 20 & 30
R1(config)#ip access-list standard 1
R1(config-std-nacl)#25 deny 10.3.0.0 0.0.255.255
R1(config-std-nacl)#do show access-list
Standard IP access list 1
    10 deny   10.1.0.0, wildcard bits 0.0.255.255
    20 deny   10.2.0.0, wildcard bits 0.0.255.255
    25 deny   10.3.0.0, wildcard bits 0.0.255.255
    30 permit any

Removing an entry
R1(config-std-nacl)#no 20
R1(config-std-nacl)#do show access-list
Standard IP access list 1
    10 deny   10.1.0.0, wildcard bits 0.0.255.255
    25 deny   10.3.0.0, wildcard bits 0.0.255.255
    30 permit any
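The first-match rule from the "Multiple ACL entries" section and the sequence-number editing shown just above can both be checked with a small evaluator. This is an added example written for this page, not Cisco IOS code or output; the Entry/AccessList names, the (address, wildcard) tuples and the acl_100() builder, which mirrors the four-entry ACL 100 from the "Multiple ACL entries" section, are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' is shorthand for 0.0.0.0 255.255.255.255

def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, p, w = (int(ipaddress.IPv4Address(x)) for x in (addr, pattern, wildcard))
    return ((a ^ p) & ~w) == 0

@dataclass
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches every protocol, else tcp/udp/icmp
    src: Tuple[str, str] = ANY   # (address, wildcard) exactly as typed in IOS
    dst: Tuple[str, str] = ANY
    dport: Optional[int] = None  # 'eq <port>' on the destination; None = any port

@dataclass
class AccessList:
    entries: list = field(default_factory=list)

    def add(self, e: Entry) -> None:
        # Like '<seq> permit|deny ...' in the ACL submode: the entry lands at
        # its sequence position, not at the end of the list.
        self.entries = sorted(self.entries + [e], key=lambda x: x.seq)

    def remove(self, seq: int) -> None:
        # Like 'no <seq>' in the ACL submode.
        self.entries = [x for x in self.entries if x.seq != seq]

    def evaluate(self, proto: str, src: str, dst: str, dport: Optional[int] = None):
        # Top-down, first match wins; no match falls into the implicit deny (seq None).
        for e in self.entries:
            if e.proto != "ip" and e.proto != proto:
                continue
            if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
                continue
            if e.dport is not None and e.dport != dport:
                continue
            return e.action, e.seq
        return "deny", None

def acl_100() -> AccessList:
    """The extended ACL 100 from the 'Multiple ACL entries' section, seq 10..40."""
    acl = AccessList()
    acl.add(Entry(10, "permit", "tcp", ("10.1.1.0", "0.0.0.255"), ("10.1.4.3", "0.0.0.0"), 21))
    acl.add(Entry(20, "deny", "ip", ANY, ("10.1.4.4", "0.0.0.0")))
    acl.add(Entry(30, "deny", "tcp", ANY, ("10.1.4.3", "0.0.0.0"), 21))
    acl.add(Entry(40, "permit", "ip", ANY, ANY))
    return acl
```

Inserting a permit-all entry at sequence 5 shadows every later entry, which is exactly the ordering pitfall the section warns about; removing it with remove(5) restores the intended behaviour.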

Stopping Access to VTY Lines (telnet, ssh)

R2(config)#line vty 0 15
R2(config-line)#access-class 3 in
R2(config-line)#exit
R2(config)#access-list 3 deny any