Important Cisco IOS commands needed to pass the CCNA exam (plus a few other practical ones, marked with “FYI”). Author: Herbert Haas, Version: 0x01. Get the latest version from http://www.perihel.at/dcom
Basic IOS Commands

Initial Commands
! Enter enable mode (in Unix terms: "gain root access")
# enable
! Check IOS version, HW resources, and configuration register
# show version
! Enter global config mode for nearly all configuration commands
! that affect the router or switch as a whole. The short form is:
# conf t
! Set the session timeout (in minutes and seconds; '0 0' means never
! time out - fine in the lab, but in production keep a short timeout
! so an unattended console does not stay logged in). As example for
! the console port:
(config)# line console 0
(config-line)# exec-timeout 0 0
! Keep syslog messages from interrupting the command you are typing
! (the prompt and your input are reprinted after each message):
(config)# line console 0
(config-line)# logging synchronous
! If you hate syslog messages on the console:
(config)# no logging console
! If you also want syslog messages on a vty session (exec command,
! valid for the current session only):
# terminal monitor
! It is recommended to use a login banner:
(config)# banner login %
***********************************
* Go away - every move is logged! *
***********************************
%
! Disable DNS lookups (otherwise every mistyped command is resolved
! as a hostname and the CLI hangs until the lookup times out)
(config)# no ip domain-lookup
! Configure "local" usernames and passwords
(config)# username wolfgang password aMaDeUs
! The same with "type-5" (salted MD5 hash) secrets
(config)# username carl secret p.EmAnUeL99
! Obscure plaintext passwords in the running config
! Note: this is the reversible "type-7" algorithm. It hides passwords
! from shoulder surfers, but anyone holding a copy of the config can
! recover them instantly, so treat type-7 strings as plaintext.
! Prefer "secret" (type-5, salted MD5) wherever the command allows it.
(config)# service password-encryption
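To see why the type-7 note above matters, here is an added Python decoder (not part of the original cheat sheet, not Cisco code). Type 7 is an XOR against a fixed key that is compiled into every IOS image and has been public for decades; the two leading digits are an offset into that key. The block also scans a running-config for `password 7` lines, which is the check an auditor runs on every config dump. The sample config is constructed from the `username` lines above; the `$1$...` type-5 hash in it is a placeholder, not a real hash, and the seed values chosen for encoding are arbitrary.

```python
"""Decoder for Cisco "type 7" strings, the output of 'service
password-encryption'.  Added example, not Cisco code: it shows why the page
calls the scheme weak.  Type 7 is a fixed-key XOR with a constant that is built
into every IOS image and has long been public: the first two digits are a
decimal offset into that key, every following pair of hex digits is one
plaintext byte XORed with the next key byte.  No secret is involved, so anyone
who can read a config can recover the passwords instantly."""
import re

KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # the well-known IOS constant


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string, e.g. '070C285F4D06' -> 'cisco'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of hex digits, at least 4")
    seed = int(encoded[:2], 10)                 # starting offset into KEY
    body = bytes.fromhex(encoded[2:])
    return bytes(c ^ KEY[(seed + i) % len(KEY)] for i, c in enumerate(body)).decode()


def type7_encode(plain: str, seed: int = 0) -> str:
    """Produce what 'service password-encryption' stores (IOS picks a seed 0-15 itself)."""
    if not 0 <= seed < len(KEY):
        raise ValueError("seed out of range")
    body = bytes(c ^ KEY[(seed + i) % len(KEY)] for i, c in enumerate(plain.encode()))
    return f"{seed:02d}{body.hex().upper()}"


# Matches 'password 7 <hex>' and 'key 7 <hex>' wherever they occur on a config line.
TYPE7_LINE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\b")


def recover_type7_from_config(config: str) -> dict:
    """Audit a running-config: return {stripped line: plaintext} for every type 7 credential."""
    found = {}
    for line in config.splitlines():
        m = TYPE7_LINE.search(line)
        if m:
            found[line.strip()] = type7_decode(m.group(1))
    return found


# Constructed sample (not captured from a real device): the username line from
# the page after 'service password-encryption', a vty password, and a type 5
# secret.  Type 5 is a salted MD5 hash (md5crypt); the hash below is a
# placeholder, and type 5 is NOT recoverable this way.
SAMPLE_CONFIG = f"""\
service password-encryption
username wolfgang password 7 {type7_encode("aMaDeUs", 3)}
username carl secret 5 $1$saltsalt$placeholderNotARealHash/
line vty 0 4
 password 7 070C285F4D06
 login
"""

if __name__ == "__main__":
    for line, plain in recover_type7_from_config(SAMPLE_CONFIG).items():
        print(f"{line!r:55} -> {plain}")
```

Run it over any config export before it leaves the device: every `password 7` hit is a credential you must treat as compromised once the file has been shared, and the fix is `secret` (type 5) or, on newer IOS, the scrypt/PBKDF2 `secret` types.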
! Save configuration (new and old style; the old style still works on
! every IOS version)
# copy run start
# write mem
! If serial interfaces are available, check DTE/DCE
# show controllers
! Configure bandwidth (used for metric calculation only, does not
! change the physical rate) and clock rate (physical data rate; only
! on the DCE side)
(config-if)# bandwidth 64
(config-if)# clock rate 64000
! Date and time (use "?" for parameters)
# clock set ...
! Enable timestamps in syslog and debug messages (without them a log
! is useless for reconstructing an incident):
(config)# service timestamps log datetime
(config)# service timestamps debug datetime
CDP
! Which neighbors have been detected?
# show cdp neighbors [detail]
! Examine detailed neighbor parameters (* means all neighbors)
! (e.g. all IP addresses of the neighbor's interfaces are shown)
# show cdp entry *
! Verify statistics and parameters about CDP itself
# show cdp interface
! Caveat: CDP announces platform, IOS version and addresses in clear
! text to anyone listening on the segment. Disable it on ports facing
! untrusted hosts with "no cdp enable" (see the ISDN section) or
! globally with "no cdp run" if nothing depends on it.
Switching Commands

Basics
! VLAN 1 always exists and is the management VLAN by default, i.e.
! the switch's own IP address lives in VLAN 1 unless you configure a
! separate management VLAN. Additionally you might provide a default
! gateway to reach other networks.
(config)# interface vlan 1
(config-if)# ip address 10.1.1.1 255.255.0.0
(config)# ip default-gateway 10.1.9.9
! Let's examine the bridging table
# show mac-address-table
! FYI: Change the switching mode:
(config)# switching-mode {store-and-forward | fragment-free}
! Enter a static MAC address in the table (it never ages out; it is
! part of the running config, so save it if it must survive a reload)
(config)# mac-address-table static 000C.1111.2222 vlan 1 interface fastethernet 0/2
Port Security
! The port must not be in dynamic or trunk mode
(config-if)# switchport mode access
! Enable port security (necessary)
(config-if)# switchport port-security
! Specify the max number of secure MAC addresses; without manual
! entries these are dynamically learned (the default maximum is 1)
(config-if)# switchport port-security maximum 5
! Optionally specify some secure MAC addresses manually
(config-if)# switchport port-security mac-address AAAA.BBBB.CCCC
! Specify the violation action. "shutdown" is the default and the only
! mode that err-disables the port (and sends an SNMP trap / syslog
! message); "restrict" drops offending frames, counts them and sends a
! trap; "protect" drops them silently, so nobody notices the attack.
! An err-disabled port stays down until "shutdown" / "no shutdown" or
! "errdisable recovery cause psecure-violation" is configured.
(config-if)# switchport port-security violation {shutdown | protect | restrict}
! FYI: sticky learning - learned addresses are copied into the
! running-config (then can be explicitly saved via copy run start)
(config-if)# switchport port-security mac-address sticky
! Verify the port-security settings of one port (is it enabled? which
! violation mode? how many violations?)
# show port-security interface fa0/1
! Verify various counters per port (MaxAddr, CurrAddr, violations)
! and actions
# show port-security
! Which MAC addresses have been learned/configured for security?
! (also their ages)
# show port-security address
Spanning Tree
! Since STP configures itself automatically, the verification
! commands are the most important ones
# show spanning-tree
! FYI: Enable (or disable with 'no') STP for a particular VLAN
(config)# [no] spanning-tree vlan 200
! FYI: Change the default priority (32768) for the BID; the value
! must be a multiple of 4096, the lowest BID wins the root election
(config)# spanning-tree vlan 200 priority 4096
! FYI: PortFast on access ports where only hosts reside: the port
! skips the listening and learning states and forwards immediately
! (STP itself stays active). Never use it on ports towards other
! switches, and pair it with "spanning-tree bpduguard enable" so the
! port is err-disabled as soon as a BPDU, i.e. a switch, shows up.
(config-if)# spanning-tree portfast
VLANs
! First create some VLANs on this switch
! Note: VLAN 1 is always preconfigured (name "default") and all
! ports reside in VLAN 1 initially. A name is optional.
(config)# vlan 2
(config-vlan)# name Engineers
! Then assign some ports to each VLAN
(config-if)# switchport access vlan 2
! Configure VLAN trunks on inter-switch connections.
! (Alternatively, mode "dynamic auto" or "dynamic desirable" will
! negotiate trunk or no trunk with the neighbor switch via DTP. On
! ports facing hosts this lets anyone who speaks DTP turn the port
! into a trunk and reach every VLAN, so use "switchport mode access"
! plus "switchport nonegotiate" there.)
! If required change the default encapsulation type first (e.g. on
! Cat4000): on switches that support both ISL and dot1Q it defaults
! to auto, and "mode trunk" is rejected until it is set.
(config-if)# switchport trunk encapsulation isl
(config-if)# switchport mode trunk
! Check configured VLANs
# show vlan
! Check trunks: "switchport" shows operational details, "trunk" shows
! similar information but also the active and allowed VLANs.
# show interfaces fa0/11 switchport
# show interfaces fa0/11 trunk
! Optionally utilize the VTP service to administrate many VLANs
! more easily. Per default, switches are in VTP server mode. It is
! important to put all switches in the same VTP domain, otherwise
! they won't synchronize.
! Caution: a server or client whose configuration revision number is
! higher than the domain's overwrites the VLAN database of every
! switch in the domain (a lab switch plugged into production can
! delete all VLANs), so always set a VTP password and put switches
! that must not take part into transparent mode.
(config)# vtp {server | client | transparent}
(config)# vtp domain Lumpi
! If VTP is used there are also some optional commands. Pruning
! allows switches to block traffic for specific VLANs when they
! have no ports in these VLANs (this is a good idea to reduce
! unwanted broadcast traffic in the network).
(config)# vtp pruning
(config)# vtp password mySecret
! Check VTP configuration (mode, domain, revision number)
# show vtp status
Routing Commands

Basics
! Quickly check whether all interfaces are up
# show ip interface brief
! Verify detailed information about any IP routing protocol
# show ip protocols
! For any link-state or hybrid routing protocol, check whether
! adjacencies could be established
# show ip eigrp neighbors
# show ip ospf neighbors
! For any link-state or hybrid routing protocol, check the
! topology database
# show ip ospf database
! Observe routing updates and events
# debug ip igrp transactions
# debug ip rip events
Router on a Stick
! It is recommended to configure duplex and speed manually because
! Ethernet autonegotiation falls back to half duplex when the other
! side is configured manually - but VLAN trunking requires full
! duplex!!!
! Since dot1Q sends the native VLAN (VLAN 1 by default) untagged, the
! corresponding IP address can be specified at the physical interface
! level. Only subinterfaces support the encapsulation command. When
! ISL trunking is used ALL IP addresses (one per VLAN) must be
! configured at subinterface level (because VLAN 1 is tagged as well).
! (The untagged native VLAN is what double-tagging VLAN hopping
! relies on; in production use an otherwise unused VLAN as the native
! VLAN of the trunk.)
(config)# interface fa 0/0
(config-if)# ip address 10.1.9.9 255.255.0.0
(config-if)# duplex full
(config-if)# speed 100
(config-if)# interface fa 0/0.2
(config-subif)# encapsulation dot1Q 2
(config-subif)# ip address 10.2.9.9 255.255.0.0
(config-subif)# interface fa 0/0.3
(config-subif)# encapsulation dot1Q 3
(config-subif)# ip address 10.3.9.9 255.255.0.0
....
RIP
! The configuration scheme is always the same with each routing
! protocol: 1) enable the routing process and 2) include local
! interfaces via the network command (classful address for RIP).
(config)# router rip
(config-router)# network 10.0.0.0
(config-router)# network 172.16.0.0
! With discontiguous subnets, RIP version 2 is needed. But also
! don't forget to disable auto-summarization (RIPv2 is backwards
! compatible with RIPv1 and summarizes at classful boundaries per
! default).
(config-router)# version 2
(config-router)# no auto-summary
IGRP
! Same scheme as with any other routing protocol, but...
! You must specify an AS number (an IGRP process number, unrelated
! to BGP AS numbers; routers only exchange routes within the same one)
(config)# router igrp 100
(config-router)# network 172.16.0.0
! Optionally allow unequal-cost load balancing by configuring a
! variance parameter (a path is used if its metric is less or equal
! to variance times best_metric)
! Note #1: fast-switched and CEF routers balance per destination,
! not per packet.
! Note #2: Per default, equal-cost load balancing is configured
! (variance 1)
(config-router)# variance 3
! Optionally follow the least-cost routing paradigm (use only the
! best path, keep the others in the table as backup)
(config-router)# traffic-share min
EIGRP
! As with IGRP you must specify an "AS number" for each process.
! EIGRP uses the same compound metric but multiplied by 256
! (left-shifted 8 bits).
! Wildcard masks are optional (without one the classful network is
! used, so an explicit wildcard keeps unwanted interfaces out)
(config)# router eigrp 100
(config-router)# network 10.0.0.0
(config-router)# network 192.168.1.0 0.0.0.255
! show commands as usual: neighbors, topology, etc.
OSPF
! Upon configuring the router process a process number must be
! specified. This number has only local significance and is not
! carried in routing traffic.
! The network command must contain a wildcard mask and the area
! ID. It is recommended to specify the interfaces one by one
! (wildcard 0.0.0.0 = exact address match) to prevent unwanted
! interfaces from being included.
! Note: OSPF is VERY complex - for the CCNA only a simple single-area
! configuration is required.
(config)# router ospf 100
(config-router)# network 10.1.1.1 0.0.0.0 area 0
(config-router)# network 10.1.2.1 0.0.0.0 area 0
! show commands as usual: neighbors, topology, etc.
Access Lists
! Basic Rules for all ACLs:
! 1) An ACL is processed top-down
! 2) Processing stops at the first matching entry
! 3) Therefore place the most specific statements first
! 4) Use wildcard masks instead of subnet masks (= the complement:
!    0 bits must match, 1 bits are "don't care")
! 5) Optional keyword "any" means 0.0.0.0 255.255.255.255
! 6) Optional keyword "host" means wildcard mask 0.0.0.0
! 7) Three choices: standard, extended, and named ACLs
! 8) Three actions: permit | deny | remark
! 9) Every ACL ends with an invisible "deny any": whatever is not
!    permitted explicitly is dropped
! Standard ACL (1-99 and 1300-1999, only the SA is checked)
! Default wildcard mask is 0.0.0.0
(config)# access-list 1 permit 192.168.10.1 0.0.0.0
(config)# access-list 1 deny any
! Extended ACL (100-199 and 2000-2699, all header fields can be
! checked)
! Parameter order is: protocol SA SA_wildcard [operator S-port]
! DA DA_wildcard [operator D-port] [established] [log]
! Keyword "established" matches only TCP segments with the ACK or
! RST bit set, i.e. replies to sessions opened from the other side;
! a fresh SYN does not match. An attacker can still set ACK on a
! probe, so this is a poor man's stateful filter, nothing more.
! Keyword "log" sends a syslog message for every match (match
! counters are kept for all entries anyway, see show access-lists)
(config)# access-list 102 deny tcp 1.1.1.0 0.0.0.255 any eq 21
(config)# access-list 102 permit ip any any
! Named ACL: here single entries can be deleted! (An extended named
! ACL still needs the protocol as first parameter.)
(config)# ip access-list extended myACL1
(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 any
! FYI: Newer IOS (since 12.2) also allows resequencing and
! inserting entries with sequence numbers. First parameter is the
! start value, second parameter the step value.
(config)# ip access-list resequence 102 10 10
(config)# ip access-list extended 102
(config-ext-nacl)# 5 permit tcp 1.1.1.1 0.0.0.0 20.0.0.0 0.255.255.255 eq www
! Attach an ACL to an interface (same command for all types of ACLs)
! Note: Only one ACL per interface per direction (per protocol)
(config-if)# ip access-group 1 in
(config-if)# ip access-group 102 out
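To check how the rules above play out against real packets without a router, here is an added Python evaluator (not part of the original cheat sheet, not IOS code) for the numbered standard/extended syntax shown above. It parses the two lists from above exactly as written, plus a constructed `established` list, applies them top-down with first match wins and the implicit deny, and treats wildcard bits as don't-care bits. The sample packets in the test are constructed.

```python
"""Evaluator for the numbered standard/extended ACL syntax used above.  Added
example, not IOS code: it implements the rules listed on this page (top-down,
first match wins, wildcard mask = complement of the subnet mask, 'any' =
0.0.0.0 255.255.255.255, 'host' = wildcard 0.0.0.0) plus the implicit
'deny any' at the end of every list, so an ACL can be tested offline."""
import ipaddress
from dataclasses import dataclass

OPS = {"eq": lambda p, v: p == v, "neq": lambda p, v: p != v,
       "gt": lambda p, v: p > v, "lt": lambda p, v: p < v}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _is_ip(tok):
    return tok.count(".") == 3 and all(part.isdigit() for part in tok.split("."))

@dataclass
class Entry:
    action: str          # permit | deny
    proto: str           # ip | tcp | udp | icmp ... (standard ACLs: ip)
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    sport: tuple = None  # (operator, port) or None
    dport: tuple = None
    established: bool = False

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # TCP: set on every segment except the initial SYN

def _addr(tok, i, standard):
    """Consume 'any' | 'host A' | 'A W' | 'A' (standard ACL default wildcard) at tok[i]."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    if i + 1 < len(tok) and _is_ip(tok[i + 1]):        # explicit wildcard follows
        return _ip(tok[i]), _ip(tok[i + 1]), i + 2
    if standard:
        return _ip(tok[i]), 0, i + 1
    raise ValueError(f"extended ACL needs a wildcard after {tok[i]}")

def _port(tok, i):
    if i < len(tok) and tok[i] in OPS:
        return (tok[i], int(tok[i + 1])), i + 2
    return None, i

def parse_entry(line):
    """Parse one 'access-list N {permit|deny|remark} ...' line; remarks give None."""
    tok = line.split()
    number, action = int(tok[1]), tok[2]
    if action == "remark":
        return None
    if 1 <= number <= 99 or 1300 <= number <= 1999:     # standard: source address only
        src, swc, _ = _addr(tok, 3, True)
        return Entry(action, "ip", src, swc, 0, 0xFFFFFFFF)
    proto = tok[3]
    src, swc, i = _addr(tok, 4, False)
    sport, i = _port(tok, i) if proto in ("tcp", "udp") else (None, i)
    dst, dwc, i = _addr(tok, i, False)
    dport, i = _port(tok, i) if proto in ("tcp", "udp") else (None, i)
    return Entry(action, proto, src, swc, dst, dwc, sport, dport, "established" in tok[i:])

def _match_addr(ip, addr, wc):
    # Wildcard bits set to 1 are "don't care"; only the 0 bits must agree.
    return ((ip ^ addr) & (~wc & 0xFFFFFFFF)) == 0

def matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_match_addr(_ip(p.src), e.src, e.src_wc) and _match_addr(_ip(p.dst), e.dst, e.dst_wc)):
        return False
    for port, spec in ((p.sport, e.sport), (p.dport, e.dport)):
        if spec is not None and not OPS[spec[0]](port, spec[1]):
            return False
    # 'established' matches only segments with ACK or RST set, never a fresh SYN
    return not e.established or (p.proto == "tcp" and p.ack_or_rst)

def evaluate(acl_lines, packet):
    """First matching entry decides: returns (action, entry index) or ('deny', None)."""
    entries = [e for e in map(parse_entry, acl_lines) if e is not None]
    for idx, e in enumerate(entries):
        if matches(e, packet):
            return e.action, idx
    return "deny", None                 # the implicit 'deny any' at the end of every ACL

# The two lists configured above, plus a constructed inbound 'established' list.
ACL_1 = ["access-list 1 permit 192.168.10.1 0.0.0.0", "access-list 1 deny any"]
ACL_102 = ["access-list 102 remark no FTP control connections from 1.1.1.0/24",
           "access-list 102 deny tcp 1.1.1.0 0.0.0.255 any eq 21",
           "access-list 102 permit ip any any"]
ACL_103 = ["access-list 103 permit tcp any any established"]
```

Run `evaluate()` over a handful of representative packets after every ACL change: it confirms that the most specific entry still comes first and shows what falls through to the implicit deny, and the `ACL_103` case makes the difference between a fresh SYN (denied) and a reply segment (permitted) visible.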
! Keyword "remark" (for both numbered and named ACLs)
(config-std-nacl)# remark Paranoid Perimeter Solution
(config-std-nacl)# remark Filter anything except Emule
! Attach an ACL to the vty's (interface ACLs don't check traffic the
! router itself originates, and access-class restricts logins via
! every interface with a single list)
(config)# line vty 0 4
(config-line)# access-class 1 in
! Verification of ACLs - various possibilities:
# show access-lists
# show ip access-lists
# show access-lists 102
! Check if ACLs are set on an interface
# show ip interface fa0/1
! Clear interface (log) counters
# clear counters
! Watch all packets that are matched by ACL 101 (CPU-intensive, and
! only process-switched packets are seen; avoid on production boxes)
# debug ip packet 101
! Changing ACLs:
! 1) Define the new ACL in global config mode
! 2) On the interface simply use the access-group command with the
!    new ACL - there is no need to remove the old one with
!    "no ip access-group" (it is replaced immediately)
! Never "no access-list 102" while 102 is still applied: an
! access-group that references a non-existent or empty ACL permits
! everything until the list is rebuilt.
! Delete entries and resequence a named ACL
(config-ext-nacl)# no 5
(config)# ip access-list resequence MY_ACL_OUT 10 20
NAT and PAT
! Any NAT/PAT configuration requires specifying which interface is
! inside and which is outside
(config-if)# ip nat {inside | outside}
! Simple static translation
(config)# ip nat inside source static 10.0.0.1 2.2.2.2
! Dynamic translation using a pool of inside global addresses.
! Also specify the allowed traffic via an ACL (only sources matching
! it are translated; other packets are routed untouched)
(config)# ip nat pool myPool 2.0.0.1 2.0.0.5 netmask 255.0.0.0
(config)# access-list 1 permit 10.0.0.0 0.0.0.255
(config)# ip nat inside source list 1 pool myPool
! Now with overloading (PAT). Usually an address pool is not
! needed because the port number space is large enough. Therefore
! a single address, usually the router's outside interface, is
! enough.
(config)# ip nat inside source list 1 interface s0 overload
! Verify the translation table, check statistics (hits = an existing
! entry was used, misses = a new entry had to be created)
# show ip nat translations
# show ip nat statistics
! Using the debug command you can observe how packets are
! translated. Two output parameters which are often not explained:
! [32434] ... the IP identification number
! NAT* ... the packet was fast switched (the first packet of a flow
! is always process switched, so it shows as plain NAT)
# debug ip nat
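How the pool and overload variants above behave once traffic flows, as an added Python model (not IOS code, not from the original cheat sheet). It reuses the addresses from the configuration above; 203.0.113.1 is an assumed address for interface s0, the flows and port numbers are constructed, and timeouts and the protocol field of a real translation entry are left out.

```python
"""Toy model of the three 'ip nat inside source' variants configured above
(static, dynamic pool, interface overload = PAT).  Added example, not IOS code,
and deliberately simplified (no timeouts, no protocol field): it shows what
'show ip nat translations' would contain after a few flows, that a dynamic
pool binds one global address per inside host and runs dry, and that PAT keeps
going by allocating ports on a single address.  203.0.113.1 is an assumed
address for interface s0; the flows below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Binding = Tuple[str, int]        # (address, port)


def addr_range(first: str, last: str) -> List[str]:
    """Expand 'ip nat pool NAME first last' into the list of inside global addresses."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]


@dataclass
class Nat:
    interesting: Callable[[str], bool]                        # the 'list 1' ACL on inside sources
    static: Dict[str, str] = field(default_factory=dict)      # inside local -> inside global
    pool: List[str] = field(default_factory=list)             # dynamic pool (1:1 bindings)
    overload: Optional[str] = None                            # PAT address (interface s0)
    dynamic: Dict[str, str] = field(default_factory=dict)     # active pool bindings
    pat: Dict[Binding, Binding] = field(default_factory=dict) # (local, port) -> (global, port)
    dropped: int = 0                                          # no translation possible

    def translate(self, src: str, sport: int) -> Optional[Binding]:
        """Outbound packet from inside. Returns the translated (address, port), the
        unchanged pair when the ACL does not match (routed untouched), or None when
        the packet is dropped because no free inside global address exists."""
        if src in self.static:                       # static entries ignore the ACL
            return self.static[src], sport
        if not self.interesting(src):
            return src, sport
        if self.overload:                            # PAT: one address, many ports
            key = (src, sport)
            if key not in self.pat:
                taken = (self.overload, sport) in self.pat.values()
                self.pat[key] = (self.overload, self._free_port() if taken else sport)
            return self.pat[key]
        if src not in self.dynamic:                  # dynamic NAT: one global per host
            free = [g for g in self.pool if g not in self.dynamic.values()]
            if not free:
                self.dropped += 1
                return None
            self.dynamic[src] = free[0]
        return self.dynamic[src], sport

    def _free_port(self) -> int:
        used = {port for _, port in self.pat.values()}
        return next(p for p in range(1024, 65536) if p not in used)

    def untranslate(self, dst: str, dport: int) -> Optional[Binding]:
        """Inbound packet addressed to an inside global address. None means no
        matching entry exists and the packet is dropped (unsolicited inbound)."""
        for local, glob in {**self.static, **self.dynamic}.items():
            if glob == dst:
                return local, dport
        for (local, lport), glob in self.pat.items():
            if glob == (dst, dport):
                return local, lport
        return None

    def translations(self) -> List[str]:
        """Rough equivalent of 'show ip nat translations' (inside global <- inside local)."""
        rows = [f"{g:16} <- {l}" for l, g in {**self.static, **self.dynamic}.items()]
        rows += [f"{g}:{gp} <- {l}:{lp}" for (l, lp), (g, gp) in self.pat.items()]
        return rows


if __name__ == "__main__":
    inside = lambda ip: ip.startswith("10.0.0.")        # access-list 1 permit 10.0.0.0 0.0.0.255
    pat = Nat(interesting=inside, overload="203.0.113.1")
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        pat.translate(host, 5000)                        # three hosts, same source port
    print("\n".join(pat.translations()))
```

The pool variant drops the third host as soon as two addresses are bound, while the PAT variant resolves the port collision by picking the next free port; `untranslate()` shows the other security-relevant property of both: an inbound packet with no matching entry has nowhere to go and is dropped.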
PAP and CHAP Authentication
! Unidirectional PAP - Host configuration ("callin": authenticate
! only on incoming calls)
Host(config)# int serial 0
Host(config-if)# ip address 10.1.1.1 255.255.255.0
Host(config-if)# encapsulation ppp
Host(config-if)# ppp authentication pap callin
Host(config-if)# ppp pap sent-username PAPUSER password CiScO
! Unidirectional PAP - Server configuration
Server(config)# username PAPUSER password CiScO
Server(config)# int serial 0
Server(config-if)# ip address 10.2.2.2 255.255.255.0
Server(config-if)# encapsulation ppp
Server(config-if)# ppp authentication pap
! PAP sends username and password in clear text over the link; use
! CHAP whenever the peer supports it.
! Standard CHAP authentication: each router uses its hostname as the
! username to log in to the other side, so the "username" entry on
! each router carries the peer's hostname, and both entries must hold
! the same password (it is never sent; only an MD5 hash over a
! random challenge crosses the link).
! Configuration for Host LEFT:
(config)# hostname LEFT
LEFT(config)# username RIGHT password SAME
LEFT(config)# int serial 0
LEFT(config-if)# ip address 10.1.1.1 255.255.255.0
LEFT(config-if)# encapsulation ppp
LEFT(config-if)# ppp authentication chap
! Configuration for Host RIGHT:
(config)# hostname RIGHT
RIGHT(config)# username LEFT password SAME
RIGHT(config)# int serial 0
RIGHT(config-if)# ip address 10.2.2.2 255.255.255.0
RIGHT(config-if)# encapsulation ppp
RIGHT(config-if)# ppp authentication chap
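What the two CHAP configurations above actually do on the wire, as an added Python model (not IOS code, not from the original cheat sheet): the authenticator sends an Identifier, a random challenge and its own hostname; the peer looks up the secret stored under that hostname, answers with MD5(Identifier || secret || challenge) and its own hostname; the authenticator recomputes the hash with the secret stored under the peer's hostname. `LEFT`, `RIGHT` and the secret `SAME` come from the configuration above; the 16-byte challenge length and the in-memory username table are assumptions of the model. The PAP function is there for contrast only.

```python
"""PPP CHAP (RFC 1994) challenge/response between the two routers LEFT and
RIGHT configured above, next to PAP for contrast.  Added example, not IOS code:
it models what 'ppp authentication chap' puts on the wire and why each side
needs a 'username <peer hostname> password <secret>' line with the same secret.
Challenge length (16 bytes) and the username table are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _chap_hash(ident: int, secret: str, challenge: bytes) -> bytes:
    # RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


@dataclass
class Router:
    hostname: str                                   # sent as the CHAP Name field
    usernames: dict = field(default_factory=dict)   # 'username <name> password <secret>' lines
    next_id: int = 1

    def challenge(self):
        """Authenticator: Identifier, fresh random Value, own Name."""
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        return ident, os.urandom(16), self.hostname

    def respond(self, ident, value, authenticator_name):
        """Peer: look up the secret stored for the challenger's Name and hash it;
        the secret itself never leaves the router.  None if no username line exists."""
        secret = self.usernames.get(authenticator_name)
        if secret is None:
            return None
        return ident, _chap_hash(ident, secret, value), self.hostname

    def verify(self, ident, value, response):
        """Authenticator: recompute with the secret stored for the peer's Name."""
        if response is None:
            return False
        r_ident, r_digest, peer_name = response
        secret = self.usernames.get(peer_name)
        if secret is None or r_ident != ident:
            return False
        return hmac.compare_digest(_chap_hash(ident, secret, value), r_digest)


def chap_authenticate(authenticator: Router, peer: Router) -> bool:
    """One-way CHAP; 'ppp authentication chap' on both serial interfaces runs it in both directions."""
    ident, value, name = authenticator.challenge()
    return authenticator.verify(ident, value, peer.respond(ident, value, name))


def pap_authenticate(server: Router, sent_username: str, sent_password: str) -> bool:
    """PAP ('ppp pap sent-username ... password ...'): the credentials cross the
    link in clear text and the server merely compares them."""
    return server.usernames.get(sent_username) == sent_password


# The page's configuration: both hostnames, both 'username' lines, same secret.
LEFT = Router("LEFT", {"RIGHT": "SAME"})
RIGHT = Router("RIGHT", {"LEFT": "SAME"})

if __name__ == "__main__":
    print("LEFT authenticates RIGHT:", chap_authenticate(LEFT, RIGHT))
    print("RIGHT authenticates LEFT:", chap_authenticate(RIGHT, LEFT))
    print("wrong secret on RIGHT:  ", chap_authenticate(LEFT, Router("RIGHT", {"LEFT": "other"})))
```

The model makes the three classic CHAP failures reproducible: a mismatched secret, a hostname that does not match any `username` line, and a captured response replayed against a later challenge all fail verification, which is exactly what `debug ppp authentication` reports on the router.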
Frame Relay
! Rules:
! * P2P subinterfaces have their own subnets and therefore
!   resolve split horizon issues
! * Each multipoint sub-if has its own IP subnet (incl. all DLCIs)
! * Multipoint sub-ifs are NBMA and cannot resolve split horizon
! * LMI is always enabled - DLCIs are learned from the service
!   provider's switch
! * The router must be rebooted when a sub-if type is changed
!   (better migrate to another sub-if => no outage)
! * If sub-ifs are used, don't assign an IP address to the physical
!   interface (routing problems)!!!
! Practically usable DLCI range: 16 - 992 (assigned by the SP)
(config-if)# encapsulation frame-relay
! LMI is always enabled (autodetection)
! Cisco supports three LMI standards:
! "cisco" uses DLCI 1023
! ANSI T1.617 Annex D (USA) uses DLCI 0
! ITU-T Q.933 Annex A (Europe) uses DLCI 0
(config-if)# frame-relay lmi-type {ansi | cisco | q933a}
! Inverse ARP alternative: static mapping on the physical interface
! or a multipoint sub-if. The keyword "broadcast" allows broadcast
! services (routing updates) over the PVC. Static maps are more
! stable than inverse ARP; P2P sub-ifs don't take a map command at
! all, they use interface-dlci.
(config-subif)# frame-relay map ip 20.2.2.2 110 broadcast
! Define the sub-if DLCI (the router learns DLCIs by LMI but doesn't
! know which sub-if should be assigned which DLCI; per default all
! DLCIs are assigned to the physical interface).
! On a multipoint sub-if this command also enables inverse ARP,
! which is required when the frame-relay map ip command is not
! used.
(config-subif)# frame-relay interface-dlci 120
! Check encapsulation and LMI type
# show interfaces s0
! Check the PVC state:
! Active state: L2 and L3 ok
! Inactive state: the remote router cannot reach its switch
! Deleted state: local connectivity problems (DLCI not seen in LMI)
# show frame-relay pvc 100
! Check static and dynamic mapping
# show frame-relay map
! Check LMI statistics
# show frame-relay lmi
! Reset the mapping table (delete information learned by inverse
! ARP)
# clear frame-relay-inarp
ISDN
! PRI Configuration
! First define which timeslots should be used by the PRI group.
! Then configure the switch type on the D channel: the interface
! with timeslot 15 (in Europe).
! Optionally specify framing and line code type.
! It is recommended to disable periodic protocols such as CDP
! (every packet keeps a dial-up link open and costs money).
(config)# controller E1 3/0
(config-controller)# framing crc4
(config-controller)# linecode hdb3
(config-controller)# pri-group timeslots 1-31
(config-controller)# interface Serial3/0:15
(config-if)# isdn switch-type primary-net5
(config-if)# no cdp enable
! Legacy DDR - Spoke
! 1) Create static routes (avoid periodic routing updates)
! 2) Define interesting traffic (dialer-list command)
! 3) Assign remote IP, telephone number, and remote name to an
!    interface (dialer map command)
! 4) Bind interesting traffic to this interface (dialer-group
!    command)
! 5) Optional parameters: idle-timeout, load-threshold, ...
(config)# ip route 10.100.0.0 255.255.0.0 10.5.0.2
(config)# ip route 10.200.0.0 255.255.0.0 10.5.0.2
(config)# dialer-list 1 protocol ip permit
(config)# hostname myRouter
(config)# isdn switch-type basic-5ess
(config)# username otherRouter password cisco
(config)# interface BRI0
(config-if)# ip address 10.5.0.1 255.255.255.0
(config-if)# encapsulation ppp
(config-if)# dialer idle-timeout 180
(config-if)# dialer map ip 10.5.0.2 name otherRouter 080031415
(config-if)# dialer-group 1
(config-if)# ppp authentication chap
! The above configuration allows any IP packet to open the ISDN
! session. Better restrict interesting traffic with an ACL this way:
(config)# dialer-list 1 protocol ip list 101
(config)# access-list 101 deny tcp any any eq telnet
(config)# access-list 101 permit ip any any
! Note: the dialer-list only decides what brings the link up and
! what resets the idle timer. Once the link is up, telnet is
! forwarded like anything else; filtering needs an access-group on
! the interface.
! DDR with Dialer Profiles
! Goal: Support various different spoke profiles and dynamically
! select interfaces from a pool. This is practical for hub devices
! which must terminate multiple sessions on the same physical
! interface.
! Concept:
! 1) Define profiles in "dialer interfaces" (instead of a
!    physical interface as before) and assign them to a dialer
!    pool.
! 2) Assign one or multiple physical interfaces to this pool.
! So each dialer profile looks similar to the following:
(config)# interface dialer1
(config-if)# ip address 10.5.0.2 255.255.255.0
(config-if)# encapsulation ppp
(config-if)# dialer remote-name SomeRouter777
(config-if)# dialer string 141421356
(config-if)# dialer idle-timeout 180
(config-if)# dialer pool 1
(config-if)# dialer-group 1
(config-if)# ppp authentication chap
! For simplicity we omit details already described above such as
! CHAP details or the specification of interesting traffic etc.
(config)# interface bri0
(config-if)# dialer pool-member 1