! Save the running configuration to NVRAM (new and old style; both do the same)
# copy run start
# write mem
! If serial interfaces are available, check DTE/DCE
# show controllers
! Configure bandwidth (informational only; used by routing protocols for
! metric calculation) and clock rate (the physical data rate; only on the DCE)
(config-if)# bandwidth 64
(config-if)# clock rate 64000
! date and time (use ? for parameters)
# clock ...
! Enable timestamps in syslog and debug messages:
(config)# service timestamps log datetime
(config)# service timestamps debug datetime
CDP
! Which neighbors have been detected?
# show cdp neighbors [detail]
! Examine detailed neighbor parameters (* means all neighbors),
! e.g. all IP addresses of the neighbors' interfaces.
! Keep in mind that your own device advertises the same data (platform,
! IOS version, addresses) to anyone on the segment; disable CDP on
! untrusted ports.
# show cdp entry *
! Verify statistics and parameters about CDP itself
# show cdp interface
Switching Commands
Basics
! VLAN 1 always exists and is also used as the management VLAN. For
! example the switch's own IP address is configured on interface vlan 1.
! Additionally you might provide a default gateway to reach other
! networks. Note that all access ports default to VLAN 1 too, so every
! attached host can reach this management address unless user ports are
! moved to other VLANs.
(config)# interface vlan 1
(config-if)# ip address 10.1.1.1 255.255.0.0
(config)# ip default-gateway 10.1.9.9
! Let's examine the bridging table
# show mac-address-table
! FYI: Change the switching mode:
(config)# switching-mode {store-and-forward | fragment-free}
! Enter a static MAC address in the table (remains only in RAM but
! does not age)
Port Security
! port must not be in dynamic or trunk mode
(config-if)# switchport mode access
! enable port security (necessary)
(config-if)# switchport port-security
! specify max number of secure MAC addresses
! these are dynamically learned
(config-if)# switchport port-security maximum 5
! optionally specify some secure MAC addresses manually
(config-if)# switchport port-security mac-address AAAA.BBBB.CCCC
! specify the violation action. shutdown is the default and the only
! mode that err-disables the port (an SNMP trap and syslog message are
! sent). restrict drops offending frames, counts the violation and sends
! a trap/syslog; protect drops them silently (violations stay invisible).
(config-if)# switchport port-security violation {shutdown | protect | restrict}
! FYI: sticky-learned addresses are written to the running-config
! (save them with copy run start so they survive a reload)
(config-if)# switchport port-security mac-address sticky
! Verify port-security settings of one port (is it enabled? max,
! current and violation counters, configured action)
# show port-security interface fa0/1
! Summary of all secured ports (MaxAddr, CurrAddr, violations, action)
# show port-security
! Which MAC addresses have been learned/configured for security?
! (also their remaining age)
# show port-security address
Spanning Tree
! Since STP configures automatically, verification commands are
! most important
# show spanning-tree
! FYI: Enable (or disable with no) a particular STP
(config)# [no] spanning-tree vlan 200
! FYI: Change the default bridge priority (32768) in the BID; the lowest
! value wins the root election. IOS with extended system ID only accepts
! multiples of 4096.
(config)# spanning-tree vlan 200 priority 4096
VLANS
! First create
! Note: vlan 1
! ports reside
(config)# vlan
(config-vlan)#
Routing Commands
Basics
! Quickly check whether all interfaces are up
# show ip interface brief
! Verify detailed information about any IP routing protocol
# show ip protocols
Router on a Stick
! It is recommended to configure duplex and speed manually: Ethernet
! autonegotiation falls back to half duplex when the other side is
! configured manually, but VLAN trunking requires full duplex.
! With dot1Q the native VLAN (VLAN 1 by default) is sent untagged, so
! its IP address can be configured on the physical interface itself.
! Only subinterfaces support the encapsulation command. With ISL
! trunking ALL IP addresses (one per VLAN) must be configured at
! subinterface level, because ISL also tags VLAN 1.
! Security note: because native-VLAN frames travel untagged, keep user
! access ports out of the native VLAN (double-tagging VLAN-hopping
! attacks rely on the attacker sitting in it).
(config)# interface fa 0/0
(config-if)# ip address 10.1.9.9 255.255.0.0
(config-if)# duplex full
(config-if)# speed 100
(config-if)# interface fa 0/0.2
(config-subif)# encapsulation dot1Q 2
(config-subif)# ip address 10.2.9.9 255.255.0.0
(config-subif)# interface fa 0/0.3
(config-subif)# encapsulation dot1Q 3
(config-subif)# ip address 10.3.9.9 255.255.0.0
....
RIP
! The configuration scheme is always the same with each routing
! protocol: 1) Enable routing process and 2) include local
! interfaces via the network command.
(config)# router rip
(config-router)# network 10.0.0.0
IGRP
! Same scheme as with any other routing protocol, but...
! You must specify an AS number (only significant for IGRP)
(config)# router igrp 100
(config-router)# network 172.16.0.0
! Optionally allow load balancing by configuring a variance
! parameter (worst metric must be less or equal variance times
! best_metric)
! Note #1: fast switched and CEF routers perform per-destination
! (session-based) load balancing, not per-packet.
! Note #2: Per default, equal cost load balancing is configured
(config-router)# variance 3
! Optionally follow the least cost routing paradigm
(config-router)# traffic-share min
EIGRP
! As with IGRP you must specify an AS-Number for each process
! EIGRP uses the same compound-metric but left-shifted 8 bits.
! Wildcard or subnet masks are optional
(config)# router eigrp 100
(config-router)# network 10.0.0.0
(config-router)# network 192.168.1.0 0.0.0.255
! show commands as usual: neighbors, topology, etc.
OSPF
! Upon configuring the router process a process number must be
! specified. This number has only local significance and is not
! carried in routing traffic.
! The network command must contain a wildcard mask and the area
! ID. It is recommended to specify interface per interface to
! prevent unwanted interfaces from being included.
! Note: OSPF is VERY complex. For the CCNA only a simple single-area
! configuration is required.
(config)# router ospf 100
(config-router)# network 10.1.1.1 0.0.0.0 area 0
(config-router)# network 10.1.2.1 0.0.0.0 area 0
! show commands as usual: neighbors, topology, etc.
Access Lists
Changing ACLs:
1) Define the complete new ACL in global config mode first. An ACL
that is referenced by ip access-group but not (yet) defined permits
all traffic, so never apply an empty or half-built list.
2) On the interface simply issue the access-group command with the
new ACL; there is no need to remove the old one with no ip access-group
(the binding is replaced immediately).
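Worked example of the two-step replacement above, added here and not part of the original cheat sheet. ACL numbers 101 (old) and 102 (new), the address block 10.1.0.0/16 and interface fa 0/0 are assumed for illustration:

```cisco
! Step 1: build the complete replacement list first. Numbered ACLs cannot
! be edited in place (every entry typed is appended), and a list that is
! referenced by ip access-group but not yet defined permits everything.
(config)# access-list 102 remark inbound from LAN, replaces 101
(config)# access-list 102 permit tcp 10.1.0.0 0.0.255.255 any eq 22
(config)# access-list 102 deny tcp any any eq telnet log
(config)# access-list 102 permit ip 10.1.0.0 0.0.255.255 any
! (every ACL ends with an implicit deny ip any any)
! Step 2: re-point the interface. The new list takes effect at once and
! replaces the old binding; no "no ip access-group 101 in" is needed.
(config)# interface fa 0/0
(config-if)# ip access-group 102 in
(config-if)# end
! Verify: per-entry hit counters, and which list is bound to the interface
# show ip access-lists 102
# show ip interface fa 0/0 | include access list
! Only now remove the old list
# configure terminal
(config)# no access-list 101
```

The `log` keyword on the telnet entry produces a syslog line per matching flow, which is the cheapest way to see who is still trying telnet after the change.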
NAT
! Using the debug command you can observe how packets are translated.
! Two output fields which are often not explained:
! [32434] ... the IP identification number of the packet
! NAT* ... the packet was fast switched (never the first packet of a
! flow, which is process switched to create the translation)
# debug ip nat
Frame Relay
! Rules:
! * P2P subinterfaces have their own subnets and therefore resolve
!   split horizon issues
! * Each multipoint sub-if has its own IP subnet (incl. all DLCIs)
! * Multipoint sub-ifs are NBMA and cannot resolve split horizon
! * LMI is always enabled; DLCIs are learned from the SP via LMI
! * Router must be rebooted when the sub-if type is changed
!   (better migrate to another sub-if => no outage)
! * If sub-ifs are used, don't assign an IP address to the physical
!   interface (routing problems)!
! Practically usable DLCI range: 16 to 992 (assigned by the SP)
(config-if)# encapsulation frame-relay
! LMI is always enabled (autodetection)
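The rules above applied to a hub with two point-to-point subinterfaces, as an added example that is not from the original page. Interface serial 0/0, DLCIs 102 and 103, and the subnets 10.102.0.0/24 and 10.103.0.0/24 are assumed:

```cisco
! Physical interface: encapsulation only, no IP address (see rules)
(config)# interface serial 0/0
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# no shutdown
! One point-to-point subinterface per PVC, each in its own subnet, so
! split horizon does not block updates between the spokes
(config-if)# interface serial 0/0.102 point-to-point
(config-subif)# ip address 10.102.0.1 255.255.255.0
(config-subif)# frame-relay interface-dlci 102
(config-fr-dlci)# exit
(config-subif)# interface serial 0/0.103 point-to-point
(config-subif)# ip address 10.103.0.1 255.255.255.0
(config-subif)# frame-relay interface-dlci 103
(config-fr-dlci)# end
! Verify: LMI exchange with the SP, PVC status (ACTIVE / INACTIVE /
! DELETED) and the DLCI to next-hop mapping
# show frame-relay lmi
# show frame-relay pvc
# show frame-relay map
```

A PVC shown as DELETED means the SP switch does not know that DLCI, i.e. a typo on your side or a mismatch with what was provisioned; INACTIVE means the far end is down.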
ISDN
! PRI Configuration
! First define which timeslots should be used by the PRI-group
! Then configure the switch-type on the D channel: on an E1 this is
! timeslot 16, addressed as :15 because IOS numbers channels from 0
! Optionally specify framing and coding type.
! It is recommended to disable periodic protocols such as CDP.
(config)#controller E1 3/0
(config-controller)# framing crc4
(config-controller)# linecode hdb3
(config-controller)# pri-group timeslots 1-31
(config-controller)# interface Serial3/0:15
(config-if)# isdn switch-type primary-net5
(config-if)# no cdp enable
! Legacy DDR Spoke
! 1) Create static routes (avoid periodic routing updates)
! 2) Define interesting traffic (dialer-list command)
! 3) Assign remote IP, telephone number, and remote name to an
!    interface (dialer map command)
! 4) Bind interesting traffic to this interface (dialer-group command)
! 5) Optional parameters: idle-timeout, load-threshold, ...
(config)# ip route 10.100.0.0 255.255.0.0 10.5.0.2
(config)# ip route 10.200.0.0 255.255.0.0 10.5.0.2
(config)# dialer-list 1 protocol ip permit
(config)# hostname myRouter
(config)# isdn switch-type basic-5ess
! CHAP needs the cleartext shared secret on both ends, so it cannot be
! stored as a one-way hash (username ... secret is not usable for CHAP);
! at best it is type-7 encoded, so protect configuration backups
(config)# username otherRouter password cisco
(config)# interface BRI0
(config-if)# ip address 10.5.0.1 255.255.255.0
(config-if)# encapsulation ppp
(config-if)# dialer idle-timeout 180
(config-if)# dialer map ip 10.5.0.2 name otherRouter 080031415
(config-if)# dialer-group 1
(config-if)# ppp authentication chap
! The above configuration lets any IP packet bring up the ISDN session
! (and keep it up). Better define interesting traffic with an ACL, here
! so that telnet alone neither dials nor resets the idle timer.
! Note: the dialer-list only decides what triggers a call; once the link
! is up, non-interesting traffic is forwarded as well.
(config)# dialer-list 1 protocol ip list 101
(config)# access-list 101 deny tcp any any eq telnet
(config)# access-list 101 permit ip any any
! DDR with Dialer Profiles
! Goal: Support various different spoke-profiles and dynamically
! select interfaces from a pool. This is practical for hub devices
! which must terminate multiple session on the same physical
! interface.
! Concept:
! 1) Define profiles in dialer interfaces (instead of a physical
!    interface as before) and assign them to a dialer pool.
! 2) Assign one or multiple physical interfaces to this pool
! So each dialer profile looks similar to the following:
(config)# interface dialer1
(config-if)# ip address 10.5.0.2 255.255.255.0
(config-if)# encapsulation ppp
(config-if)# dialer remote-name SomeRouter777
(config-if)# dialer string 141421356
(config-if)# dialer idle-timeout 180
(config-if)# dialer pool 1
(config-if)# dialer-group 1
(config-if)# ppp authentication chap
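Step 2 of the concept above, binding a physical interface to pool 1, as an added example that is not part of the original page. The switch type basic-net3, the username/password for the peer SomeRouter777 and the reuse of dialer-list 1 / access-list 101 from the legacy DDR section are assumptions:

```cisco
! Global pieces the profile relies on: the peer's CHAP credentials (its
! CHAP name is matched against dialer remote-name to bind an incoming
! call to the right profile) and the interesting-traffic definition
(config)# isdn switch-type basic-net3
(config)# username SomeRouter777 password cisco
(config)# dialer-list 1 protocol ip list 101
! Physical interface(s): no IP address and no dialer map here; they
! only offer themselves to the pool. Several BRIs/PRIs may join one pool.
(config)# interface BRI0
(config-if)# no ip address
(config-if)# encapsulation ppp
(config-if)# dialer pool-member 1
(config-if)# ppp authentication chap
(config-if)# no shutdown
(config-if)# end
! Verify: pool members, bound profiles and the reason for the last call
# show dialer
# show dialer interface bri 0
```

Because the B channel is picked from the pool at call time, the IP address, remote name and timers live only on the dialer interface; anything left on BRI0 besides encapsulation and authentication is ignored for profile-based calls.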