· 6 years ago · Aug 27, 2019, 01:50 PM
pkgmgr /iu:"TelnetClient" enable telnet in windows (can also enable through Windows Features)

https://www.cisco.com/c/en/us/tech/index.html
https://www.cisco.com/c/en/us/support/all-products.html

Cisco CLI
ROMMON mode:
#reload
*Ctrl-Break within 60 sec of "Reload"
 #send break may work on some terminals, check "standard break key sequence"

#undebug all
#u all

(Delete vlan.dat – erase startup-config – reload)
>enable User mode to Privileged Exec mode
#clock set xx:xx:xx xx Xxx xxxx hr:min:sec day Month(not case sensitive) year
#conf term move from Privileged Exec mode to Global Config mode
(config)#hostname Name
(config)#no ip domain-lookup
(config)#service password-encryption *Cisco proprietary, not MD5 ->enable secret
(config)#security passwords min-length xx 1 - 16
(config)#enable (algorithm-type md5/sha256/scrypt) password/secret XXXXX Privileged Exec mode password *MD5 hashing default (IOS 15.5)
(config)#banner motd #XXXXX# displays BEFORE login prompt *#, $ - delimiting char
(config)#banner login #XXXXX# displays before login prompt (but after MOTD)
(config)#clock timezone Xxx (??) check +/- x(hours) for timezone
(config)#line console 0
 (config-line)#password Password1 Console password
 (config-line)#login require Line password at login
 (config-line)#exec-timeout x x min sec, 0 0 never times out
 (config-line)#logging synchronous prevents interruptions by system information
(config)#line vty 0 4/15
 (config-line)#password Password1
 (config-line)#login
 (config-line)#exec-timeout x x
(config)#int Xx/x
 (config-if)#description XXXXX
 (config-if)#ip address x.x.x.x x.x.x.x
 *(config-if)#ipv6 address x:x:x:x::x/xx
 (config-if)#no shut
*(config)#ipv6 unicast-routing
Switch:
S(config)#interface vlan x
 (config-if)#ip address x.x.x.x x.x.x.x
 (config-if)#no shut
S(config)#exit
S(config)#interface Xx/x
 (config-if)#switchport mode access
 (config-if)#switchport port-security
 (config-if)#switchport access vlan xx
(config)#exit
**L3 switch
S(config)#ip routing
S(config)#int Xx/x
 (config-if)#no switchport
 (config-if)#ip address x.x.x.x x.x.x.x
 (config-if)#no shut
**
S(config)#ip default-gateway x.x.x.x needed in addition to SVI for telnet/management
(config)#exit
#copy run start
*****************************
#write erase erases both running-config and startup-config (factory reset)
#reload

Directory commands:
#archive tar /xtract flash:XxxXxxx.tar flash:/ extract .tar file source, destination

(config)#boot system (flash:/tftp/..etc) set boot environment variable – file location-name, can enter several
 config)#boot system flash0://c1900-universalk9-mz.SPA.152-4.M3bin
(config)#boot loader format flash/reinstall OS/password recover
 switch:dir flash: view contents of flash for IOS name
 switch:boot flash:Xxxx-XxXXX-XX.xxx-xx…. use IOS name from above step
#cd nvram:/flash:/usbflashx:
 #dir/pwd/show file systems *just like Linux commands
#confreg
#copy (run start / run tftp: / tftp: run / run usbflash0:/f) source, destination \ indicates root dir
 *follow prompts for file name, IP address, etc.
 *Run the following prior:
 #show usb (port/tree) *verify usb "name" for source/destination
 #show version/flash *verify file name/size
 #pwd/dir
 #rename XXX XXX
#copy file scp:\\x.x.x.x/xxx.xxxxx.xxx IP addr/URL SSH copy
 *ssh, scp server(?), and aaa must be configured

Ctrl + A move to beginning of line
Ctrl + B back one char
Ctrl + C cancels/interrupts command and exits config mode
Ctrl + E move to end of line
Ctrl + F forward one char
Ctrl + U erase complete line
Ctrl + Z exits and returns directly to privileged exec mode
Ctrl + Shft + 6 interrupts any running process
 Ctrl + Shft + 6 then x alternate between remote session prompts like Linux
 press enter on blank line to return to session
Ctrl + R redisplay line (i.e. if interrupted)
Ctrl + P/N cycle through commands (also Up/Down arrow keys)
#delete flash:vlan.dat erase Normal Range VLANs (Extended stored in Running Config on Extended Image software)
#delete vlan.dat
#dir (flash:/nvram:/usbflash0:/all) displays directory contents
 #show file systems shows all, use #dir XxXx to view individual
 also #show (flash/usbflash/…)
config…)#end return to Privileged Exec mode (host#)
 (ctrl z) same as above
 exit back one level/exit console session (bypasses user exec)
 disable return to user exec mode
#erase start/run/nvram file to erase i.e. NVRAM:startup-config/startup-config
 *erasing NVRAM resets router to default
 #erase flash !!!erases IOS!!!
 #copy source flash install IOS
#more displays contents of a file
 #more flash:running-config *save to new file to view i.e. #copy run flash:Myconfig.txt
 #more flash:Myconfig.txt
#pwd displays present working directory
#ssh -l Admin x.x.x.x/Hostname ssh to device (-logon, username, ip addr/hostname)
#telnet x.x.x.x/Hostname ip addr/hostname
#traceroute prompts/enter for default value

Alphabetical/Groupings:
#auto secure implements security measures *IOS dependent??

nfig-if)#bandwidth xx set bandwidth metric in kilobits on an interface #no

(config)#cdp run enable globally -Cisco L2 auto config proto *enabled by default
nfig-if)#cdp enable/disable enable for interface #no cdp enable see also lldp

#clear ip route (*) clears routing table (all)

nfig-if)#clock rate 128000 serial DCE interface

(config)#crypto key generate rsa (general-keys/usage-key) modulus xxxx 1024/2048
(config)#crypto key zeroize rsa clears key *disables SSH server

#debug ip routing see also specific routing protos *EIGRP/OSPF/etc

nfig-if)#description Xxxx name an interface

nfig-router)#distance xx manually set AD for routing protocol (works on RIP, EIGRP, OSPF)

nfig-if)#duplex full default - recommended is auto (for MDIX)

(config)#enable password/secret Password Privileged Exec mode/"Enable" password *MD5 hashing
(config)#enable (algorithm-type md5/scrypt/sha256) secret Password MD5 is default, sha256 – Type 8, scrypt – Type 9 (IOS 15.5)
(config)#enable (algorithm-type md5/scrypt/sha256) secret level x Password associate a Privilege level (2-14) to a Password

#erase XXXXXX delete file
 #erase startup-config erase from NVRAM

(config)#errdisable recovery cause bpduguard switch automatically brings int out of err-disable, many more
(config)#errdisable recovery interval 30 set errdisable timeout to 30 seconds
#show errdisable recovery error list, timer interval, configured interfaces

(config-line Xxx)#exec-timeout xx xx minutes seconds (def 10 min 0 sec) 0 0 – never expire

(config)#hw-module usb disable disables usb ports, #no re-enables
 #show usb (port/tree) *will return "invalid input…" if disabled
 *can also verify usb with #show filesystems

(config)#interface loopback/lo x
 nfig-if)#ip address x.x.x.x x.x.x.x creates any number of loopbacks
 nfig-if)#ip address x.x.x.x 255.255.255.255 host route to be used as Router ID in OSPF

(config)#interface range Xx/x–x f0/1–4 / g0/1–2 *no space between hyphen

nfig-if)#ipv6 address x:x:x:x:x:x:x:x/xx config ipv6 unicast address
nfig-if)#ipv6 address FE80::x link-local manually config link local address (otherwise EUI-64 is def)
nfig-if)#ipv6 address x:x:x:x:x:x:x:x link-local/eui-64 create static link-local/global unicast eui-64
nfig-if)#ipv6 enable auto creates address (modified EUI-64)

(config)#ip arp inspection (vlan x/x-xx) Enable dynamic arp inspection (specified vlan) *DHCP snooping must be enabled
 nfig-if)#ip arp inspection trust conf int as Trusted DAI interface, connected to another switch/Trunk NOT User/Access port
 #show ip arp inspection interfaces
 #show ip arp inspection vlan x

(config)#ip default-gateway x.x.x.x should only be used on switch or when IP Routing is disabled on a router
(config)#ip default-network x.x.x.x set gateway of last resort on router with IP Routing enabled *Classful

(config)#ip dhcp snooping allows DHCP snooping enable globally
(config)#ip dhcp snooping vlan x(-xx) (specific vlan) *conf trust port first
nfig-if)#ip dhcp snooping trust define switch port as trusted (interface connected to DHCP server), creates database
nfig-if)#ip dhcp snooping limit rate x limits switch port rate of requests /sec ?
(config)#ip source binding x.x.x.x XxXx.XxXx.XxXx vlan xx int Xx/x create static IP source entry for L2 interface *requires DHCP snooping (db)
(config)#ip dhcp snooping database tftp://x.x.x.x/directory/file configure DHCP Snooping binding db
(config)#ip dhcp snooping information option replace replaces info with Option 82 *can be used on interfaces (config-if) too #no
(config)#ip dhcp snooping information option allow-untrusted
(config)#ip dhcp snooping track host
 (config)#clear ip dhcp snooping track host (statistics)
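Added example (not part of the original notes): a small Python model of the DHCP snooping binding table and the Dynamic ARP Inspection decision that the dhcp snooping / arp inspection commands above configure. Interface names, MACs and addresses are constructed; trusted ports are the uplink to the DHCP server, untrusted ports are user access ports.

```python
"""Model of DHCP snooping bindings and DAI verdicts (constructed sample data)."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of 'show ip dhcp snooping binding'."""
    mac: str
    ip: str
    vlan: int
    interface: str
    static: bool = False  # True for entries created with 'ip source binding ...'


@dataclass
class SnoopingSwitch:
    snooping_vlans: Set[int] = field(default_factory=set)  # (config)#ip dhcp snooping vlan X
    dai_vlans: Set[int] = field(default_factory=set)       # (config)#ip arp inspection vlan X
    dhcp_trusted: Set[str] = field(default_factory=set)    # (config-if)#ip dhcp snooping trust
    dai_trusted: Set[str] = field(default_factory=set)     # (config-if)#ip arp inspection trust
    bindings: Dict[Tuple[str, int], Binding] = field(default_factory=dict)  # (mac, vlan) -> Binding

    def add_static_binding(self, mac: str, ip: str, vlan: int, interface: str) -> None:
        """(config)#ip source binding MAC vlan VLAN IP interface IF"""
        mac = mac.lower()
        self.bindings[(mac, vlan)] = Binding(mac, ip, vlan, interface, static=True)

    def dhcp_ack(self, vlan: int, server_port: str, client_port: str,
                 client_mac: str, leased_ip: str) -> str:
        """A DHCP OFFER/ACK arriving on server_port for a client on client_port.
        Server messages are accepted only from trusted ports; on an untrusted port
        they come from a rogue server and are dropped. Accepted leases become bindings."""
        if vlan not in self.snooping_vlans:
            return "forwarded (snooping not enabled on VLAN)"
        if server_port not in self.dhcp_trusted:
            return f"dropped: DHCP server reply on untrusted port {server_port}"
        mac = client_mac.lower()
        self.bindings[(mac, vlan)] = Binding(mac, leased_ip, vlan, client_port)
        return "forwarded, binding added"

    def arp_check(self, vlan: int, interface: str, sender_mac: str, sender_ip: str) -> str:
        """DAI verdict for an ARP packet. Trusted ports (uplinks to other switches)
        bypass the check; on untrusted access ports the sender MAC/IP pair must match
        the binding table, which is what stops a host from claiming the gateway's IP."""
        if vlan not in self.dai_vlans:
            return "forwarded (DAI not enabled on VLAN)"
        if interface in self.dai_trusted:
            return "forwarded (trusted interface)"
        binding = self.bindings.get((sender_mac.lower(), vlan))
        if binding is None:
            return f"dropped: no binding for {sender_mac} in VLAN {vlan}"
        if binding.ip != sender_ip:
            return f"dropped: {sender_mac} is bound to {binding.ip}, not {sender_ip}"
        return "forwarded (binding matched)"


def demo() -> Dict[str, str]:
    """Run the constructed scenario and return each packet's verdict."""
    sw = SnoopingSwitch(snooping_vlans={10}, dai_vlans={10},
                        dhcp_trusted={"Gi0/24"}, dai_trusted={"Gi0/24"})  # Gi0/24 = uplink
    sw.add_static_binding("0000.1111.2222", "10.0.10.50", 10, "Fa0/5")   # printer, static IP
    return {
        "rogue_dhcp": sw.dhcp_ack(10, "Fa0/3", "Fa0/1", "aaaa.bbbb.cccc", "10.0.10.77"),
        "real_dhcp": sw.dhcp_ack(10, "Gi0/24", "Fa0/1", "aaaa.bbbb.cccc", "10.0.10.77"),
        "arp_valid": sw.arp_check(10, "Fa0/1", "aaaa.bbbb.cccc", "10.0.10.77"),
        "arp_gateway_spoof": sw.arp_check(10, "Fa0/1", "aaaa.bbbb.cccc", "10.0.10.1"),
        "arp_no_lease": sw.arp_check(10, "Fa0/2", "dddd.eeee.ffff", "10.0.10.9"),
        "arp_static": sw.arp_check(10, "Fa0/5", "0000.1111.2222", "10.0.10.50"),
        "arp_uplink": sw.arp_check(10, "Gi0/24", "1234.5678.9abc", "10.0.10.1"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```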

(config)#ip domain-name XXXX used in conjunction with SSH, DHCP, routing proto

(config)#ip(v6) host XXX x.x.x.x assign a name to an/multiple ip addresses (telnet/ping XXX) not case sensitive *DNS
 *#show hosts

(config)#ip http server enable server role for both ip and ipv6 #no
 (config)#no ip http server disable HTTP Server (so only HTTPS is used)
(config)#ip http secure-server
(config)#ip http authentication local/enable/aaa HTTP service uses local user database/enable password/aaa
*aaa requires #aaa new-model and login-authentication listname. May also include: command/exec-authorization listnames *See AAA

nfig-if)#ip(v6) mtu xxx change MTU size on interface

(config)#ip name-server x.x.x.x ip addr of DNS server/DNS lookup
 (config)#ip domain-lookup used with #ip name-server, *DNS

(config)#ip route 0.0.0.0 0.0.0.0 x.x.x.x / Xx/x (next hop ip/exit int) (default static route)
(config)#ipv6 route ::/0 x:x:x:x::x / Xx/x (next hop ip/exit int)
(config)#ip route x.x.x.x x.x.x.x x.x.x.x (net ip, subnet mask, next hop ip) (next hop)
(config)#ipv6 route x:x:x:x::/x x:x:x:x::x (net ip/net prefix, next hop ip)
(config)#ip route x.x.x.x x.x.x.x Xx/x (net ip, subnet mask, exit int) (dir conn)
(config)#ipv6 route x:x:x:x::/x Xx/x (net ip/net prefix, int)
(config)#ip route x.x.x.x x.x.x.x Xx/x x.x.x.x (net ip, subnet mask, int, next hop ip) (fully spec)
(config)#ipv6 route x:x:x:x::/x Xx/x FE80::1 (net ip/net prefix, int, link-local addr)
(config)#ip route x.x.x.x x.x.x.x x.x.x.x / Xx/x permanent/xxx (floating static route) static route persists in table if int goes down/manually configure AD
(config)#no ip(v6) route …
(config)#no ip routing disables routing
#show ip(v6) route (static/network) (| begin/exclude…)
#show running-config | section ip(v6) route
 *also useful: #show ip int brief, cdp neighbors detail

Switch(Config)#ip routing allows layer 3 switch to be conf with routing protocols *enabled by default on routers
 nfig-if)#no switchport routed port - enables int to be conf as layer 3/router *3560 switch
(config)#ipv6 unicast-routing enables forwarding of IPv6 (ICMPv6 RS/RA messages)

(config)#license boot module c2900 technology-package securityk9 boot a new software license
(config)#license install XXXX:XXXx-Xxxx-XXXxxx… directory: license name (flash:seck9-c1900-etc…)
 config)#license accept end user agreement config one time acceptance
 config)#license boot module XXX technology-package XXX activate Evaluation RTU pckg (module – pckg names)
 #reload
 *remove package:
 config)#license boot module XXX technology-package XXX disable
 #reload
 #license clear XXXX feature name
 config)#no license boot module XXX technology-package XXX disable
#license save XXXX: XXXx-Xxxx-XXXxxx… save backup copy license, directory: license-name

(config)#lldp run enable globally
nfig-if)#lldp enable/disable enable for interface #no lldp enable see also cdp

(config)#logging variable various logging *enabled at (config)#, -line)#, and -if)#
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/esm/command/esm-cr-book/esm-cr-a1.html
 nfig-line vty/console/aux)#logging synchronous
 config)# logging buffered 7

(config)#login block-for xxx attempts x within xx can apply to privilege and line pw (seconds, tries, seconds)

(config)#mac address-table static XxXx.XxXx.XxXx vlan xx interface Xx/x create static map of port to host MAC addr - #no
nfig-if)#mac-address XxXx.XxXx.XxXx edit/assign MAC addr to interface

MDIX – when using auto MDIX, duplex and speed must be set to auto *Switch
 config-if)#duplex auto
 config-if)#speed auto
 config-if)#mdix auto device detects cable type
 S#show controllers Ethernet-controller Xx/x phy | include auto-MDIX examine MDIX setting

Objects Used in EXTENDED ACLs, not STANDARD/IPsec. *doesn't work in PT, does work on 3560,
 **IOS sub-config has: "config-network/service-group" for both, ASA has "config-network/service-object" and "config-network/service-object-group"
(config)#object service Name
 -service-group)#tcp/udp/tcp-udp/group-object… same as object-group service
(config)#object network Name
 -network-group)#x.x.x.x /xx/x.x.x.x Identify subnet CIDR/mask
 -network-group)#host x.x.x.x/Host.name IP address/hostname
 -network-group)#range x.x.x.x x.x.x.x Range (low-high) IP addresses
 -network-group)#group-object Nested Object Group
(config)#object-group network/service pg 117 SecPCG see also ASA config
(config)#object-group network Name
 -network-group)#description DescriptionUpTo200char
 -network-group)#x.x.x.x /xx/x.x.x.x Identify subnet CIDR/mask
 -network-group)#host x.x.x.x/Host.name IP address/hostname
 -network-group)#range x.x.x.x x.x.x.x Range (low-high) IP addresses
 -network-group)#any Any IP address
 -network-group)#group-object Nested Object Group
(config)#object-group service Name
 -service-group)#description DescriptionUpTo200char
 -service-group)#tcp/udp/tcp-udp (source (eq/lt/gt) Port# / range Port1 Port2…
 -service-group)#icmp type
 -service-group)#group-object Nested Object Group
*(config)#ip access-list extended ObjectExample
 -nacl)#permit/deny object-group OGService object-group OGNetworkSrc object-group OGNetworkDest

#ping x.x.x.x (source x.x.x.x / Xx/x) *prompts/enter for default value, same command for IPv6
#ping extended/interactive mode – follow prompts
(pipe) | filter command
 #show command | begin/exclude/include/section expression

#router ? show routing protocols supported by OS

Switch(config)#sdm prefer (lanbase-routing) switch db manager – optimize Switch for specific features/roles (Routing/VLAN/Default/Access) *SNMP
 (config)#do reload
 #show sdm prefer

(config)#secure boot-image secure IOS image/ensure IOS image resilience (Primary Bootset/Resilient Config)
(config)#secure boot-config secure Startup-config (snapshot Running-config)
 #show secure bootset verify bootset *secured images above can only be viewed in ROMMON
 Restore a Primary Bootset:
 *enter ROMMON mode: #reload -> ctrl-break within 60 sec
 rommon 1 >dir flash: displays bootset files
 rommon 2 > boot c2900-universalk9.mz.SPA.153-3.M5.bin boot router using image
 (config)#secure boot-config restore flash0:.runcfg-20151025-180642.ar restore secure config to archive in flash

(config)#security passwords min-length xx 1 – 16
(config)#no service password-recovery disables ROMMON password recovery feature
303
304#show arp IP to MAC resolution (show mac-address-table for L2 mappings)
305 Proto (IP), Address, Age (min), Hardware Addr, Type, Interface
306S?#show bootvar/boot boot path list, config files (flash memory) ??? Switch only/<12.0???
307 #show/dir flash
308#show cdp packets time, hold time, advertisements
309#show cdp interface all interfaces cdp status – encapsulation, send time, hold time
310#show cdp neighbors (detail) ID, local int, hold time, device type, platform, remote port ID(int)
311 #show cdp neighbors (detail/line/file systems) IP addr, software version, Native VLAN
312#show clock (detail) time set on device
313#show controller/s (Xx/x) state of interfaces/cables connected, clock rate, DTE/DCE *FRAMES transmitted/received
314 S#show controllers ethernet-controller Xx/x phy ( | include auto-mdix/clock rate/clocksource) (examine MDIX)
315#show dtp interface Xx/x int trunk status/stats
316#show file systems verify available file systems, memory flash/nvram, usb attached
317#show flash/flash: dir layout/contents - IOS, config.text, (vlan.dat – switch)
318 #dir flash:
319 #dir nvram: startup-config (router/switch)
320#show history history of commands entered
321#show hosts local host-IP address cache (names and addr of hosts reachable) *DNS Hosts file
322 #show ip host-list ? lots of options – Vlan, Port-channel, summary, etc.
323#show interface(s) detailed all int with line proto status, bw, delay, reliability, encap, duplex, I/O stats *statistics
324 #show interfaces Xx/x switchport Admin/Operation Modes, Trunking/Trunk Encapsulation, Native
325 #show interface(s) (Xx/x / switchport / vlan xx)
326 #show interfaces trunk VLANs allowed, encapsulation method, interfaces, native VLAN, administrative mode (to form)
327#show inventory “chassis info” - name, description, PID, VID, SN (including Interface Cards)
328#show ip(v6) access-lists contents of all ACLs
329 *OCG show ip access-lists - IPv4 ACLs only show access-lists – ALL ACLs
330#show ip dhcp server statistics pool stats and message activity
331#show ip(?) dhcp snooping configuration
332 #show ip dhcp snooping binding MAC to IP addr, lease, VLAN, int
333 #show ip dhcp snooping track host (statistics) contents of DHCP host tracking cache
334#show ip(v6) dhcp conflict
335#show ip(v6) dhcp pool (XXX) pool settings
336 #show run | section dhcp DHCP config
337#show ip(v6) dhcp binding address leases
338#show ipv6 dhcp interface Xx/x *ipv6 only
339#show ip(v6) eigrp interfaces (Xx/x / xx / detail) int enabled for EIGRP (specific int / AS process ID)
340#show ip(v6) eigrp neighbors (xx / detail) neighbor table (verifies if a neighbor is a stub router)
341#show ip(v6) eigrp topology (all-links) “all-links” includes successors, feasible successors, and backup
342#show ip(v6) eigrp traffic number and type of packets sent/received
343#show ip http server status non-secure web int enabled by default
344#show ip(v6) interface protocols – int info, proto status, IP addr, helper addr, ACL
345 #show ip int brief all int with status/proto, IP addressing info
346 #show ip(v6) interface (Xx/x / vlan xx) (specific/ vlan x)
347#show ip(v6) ospf process ID, router ID, area info, timers
348 #show ip(v6) route (ospf) routing table *forward db
349#show ip(v6) ospf database topology (LSDB)
350#show ip(v6) ospf interface detailed list of every OSPF enabled interface
351 - verify current OSPF cost, proc ID, router ID, net type, timers
352 #show ip(v6) ospf interface (Xx/x/x / brief ) (| include BW) (specific int / summary)
353#show ip(v6) ospf neighbor neighbor table/adj db router ID, priority, state(DR/BDR/Full), IP addr, int
354#show ip(v6) ospf topology-info
355#show ip(v6) protocols (| begin default) IP/L3 (routing) protocols currently configured
356#show ip(v6) route routing table – routing codes(learned/static/def), known nets, AD/metric, next hop
357#show ip(v6) route (| begin Gateway) gateway of last resort
358 #show ip(v6) route ospf shows OSPFv3 routes (v6)specifically
359 #show ip(v6) route rip/static/x.x.x.x(x:x:x:x::)/connected (| begin gateway)
360#show ip ssh verify ssh version and config
361 #show ssh active ssh connections
362#show license (all) list all licenses
363 #show license feature/udi view tech and feature licenses/Unique Device Ident (PID, SN, hardware version)
364 #show version
365#show line view console/vty/aux ports
366*handy trick: ctrl+shift+6 allows switching between multiple sessions. Use #show line to see which lines are active and enter the line number at #
367#show mac address-table (dynamic/address xxxx.xxxx.xxxx) L2 mapping - VLAN, MAC addr, Type, Port (#show arp for L3 to L2 mapping)
368#show memory
369??#show module display available source address (MAC) ranges (control pane/EPROM) ??? Deprecated ???
370??#show post verify POST, shows Begin/End Tests
371#show port/port-security MAC addr configured
372 #show port-security interface Xx/x status, violation mode/count, aging time/type, MAC addresses(max/sticky, etc), last source addr/vlan
373 #show port-security address all secured MAC address configured
374#show processes (cpu)
375#show protocols status of interfaces
376#show running-config configuration in RAM
377#show sdm prefer switch database manager, details on routes/traffic/”aces”
378#show sessions telnet connections
379 #show users
380#show software authenticity file flash:c2900-universalk9.mz.SPA.153-3.M5.bin IOS version > 15.???, must include “SPA”???
381#show software authenticity running
382#show span/spanning-tree VLAN (per) : root/bridge ID, prio, addr, cost(to root), port, hello time
383 interfaces: role, status, cost, prio, number, type
384 #show span summary mode, role, parameter states, ports states
385#show startup-config configuration in NVRAM
386#show tech-support executes multiple show commands
387#show users all connected users
388 #show sessions
389#show version software version, IOS image, summary license list/state(show license?)
390#show vlan (brief / id xx / name XXX / summary)
391#show vlans *routers too (ios subint)???
392nfig-if)#speed xxx (10/100/1000) default is auto, manual config is recommended
393#tclsh enter Tool Command Language #tclquit
394 #tclsh XXX.XXX run file (default location flash:)
395#terminal length xx specify number of lines to be displayed *0 prevents pausing
396#terminal history size xx increase/decrease buffer size *show history
397#terminal monitor enable to see debug (log messages) over telnet/SSH (IP connection)
398 *#show logging configuration – Syslog/Console/Monitor/Buffer, more
399 (config)#username Name (privilege xx) (algorithm-type md5/sha256/scrypt) password/secret Password1 privilege 1 – 15 (algo-type IOS 15.5)
400(config)#verify /md5 flash:c2900-universalk9.mz.SPA.153-3.M5.bin verify IOS MD5 checksum
401 *SPA – indicates digitally signed image (U.S. Gov FIPS)
402
IPv6 Configuration
R1(config)# interface Xx/x
R1(config-if)#ipv6 address 2001:db8:acad:X::X/64 subnet:host/mask i.e. 1::1
R1(config-if)#ipv6 address fe80::x link-local
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ipv6 unicast-routing

Routing
RIP:
Config)#router rip enable/rip config mode #no
 nfig-router)#version 2 enables version 2 *RIP #no
 nfig-router)#no version returns router to version 1 (still listens for v2 updates)
 nfig-router)#network x.x.x.x (x.x.x.x) advertise on interfaces related to network (classless- v2)
 nfig-router)#passive-interface Xx/x / default prevent routing updates out interface / all #no
 nfig-router)#no auto-summary *a-s is enabled by default in RIPv2/no effect on RIPv1
 *auto-summary creates problems with discontiguous nets/summarizes classful addr
 nfig-router)#default-information originate propagate static routes
 nfig-router)#distance xx manually set an AD
(config)#key chain KeyChainName
nfig-keychain)#key 1
 -key)#key-string Cisco123
nfig-if)#ip rip authentication mode md5
nfig-if)#ip rip authentication key-chain KeyChainName

#show key-chain

RIPng (IPv6):
config)#ipv6 unicast-routing
config)#ip domain-name XXXXX set a domain name for router
 config-if)#ipv6 rip XXXXX enable enter domain/process names to route
 *nfig-if)#ipv6 rip XXXXX default-information originate propagate ipv6 static routes, X=domain

#debug ip rip *undebug all (#debug rip – older IOS versions)
#show ip(v6) protocols routing protocol, networks, auto-summ
#show ip(v6) route (rip) (RIP only entries in routing table)

EIGRP:
Config)#router eigrp x autonomous system/process ID (16 bit 1 – 65535) #no
 nfig-router)#(eigrp) router-id x.x.x.x some IOS versions will accept w/o "eigrp" entered
 nfig-router)#network x.x.x.x classful net address – no wildcard
 nfig-router)#network x.x.x.x x.x.x.x classless subnet – wildcard
 nfig-router)#network x.x.x.x 0.0.0.0 Int IP address
 nfig-router)#passive-interface Xx/x / default
 nfig-router)#no auto-summary *for IOS prior to release 15, disabled by default IOS >15
 nfig-router)#no eigrp log-neighbor-changes neighbor changes displayed *enabled by default
 nfig-router)#distance xx manually set AD ???IPv6
config)#key chain KeyChainName name of Key Chain (MD5 auth) *Locally significant
 config-keychain)#key 1 Key ID (0 - 2,147,483,647) must match peer
 -key)#key-string Cisco123 password/alphanumeric up to 80 char (first char can't be a number), must match peer
 *-key)#accept-lifetime xxx… start-time, infinite/end-time/duration seconds
 *-key)#send-lifetime xxx…
config-if)#ip(v6) authentication mode eigrp x md5 AS#
config-if)#ip(v6) authentication key-chain eigrp x XXXX AS#, name of key chain (above)

config)#ipv6 unicast-routing
config)#ipv6 router eigrp x AS/process ID
 nfig-router)#(eigrp) router-id x.x.x.x
 nfig-router)#no shutdown *by def, EIGRP for IPv6 is in shutdown state
 nfig-router)#passive-interface Xx/x / default
 nfig-if)#ipv6 eigrp x AS/process ID EIGRP for IPv6 is enabled per int similar to OSPF IPv6

nfig-router)#redistribute static propagate static route/IPv6 too ???#default-information originate
nfig-router)#maximum-paths x load balancing among equal cost/parallel paths, def 4, 1 = disabled, max 32
nfig-router)#traffic-share balanced control traffic distribution with different cost routes, #no
nfig-router)#variance x allows unequal cost load balancing, x = 1-128, 1 = equal cost
 *include routes with a metric <= n x minimum metric route for that destination
nfig-router)#metric weights tos k1 k2 k3 k4 k5 change default K values
config-if)#bandwidth xx set bandwidth metric in kb/s *
config-if)#ip(v6) summary-address eigrp x x.x.x.x x.x.x.x (xx) AS#, summarized IP, subnet mask, (AD)
config-if)#ip(v6) bandwidth-percent eigrp x xx sets aside resources for EIGRP - AS#, percent *limits to use no more than xx percent
config-if)#ip(v6) hello-interval eigrp x xx AS#, seconds #no
config-if)#ip(v6) hold-time eigrp x xx AS#, seconds #no
 *Hello-Interval and Hold-Time DO NOT have to match between neighbors to form adjacencies, unlike OSPF – must match
 **K values must match in EIGRP
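Added example (not part of the original notes): successor / feasible successor selection and the effect of variance and maximum-paths on which paths get installed, as described for EIGRP above. The reported distances and link metrics are constructed sample values for one destination; the share counts in traffic_share follow the inverse-metric rule of traffic-share balanced.

```python
"""EIGRP path selection with variance and maximum-paths (constructed metrics)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Candidate:
    """One neighbor's offer for a destination, as in the EIGRP topology table."""
    neighbor: str
    reported_distance: int   # RD: the neighbor's own metric to the destination
    link_metric: int         # metric of the link from us to that neighbor

    @property
    def metric(self) -> int:
        """Our total metric via this neighbor."""
        return self.reported_distance + self.link_metric


def classify(cands: List[Candidate]) -> Tuple[List[Candidate], int, List[Candidate]]:
    """Return (successors, feasible distance, feasible successors).
    Successors: lowest metric (several if equal cost); FD is that metric.
    Feasibility condition (FC): RD < FD, so the neighbor cannot be routing through us."""
    fd = min(c.metric for c in cands)
    successors = [c for c in cands if c.metric == fd]
    feasible = [c for c in cands if c.metric > fd and c.reported_distance < fd]
    return successors, fd, feasible


def installed_paths(cands: List[Candidate], variance: int = 1,
                    maximum_paths: int = 4) -> List[Candidate]:
    """Paths that end up in the routing table.
    variance N installs feasible successors with metric <= N * FD (1 = equal cost only);
    maximum-paths caps the total (1 disables load balancing, IOS allows up to 32).
    A path that fails the FC is never installed, however small its metric."""
    if not 1 <= variance <= 128:
        raise ValueError("variance must be 1-128")
    if not 1 <= maximum_paths <= 32:
        raise ValueError("maximum-paths must be 1-32")
    successors, fd, feasible = classify(cands)
    chosen = sorted(successors, key=lambda c: c.neighbor)
    for c in sorted(feasible, key=lambda c: c.metric):
        if c.metric <= variance * fd:
            chosen.append(c)
    return chosen[:maximum_paths]


def traffic_share(paths: List[Candidate]) -> Dict[str, int]:
    """traffic-share balanced: traffic is split inversely proportional to metric,
    expressed here as integer share counts (largest metric // path metric)."""
    largest = max(p.metric for p in paths)
    return {p.neighbor: largest // p.metric for p in paths}


# Constructed topology-table entries for one destination (10.1.1.0/24)
TOPOLOGY = [
    Candidate("R2", reported_distance=10000, link_metric=5000),   # 15000: successor, FD = 15000
    Candidate("R3", reported_distance=12000, link_metric=10000),  # 22000, RD < FD: feasible successor
    Candidate("R4", reported_distance=16000, link_metric=3000),   # 19000 but RD >= FD: fails FC
    Candidate("R5", reported_distance=5000, link_metric=40000),   # 45000, feasible but far from FD
]

if __name__ == "__main__":
    for v in (1, 2, 3):
        chosen = installed_paths(TOPOLOGY, variance=v)
        print(f"variance {v}: {[c.neighbor for c in chosen]} share {traffic_share(chosen)}")
```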

#show interface Xx/x verify BW/delay values
#show ip(v6) protocols same as for OSPF (metric weights, passive interfaces, redistribute, summarization)
#show ip(v6) route (eigrp)
#show ip(v6) eigrp interfaces (Xx/x / xx / detail) int enabled for EIGRP (specific int / AS process ID)
 ??? Xx/x/x and detail doesn't work with all ios versions or just PT ????
#show ip(v6) eigrp neighbors (AS#/detail) neighbor table (verifies if a neighbor is a stub router)
#show ip(v6) eigrp topology (all-links) successors, feasible successors, and backup (all routes whether they satisfy FC or not)
#show ip(v6) eigrp traffic number and type of packets sent/received
#show key-chain
#debug eigrp fsm/packet/neighbor examine DUAL(feasible successor)/packets/neighbors #undebug all #u all
#debug ip eigrp (neighbor/notifications)

OSPF:
(config)#interface lox loopback# *used for router-id if not configured
 *preferred method for router id on older OS's which don't recognize #router-id command
 config-if)#ip address x.x.x.x 255.255.255.255 (use a loopback for router id)
(config-if)#ip(v6) ospf priority xx 0 – never DR/BDR, 1-255 ^ - DR/BDR
 *if configured after OSPF is enabled, OSPF must be restarted to force election #clear ip(v6) ospf process
(config)#router ospf x process id - 1-65535 selected by admin
 nfig-router)#router-id x.x.x.x x assigned by admin
 *router must be reloaded/OSPF cleared if entered after OSPF is running
 nfig-router)#network x.x.x.x x.x.x.x area x network/summarized, wildcard mask, area #
 nfig-router)#network x.x.x.x 0.0.0.0 area x int IP addr in place of network, area #
 nfig-router)#auto-cost reference-bandwidth xx adjusts ref bandwidth in Mb/s, 100(Fast Ether) is def
 * cost = ref bw/int bw in bps
 nfig-router)#distance xx manually set AD for routing protocol
*nfig-if)#ip ospf x area xx place int into area and process (in place of "network" command)
Authentication:
- Plain text
 nfig-router)#area x authentication enable Plain Text authentication in OSPF config
 nfig-if)#ip ospf authentication-key c1$c0 no hash/encryption, sent in clear
- Message Digest (MD5):
 *nfig-router)#area x authentication message-digest enables/forces MD5 auth on ALL interfaces
 *nfig-if)#ip ospf authentication message-digest enables/forces MD5 PER int (< either ^ or)
 nfig-if)#ip ospf message-digest-key x md5 Xxx Key ID, password (both must match on Peers) *always entered per int
- Key Chain: standard Key Chain config then enabled on interface - DOESN'T work with all versions
(config)#key chain KeyChainName define Key Chain, name is only locally significant
 nfig-keychain)#key 1 Key ID, has to match peer
 -key)#key-string Cisco123 Password, must match on Peers
 *-key)#cryptographic-algorithm md5 specify MD5, *"Send" and "Accept" lifetimes can also be configured, default is forever
 *-key)#cryptographic-algorithm hmac-sha-256 use SHA256 instead of MD5
 nfig-if)#ip ospf authentication key-chain KeyChainName apply to int, *KeyChainName doesn't have to match between Peers

nfig-router)#area x range x.x.x.x x.x.x.x ABR interarea route summarization – summary net, netmask *IPv4 and IPv6
nfig-router)#summary-address x.x.x.x x.x.x.x ASBR external route summarization – summary IP, netmask

(config)#ipv6 router ospf x assign process id
 nfig-rtr)#router-id x.x.x.x x assigned by admin *clear ipv6 ospf process
 nfig-rtr)#auto-cost reference-bandwidth xx adjusts ref bandwidth in Mbs, 100(fast Ether) is def
 nfig-rtr)#area x range x:x:x:x::/xx interarea route summarization
 nfig-if)#ipv6 ospf x area 0 process id – area id, config/enable OSPFv3 (on int instead of "network" in IPv4)
 nfig-if)#ipv6 ospf network point-to-point
 nfig-if)#ipv6 ospf authentication ipsec spi ??????
*both v2 & v3 and or most routing protos:
nfig-router)#passive-interface Xx/x / default prevents sending Hello packets – prevents adjacency from being formed (non-router ports)
nfig-router)#default-information originate (always) sets the default route (0.0.0.0/0) to be propagated to all OSPF routers
nfig-router)#redistribute static subnets redistribute all static routes (ip route …) except for static default route *turns router into ASBR
nfig-router)#no auto-summary *disabled by default for OSPF
config-if)#bandwidth xx set bandwidth (both sides of link) metric in Kbs #no
config-if)#ip ospf cost xxxxx overrides bw calculation at the int - manually set cost
 *def cost calculation is ref bandwidth(10^8 bps)/interface bandwidth in bps
config-if)#ip(v6) ospf hello-interval x default is 10s, #no… to reset def
config-if)#ip(v6) ospf dead-interval x default is 40s, #no… to reset def OSPF auto sets to 4x Hello, though explicit config is best practice
 *Hello/Dead timers must match between neighbors
config-if)#ip(v6) mtu xx sets MTU in bytes, #no

#clear ip(v6) ospf (process id) process renegotiate adjacencies – after changing ID/priority

#debug ip ospf adj #undebug all
#show ip(v6) route (| include x.x.x.x / x.x.x.x) routing table (fwd db), OSPF metric (single line / more detailed)
#show ip(v6) route ospf accumulated cost
#show ip(v6) protocols routing proto, process ID, router ID, areas, networks, passive int, AD/
#show ip(v6) ospf process ID, router ID, area info, timers
#show ip(v6) ospf interface (brief) detailed (summary) list of every OSPF enabled interface - verify current
 OSPF cost, proc ID, router ID, net type, timers, role of router
#show ip(v6) ospf interface Xx/x/x detailed, verify active OSPF int, verify authentication (MD5)
#show ip(v6) ospf interface Xx/x/x | include timer timer intervals – hello, dead, wait, retrans
#show ip(v6) ospf neighbor verify adjacencies - neighbor table/adj db router ID, priority, state(DR/BDR/Full/2way), IP addr, int
#show ip(v6) ospf database topology(LSDB)
#show interface Xx/x MTU, bandwidth, delay, packets
#show interfaces Xx/x/x (|include BW) verify int bandwidth

BGP: MD5 digest created using portions of IP/TCP headers, TCP payload, and Secret Key
(config)#router bgp 65000 AS #
 (config-router)#network 192.168.15.0
 (config-router)#neighbor 192.168.10.2 remote-as 65100
 (config-router)#neighbor 192.168.10.2 password CCNA-SECURITY password option on “neighbor” config
#show ip bgp neighbors | include option flags

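The one-line description above of the BGP MD5 digest (portions of the IP/TCP headers, the TCP payload and the secret key) is the TCP MD5 Signature Option of RFC 2385. The following Python is an added example, not from the page and not Cisco code: it builds a TCP segment that carries the option, computes the digest over the pseudo-header, the fixed TCP header (checksum zeroed, options excluded), the data and the key, and verifies it the way the receiving peer does. The addresses, ports and payload are constructed sample values; the key is the page's CCNA-SECURITY string.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample values for this example; they are not from a live session.
SRC_IP = "192.168.10.1"
DST_IP = "192.168.10.2"
KEY = b"CCNA-SECURITY"      # the string given to "neighbor ... password"
MD5_OPT_KIND = 19           # TCP MD5 Signature Option (RFC 2385)
MD5_OPT_LEN = 18            # kind + length + 16-byte digest


def build_segment(src_port, dst_port, seq, ack, flags, payload):
    """TCP header with a zero-filled MD5 option (plus two NOPs for 32-bit alignment) and payload."""
    options = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + bytes(16) + b"\x01\x01"
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words (10)
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset << 4, flags, 65535, 0, 0)   # checksum and urgent pointer 0
    return header + options + payload


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header (checksum zeroed, options excluded), data, key."""
    data_offset = (segment[12] >> 4) * 4
    pseudo_header = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                     + struct.pack("!BBH", 0, 6, len(segment)))   # TCP length includes options
    fixed_header = segment[:16] + b"\x00\x00" + segment[18:20]
    h = hashlib.md5()
    for part in (pseudo_header, fixed_header, segment[data_offset:], key):
        h.update(part)
    return h.digest()


def sign_segment(src_ip, dst_ip, segment, key):
    """Sender side: fill the digest into the option slot (option starts at byte 20, digest at 22..37)."""
    digest = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return segment[:22] + digest + segment[38:]


def find_md5_option(segment):
    """Walk the TCP options and return the 16-byte digest, or None if the option is absent."""
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                  # End of Option List
            break
        if kind == 1:                  # NOP
            i += 1
            continue
        length = segment[i + 1]
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return segment[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: recompute with the locally configured key and compare in constant time."""
    received = find_md5_option(segment)
    if received is None:
        return False
    return hmac.compare_digest(received, tcp_md5_digest(src_ip, dst_ip, segment, key))


if __name__ == "__main__":
    payload = b"constructed BGP message bytes"
    seg = sign_segment(SRC_IP, DST_IP, build_segment(179, 40000, 1000, 2000, 0x18, payload), KEY)
    print("peer with the same key accepts:", verify_segment(SRC_IP, DST_IP, seg, KEY))
    print("peer with another key accepts:", verify_segment(SRC_IP, DST_IP, seg, b"other"))
```

Because the addresses are part of the pseudo-header, a segment signed for one peer pair fails verification if either address changes, and because the digest is excluded from its own computation the receiver can recompute it in place; the option is cleared by `build_segment` and only filled in by `sign_segment`.
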
SSH Configuration
(config)#hostname Name required for SSH
(config)#ip domain-name Domain.com domain name of the network
(config)#crypto key generate rsa (usage-keys/general-keys) modulus xxxx 1024, 2048, etc
(config)#username Name (privilege xx) password/secret Password1 local db username entry
 *(config)#username Name (privilege xx) (algorithm-type md5/sha256/scrypt) password/secret Password1
(config)#login block-for x attempts x within x seconds, tries, seconds
(config)#login on-failure log
(config)#ip ssh version 2 specify only version to use *default is compatibility mode – both versions are supported, #no
(config)#ip ssh time-out xx 1 – 120 seconds, default 120
(config)#ip ssh authentication-retries xx default is 3
(config)#line vty 0 4/15 4/15 – depends on how many VTY lines the switch has
 (config-line)#transport input (telnet/ssh/all) telnet is default, ssh disables telnet, all allows both
 (config-line)#login local use local db (run-config)
 (config-line)#access-class Name in apply nACL to VTY **only numbered???
 *aaa instead of login local:
 (config)#aaa new-model
 (config)#aaa authentication login MyListName local *also – default Method List which is applied by default
 (config)#line vty 0 4
 (config-line)#login authentication MyListName

(config)#ip ssh/telnet source-interface Xx/x specify interface to use as source address when connecting to another device

(config)#ip scp server enable configure Secure Copy (SCP), provides “copy” using SSH
 #copy file scp://x.x.x.x/xxx.xxxxx.xxx IP addr/URL SSH copy

#show ip ssh version and configuration
#show ssh current SSH connections

Switchport/VLAN config
Switch(config)#ip routing allows layer 3 switch to be conf with routing protocols
 (config-if)#no switchport routed port – enables int to be conf as layer 3/router *3560 switch

(config)#interface vlan xx
 (config-if)#ip address x.x.x.x x.x.x.x

(config)#vlan xx / xx,xx / xx,xx,xx-xx create vlan/multiple vlans #no
 (config-vlan)#name XXX name the vlan
(config)#interface Xx/x *use “interface range” prior to assign multiple int, can reassign int w/o first removing prev vlan
 (config-if)#switchport mode access supports only one VLAN (+voice), turns off DTP
 (config-if)#switchport port-security sets port/int to access mode/removes trunk
 (see port-security below – configured before vlan info)
 (config-if)#switchport access vlan xx assigns vlan to int/creates vlan xx if it doesn’t exist #no
 (config-if)#switchport voice vlan xx assign voice vlan to int
 (config-if)#no shutdown
(config)#ip default-gateway x.x.x.x first layer 3 device on the same Management VLAN to which switch connects *sub-int
 *needed in addition to SVI for telnet/management **management vlan IP addr when using subnets

#show interfaces (trunk / Xx/x / vlan xx) (switchport) trunk to check native vlan
#show vlan (brief / id xx / name XxXx / summary)
#show mac-address-table check which addresses were learned on a port (port to MAC address binding, NOT ARP)

(config-if)#switchport port-security sets port security (not used on trunks)
 *default – max 1 MAC addr/violation “shutdown”
 (config-if)#switchport port-security maximum x (vlan type) max # of secure addr allowed, def 1, (access/voice)
 (config-if)#switchport port-security mac-address xxxx.xxxx.xxxx statically assign mac address allowed
 (config-if)#switchport port-security mac-address sticky all dynamically learned MAC addr placed in Running-Config,
 *copy run start to save to Startup-Config
 *(config-if)#switchport port-security mac-address sticky xxxx.xxxx.xxxx sets both
 (config-if)#switchport port-security violation (protect/restrict/shutdown)
 protect – after limit reached, packets with unknown source are dropped – no notification
 restrict – after limit reached, packets with unknown source are dropped – SNMP Trap/Syslog message, inc violation count
 shutdown (default) – after limit reached, packets with unknown source are dropped – SNMP Trap/Syslog message, inc violation count, port shut down (err-disabled)
 (config-if)#switchport port-security aging time xxx seconds??
(config-if)#switchport protected enables PVLAN Edge on Switch int (doesn’t forward any traffic to any other protected port unless via L3)

#show port-security (int Xx/x) port-sec settings (per int)
#show port-security address display all MAC addr learned

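The three violation modes and the static/sticky address handling described above, as an added Python model; it is not IOS code and not from the page. Frames arrive with a source MAC, the port learns up to `maximum` secure addresses, and once the limit is reached protect drops silently while restrict and shutdown count and log the violation, with shutdown also err-disabling the port. The log text is constructed for the example and is not real IOS output; `running_config()` reproduces only the lines the page's notes mention.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Simplified model of one access port with 'switchport port-security' (example only)."""
    name: str
    maximum: int = 1                 # switchport port-security maximum x
    violation: str = "shutdown"      # switchport port-security violation protect|restrict|shutdown
    sticky: bool = False             # switchport port-security mac-address sticky
    static: set = field(default_factory=set)    # switchport port-security mac-address xxxx.xxxx.xxxx
    learned: set = field(default_factory=set)   # dynamically learned secure addresses
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def secure_macs(self):
        return self.static | self.learned

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                                   # shut down by an earlier violation
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(src_mac)                       # learn it as a secure address
            return "forward"
        if self.violation == "protect":
            return "drop"                                   # silently dropped: no counter, no log
        # restrict and shutdown both count and log (constructed log line, not IOS output)
        self.violation_count += 1
        self.log.append(f"port-security violation on {self.name}: unknown source {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True                        # port goes err-disabled
        return "drop"

    def running_config(self):
        """The interface lines that end up in running-config; sticky addresses only when sticky is on."""
        lines = [f"interface {self.name}", " switchport mode access", " switchport port-security"]
        if self.maximum != 1:
            lines.append(f" switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f" switchport port-security violation {self.violation}")
        for mac in sorted(self.static):
            lines.append(f" switchport port-security mac-address {mac}")
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            for mac in sorted(self.learned):
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines
```

Only sticky learning survives a reload, and only after `copy run start`; with plain dynamic learning the `learned` set would be empty again after a reboot, which is why the page notes the copy step.
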
(config-if)#switchport trunk encapsulation dot1q/isl changes mode if switch supports more than one mode (Inter-Switch Link) #no
(config-if)#switchport mode trunk permanent trunking/doesn’t generate DTP frames – connecting to non-Cisco Switch
 (config-if)#switchport trunk native vlan xx re-assign native vlan from VLAN1 *Ideally, Native VLAN should be cleared from Trunk
 (config-if)#no switchport trunk native vlan resets to VLAN1
 (config-if)#switchport trunk allowed vlan xx,xx,xx-xx vlans allowed (include native if necessary), use “add/remove” below to edit
 (config-if)#no switchport trunk allowed vlan resets to default
 *(config-if)#switchport trunk allowed vlan add/remove x,x-x alternate config
(config-if)#switchport nonegotiate prevents int from gen DTP frames, disables DTP – always used as best practice
(config-if)#switchport mode dynamic auto default, able to convert to trunk if neighbor set to trunk/desirable
(config-if)#switchport mode dynamic desirable actively attempt to convert to trunk if neighbor set to trunk/desirable/auto

#show dtp interface (Xx/x) current DTP mode
#show interfaces trunk Port, Mode (DTP), Encapsulation, Status, Native VLAN
#show interfaces Xx/x switchport interface DTP mode

Legacy Inter-VLAN Routing:
 S(config)#vlan xx
 S(config-vlan)#name XXX
 S(config-vlan)#interface Xx/x
 S(config-if)#switchport mode access
 S(config-if)#switchport access vlan xx

 R(config)#interface Xx/x
 R(config-if)#ip address x.x.x.x x.x.x.x
 R(config-if)#no shutdown

RoaS Inter-VLAN:
 S(config)#vlan xx
 S(config-vlan)#name XXX
 S(config)#interface Xx/x *int connected to router
 S(config-if)#switchport mode trunk
 S(config-if)#switchport trunk native vlan xx
 S(config-if)#switchport trunk allowed vlan x,x,xx
#show interfaces Xx/x switchport verify Administrative Mode/Access Mode VLAN

 R(config)#interface Xx/x.xx creates subint – .xx usually reflects vlan/subnet # i.e. .10
 R(config-subif)#encapsulation dot1q xx (native) xx actual vlan, should match .xx and subnet i.e. 10, (specifies as native VLAN)
 *shows up as VLAN under #show vlans
 R(config-subif)#ip address x.x.x.x x.x.x.x *address needs to match subnet
 R(config-subif)#interface Xx/x switch to parent int
 R(config-if)#no shutdown ***subint are enabled by default

#show interfaces verify encapsulation, VLAN ID
#show ip interface verify int/subint conf

VTP
(config)#vtp version 1/2/3 *2/3 disabled by default
 *when 2 is enabled, every version 2 capable switch auto enables. Version 3 must be manually configured
(config)#vtp domain Xxxxx only needed for server, clients learn from server
 *only command needed to add switch as client – verify version # is lower than server’s #show vtp status
 **also used to reset switch version # – create new domain, rejoin previous domain
(config)#vtp mode client/server/transparent/off (vlan/mst/unknown) (specify database location)
(config)#vtp password Password01 *8-64 char – if assigned, must be conf on each switch in domain
*version 3
(config)#vtp password Password01 (hidden/secret) hidden – saves generated key in vlan.dat, secret – directly conf 32 hex characters
(config)#vtp primary (vlan/mst) (force) change switch from secondary server (db location) (force overwrite)
(config-if)#vtp enable VTP on a single interface (trunk)
(config)#vtp pruning disabled by default, only needs to be enabled on one server

#show vlan
#show vtp status config info
#show vtp password depends on “hidden” command/encryption
#show vtp counters vtp messages sent/received
#show vtp devices (conflict) info for version 3 devices (version 3 devices with conflicting primary servers)
#show vtp interface (Xx/x) vtp status for interfaces/specified int

PVLAN
*Supporting VLANs – Primary, Secondary (Isolated/Community)
**PVLAN Ports – Promiscuous, Host (Isolated/Community) *(PVLAN ports are associated with Supporting VLANs)
(config)#vtp mode transparent
configure Supporting VLANs (Primary, Isolated, Community):
(config)#vlan 100
 (config-vlan)#private-vlan primary sets VLAN 100 as Primary VLAN (carries traffic between all Ports)
 (config-vlan)#private-vlan association 101,102 associates Isolated and Community VLANs with Primary VLAN *Supporting VLANs
(config)#vlan 101
 (config-vlan)#private-vlan isolated sets VLAN 101 as Isolated VLAN (traffic between Isolated and Promiscuous)
(config)#vlan 102
 (config-vlan)#private-vlan community sets VLAN 102 as Community VLAN (traffic between Community and Promiscuous)
configure PVLAN ports (Primary, Isolated, Community):
TRUNK interface: for Promiscuous Port
 (config-if)#switchport trunk encapsulation dot1q
 (config-if)#switchport mode trunk
 (config-if)#switchport mode private-vlan promiscuous configured as Promiscuous PVLAN port
 (config-if)#switchport private-vlan mapping 100 add 101,102 Promiscuous uses “mapping” – Primary, Isolated, Community PVLANs
ACCESS interface (or range): for Isolated Port
 (config-if)#switchport mode access
 (config-if)#switchport mode private-vlan host configured as Host (Isolated/Community) port
 (config-if)#switchport private-vlan host-association 100 101 Primary, Isolated PVLANs *Supporting VLAN determines Isolated/Community
ACCESS interface (or range): for Community Port
 (config-if)#switchport mode access
 (config-if)#switchport mode private-vlan host configured as Host (Isolated/Community) port
 (config-if)#switchport private-vlan host-association 100 102 Primary, Community PVLANs *Supporting VLAN determines Isolated/Community

#show vlan private-vlan
#show interface switchport
#show int Xx/x switchport (| include private-vlan)

ACL (Standard Numbered/Named, Extended Numbered/Named)
Standard Numbered: 1 – 99 Expanded: 1300 – 1999
Extended Numbered: 100 – 199 Expanded: 2000 – 2699
Standard/Extended Named: CAPITAL LETTERS

(config)#access-list 1 permit/deny/remark x.x.x.x x.x.x.x (log) create standard #ACL: source – wildcard, # 1-99/1300-1999, (logging of info/matches)
 *(config)#logging console
(config)#access-list 100 p/d/r (proto)(src)(operator)(port)(dest)(operator)(port)(log) extended #ACL, # 100-199/2000-2699
 *“established” can replace op+port
 src/dest = x.x.x.x x.x.x.x ip & wildcard, other variations:
 *(config)#access-list x permit 0.0.0.0 255.255.255.255 / any match all/any
 *(config)#access-list x permit x.x.x.x / x.x.x.x 0.0.0.0 / host x.x.x.x must match exactly (all-zero wildcard) *ip addr can be used alone for “host” match
 *(config)#access-list x deny any any automatic, explicitly adding causes count to be added to show output
 *(config)#access-list x permit any (any) *if not added, all others are denied due to implicit deny
(config)#ip access-list standard xx edit standard #ACL (1-99) sequence OR create nACL – below
 (config-std-nacl)#no xx xx = sequence to delete (#show access-lists x to find seq number)
 (config-std-nacl)#xx permit/deny x.x.x.x x.x.x.x replace above seq ACE
(config)#ip access-list standard/extended xx/XXX switch to/create/edit a NAMED ACL *CAPS recommended #no
 *numbers can be used in NAMED ACLs but follow std/ext range
 (config-std-nacl)#permit/deny/remark x.x.x.x x.x.x.x (log) create standard nACL entry, source – wildcard (log ACL entry matches, *logging console)
 (config-ext-nacl)#p/d/r (proto)(src)(dest)(operator)(port) create extended nACL entry
 (config-std-nacl)#x permit/deny x.x.x.x x.x.x.x add a seq line between two lines, x = place in seq i.e. 15: 10, 20
 (config-std-nacl)#no x delete sequence in nACL
 (config-ext-nacl)#(x) deny ip any any (log) denies all and forces log entry (x – insert at seq #) (logs ALL matches)
(config-if)#ip access-group x/XXX in/out applies ACL (all – Name/Number) to int – inbound/outbound
 (config-if)#no ip access-group
(config)#no access-list (xx/XXX) deletes access list – all (by #/name)
(config)#ip access-list resequence xx/XXX x x change number sequence/increment: start #, increment #

(config)#ipv6 access-list XXX create ipv6 ACL *ext Named ACLs only/doesn’t use “extended” #no
 (config-ipv6-acl)#p/d/r (proto)(src)(operator)(port)(dest)(operator)(port)(log-file)
 ::/xx – IPv6 prefix length instead of wildcard, “any” in place of /0, “host” in place of /128
 (config-ipv6-acl)#p/d/r tcp xxxx:xxxx:xxxx::x/xx any eq telnet
 (config-ipv6-acl)#p/d/r tcp host xxxx:xxxx:xxxx::x any
*already included by default (implicit):
 (config-ipv6-acl)#permit icmp any any nd-ns *required for Neighbor Discovery
 (config-ipv6-acl)#permit icmp any any nd-na
 (config-ipv6-acl)#deny ipv6 any any **if adding to enable logging of deny matches be sure to include permit nd-ns/na above

(config-if)#ipv6 traffic-filter XXX in/out applies nACL to int – inbound/outbound
 (config-if)#no ipv6 traffic-filter

(config)#access-list x set up numbered ACL for VTY IPv4 and IPv6
(config)#line vty 0 4/15
 (config-line)#(ipv6) access-class x in (vrf-also)/out config line (VTY) with ACL (only numbered ACLs) IPv4 & (IPv6)
 *lab 9.2.3.4 used std named ACL – IOS version difference?

#show ip(v6) int Xx/x used to verify ACL on an interface
#show access-lists/list (x/XXX) show all / specific x/XXX list *numbered or named with seq numbers, displays statistics (matches) for ACLs
#show ip access-lists/list (x/XXX) ^ ???
#show running-config | include access-list (xx)
#clear access-list counters (xx/XXX) clears counter, used alone or with specific #/named ACL
#reload IOS re-sequences/hashes host statements *standard ACL only

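An added Python model (not from the page and not IOS code) of the ACL behaviour the notes above rely on: wildcard-mask matching, `host` and `any`, `eq` destination ports on extended entries, sequence numbers with insertion between existing lines and resequencing, first-match evaluation, and the implicit deny at the end of every list. It covers standard and extended IPv4 named ACLs; IPv6 prefix matching, source-port operators and `established` are left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")    # 'any' is address 0.0.0.0 with an all-ones wildcard


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care


def parse_addr(tokens):
    """Consume one address spec from the front of a token list: any | host A | A WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


@dataclass
class ACE:
    seq: int
    action: str                  # permit | deny
    proto: str                   # ip (standard ACLs match any protocol), tcp, udp, icmp ...
    src: tuple                   # (address, wildcard)
    dst: tuple
    dport: Optional[int] = None  # 'eq <port>' after the destination


class NamedACL:
    """Sequenced ACL, as edited in (config-std-nacl)# / (config-ext-nacl)# mode."""

    def __init__(self, name, extended=False):
        self.name, self.extended, self.entries = name, extended, {}

    def add(self, line):
        """Accept 'permit|deny ...' or '<seq> permit|deny ...'; default seq is highest + 10."""
        tokens = line.split()
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else (max(self.entries,default=0) + 10)
        action = tokens.pop(0)
        if self.extended:
            proto, src, dst = tokens.pop(0), parse_addr(tokens), parse_addr(tokens)
            dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
        else:
            proto, src, dst, dport = "ip", parse_addr(tokens), ANY, None
        self.entries[seq] = ACE(seq, action, proto, src, dst, dport)

    def delete(self, seq):
        """(config-xxx-nacl)#no <seq>"""
        self.entries.pop(seq, None)

    def resequence(self, start=10, step=10):
        """(config)#ip access-list resequence NAME start step"""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {}
        for i, ace in enumerate(ordered):
            ace.seq = start + i * step
            self.entries[ace.seq] = ace

    def evaluate(self, src, dst="0.0.0.0", proto="ip", dport=None):
        """First matching ACE in sequence order decides; no match falls to the implicit deny."""
        for seq in sorted(self.entries):
            ace = self.entries[seq]
            if ace.proto not in ("ip", proto):
                continue
            if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            return ace.action, seq
        return "deny", None      # implicit 'deny ip any any' at the end of every ACL
```

The returned sequence number is what `show access-lists` would show the match counter against; `None` means the packet hit the implicit deny, which is exactly the case the page's note about adding an explicit `deny any any` addresses (an explicit entry gets a counter, the implicit one does not).
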
Switch ACLs: Port ACL (inbound IP/MAC layer 2 interface), VLAN ACL (VLAN Map – all packets, not defined by direction), IOS ACL (std/ext/name/#)
PACL – IP (IPv4/IPv6 on layer 2 port), MAC (filters packets that are of an unsupported type, only NAMED)
S(config)#mac access-list extended MAC-ACL MAC PACL *same as reg ACL but with “mac” and Named ACL only
 (config-ext-macl)#permit host xxxx.xxxx.xxxx any
 (config-if)#mac access-group MAC-ACL in *PACL (switch) is inbound only, only one per interface

S(config)#ip access-list extended IP-ACL IP PACL, same as reg ACL but can only be applied inbound
 (config-ext-nacl)#permit ip host x.x.x.x any
 (config-if)#ip access-group IP-ACL in *PACL (switch) is inbound only, only one per interface

#show ip interface
#show mac access-group interface

VACL (VLAN Map) – apply to ALL traffic on VLAN, no direction – include an ACL to filter traffic in specific direction. Forward/Drop/Redirect (default is Drop)
 *Packet is matched against one or more IP Standard/Extended or MAC (non-IP packets) Named ACLs
S(config)#access-list 101 permit ip any host x.x.x.x *“permit” is used to pass packets TO the VLAN Map (like CoPP)
S(config)#vlan access-map MyMap 10 name VLAN Map *10 – ACE order
 (config-access-map)#match ip address 101 ref IP ACL for matching
 (config-access-map)#action drop “drop” is applied to packets “permitted” by ACL 101 *Forward/Drop/Redirect
 S(config)#vlan access-map MyMap 20 *comes after 10 – ACE order
 (config-access-map)#action forward all other packets are permitted *IN and OUT of the VLAN, otherwise ALL would be dropped?
S(config)#vlan filter MyMap vlan-list 200 applies Access Map to VLAN 200
S#show vlan access-map

MQC (Modular QoS CLI) *CoPP/CPPr
#show ip cef Cisco Express Forwarding table *“receive” (Receive Adjacency Traffic) listing will hit Control Plane/CPU
NOTE: When constructing Access Control Lists (ACL) to be used for CoPP, traffic that is “permitted” translates to traffic that will be inspected by CoPP, and traffic that is “denied” translates to traffic that CoPP bypasses. Please refer to this white paper on CoPP: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html. Excerpt from the section, “Access List Construction”:
“There are several caveats and key points to keep in mind when constructing your access lists.
- The log or log-input keywords must never be used in access-lists that are used within MQC policies for CoPP. The use of these keywords may cause unexpected result in the functionality of CoPP.
- The use of the deny rule in access lists used in MQC is somewhat different to regular interface ACLs. Packets that match a deny rule are excluded from that class and cascade to the next class (if one exists) for classification. This is in contrast to packets matching a permit rule, which are then included in that class and no further comparisons are performed.”
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 echo “permit” = traffic to be passed on to CoPP, “deny” = traffic allowed to bypass

access-list 101 permit icmp any 10.1.1.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 time-exceeded
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 ttl-exceeded

access-list 123 deny tcp 192.168.1.0 0.0.0.255 any eq telnet
access-list 123 deny udp 192.168.1.0 0.0.0.255 any eq domain
access-list 123 permit tcp any any eq telnet
access-list 123 permit udp any any eq domain
access-list 123 deny ip any any

class-map match-all ICMP
 match access-group 101 “permitted” traffic assigned to “ICMP” Class Map
class-map match-all UNDESIRABLE-TRAFFIC
 match access-group 123 “permitted” traffic assigned to “UNDESIRABLE-TRAFFIC” Class Map
policy-map COPP-INPUT-POLICY
 class UNDESIRABLE-TRAFFIC Class Map applied to “COPP-INPUT-POLICY” Policy Map and traffic “dropped”
 drop
 class ICMP Class Map applied to “COPP-INPUT-POLICY” Policy Map and “rate limited”
 police 50000 5000 5000 conform-action transmit exceed-action drop

control-plane Enter Control Plane config mode *CoPP
 service-policy input COPP-INPUT-POLICY Service Policy applied to Control Plane
*control-plane host/transit/cef-exception Enter Control Plane config mode *CPPr

#show policy-map control-plane Control Plane Policy

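The white-paper caveat quoted above (a `deny` means "not in this class, try the next one") and the `police` line are the two parts of this section that are easiest to misread, so here is an added Python simulation of the page's ACL 101, ACL 123 and COPP-INPUT-POLICY; it is not from the page or the white paper and not IOS code. Packets are classified by the MQC cascade, UNDESIRABLE-TRAFFIC is dropped and ICMP is policed with a token bucket. `police 50000 5000 5000` is modelled as a single-rate policer with a 5000-byte bucket; the third value (excess burst) is not modelled, and ACEs match only on protocol, source/destination network, destination port and ICMP type. Packet values are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                 # icmp | tcp | udp
    src: str
    dst: str
    dst_port: int = 0
    icmp_type: str = ""


@dataclass
class ACE:
    """Simplified entry: action, protocol ('ip' = any), source/destination networks, port or ICMP type."""
    action: str
    proto: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: int = 0          # 0 = no 'eq' operator
    icmp_type: str = ""        # "" = any ICMP type

    def matches(self, p):
        return (self.proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dst_port == 0 or self.dst_port == p.dst_port)
                and (self.icmp_type == "" or self.icmp_type == p.icmp_type))


def acl_result(acl, packet):
    """First matching ACE decides: 'permit', 'deny', or None when nothing matched."""
    for ace in acl:
        if ace.matches(packet):
            return ace.action
    return None


class Policer:
    """police <bps> <bc bytes>: token bucket, conform-action transmit / exceed-action drop."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0            # refill rate in bytes per second
        self.capacity = burst_bytes
        self.tokens = burst_bytes
        self.last = 0.0

    def police(self, size_bytes, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "transmit"
        return "drop"


def classify(policy, packet):
    """MQC cascade: a packet permitted by a class's ACL joins that class and stops there;
    a packet denied (or unmatched) falls through to the next class, and finally class-default."""
    for name, acl, _action in policy:
        if acl_result(acl, packet) == "permit":
            return name
    return "class-default"


def copp(policy, policers, packet, size_bytes, now):
    """Return (class name, what happens to the packet)."""
    cls = classify(policy, packet)
    action = {name: act for name, _acl, act in policy}.get(cls, "transmit")
    if action == "drop":
        return cls, "drop"
    if action == "police":
        return cls, policers[cls].police(size_bytes, now)
    return cls, "transmit"


def build_policy():
    """The page's ACL 101 / ACL 123 / COPP-INPUT-POLICY in this example's data structures."""
    acl_101 = [ACE("permit", "icmp", dst="10.1.1.0/24", icmp_type=t)
               for t in ("echo", "echo-reply", "time-exceeded", "ttl-exceeded")]
    acl_123 = [ACE("deny", "tcp", src="192.168.1.0/24", dst_port=23),   # telnet
               ACE("deny", "udp", src="192.168.1.0/24", dst_port=53),   # domain
               ACE("permit", "tcp", dst_port=23),
               ACE("permit", "udp", dst_port=53),
               ACE("deny", "ip")]
    policy = [("UNDESIRABLE-TRAFFIC", acl_123, "drop"),
              ("ICMP", acl_101, "police")]
    policers = {"ICMP": Policer(50000, 5000)}
    return policy, policers
```

The first assertion in the test is the point of the caveat: telnet from 192.168.1.0/24 is *denied* by ACL 123, so it is not in UNDESIRABLE-TRAFFIC and is not dropped; it cascades to ICMP (no match) and ends in class-default, where it is forwarded to the control plane.
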
DHCP
(config)#ip dhcp excluded-address x.x.x.x (x.x.x.x) single (or low high addresses)
(config)#ip dhcp pool Name creates pool/enter pool mode DHCPv4
 (dhcp-config)#network x.x.x.x x.x.x.x net, subnet mask
 *(dhcp-config)#class Name can create range of addr to be assigned
 (config-dhcp-pool-class)#address range x.x.x.x x.x.x.x start IP, end IP
 (dhcp-config)#default-router x.x.x.x IP addr of closest router (up to 8 addr) default gateway
 (dhcp-config)#dns-server x.x.x.x
 (dhcp-config)#domain-name Name.org defines domain name
 (dhcp-config)#lease xx xx xx/infinite duration of DHCP lease *optional
(config-if)#ip address dhcp config int as DHCP client (no shut…)
#debug ip packet xx verify router is receiving DHCP requests – first create ACL, xx = access list #
 (config)#access-list 100 permit udp any any eq 67 repeat for port 68 *has to be extended to filter by port
#debug ip dhcp server events
(config)#no service dhcp enabled by default
DHCPv6 server:
(config)#ipv6 unicast-routing
(config)#ipv6 dhcp pool XXX pool name
 *(config-dhcpv6)#address prefix x:x:x:x:x:x/x (lifetime xx/infinite) *stateful only
 (config-dhcpv6)#dns-server x:x:x:x:x:x optional Stateless DHCPv6
 (config-dhcpv6)#domain-name XXX optional Stateless DHCPv6
(config-if)#ipv6 dhcp server XXX binds pool to intf
SLAAC (O = 0, M = 0): default option on Cisco routers, client uses RA message exclusively
 (config-if)#no ipv6 nd managed-config-flag
 (config-if)#no ipv6 nd other-config-flag
Stateless DHCPv6 (O = 1, M = 0): client uses RA, additional info available from DHCPv6 server – provides parameters/not addresses
 *(config-if)#ipv6 nd other-config-flag
 *(config-if)#no ipv6 nd managed-config-flag
Stateful DHCPv6 (O = 0, M = 1): client obtains ALL addressing info from DHCPv6 server, maintains state info
 (config-if)#no ipv6 nd other-config-flag
 (config-if)#ipv6 nd managed-config-flag

DHCPv6 client (router):
(config-if)#ipv6 enable
 (config-if)#ipv6 address autoconfig SLAAC/stateless DHCPv6
 (config-if)#ipv6 address dhcp stateful DHCPv6
#debug ipv6 dhcp detail

(config-if)#ip helper-address x.x.x.x addr of dhcp server, placed on closest int to clients
(config-if)#ipv6 dhcp relay destination x:x:x:x:x:x similar to ipv4 helper addr

#show ipv6 dhcp interface Xx/x *ipv6 only
#show ip(v6) dhcp binding address leases
#show ip dhcp server statistics pool stats and message activity
#show ip(v6) dhcp conflict
#show ip(v6) dhcp pool (XXX) pool settings
#show run | section dhcp verify DNS (| dhcp config)
#show run int Xx/x relay configuration

NAT inside local/inside global – outside global/outside local
(config)#ip nat inside source static x.x.x.x x.x.x.x static – local, global IPs
(config)#ip nat inside source static tcp/udp x.x.x.x xx x.x.x.x xx (extendable) port forwarding – local ip/port, global ip/port (enabled by def)
 *extendable allows multiple mappings of the same local ip to different global ip addresses (kind of opposite of Dynamic NAT)

(config)#access-list x permit x.x.x.x x.x.x.x net – wildcard of addresses to be translated *can use named ACL instead of # ACL
(config)#ip nat pool PoolName x.x.x.x x.x.x.x netmask x.x.x.x/prefix-length xx dynamic/PAT – start-stop global ip
 (config)#ip nat inside source list x pool PoolName (overload) bind ACL and NAT pool (PAT)

(config)#access-list x permit x.x.x.x x.x.x.x single PAT – ACL #, ip addr, wildcard
 (config)#ip nat inside source list x interface Xx/x overload ACL #, Outside Interface

*static, dynamic, PAT, single PAT, and port forwarding all require:
(config-if)#ip nat inside inside int
(config-if)#ip nat outside outside int

(config)#ip nat translation timeout xx seconds – default is 24 hours
#clear ip nat translation (*/forced) only dynamic entries (more parameters)
#clear ip nat statistics
#show ip nat translations (verbose) verify NAT operations/active translations
#show ip nat statistics
#debug ip nat (detailed) *also use #show access-lists for troubleshooting

STP
(config)#spanning-tree mode (rapid-pvst/pvst/mst) *pvst (Cisco) enabled by default
(config-if)#spanning-tree link-type (point-to-point/shared) overrides auto detect, P2P full duplex, Shared half duplex (outdated)
(config-if)#spanning-tree cost xx port cost of int 1-200,000,000 #no
 *using Root Bridge as ref point, path selection based on LOWEST: port Cost, BID, port Priority (+ port Number) in that order
(config)#spanning-tree vlan xx root primary ensure switch has lowest bridge priority – def 24576 or 4096 less than lowest detected bridge priority
(config)#spanning-tree vlan xx root secondary ensure secondary bridge priority (per vlan) def 28672
(config)#spanning-tree vlan xx priority xxxx increments of 4096 between 0 and 61440 (lowest becomes Root), default is 32768
(config-if)#spanning-tree vlan xx port-priority xx increments of 16, *default 128 + int number, used as tie breaker (lowest wins) in path cost
(config)#spanning-tree portfast default enables portfast for all non-trunk int – transitions from Blocking to Forwarding
(config-if)#spanning-tree portfast specifies int as Edgeport (not connected to other switches)
(config)#spanning-tree portfast bpduguard default enables BPDU guard on all PortFast enabled ports
(config-if)#spanning-tree bpduguard enable enables BPDU guard on int – port enters error disabled if BPDU received *Portfast configured or not
(config)#spanning-tree loopguard default enables Loopguard on all int – ensures Non-Designated ports don’t transition to Forwarding State
(config-if)#spanning-tree guard loop enables Loopguard on int
(config-if)#spanning-tree guard root port transitions to Root-Inconsistent State if it receives BPDUs that are superior to current Root

#clear spanning-tree detected-protocols (int Xx/x) reset/re-converge STP on all interfaces (per int)

#show running-config | include span/spanning-tree (mode)
#show spanning-tree/span (detail) VLAN (per): root/bridge ID, prio, addr, cost (to root), port, hello time
 interfaces: role, state, cost, prio, number, type
 #show span summary mode, role, parameter states, ports in states (Blocking, Listening, Learning…)
 *Portfast, BPDU guard, Loopguard, EtherChannel, Uplink Fast, Backbone Fast
 #show span active active interfaces only
 #show span vlan x info for specified VLAN
#debug spanning-tree events #no

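The election order the page gives (lowest root path cost, then sender BID, then sender port priority, then sender port number) as an added Python example on a constructed three-switch topology; it is not from the page and not IOS code. Bridge IDs compare as (priority, MAC); the effect of `spanning-tree vlan xx root primary` is shown by lowering one switch's priority to 24576, and the port-priority tie-break by adding a parallel link. The port costs (4 for a Gigabit port) are the classic 802.1D short values, and PVST+'s extended system ID is left out of the BID.

```python
import heapq

# Constructed topology for this example (not from the page).
SWITCHES = {                       # name -> (bridge priority, MAC address)
    "SW1": (32768, "0011.2233.4455"),
    "SW2": (32768, "0011.2233.0001"),
    "SW3": (32768, "0022.0000.0001"),
}
LINKS = [                          # (switch, port, switch, port, port cost)
    ("SW1", "Gi0/1", "SW2", "Gi0/1", 4),
    ("SW2", "Gi0/2", "SW3", "Gi0/1", 4),
    ("SW1", "Gi0/2", "SW3", "Gi0/2", 4),
]


def bridge_id(switches, name):
    """Bridge ID compares as (priority, MAC); the lowest wins."""
    priority, mac = switches[name]
    return (priority, mac.lower())


def port_number(port):
    return int(port.rsplit("/", 1)[1])


def elect_root(switches):
    return min(switches, key=lambda s: bridge_id(switches, s))


def root_path_costs(switches, links):
    """Dijkstra from the root; each hop adds the cost of the port the BPDU is received on
    (the link's single cost here, since both ends use the same port type)."""
    root = elect_root(switches)
    adj = {s: [] for s in switches}
    for a, _pa, b, _pb, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    costs = {root: 0}
    heap = [(0, root)]
    while heap:
        c, s = heapq.heappop(heap)
        if c > costs.get(s, float("inf")):
            continue
        for n, cost in adj[s]:
            if c + cost < costs.get(n, float("inf")):
                costs[n] = c + cost
                heapq.heappush(heap, (c + cost, n))
    return costs


def root_port(switches, links, name, port_priority=None):
    """Root port = the port with the lowest (root path cost, neighbor BID, neighbor port
    priority, neighbor port number), in that order; None on the root bridge itself."""
    if name == elect_root(switches):
        return None
    port_priority = port_priority or {}        # (switch, port) -> spanning-tree port-priority
    costs = root_path_costs(switches, links)
    candidates = []
    for a, pa, b, pb, cost in links:
        for me, my_port, peer, peer_port in ((a, pa, b, pb), (b, pb, a, pa)):
            if me == name:
                key = (costs[peer] + cost, bridge_id(switches, peer),
                       port_priority.get((peer, peer_port), 128), port_number(peer_port))
                candidates.append((key, my_port))
    return min(candidates)[1]
```

With every priority left at the default the root is decided purely by the lowest MAC, which is the reason for `root primary`: a switch nobody chose can win, and without root guard on the edge a newly connected bridge with a lower BID would win the same way.
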
More Layer 2 – Securing
(config)#errdisable recovery cause bpduguard switch automatically brings int out of err-disable
(config)#errdisable recovery interval 30 set errdisable timeout to 30 seconds
#show errdisable recovery error list, timer interval, configured interfaces

(config)#no cdp/lldp run disable globally
(config-if)#no cdp/lldp enable disable on int
#show cdp/lldp
#show cdp neighbors (detail) discover layer 2 topology (IPv4 address)

DHCP Snooping
(config)#ip dhcp snooping enable globally
(config)#ip dhcp snooping vlan x(-xx) apply to vlan(s)
(config)#ip dhcp snooping database tftp://x.x.x.x/dir/file conf DHCP Snooping database agent, stores bindings
(config-if)#ip dhcp snooping trust ports over which DHCP Server is reachable (not Users) *can apply to range of ports
 *untrusted ports aren’t explicitly configured (ports connected to Users)
(config-if)#ip dhcp snooping limit rate x prevents flooding of DHCP requests, applied on ports connected to Users
#show ip dhcp snooping configuration
#show ip dhcp snooping binding MAC to IP addr, lease, VLAN, int

DAI
(config)#ip arp inspection (vlan x/x-xx) Enable dynamic arp inspection (on specified vlan/s) *DHCP snooping must be enabled
(config-if)#ip arp inspection trust conf int as Trusted DAI interface, connected to another switch not User port
#show ip arp inspection (interfaces)
#show ip arp inspection vlan x
IP Source Guard
 (config-if)#ip verify source configure IPSG for source IP addr filtering
 (config-if)#ip verify source port-security configure IPSG for source IP AND MAC addr filtering
#show ip verify source verify both above

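DHCP snooping, DAI and IP Source Guard all decide from the same binding table, so one added Python model (not from the page, not IOS code) covers the three sections above: DHCP server replies are dropped on untrusted ports and an ACK arriving on a trusted port creates a binding on the port the client's request came from; DAI checks the ARP sender MAC/IP against that binding; IPSG checks the source IP (and, with `port-security`, the MAC) of data packets. Port names, VLANs, MACs and addresses are constructed sample values, and the log lines are constructed, not IOS output.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table ('show ip dhcp snooping binding')."""
    mac: str
    ip: str
    vlan: int
    interface: str


class AccessSwitch:
    """Example model of DHCP snooping, DAI and IP Source Guard decisions on one switch."""

    def __init__(self, trusted_ports, dai_vlans, ipsg_ports):
        self.trusted = set(trusted_ports)   # ip dhcp snooping trust / ip arp inspection trust
        self.dai_vlans = set(dai_vlans)     # ip arp inspection vlan ...
        self.ipsg = dict(ipsg_ports)        # port -> "ip" (ip verify source) | "ip-mac" (... port-security)
        self.bindings = {}                  # (vlan, mac) -> Binding
        self.pending = {}                   # (vlan, mac) -> client port, learned from DISCOVER/REQUEST
        self.log = []

    def dhcp_message(self, port, vlan, msg_type, client_mac, yiaddr=None):
        """DHCP snooping: server replies are accepted only from trusted ports; an ACK creates a
        binding on the port the client's request was seen on."""
        client_mac = client_mac.lower()
        if msg_type in ("OFFER", "ACK", "NAK"):
            if port not in self.trusted:
                self.log.append(f"DHCP_SNOOPING: {msg_type} dropped on untrusted port {port}")
                return "drop"
            if msg_type == "ACK" and (vlan, client_mac) in self.pending:
                client_port = self.pending.pop((vlan, client_mac))
                self.bindings[(vlan, client_mac)] = Binding(client_mac, yiaddr, vlan, client_port)
            return "forward"
        if port not in self.trusted:
            self.pending[(vlan, client_mac)] = port   # remember where the client lives
        return "forward"

    def arp_packet(self, port, vlan, sender_mac, sender_ip):
        """DAI: on DAI-enabled VLANs, ARP from an untrusted port must match a binding
        (MAC, IP, VLAN and port); trusted ports are not inspected."""
        if vlan not in self.dai_vlans or port in self.trusted:
            return "forward"
        b = self.bindings.get((vlan, sender_mac.lower()))
        if b and b.ip == sender_ip and b.interface == port:
            return "forward"
        self.log.append(f"DAI: invalid ARP on {port} vlan {vlan}: {sender_mac} / {sender_ip}")
        return "drop"

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IPSG: on 'ip verify source' ports the source IP (and with port-security also the MAC)
        must appear in a binding for that port and VLAN."""
        mode = self.ipsg.get(port)
        if mode is None:
            return "forward"
        for b in self.bindings.values():
            if (b.interface == port and b.vlan == vlan and b.ip == src_ip
                    and (mode == "ip" or b.mac == src_mac.lower())):
                return "forward"
        self.log.append(f"IPSG: {src_ip} / {src_mac} not bound to {port} vlan {vlan}")
        return "drop"
```

The dependency the page notes (DAI requires DHCP snooping) is visible in the code: `arp_packet` and `ip_packet` have nothing to compare against until `dhcp_message` has populated `bindings`, which is also why statically addressed hosts on inspected VLANs need static bindings or ARP ACLs in practice.
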
FHRP
(config-if)#ip address x.x.x.x x.x.x.x configure actual ip addr
(config-if)#standby 1 ip x.x.x.x specify grp and ip addr for HSRP (on inbound interface/attached to switch), repeat on adj router
(config-if)#standby 1 priority xxx def is 100, router with highest becomes active router
*(config-if)#standby 1 preempt necessary for desired router to be designated router
(config-if)#no standby 1 deletes grp/settings
#show standby (brief) verify FHRP/HSRP active/standby routers (HSRP status)

(config-if)#ip address x.x.x.x x.x.x.x configure actual ip addr
(config-if)#glbp 1 ip x.x.x.x specify grp and ip addr for GLBP (on inbound interface/attached to switch)
(config-if)#glbp 1 priority xxx def is 100, router with highest becomes active router
*(config-if)#glbp 1 preempt necessary for desired router to be designated router
(config-if)#glbp 1 load-balancing round-robin provide path redundancy
#show glbp (brief) first hop redundancy/gateway load balancing protocol

(config-if)#ip address x.x.x.x x.x.x.x config actual ip addr
(config-if)#vrrp 10 description Xxxxx description
(config-if)#vrrp 10 priority xxx def 100
(config-if)#vrrp 10 preempt (delay minimum xxx) def 0 seconds, router that is the IP address owner will preempt regardless of this command
(config-if)#vrrp 10 timers advertise (sec) xx def 1 second *ALL routers in Group must use SAME value
(config-if)#vrrp 10 timers learn configures backup router to learn timer
#show vrrp (brief)
#show vrrp interface Xx/x
 **be sure to update new default gateway on connected devices i.e. switches/computers for either HSRP/GLBP
HSRP/GLBP – Cisco proprietary, VRRP (v2/v3) is nonproprietary
Can be enabled on sub-interface i.e. int g0/0.10

EtherChannel
(config)#interface range Xx/x-xx configure EtherChannel (specify ports)
*All int must be in same VLAN or configured as a trunk with same allowed VLANs
 on a Layer 3 EC, the IP address is configured on the port-channel
**ensure ports are in shut state before configuration
 (config-if-range)#channel-group x mode on/auto/desirable / on/passive/active creates EtherChannel – PAgP (Cisco)/LACP
 *“on” forces channel w/o PAgP/LACP negotiation/packets
 (config-if-range)#interface port-channel x configures ports as EC
 (config-if)#switchport mode trunk can be entered on each int, as a range, or on the port-channel,
 (config-if)#switchport trunk native vlan xx but both sides must match
 (config-if)#switchport trunk allowed vlan x,x,xx
(config)#no int po x remove port channel

#show interface port-channel x general status
#show interfaces Xx/x etherchannel
#show etherchannel summary one line of info per port-chan
#show etherchannel port-channel more detailed than summary
#show interfaces trunk
#show run | begin interface Port-channel

PPP
(config-if)#ip address x.x.x.x x.x.x.x start with configuring IP/IPv6 address *serial – duh
(config-if)#encapsulation hdlc/ppp HDLC is default, PPP to connect to non-Cisco router
(config-if)#compress (predictor/stac) specify predictor or stacker compression algo *optional
(config-if)#ppp quality xx percentage – 1-100, min quality to meet, o/w shuts down *no to disable LQM
#show interface serial x/x/x check encapsulation, int state (up/up, etc)
#show controllers serial x/x/x check standard (RS-232, V.35) *unknown indicates improperly connected cable/card issue
#show run verify compress, quality, and multilink

(config)#interface multilink x create a multilink – #, #shut then #no… to delete
 (config-if)#ip address x.x.x.x x.x.x.x assign ip (or ipv6) and subnet mask to multilink
 (config-if)#ppp multilink enable int for multilink PPP
 (config-if)#ppp multilink group x assign group #
 (config)#int Xx/x *change interface to assign multilink
 (config-if)#no ip address
 (config-if)#encapsulation ppp
 (config-if)#ppp multilink
 (config-if)#ppp multilink group x bind to group # created above
#show ppp multilink

1042PAP/CHAP
1043nfig)#username Xxxx password/secret Xxxx create local db entry for connecting peer, PAP – hostname of peer must match configured username
1044*CHAP – passwords must be identical i.e. R1(config)#username R2 password/secret class
1045 R2(config)#username R1 password/secret class
1046*PAP – passwords don’t have to match i.e. R1(config)#username R2 password/secret cisco
1047 R2(config)#username R1 password/secret ocsic
1048nfig)#int Xx/x
1049 nfig-if)#encapsulation ppp
1050 Nfig-if)#ppp authentication chap/pap/chap pap/pap chap (list-name/default)(callin)
1051 *using both enables both and auth in order entered
1052
1053*PAP- nfig-if)#ppp pap sent-username Xx password XXXX from router user/pass created above on adj router
1054 i.e. R1(config-if)#ppp sent-username R1 password ocsic
1055 R2(config-if)#ppp sent-username R2 password cisco
1056Nfig-if)#ppp callback accept/request
1057
1058#debug ppp (packet/negotiation/error/authentication/compression/cbcp) #undebug/u all
1059
1060#show controllers serial x/x / (cbus) (Cisco 7000 series router cbus controller card)
1061#show ppp multilink
1062#show interfaces (serial x/x) verify config/encapsulation
1063
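Added example (Python, not part of these notes) modelling why the CHAP note above says the passwords must be identical while the PAP ones need not. CHAP (RFC 1994) answers a challenge with MD5(identifier || secret || challenge): the peer computes it with the secret it holds for the challenger's hostname, and the authenticator checks it with the secret it holds for the peer's hostname, so the two username entries must agree and the secret never crosses the link. PAP sends username/password in the clear and each direction is checked on its own. The R1/R2 databases are constructed from the values in the notes.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def chap_verify(local_db: dict, peer_name: str, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    """Authenticator side: the Response packet names the peer; look up the secret
    stored under that name (the 'username <peer> secret <x>' entry) and recompute."""
    secret = local_db.get(peer_name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def chap_exchange(auth_name: str, auth_db: dict, peer_name: str, peer_db: dict,
                  identifier: int = 1, challenge: bytes = None) -> bool:
    """One direction of CHAP: auth_name challenges peer_name. The peer answers with
    the secret it stores for the *challenger's* name, so both username entries
    must hold the same secret for verification to succeed."""
    if challenge is None:
        challenge = os.urandom(16)  # authenticator picks a fresh random challenge
    peer_secret = peer_db.get(auth_name)
    if peer_secret is None:
        return False                # peer has no entry for the challenger
    response = chap_response(identifier, peer_secret, challenge)
    return chap_verify(auth_db, peer_name, identifier, challenge, response)


def pap_verify(local_db: dict, sent_username: str, sent_password: str) -> bool:
    """PAP: the peer sends username/password in the clear (ppp pap sent-username);
    the authenticator compares against its own entry for that username."""
    stored = local_db.get(sent_username)
    return stored is not None and hmac.compare_digest(stored.encode(), sent_password.encode())


# Constructed local databases mirroring the R1/R2 notes above.
R1_CHAP_DB = {"R2": "class"}   # R1(config)#username R2 secret class
R2_CHAP_DB = {"R1": "class"}   # R2(config)#username R1 secret class
R1_PAP_DB = {"R2": "cisco"}    # R1(config)#username R2 secret cisco
R2_PAP_DB = {"R1": "ocsic"}    # R2(config)#username R1 secret ocsic


def demo() -> dict:
    return {
        # CHAP in both directions with identical secrets: succeeds.
        "chap_ok": chap_exchange("R1", R1_CHAP_DB, "R2", R2_CHAP_DB)
                   and chap_exchange("R2", R2_CHAP_DB, "R1", R1_CHAP_DB),
        # CHAP with the PAP-style mismatched secrets (cisco vs ocsic): fails.
        "chap_mismatch": chap_exchange("R1", R1_PAP_DB, "R2", R2_PAP_DB),
        # PAP checks each direction independently: R1 sends R1/ocsic (what R2 holds
        # for R1), R2 sends R2/cisco (what R1 holds for R2), so both succeed.
        "pap_ok": pap_verify(R2_PAP_DB, "R1", "ocsic") and pap_verify(R1_PAP_DB, "R2", "cisco"),
    }


if __name__ == "__main__":
    print(demo())
```
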
PPPoE
(config)#username chapName password chapPword local database username/password
(config)#ip local pool Name x.x.x.x x.x.x.x name pool, ip address range
ISP
 (config)#interface virtual-template x create and assign template # 1-200
 (config-if)#ip address x.x.x.x x.x.x.x nothing special
 (config-if)#mtu 1492 def is 1500, needs 1492 because of PPPoE header
 (config-if)#peer default ip address pool Name assign pool created above
 (config-if)#ppp authentication chap callin
 (config-if)#exit
(config)#bba-group pppoe global/bbaName assign/create bba group/global
 (config-bba-group)#virtual-template x assign template to bba group
 (config-bba-group)#no shut exit/switch to appropriate interface
 (config)#int Xx/x
 (config-if)#pppoe enable group global/bbaName associate bba-group to interface
 (config-if)#no shut
CUST
(config)#int Xx/x
 (config-if)#pppoe enable interface connected to ISP
 (config-if)#pppoe-client dial-pool-number x x matches “dialer pool” below
 (config)#interface dialer x associates dialer int with interface
 (config-if)#mtu 1492
 (config-if)#ip address negotiated
 (config-if)#encapsulation ppp
 (config-if)#dialer pool x matches dial-pool-number above
 (config-if)#ppp authentication chap callin
 (config-if)#ppp chap hostname chapName hostname matches username created above
 (config-if)#ppp chap password chapPword password matches created above
(config)#ip route 0.0.0.0 0.0.0.0 dialer x default route pointing to dialer x

#show pppoe session
#debug ppp authentication
#debug pppoe events

Frame Relay
Frame Relay Switch:
(config)#frame-relay switching allows frame forwarding based on incoming DLCI (no IP addresses)
(config)#int Xx/x
 (config-if)#encapsulation frame-relay (cisco/ietf) cisco is default/ietf for non-Cisco routers
 (config-if)#frame-relay intf-type dte/dce allows dce interface to act as dte for Frame Relay and vice versa
 (config-if)#frame-relay route xxx interface Xx/x/x xxx forwards traffic on Xx/x/x from xxx (DLCI) to xxx (DLCI)
 *repeat configs on adjacent interface

Basic Frame Relay:
(config)#int Xx/x
 (config-if)#ip address x.x.x.x x.x.x.x
 (config-if)#encapsulation frame-relay (cisco/ietf) cisco is default/ietf for non-Cisco routers
 (config-if)#frame-relay interface-dlci xxx repeat for multiple DLCIs, applies dlci to subint

Basic Frame Relay: (static map)
(config)#int Xx/x
 (config-if)#ip address x.x.x.x x.x.x.x
 (config-if)#encapsulation frame-relay (cisco/ietf) cisco is default/ietf for non-Cisco routers
 (config-if)#no frame-relay inverse-arp enabled by default, enter before other configs to prevent issues
 (config-if)#frame-relay map ip(v6) x.x.x.x xxx (broadcast) (cisco/ietf) dest ip(v6) addr/source dlci, only link-local requires broadcast for IPv6
 *repeat for multiple VCs on same int, create additional entry using local IP addr to be able to ping self
 *(cisco/ietf) encapsulation can be configured on a per-VC basis (ietf when connected to non-Cisco routers)

Subinterfaces:
(config)#int Xx/x
 (config-if)#no ip address
 (config-if)#encapsulation frame-relay only on physical int when configuring for subinterfaces
(config)#interface Xx/x/x.xxx point-to-point *.xxx – subint number 1-4294967293 (may match dlci) single DLCI/own subnet
 (config-subif)#ip(v6) address x.x.x.x x.x.x.x *normally use 255.255.255.252 / /30 mask
 (config-subif)#frame-relay interface-dlci xxx assigns dlci to subint
 (config-subif)#bandwidth xx
(config)#interface Xx/x/x.xxx point-to-multipoint *.xxx – subint number 1-4294967293 (matches dlci) multiple VCs on same subnet
 (config-subif)#ip(v6) address x.x.x.x x.x.x.x
 (config-subif)#frame-relay interface-dlci xxx used in multipoint, assigns dlci to subint
 (config-subif)#bandwidth xx
(config)#interface Xx/x/x.xxx multipoint *.xxx – subint number 1-4294967293 (matches dlci) all routers in same subnet
 (config-subif)#ip(v6) address x.x.x.x x.x.x.x
 (config-subif)#frame-relay map ip(v6) x.x.x.x xxx broadcast
**LOTS of variations to configs, see links Frame Relay (more) even more
(config-if)#frame-relay lmi-type cisco/ansi/q933a *applied to root int when subint are used i.e. Xx/x/x not .xxx
* keepalive ??? *this is used in a number of ways in different modes. Here is an example list.

#show interfaces Xx/x/x encapsulation, LMI type
#show frame-relay route layer 2 route used by FR
#show frame-relay map IP addr, DLCI (dec, hex, & wire values), broadcast/multicast, LMI type, PVC status, encapsulation
#show frame-relay pvc (interface Xx/x/x) (xxx) PVC traffic/statistics (BECN/FECN)
#show frame-relay lmi LMI types, counters, status messages

#clear counters resets statistics
#clear frame-relay inarp (interface Xx/x/x dlci xxx) clear frame relay maps of dynamic entries

#debug frame-relay lmi *undebug all/u all
#debug ip icmp

GRE Tunnel (router int IP addr must be configured first)
(config)#interface tunnel 0 config tunnel
 (config-if)#ip address 192.168.2.1 255.255.255.0 config tunnel ip address/subnet mask like any other int
 (config-if)#tunnel source 209.165.201.1 / S0/0/0 source router ip addr/name of actual physical int
 (config-if)#tunnel destination 198.133.219.87 dest router ip addr of actual/phys int
 (config-if)#tunnel mode gre ip specifies GRE as mode
 *input tunnel ip addr (network) into routing protocol: (config-router)#network 192.168.2.0 0.0.0.255 area 0

#show interface tunnel x verify state of GRE tunnel
#show ip interface brief | include up
#show ip ospf neighbor

VPNs/IPsec
#show version/license (feature) *check for Sec Tech Pckg “security – security K9”
(config)#license boot module c2900 technology-package securityk9 activates security pckg
 (config)#end
 #copy running-config startup-config
 #reload after reload, verify again with #show version

Certificates (VPN using cert - #authentication rsa) *config/verify “ip domain name” and “ntp”
Creating keys and enrolling new SCEP capable CA:
(config)# crypto key generate rsa label MyKeyPair modulus 2048 (noconfirm) generate Public/Private key pair MyKeyPair
(config)# crypto ca trustpoint NewCAToUse authenticate and enroll a new CA (with SCEP???)
 (config-ca-trustpoint)# keypair MyKeyPair specify key pair to be used, created above
 (config-ca-trustpoint)# id-usage ssl-ipsec specify what the key will be used for
 (config-ca-trustpoint)# no fqdn specify whether FQDN will be required *fqdn - CiscoASA.cisco.com
 (config-ca-trustpoint)# subject-name CN=ciscoasa specify CN (X.500) *name of CA, can also include OU, etc.
 (config-ca-trustpoint)# enrollment url http://x.x.x.x specify where CA can be reached (HTTP must be running on CA server)
(config)# crypto ca authenticate NewCAToUse (nointeractive) retrieve/install root certificate (created above), nointeractive – no prompts
(config)# crypto ca enroll NewCAToUse (noconfirm) request/install identity certificate (from the CA)
PKI:
(config)#crypto key generate rsa modulus 1024
(config)#crypto pki trustpoint CA *prompts to accept
 (ca-trustpoint)#enrollment url http://x.x.x.x
(config)#crypto pki authenticate CA
(config)#crypto pki enroll CA *prompts for challenge password **additional optional prompts: serial number, subject name, CA certificate

IPsec VPN:
(config)#crypto isakmp policy x Phase 1/ISAKMP SA, x - priority 1 – 10,000 IKE Proposal/SA
 (config-isakmp)#hash md5/sha sha, sha256/384/512, md5 *HMAC variants
 (config-isakmp)#authentication pre-share/rsa pre-share *PSK, rsa-sig/encr
 (config-isakmp)#group x DH – 1 is default: 1, 2, 5, 14/24, 15, 16, 19/20/21 *ECDH
 (config-isakmp)#lifetime 3600 60 – 86400 sec, def 86,400 (24 hours)
 (config-isakmp)#encryption des/3des/aes (256) des, 3des, aes, aes 192/256
*if using “pre-share”/PSK:
(config)#crypto isakmp key (0/6) Password hostname/address x.x.x.x IP addr of Peer Router Int *PSK – identical on both Peers *IKEv2 allows asymmetric keys
**if using “rsa” see “creating keys/PKI” above
(config)#crypto ipsec transform-set MYSET esp-sha-hmac esp-aes 256 Phase 2/IPsec SA, encaps + encryption hashing Transform Set
 *May specify up to 4 transforms: esp-des/3des/aes/seal, esp/ah-md5/sha/sha256/sha384/sha512-hmac **no encryption with AH
 (cfg-crypto-trans)#mode tunnel/transport ESP/AH modes – tunnel default, protects entire original IP packet

(config)#access-list 100 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x ACL for Crypto Map, source/dest Host IP addr *WILDCARD MASK
(config)#crypto map MYMAP 1 ipsec-isakmp create Crypto Map, Name, sequence #
 (config-crypto-map)#description XXXXXX same as an interface
 (config-crypto-map)#match address 100 bind ACL to Crypto Map
 (config-crypto-map)#set transform-set MYSET bind Transform Set to Crypto Map
 (config-crypto-map)#set peer x.x.x.x IP addr of Peer Router Int
 (config-crypto-map)#set security-association lifetime seconds 3600 *Optional, match/transform/peer are Required
 (config-crypto-map)#set pfs group2 rerun DH for Phase 2, doesn’t have to match DH from Phase 1, DOES have to match Peer
(config)#int Xx/x
 (config-if)#crypto map MYMAP bind Crypto Map to interface
Mirror config on Peer Router

ACLs to permit IPsec traffic:
access-list 101 permit ahp host 209.165.200.2 host 209.165.200.1
access-list 101 permit esp host 209.165.200.2 host 209.165.200.1
access-list 101 permit udp host 209.165.200.2 host 209.165.200.1 eq isakmp
access-list 101 permit udp host 209.165.200.2 host 209.165.200.1 eq non500-isakmp *UDP port 4500/NAT-T

#clear crypto sa clear SA db – force a change in settings to be applied
#show crypto isakmp *phase 1 info, version IKE version 1/2 transactions
#show crypto isakmp policy config – encryption algo, hash, authentication, DH grp, lifetime, PHASE 1
#show crypto isakmp key list PSKs
#show crypto isakmp sa (detail) status/settings Phase 1 tunnel (version 1 & 2) – dest, src, state, conn status
#show crypto map details, where applied, Transform sets, ACLs, current peer, SA lifetime
#show crypto ipsec sa (detail) Phase 2 tunnel details – also SPI, PFS, ESP, runtime SA db, encryption
#show crypto ipsec transform-set
#show crypto stats IKEv1/2 transactions
#show crypto engine connections active connections
#debug crypto isakmp
#debug crypto ipsec (sa)

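Added audit example (Python; not from these notes or from Cisco) that reads show-run style `crypto isakmp policy` and `crypto ipsec transform-set` lines and flags the weak choices from the option lists above: DES/3DES, MD5, DH groups 1/2/5, and transform sets with no ESP encryption (AH-only). The edge case it handles is the one the "DH – 1 is default" note points at: a policy that never sets `group` shows no group line in the running config, so the auditor fills in the IOS defaults before judging. The sample configuration is constructed.

```python
import re

# IOS ISAKMP policy defaults. A policy block in the running config omits any
# setting still at its default, so a missing "group" line means group 1.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}


def parse_isakmp_policies(config: str) -> dict:
    """Return {priority: settings} with defaults filled in; settings['explicit']
    records which keys the config actually set."""
    policies, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        m = re.match(r"crypto isakmp policy (\d+)\s*$", raw)
        if m:
            current = dict(ISAKMP_DEFAULTS, explicit=set())
            policies[int(m.group(1))] = current
            continue
        if raw.startswith(" ") and current is not None:
            parts = raw.split()
            key = {"encr": "encryption"}.get(parts[0], parts[0])  # show run abbreviates
            if key in ISAKMP_DEFAULTS:
                current[key] = " ".join(parts[1:])  # "aes 256" keeps its key size
                current["explicit"].add(key)
            continue
        current = None  # any other top-level line ends the policy block
    return policies


def parse_transform_sets(config: str) -> dict:
    """Return {name: [transform, ...]} with numeric key sizes dropped."""
    sets = {}
    for raw in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", raw.strip())
        if m:
            sets[m.group(1)] = [t for t in m.group(2).split() if not t.isdigit()]
    return sets


def audit(config: str) -> list:
    findings = []
    for prio, p in sorted(parse_isakmp_policies(config).items()):
        tag = f"isakmp policy {prio}"
        if p["encryption"].split()[0] in WEAK_ENCRYPTION:
            findings.append(f"{tag}: weak encryption {p['encryption']}")
        if p["hash"] in WEAK_HASH:
            findings.append(f"{tag}: weak hash {p['hash']}")
        if p["group"] in WEAK_DH_GROUPS:
            note = "" if "group" in p["explicit"] else " (IOS default, not shown in running-config)"
            findings.append(f"{tag}: weak DH group {p['group']}{note}")
    for name, transforms in parse_transform_sets(config).items():
        tag = f"transform-set {name}"
        findings += [f"{tag}: weak transform {t}" for t in transforms if t in WEAK_TRANSFORMS]
        # esp-<cipher> transforms encrypt; esp-*-hmac and ah-* only authenticate.
        encrypts = any(t.startswith("esp-") and not t.endswith("-hmac") and t != "esp-null"
                       for t in transforms)
        if not encrypts:
            findings.append(f"{tag}: no ESP encryption (AH/esp-null give integrity only)")
    return findings


# Constructed sample: policy 10 follows the notes above; policy 20 is legacy and
# relies on the unseen default DH group; LEGACY is an AH-only transform set.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set LEGACY ah-md5-hmac
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a real `show running-config | section crypto` capture the same way; anything the script does not recognise is left alone rather than guessed at.
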
NTP
#clock set xx:xx:xx xx XXXXX xxxx hr:min:sec, day month year
(config)#clock timezone XXX +/- xx xx timezone, +/- diff from UTC i.e. CDT -5
Client:
(config)#ntp authentication-key 1 MD5 xxxxxx x shared secret/keyed hash 1
(config)#ntp authenticate
(config)#ntp trusted-key 1 reference keyed hash
(config)#ntp server x.x.x.x key 1 prefer source Xx/x
 (config)#ntp update-calendar periodic update when synchronized to outside time source
Server:
(config)#ntp authentication-key 1 MD5 xxxxxx x shared secret/keyed hash 1
(config)#ntp authenticate enable authentication
(config)#ntp trusted-key 1 identify trusted key on master
(config)#ntp source (loopback x) sets source interface, loopback means it’s self/NTP server
(config)#ntp master (x) designate as Master (stratum, # hops 0-15 to authoritative time source)

#show ntp status status of NTP service
#show ntp associations IP of synchronized peer devices, statically conf peers, and stratum number
#show clock
#show run | include timestamp verify timestamp service

Logging
(config)#service timestamps log datetime (localtime show-timezone) msec add LOG timestamps to Syslog messages
(config)#service timestamps debug datetime (localtime show-timezone) msec add DEBUG timestamps to Syslog messages
(config)#service timestamps log uptime time since last boot
(config)#service sequence-numbers stamps log messages with seq num

Syslog:
(config)#logging (host) x.x.x.x (port x) dest hostname or ip addr of Syslog server (port 514 is def for syslog)
 (config)#logging host x.x.x.x transport tcp port xx change from def port 514
(config)#logging trap XXXX/x name/number of level, (EACEWNID / 7-0)
(config)#logging source-interface Xx/x optional, specify an interface addr to include in log packet
(config)#logging buffered 4096 debugging buffer size and level (EACEWNID) sent to Buffer
(config)#logging on *on by default
(config)#logging console (x) send all log messages to console (set level 0-7 of message to log)
(config)#no logging (console) turns off logs to: console/IP addr/buffered/host/trap/more…
(config)#logging buffered (x) buffers log messages (set level 0-7 of message to log)
*see also #terminal monitor

#show logging (| include Xxxx xxx xxxx) (which messages to be displayed)

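Added example (Python, not part of these notes) that parses IOS syslog lines produced with `service sequence-numbers` and `service timestamps log datetime msec`, maps the 0-7 severity to its name, shows which messages a given `logging trap` level forwards, and counts the `%SEC_LOGIN-4-LOGIN_FAILED` messages that `login on-failure log` emits per source address. IOS prefixes the timestamp with `*` when the clock is not authoritative and with `.` when it is authoritative but currently unsynchronised, which the parser surfaces so that the NTP configuration above can be checked from the logs themselves. The log lines are constructed samples using real IOS mnemonics.

```python
import re
from collections import Counter

# IOS severity levels 0..7 (the EACEWNID mnemonic in the notes).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"                       # service sequence-numbers
    r"(?P<authority>[*.]?)"                        # '*' not authoritative, '.' not synced
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?(?: [A-Z]{3,4})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")

SOURCE_RE = re.compile(r"\[Source: ([0-9.]+)\]")


def parse_line(line: str):
    """Split one IOS syslog line into fields; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    sev = int(d["severity"])
    return {
        "seq": int(d["seq"]) if d["seq"] else None,
        "timestamp": d["timestamp"],
        "clock_authoritative": d["authority"] == "",
        "facility": d["facility"],
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": d["mnemonic"],
        "text": d["text"],
    }


def trap_level(level) -> int:
    """Accept a 'logging trap' level as a number (4) or a name ('warnings')."""
    return level if isinstance(level, int) else SEVERITY_NAMES.index(level.lower())


def forwarded_at_trap(log: str, level) -> list:
    """Messages a syslog server receives: severity numerically <= the trap level."""
    limit = trap_level(level)
    parsed = (parse_line(l) for l in log.splitlines())
    return [m for m in parsed if m is not None and m["severity"] <= limit]


def failed_logins_by_source(log: str) -> dict:
    """Count LOGIN_FAILED messages per source IP (what 'login on-failure log' produces)."""
    counts = Counter()
    for m in filter(None, (parse_line(l) for l in log.splitlines())):
        if m["facility"] == "SEC_LOGIN" and m["mnemonic"] == "LOGIN_FAILED":
            s = SOURCE_RE.search(m["text"])
            if s:
                counts[s.group(1)] += 1
    return dict(counts)


# Constructed sample log: first line before NTP sync ('*'), later lines with show-timezone.
SAMPLE_LOG = """\
000045: *Mar  1 00:01:23.456: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)
000046: Mar  1 00:01:30.001 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.9] [localport: 22] [Reason: Login Authentication Failed] at 00:01:30 UTC Mon Mar 1 2021
000047: Mar  1 00:01:31.114 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.1.1.9] [localport: 22] [Reason: Login Authentication Failed] at 00:01:31 UTC Mon Mar 1 2021
000048: Mar  1 00:01:35.900 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.5] [localport: 22] at 00:01:35 UTC Mon Mar 1 2021
000049: Mar  1 00:02:00.000 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
000050: Mar  1 00:02:01.000 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
000051: Mar  1 00:02:05.000 UTC: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.50 port 514 started - CLI initiated
"""

if __name__ == "__main__":
    for m in forwarded_at_trap(SAMPLE_LOG, "warnings"):
        print(m["seq"], m["severity_name"], m["facility"], m["mnemonic"])
    print(failed_logins_by_source(SAMPLE_LOG))
```
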
SNMP: *90 SNMP traps vs 6000 Syslog*
#show sdm prefer verify IOS template/switch db manager
 (config)#sdm prefer routing/lanbase-routing change IOS db manager *3560 (prevents switch from generating warning message when saving config)
 (config)#end
 #reload

(config)#ip access-list standard ACL create nACL for community
 (config-std-nacl)#permit x.x.x.x
(config)#snmp-server community Name ro/rw (ACL) community string, nACL optional
 optional:
 (config)#snmp-server location XXX_XXX device location
 (config)#snmp-server contact XXX_XXX
 (config)#snmp-server enable traps (XXXX) notification-types, if not specified then all are sent
 (config)#snmp-server host x.x.x.x version 1/2c/3 (v3 - auth/noauth/priv) XXXX ip addr, community string (above)

 v3 variants:
Security OCG: *See also Security PCG pg 55 (variants…)
(config)#access-list xx permit x.x.x.x /24 ACL *can use standard named
(config)#snmp-server community Name ro/rw ACL# String Name, read only/read write, ACL (std/ext/nACL)
(config)#snmp-server group NameGroup v3 noauth create Group, (auth/noauth/priv)
(config)#snmp-server user NameUser NameGroup v3 config User that resides in Group
(config)#snmp-server trap-source Xx/x interface to be used for Traps
(config)#snmp-server host x.x.x.x version 3 noauth NameUser SNMP server that will be allowed SNMP access (auth/noauth/priv)

31 days: (doesn’t use community, does use engineID and view) – “Cisco SNMP Object Navigator” for OID/MIB
(config)#ip access-list standard ACLName create std nACL
 (config-std-nacl)#permit host x.x.x.x
(config)#snmp-server engineID local xxxxxxxxxxxx configure Engine ID – unique value representing the managed device (IP addr without . )
(config)#snmp-server view MyView MIB-2 included View to define and “include/exclude” User access to OID/MIB tree (branch “MIB-2”)
(config)#snmp-server view MyView cisco included
(config)#snmp-server group GroupName v3 priv write MyView access ACLName group, version, crypto policy, ACL
(config)#snmp-server user UserName GroupName v3 auth sha Password priv aes 128 SharedSecret User, Group, Authentication, Encryption
(config)#snmp-server host x.x.x.x version 3 priv UserName SNMP server that will be allowed SNMP access (auth/noauth/priv)

#show snmp (user/community) verify SNMP config (user/community and ACL info)
***$ snmpget -v2c -c community x.x.x.x x.x.x.x.x.x.x.x.x.x.x version, community string (password), IP addr, OID (snmpget utility)
 snmpgetnext, snmpwalk
 SNMP Object Navigator – Cisco website, decode OID/MIB

NetFlow
(config)#int Xx/x
 (config-if)#ip flow ingress
 (config-if)#ip flow egress
(config)#ip flow-export destination x.x.x.x xxx NetFlow collector destination ip addr, udp port
 *Packet Tracer uses port 9996, other common: 99, 2055
(config)#ip flow-export version x 1 (default), 5, 7, 8, 9 *most common
(config)#ip flow-export source Xx/x/x

#clear ip flow stats

#show ip flow interface NetFlow capture interface info
#show ip flow export NetFlow data export info, check config of export parameters
#show ip cache flow confirms data collection – summary/proto/hosts

Flexible NetFlow (From SecFnd)
(config)#flow record R1-Flow-Record-1 create/edit Flow Record
 (config-flow-record)#description Xxx xxXxx xXxXx optional
 (config-flow-record)#match ipv4 destination address configure key field for flow record
 (config-flow-record)#collect interface input configure non-key field
 *hundreds of variations starting from match and collect. ? to show options.
(config)#flow monitor R1-Flow-Monitor-1 create/edit monitor
 (config-flow-monitor)#description Xxx xxXxx xXxXx optional
 (config-flow-monitor)#record netflow PreviouslyCreatedNetflow identify the Flow Record #record ? - see all options
 (config-flow-monitor)#exporter NC-EXPORTER-1 specify exporter (created below)
(config)#flow exporter NC-EXPORTER-1 create/edit exporter
 (config-flow-exporter)#description Xxx xxXxx xXxXx optional
 (config-flow-exporter)#export-protocol netflow-v9 export protocol, optionally netflow-v5 or ipfix
 (config-flow-exporter)#destination x.x.x.x (transport udp xxx) def port is 9995 (2055???)
(config)#int Xx/x flow monitor must be applied to at least one interface
 (config-if)#ip flow monitor R1-Flow-Monitor-1 input

#show flow record (name) description, status, and fields
#show flow monitor status/configured parameters
 #show flow monitor R1-Flow-Monitor-1 cache format record status and flow data in NetFlow cache
#show flow exporter view configured options
#show run flow record/monitor/exporter

AAA and other Management Plane
(config)#no service password-recovery disables ROMMON password recovery feature
(config)#enable algorithm-type (md5/scrypt/sha256) secret Password Enable/Priv Exec password *IOS 15.5
(config)#username Name algorithm-type (md5/scrypt/sha256) secret Password local database password
(config)#login quiet-mode access-class acl-name/acl-number ACL identifies hosts to ensure authorized devices can always connect
(config)#login delay xx seconds user must wait between unsuccessful attempts
(config)#login on-success/on-failure log (every login) log successful/unsuccessful login attempts

Custom Privilege levels: Privilege Level 1 (User mode >), Privilege Level 15 (Privileged mode #) *15 is the default level, can assign levels 2-14
(config)#privilege exec level 8 configure terminal assigns command “configure terminal” to Privilege Level 8
(config)#enable secret level 8 0 password assigns password for Privilege Level 8, “0” is default/not normally entered (creates MD5 hash)
 (0 indicates it’s unencrypted – an encrypted pw can be copied from another configuration)
(config)#privilege exec level 5 ping assigns “ping” to Level 5
(config)#enable algorithm-type scrypt secret level 5 password assigns secret “password” to Level 5 (specifies algo too)

>enable 8 prompts for password configured for “Privilege Level 8” and allows commands as configured (above)
>/#disable disables current Privilege level

>/#show privilege verify Privilege level *>enable ? additional commands

(config)#username Name privilege 8 secret Password assigns Privilege Level when creating a local user/pw
(config)#username Name privilege 5 algorithm-type scrypt secret password same as above, also specifies algo

Parser View/View – can be created with subsets of Level 15 commands. Restricts users without having to create custom privilege levels
 Role Based CLI Access, RBAC, CLI Views. Possible to create a superview from one or more CLI Views.
 *”enable secret password” and “aaa new-model” must be configured to create a View:
(config)#enable secret Password Privilege Exec Mode/Level 15 password
(config)#aaa new-model
#enable view enter default (root) View (prompted for above password), can be entered from > or # mode
#configure terminal
(config)#parser view ViewName create new custom view
 (config-view)#secret Password set password *sha256 and scrypt are NOT supported
 (config-view)#commands exec include ping specify commands to be included as part of ViewName
 (config-view)#commands exec include all show
 (config-view)#commands exec include configure
 (config-view)#commands configure include access-list
>enable view ViewName use/test above configured View

#show parser view (all) verify Parser View being used i.e. ViewName (Root can see all conf Views)

(config)#username Name view ViewName secret password assign View when creating local user/pw

(config)#aaa type {default | list-name} method-1 [method-2 method-3 method-4] general syntax to create method list
 type – authentication, authorization, accounting
 list-name – used to apply Method List to a line, “default” can be edited
 At least one method must be applied:
 local, enable, krb5, krb5-telnet, line, local-case, none, group radius, group tacacs+, group group-name (ACS Server)
 *Multiple methods are “fallback” in case previous can’t be reached - not attempted if first method returns refusal/user not defined
aaa authentication login default/list-name method1 (method2…4) “default” applies to all lines (vty/console/aux), list-name can be applied specifically
aaa authorization commands x/exec/network default/list-name method1 (method2…4) commands x - Privilege Level 1 – 15 for Global Config
aaa accounting system/network/exec/connection/commands x default/list-name start-stop/stop-only/none method1 (method2…4)

(config)#aaa authentication login default local enable default Method List, tries local db (Running-Config) first then Enable (Priv Exec) password (applies to all: Console, SSH, Telnet, AUX, etc unless another Method List is applied)

(config)#aaa authorization exec default local

Configure ACS with TACACS+ (and alt): enable, create Named Method Lists for Authentication/Authorization, specify ACS Server, apply to Line VTY
(config)#username Name privilege x (algorithm-type scrypt) secret Password create a local db username entry (backup access if ACS/TACACS is down)
(config)#aaa new-model enables AAA features, disabled by default
(config)#aaa authentication login AUTHENTviaTACACS group tacacs+ local attempts username/password check with TACACS+, then local db (running conf)
(config)#aaa authorization exec AUTHORviaTACACS group tacacs+ local permits EXEC shell
(config)#tacacs-server host x.x.x.x key TACPassword specify ACS server to use, *ping to verify server host is reachable

(config)#line vty 0 4 configure telnet to use authentication/authorization method lists
 (config-line)#login authentication AUTHENTviaTACACS specifically applies Method List Name
 (config-line)#authorization exec AUTHORviaTACACS

- 31 days (variation examples)
(config)#username Name privilege x (algorithm-type scrypt) secret Password create a local db username entry (backup access if ACS/TACACS is down)
(config)#aaa new-model enable AAA globally
(config)#tacacs server TACSRV/x.x.x.x version/device dependent, IP addr can be used in place of Name
 *”tacacs-server (host/key)” or “tacacs host/key” seem to be predominant, not “tacacs server” (same for “radius”)
 (config-server-tacacs)#address ipv4 x.x.x.x if not entered as part of above command
 (config-server-tacacs)#single-connection maintain single TCP connection for duration of session
 (config-server-tacacs)#key TACPassword
 (config)#radius server RADSRV
 (config-radius-server)#address ipv4 x.x.x.x auth-port 1812 acct-port 1813 *1645/1646
 (config-radius-server)#key RADPassword
(config)#aaa authentication login default group tacacs+ group radius local-case edit “default” Method List to use AAA then local case sensitive
(config)#aaa authentication login NOAUTH none Method List to NOT require authentication *applied to Line below
(config)#aaa authentication login SRVAUTH group tacacs+ group radius local-case create Method List to provide authentication
(config)#ip http authentication aaa login-authentication default apply “default” Method List to HTTP server
(config)#line con 0
 (config-line)#login authentication NOAUTH NOAUTH uses “none” which requires no authentication
(config)#line vty 0 4
 (config-line)#transport input ssh
 (config-line)#login authentication SRVAUTH apply SRVAUTH to the vty lines
(config)#aaa authorization exec SRVEXEC group tacacs+ group radius local authorize Exec Shell access
(config)#aaa authorization commands 15 SRVCMD group tacacs+ group radius local authorize Global Conf command Level 15 access
(config)#aaa authorization config-commands authorize all configuration commands *Global Config, may vary by version
(config)#line vty 0 4 apply above Method Lists
 (config-line)#authorization exec SRVEXEC
 (config-line)#authorization commands 15 SRVCMD
(config)#aaa accounting exec ACCEXEC start-stop group tacacs+ group radius start/stop accounting at beginning and end of Exec session (terminal)
(config)#aaa accounting commands 15 ACCCMDS stop-only group tacacs+ group radius accounting at end of Command/Global Config session
(config)#line vty 0 4
 (config-line)#accounting exec ACCEXEC apply ACCEXEC to vty
 (config-line)#accounting commands 15 ACCCMDS apply ACCCMDS to vty
AAA/HTTP:
(config)#aaa new-model
(config)#aaa authentication login AuthentHTTP group radius local create Authentication Method List
*(config)#aaa authentication login default local specify Local for Default Authentication Method List
(config)#aaa authorization exec AuthorHTTP group radius local create Authorization Method List
(config)#ip http authentication aaa require AAA for HTTP authentication
(config)#ip http authentication aaa login-authentication AuthentHTTP apply AuthentHTTP
(config)#ip http authentication aaa exec-authorization AuthorHTTP apply AuthorHTTP
*(config)#ip http authentication aaa login-authentication default apply Default Method List to HTTP server ???necessary

#show aaa servers
#debug tacacs/radius more granular view of authentication process
#debug aaa authentication high level view of login activity, method used, pass/fail
#debug aaa authorization
#debug aaa accounting

#test aaa group tacacs+ UserName Password legacy verify ACS to router authentication component is working *pg 62 for output

Device/User Group – logical organization in ACS for assigning routers and users then associating permissions *OU in Windows
 Network Group/Device and Identity Group/User Account, Authorization Profiles control rights
 Create Device Group > Create/Assign Client (Device)
 Create Identity Group > Create/Assign User Account
 Configure Authorization Policy > Assign Identity Group & Network Device Group (NDG) Device Type
 Select Shell Profile (used for Authorization purposes and associated with Authorization policy) *Read/Deny/Permit/Full Access

802.1X (SecFnd/CyOps Chap 4 pg 220)
enable 802.1X on a Switch: (31 Days pg63)
S(config)#aaa new-model AAA enabled
S(config)#radius server RADSRV RADIUS Server configured *802.1X ONLY uses RADIUS – EAP not supported in TACACS+
 (config-radius-server)#address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 (config-radius-server)#key SecretRADIUS
S(config)#aaa authentication dot1x default group radius 802.1X Authentication Method List *default
S(config)#dot1x system-auth-control enable globally
S(config)#int Xx/x
 (config-if)#switchport mode access *802.1X not supported on EtherChannel/Trunk/Dynamic ports
 (config-if)#authentication port-control auto allows port to also initiate authentication *authentication replaced dot1x
 *force-authorized – authorizes all / force-unauthorized – authorizes no one / auto – uses 802.1X
 (config-if)#dot1x pae authenticator act only as Authenticator, ignore messages for Supplicant
 *Port Access Entity type (authenticator/supplicant/both)

#show dot1x (all (summary) / int Xx/x / details / statistics)

ZPF/ZBF – ISR Zone-based Policy Firewall - C3PL (Cisco Common Classification Policy Language) *MQC – CoPP/CPPr Modular Policy Framework - ASA
(config)#zone security Inside create Security Zones
(config)#zone security Outside
(config)#zone security DMZ

(config-if)#zone-member security Inside assign interfaces to Security Zones, can assign an int to only one Security Zone
(config-if)#zone-member security Outside
(config-if)#zone-member security DMZ

(config)#access-list 100 permit ip host x.x.x.x any create ACL to be applied to Class Map

(config)#class-map type inspect match-all CMAPBogusSource create Class Map - identifies traffic *“inspect” identifies as Class/Policy Map for ZBF
 (config-cmap)#match access-group 100 apply ACL (or protocol or class-map) to Class Map

(config)#class-map type inspect match-any CMAPCommonProtocols
 (config-cmap)#match protocol tcp specify protocols to match to Class Map
 (config-cmap)#match protocol udp
 (config-cmap)#match protocol icmp

(config)#policy-map type inspect PMAPforZBF create Policy Map – specify action to take on traffic *”inspect” above
 (config-pmap)#class type inspect CMAPBogusSource specify Class Map to inspect
 (config-pmap-c)#drop log action to take (inspect/pass/drop (log))
 (config-pmap)#class type inspect CMAPCommonProtocols
 (config-pmap-c)#inspect *”inspect” permits initial and allows return traffic

(config)#zone-pair security InToOut source Inside destination Outside create Zone Pair – name, assign source/dest zones
 (config-sec-zone-pair)#service-policy type inspect PMAPforZBF apply Policy Map to Zone Pair *unidirectional flow, one Serv Policy per Zn Pair

#show class-map type inspect
#show policy-map type inspect (zone-pair InToOut sessions) state table
#show zone security
#show zone-pair security

Antispoofing ACL (RFC 1918, loopback, internal, broadcast etc. addresses). Placed on outside interface.
access-list 150 deny ip host 0.0.0.0 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip 192.0.2.0 0.0.0.255 any
access-list 150 deny ip 198.51.100.0 0.0.0.255 any
access-list 150 deny ip host 255.255.255.255 any
access-list 150 permit ip any any

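Added example (Python, not part of these notes) that parses numbered-ACL lines like the antispoofing list above, evaluates a source address against them with Cisco wildcard-mask semantics (a 1 bit in the wildcard means "don't care"; first match wins; implicit deny at the end), and lints for non-contiguous wildcards. IOS accepts a mistyped wildcard such as 0.225.255.255 without complaint, yet it leaves part of 10.0.0.0/8 unblocked; the second, deliberately mistyped list is constructed to show the lint catching that. The first list is the antispoofing ACL from the notes.

```python
import ipaddress
import re


def wildcard_to_prefix_len(wildcard: str):
    """Prefix length equivalent to a wildcard mask, or None if the wildcard is
    non-contiguous (IOS accepts those; they are almost always typos)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    bits = f"{mask:032b}"
    return None if "01" in bits else bits.count("1")  # 1..10..0 has no "01"


def _parse_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D W.W.W.W.
    Returns ((address, wildcard), remaining_tokens) with both as integers."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]


ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (.+)$")


def parse_acl(text: str) -> list:
    """Parse 'access-list N permit|deny proto SRC DST' lines; other lines are skipped."""
    acl = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        number, action, proto, rest = m.groups()
        src, rest_tokens = _parse_addr(rest.split())
        dst, _ = _parse_addr(rest_tokens)
        acl.append({"number": int(number), "action": action, "proto": proto,
                    "src": src, "dst": dst, "raw": line.strip()})
    return acl


def matches(spec, ip: str) -> bool:
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # bits that must match
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(acl: list, src_ip: str, dst_ip: str = "203.0.113.1"):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace["src"], src_ip) and matches(ace["dst"], dst_ip):
            return ace["action"], ace["raw"]
    return "deny", "implicit deny"


def lint(acl: list) -> list:
    """Report entries whose source or destination wildcard is non-contiguous."""
    issues = []
    for ace in acl:
        for which in ("src", "dst"):
            wildcard = str(ipaddress.IPv4Address(ace[which][1]))
            if wildcard_to_prefix_len(wildcard) is None:
                issues.append(f"{ace['raw']}: {which} wildcard {wildcard} is non-contiguous")
    return issues


# The antispoofing list from the notes above.
ANTISPOOF_ACL = parse_acl("""
access-list 150 deny ip host 0.0.0.0 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip 192.0.2.0 0.0.0.255 any
access-list 150 deny ip 198.51.100.0 0.0.0.255 any
access-list 150 deny ip host 255.255.255.255 any
access-list 150 permit ip any any
""")

# Constructed list with a mistyped wildcard (225 instead of 255) to show the lint.
TYPO_ACL = parse_acl("""
access-list 150 deny ip 10.0.0.0 0.225.255.255 any
access-list 150 permit ip any any
""")

if __name__ == "__main__":
    for ip in ("10.20.30.40", "172.32.0.1", "8.8.8.8"):
        print(ip, evaluate(ANTISPOOF_ACL, ip))
    print(lint(TYPO_ACL))
    print("10.16.0.1 against mistyped list:", evaluate(TYPO_ACL, "10.16.0.1"))
```

With the mistyped wildcard, 10.32.0.1 is still denied (bit 32 of the second octet is a "don't care" bit) but 10.16.0.1 falls through to `permit ip any any`, which is exactly the kind of gap the lint is there to catch before the list goes on an outside interface.
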
service-module t1 clock source {line | internal} dce/dte
service-module t1 timeslots {all | <range>} [speed 56 | 64]
service-module t1 framing {sf | esf}
service-module t1 linecode {b8zs | ami}
ROM Bootup - Basic Diag (POST), Limited IOS (BIOS/Boot Loader)
Flash IOS, other system files (vlan.dat)
NVRAM Startup Config, storage for other -config
RAM Running IOS, Running Config, IP Routing/ARP Tables, Packet Buffer
*Boot Loader access:
 - console cable
 - unplug power
 - reconnect power and hold “Mode” button (while System LED is still flashing green)
 - hold Mode until System LED briefly turns amber then solid green
 - switch: prompt appears (supports format flash file system, reinstall OS, and recover lost passwords)